Earlier this year, Google started a project to review third-party developer access to Google accounts through the use of APIs. It found a security breach surrounding Google+, and is now shutting the service down, at least for consumers.
The long and short of the issue is that there was a security hole that allowed third-party developers to access Google+ users’ account data, including name, email address, occupation, gender, and age—even if the account was set as private. This isn’t particularly sensitive data, but regardless, a breach is a breach.
The bug was discovered in March of 2018, but was presumed to have been open since sometime in 2015. To make matters slightly more troubling, Google only keeps this particular API’s data log for two weeks…so the company has no way of knowing which users were affected. Presumably, however, some 500,000 users were on the list.
As a bit of a bright side, however, there was no evidence that any developer was even aware this bug existed, despite 438 applications using the API. Similarly, there was no evidence that any profile data was stolen, sold, or otherwise misused. That’s good, I guess.
The bug was patched two weeks after it was initially discovered (Google took two weeks to analyze the data before patching the hole), but the company has now decided to shut down Google+ as a consumer service. In a blog post highlighting its findings, the company states that 90 percent of all Google+ visits last fewer than five seconds. Ouch.
So, instead of investing time, energy, and money into a clearly dead network, the company is just going to put it out of its misery. The consumer side will be completely closed by August of 2019. From that point forward, G+ will continue on as an enterprise product, where many companies seem to use it heavily.
As another upside, more granular account permissions are going to be available on Google accounts. That means instead of just allowing access to your account with one simple “Allow” button, you’ll get to choose which permissions apps are granted for each particular service.
So, for example, if you’re using your Google account to sign into a new service and it requests access to your Calendar and Drive, you’ll be able to grant or deny that permission on a per-service basis. Think of it like Android’s permission control, just for your Google account. They’re also limiting apps’ access to your Gmail account moving forward, so only apps that “directly enhance” email functionality (like email clients and backup services) will be able to access your Gmail messages.
Finally, app access to Call Logs and SMS on Android is going to be limited moving forward. Google Play will limit the types of apps that are allowed to request these permissions—only your default app for the given situation will be able to access this info. So, for example, your default messaging app will have access to SMS permissions, and the default dialer can access Call Logs. But other apps won’t be able to.
All these changes are happening in the coming months, giving users more control over their own data. Google will also work with developers to give them time to adjust the required permissions for apps and services that will be affected by the changes.