granting the third-party access to their Google account.
We then invited n = 214 participants from the first survey
to return for a follow-up survey. As part of this second survey,
participants installed a browser extension that parsed entries
in their Google account’s “Apps with access to your account”
dashboard.²
Based on this data, we asked participants about
specific apps they currently have installed on their Google
account. From the browser extension, we observed 1,010
third-party services that use Google SSO and 455 third-party
apps that integrate with APIs for various Google services. Of
the observed third-party apps, nearly half require two or more
permissions accessing the participants’ Google account. The
most common permission is modifying Google Play Game
activity (223 instances), followed by viewing primary Google
email address (189), and viewing personal info (177).
Participants were overall only Slightly concerned or Not
concerned about the access granted to third-party apps, but
showed the most concern about apps viewing personal info;
39% were Very concerned, Concerned, or Moderately concerned.
Interestingly, such information is perhaps less of a
privacy and security risk than third-party apps that can modify/view
contacts, email, calendar events, or cloud storage.
The relative lack of concern with these permissions could be
attributed to a transference of trust to Google, as evidenced
by open-ended responses where participants indicated that
they believe Google is properly vetting these accesses.
We surveyed participants about the specific apps on their
accounts and asked if they wished to keep or remove account
access for those apps. A logistic regression revealed that participants
were 5.8× more likely to want to remove access for
an app when they wished to change which Google account
data the app can access. Additionally, they were 5.9× more
likely to keep access when the app was recently used, and
6.0× more likely to keep access when they viewed the app
as beneficial. However, 79% and 78% of participants indicated
that they currently Rarely or Never review their apps
and SSOs, respectively. After viewing their third-party accesses
as part of our survey though, the vast majority (95%)
of participants indicated they would want reminders to review
those at least Once a year.
These findings suggest a significant opportunity to improve
how users interact with third parties with programmatic access
to their accounts by helping users to identify and remove less
frequently used apps/SSO in an automated way, or to simply
revoke access after a period of disuse. Similarly, Google
could require regular re-approval of access, perhaps yearly so
as not to be too disruptive. Additionally, many participants
articulated a desire for controls of the permissions for third-party
apps. This would allow users to better limit which
aspects of their Google account each app/SSO can access
with respect to the benefit being provided, rather than forcing
them to accept an all-or-nothing approach.
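
One way the review policy suggested above could be automated, as an added example that is not code from the paper or from Google. The `Grant` record, the permission category labels, the 180-day disuse limit and the sample apps are all assumptions made for illustration; only the yearly re-approval interval and the list of higher-risk data types come from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values: the text proposes revoking "after a period of disuse"
# (no number given, 180 days chosen here) and re-approval "perhaps yearly".
DISUSE_LIMIT = timedelta(days=180)
REAPPROVAL_INTERVAL = timedelta(days=365)
# Data types the text names as higher risk than basic personal info.
SENSITIVE = {"contacts", "email", "calendar", "cloud_storage"}

@dataclass
class Grant:
    app: str
    permissions: frozenset  # hypothetical category labels, not Google scope strings
    last_used: date
    approved_on: date

def triage(grant: Grant, today: date) -> str:
    """Return 'revoke', 'reapprove', 'review_permissions' or 'keep'."""
    if today - grant.last_used > DISUSE_LIMIT:
        return "revoke"              # unused for too long: drop access
    if today - grant.approved_on > REAPPROVAL_INTERVAL:
        return "reapprove"           # still used, but consent is over a year old
    if grant.permissions & SENSITIVE and len(grant.permissions) >= 2:
        return "review_permissions"  # multi-permission app touching sensitive data
    return "keep"

def triage_all(grants, today):
    # Order the results so actions needing the user's attention come first.
    order = {"revoke": 0, "reapprove": 1, "review_permissions": 2, "keep": 3}
    results = [(g.app, triage(g, today)) for g in grants]
    return sorted(results, key=lambda r: (order[r[1]], r[0]))

# Constructed sample data (app names and dates are invented).
SAMPLE = [
    Grant("old-game", frozenset({"play_games"}), date(2021, 1, 10), date(2020, 6, 1)),
    Grant("mail-sorter", frozenset({"email", "contacts"}), date(2022, 2, 20), date(2021, 11, 5)),
    Grant("news-sso", frozenset({"personal_info"}), date(2022, 2, 25), date(2020, 3, 14)),
    Grant("notes-sso", frozenset({"primary_email"}), date(2022, 2, 27), date(2021, 12, 1)),
]

if __name__ == "__main__":
    for app, action in triage_all(SAMPLE, date(2022, 3, 1)):
        print(f"{app:12s} {action}")
```
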
² https://myaccount.google.com/permissions
2 Background and Related Work
Russell et al. [32] characterize online APIs as among: content-focused
APIs that provide data; feature APIs that integrate
existing software functionality from elsewhere; unofficial
APIs that (unintentionally) expose internal interfaces; and
analytic APIs that track user experiences. Here, we focus
on Google’s content-focused and feature APIs that enable
third-party developers to register apps with Google that can
perform operations on behalf of a user. Most services, including
Google’s, use the OAuth standard [2] to delegate and
manage these authorizations. OAuth has been the focus of
much security research [5, 36, 45], and in this paper we do
not investigate the security of OAuth directly but rather user
awareness and concerns for such delegations.
While we primarily focus on third-party apps, we also
consider SSO services as a form of third-party apps with
limited functionality. Bauer et al. [6] looked at willingness to
use the SSOs of Google, Facebook and other services, finding
that there were concerns with information sharing through
SSO, despite messaging. We find similar concerns in our
study. Ghasemisharif et al. [14] studied SSO with respect to
potential for account hijacking. The authors also measured
the prevalence of SSOs, finding that Facebook is the most
prevalent SSO service, followed by Twitter and Google. Hu
et al. [21] investigated SSOs in the context of online social
networks and how apps can complete an impersonation attack.
And Zhou et al. completed automated vulnerability testing
of SSO on the web [43]. Here we assume that the SSO is
properly implemented and instead focus on user perceptions
of sharing information with third parties via SSO services.
Prior work on third-party apps has mostly focused on the
Facebook ecosystem. Felt et al. [11] examined 150 Facebook
platform apps in 2008, finding that 90% of the examined apps
have unnecessary access to private data. Huber et al. [22] developed
a method to analyze privacy leaks in Facebook apps
at scale by leveraging client-side iframes to capture network
traffic. Google third-party apps do not necessarily operate
client-side. More recently, Farooqi et al. [10] used “honeytoken”
email addresses (i.e., auto-generated accounts on an
email server that the researchers control) to detect Facebook
apps inappropriately collecting and using those addresses.
Such a method could also be used for Google third-party apps
but was not the primary focus of this research.
Our work is also related to prior research on permission
management for online APIs. Similar to Wang et al. [39],
who analyzed the permissions requested by Facebook API
apps at install time, we explore the permissions requested by
third-party apps that integrate with Google’s API. Prior work
explored a subset of these permissions on Google [31]. A lack
of centralization for third-party apps means there is far from
comprehensive coverage. Our work expands on this effort
with in-the-wild observations of apps authorized on actual
users’ Google accounts.
Permissions have been extensively studied in the context
3398 31st USENIX Security Symposium USENIX Association