What are the real risks of enabling 3rd party Google Drive apps?

When granting approval of a Google Drive 3rd party app, what are the real risks?  I am quite security conscious for my personal drive and take all possible precautions (two-step verification etc.) but still believe in being IT progressive.

When you approve an app, it gives the normal boilerplate warnings, blah blah, has access to all your files, life and will control the wife etc. etc.  In reality, can they actually access your data at 4.30pm on a Sunday and snoop around?

John, Business Consultant (Owner), commented:
If you do not allow access, then people cannot snoop around. For truly private use, Google Drive (or OneDrive or Dropbox) is reasonably secure.
u587162 (Author) commented:
That didn't really answer my question.
It would really depend on the app and what it is supposed to do. I'd suggest you try to find out more details of an app before using it. Besides that I wouldn't necessarily store any sensitive data in the cloud. What is on your local PC should be reasonably safe, as long as you also follow the basic security measures which should be used on all PCs, like only using standard user profiles, having the system patched, a good, free AV solution, not opening mail attachments unless you expect them from a known person, only visiting trusted web-sites etc.
John, Business Consultant (Owner), commented:
There is no perfect security on the internet - your documents, your own computer, your on-line bank account.

The risks are not quantifiable:  If you secure everything properly, and do not do silly things, your documents are secure.
u587162 (Author) commented:
John, I appreciate you trying to answer as many questions on this site as possible, but I do often find your comments vague and so general that they often strike me as common sense answers rather than specifically addressing the points :-)

If Google was to allow a third party app to connect to Gmail or Drive, then surely it must be vetted, right?  So for example, when viewing a Gmail attachment, it gives you the option to preview the attachment using one of several built-in third party apps, like some advanced PDF tool or a video player etc.  I have approved the use of DocHub or Lumin to access my files.  But like with most apps, the general disclaimer is the same for all third party apps that you approve, it says you grant access for them to see your files etc.

In reality, I am trying to understand to what extent this is true and whether someone at that company can indeed just snoop around your Google Drive at will whilst on his coffee break.
John, Business Consultant (Owner), commented:
I am confused by your paragraph on accessing your data. If you let people see your data they can snoop around. That is what you said: "I have approved the use of DocHub or Lumin to access my files ... it says you grant access for them to see your files etc."

You cannot do this and have good security of your information.
u587162 (Author) commented:
So basically the millions of global users who permit third party plugins are opening up their entire Google Drive to anyone at that company to look around at will?  Really????
John, Business Consultant (Owner), commented:
>>In reality, I am trying to understand to what extent this is true and whether someone at that company can indeed just snoop around your Google Drive at will whilst on his coffee break.

If they have access to your files on their computer, you cannot prevent snooping.

If you secure access, then lock your computer when you are away from your desk.
John, Business Consultant (Owner), commented:
You need to be VASTLY clearer. If the access provided is ONLY to you, then people cannot snoop. If you have provided access to others to view, then they can snoop.

Would you expect different?
u587162 (Author) commented:
Why are you referring to a computer?  Where have I said that I granted access to my computer?

Google Drive, web-based, browser, third party app.  No computer.
John, Business Consultant (Owner), commented:
Sorry, I figured you had a computer for working on.

So then clarify:

1. If the access provided is ONLY to you, then people cannot snoop.
2. If you have provided access to others to view, then they can snoop.

Would you expect different?
u587162 (Author) commented:
I was hoping that someone would say, in non-technical terms, that an app plug-in would only be able to access data in a particular way.

The iPhone allows third party developers to create apps for the phone, but doesn't allow them to do "anything" they like on the phone.  There are limits.  And I was expecting a response to say that controls are in place to ensure that whilst the app might have access to the file that you want to edit WHILST you use the app, they cannot simply just access your Google Drive like it's another mapped drive.

Are you giving your opinion on this or are you speaking fact, because quite often I see your responses to my previous questions and others, as a 24/7 attempt to answer with general responses, maybe for the points but maybe to also be helpful, I don't know... and others have also commented the same.
Antzs, Infrastructure Services, commented:
Why not just use the Google native app to access instead of a 3rd party app?  This would minimize the risk since it will be only accessible from a single source (and you are actually giving permission to a single app instead of multiple apps to access your files).

Depending on how confidential the files are, you may consider putting the files offline and non-accessible when connected to the internet.  Or maybe host your own online storage server.
John, Business Consultant (Owner), commented:
I think you are creating an impossible situation. You want to provide access (apparently to people you may not know) but control what they do even though they may have a jail-broken iPhone or an Android that can be programmed.
u587162 (Author) commented:
Hi Anthony,
I agree with your comment - I guess when using Chrome / Gmail / preview - "open with" feature, there are some useful apps there that, for example, allow you to edit the document in question without the need to faff about opening other dedicated apps, or indeed if you don't have e.g. a PDF writer or an application to draw lines or add text quickly, some of these plug-in type apps can be very useful.

Reading a disclaimer is fine, but if everyone was assuming the risk that John is mentioning, we wouldn't be updating our iOS or Android firmwares because we would all be giving up our data to the software giants.

I'm not saying we expose our data to dodgy web sites or even malware incorporated within peer2peer pirated software, but genuine plug-ins that are being promoted by Google as part of its Google Labs or whatever, must surely have some controls, regardless of what the "legal disclaimer" says.

As explained, I'm not referring to Google Drive on a PC / computer.  My question relates purely to the use of plug-ins for the online version of Google Mail and Google Apps.  I suppose to some extent, the question could also be extended to Dropbox and its third party plug-ins or Evernote third party plug-ins too.

As the world starts using them, are we now all "100% opening our data for the world to hack" - I should certainly hope not or else these companies have something to answer for in their multi-billion dollar valuations.
John, Business Consultant (Owner), commented:
>>I suppose to some extent, the question could also be extended to Dropbox and its third party plug-ins or Evernote third party plug-ins too.

I use Dropbox. My document store is password protected and no one snoops - ever.
u587162 (Author) commented:
John - why are you referring to jailbroken phones now?  You are using extreme examples for something which I am saying is basic and almost an everyday feature or offering.
John, Business Consultant (Owner), commented:
You are using the word "snoop". People who snoop are often adept at using tools to snoop.
u587162 (Author) commented:
>>I use Drop Box. My document store is password protected and no one snoops - ever.

So you are choosing to not use other useful third party plug-ins to Dropbox, ok that's your choice.  But that doesn't eliminate the question as to whether a fantastically produced productive app, maybe linking Evernote and Dropbox, would have dire side effects.

You remain content with saying what you do without necessarily exploring the other features.  Almost like blocking your ears not wanting to hear the good extended things that are available!
John, Business Consultant (Owner), commented:
As an example, I (along with others) have been given access to a Google Document that I cannot copy or save elsewhere. But I was able to create a PDF out of it (for proper purposes). My point is that people don't really understand what they are putting in public places.
u587162 (Author) commented:
Again, you're digressing.  Call it snoop, call it hack, call it what you want.  It's just a play on words.  Ultimately I want to know if there are controls on what a third party app can do and if it ONLY accesses your data when you are using it.  I don't think you have the knowledge (no offense) to answer that, and your response is just an opinion.

I'm sure a security minded person here "in the know" might be able to answer that.
John, Business Consultant (Owner), commented:
>>Almost like blocking your ears not wanting to hear

Goodbye. I do not need that.
Allen Falcon, CEO & Pragmatic Evangelist, commented:
When you grant 3rd party access to Google Drive, or to your Google Apps environment in general, the security risk depends on the application itself.

APIs for Google Drive (and Google Apps) are pretty specific as to what the application can and cannot do.  There are also broad permissions like "Grant read/write access to all files and data".  Lazy 3rd party programmers use the broad permission rather than the granular options.

If the 3rd party app is secure and protects your data from the ISV (independent software vendor, maker of the 3rd party app) employees, your data remains secure and cannot be seen by the ISV employees.  Look for SOC Type II and other security credentials for any third party app.

We also recommend looking at the permissions you are granting (you can see these through the GAFW admin console).  If you are adding an org chart tool, for example, it will need write permissions to Drive in order to save files.  If the permissions don't seem to match the function of the app, you may have an issue.

Finally, your data may be susceptible to bugs in the 3rd party app.  Not too long ago, a 3rd party project management tool had a bug that set users' file permissions to public for all files.  Not a good thing.  It was a programming error in the app.

We strongly recommend a few tools for Google Apps if you are using Drive to store important/critical information and/or have specific security needs (regulatory and/or internal):

Use a tool to monitor and manage file permissions and 3rd party application access, such as BetterCloud Enterprise or CloudLock

Use a Backup/Recovery tool to protect your Drive (and other Google Apps data), such as Backupify for Google Apps

If you have specific security needs, message level email encryption and individual file encryption services may also be appropriate.
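
An added example (not part of the original thread, and not code from Google or any tool named above): a small audit that rates the Drive OAuth scopes an app holds, to make the broad-versus-granular distinction in the answer above concrete. The scope names are Google's published Drive scopes; the tier labels, the app names, the sample grants and the `needs_full_drive` field are assumptions constructed for illustration.

```python
# Added illustration, not from the thread: rate the Drive OAuth scopes an app holds.
PREFIX = "https://www.googleapis.com/auth/"

# Scope names are Google's published Drive scopes; the tier labels are this example's own.
SCOPE_TIER = {
    "drive": ("broad", "see, edit, create and delete every file in the Drive"),
    "drive.readonly": ("broad", "see and download every file in the Drive"),
    "drive.metadata": ("metadata", "view and manage metadata of every file"),
    "drive.metadata.readonly": ("metadata", "view metadata (e.g. names) of every file"),
    "drive.file": ("granular", "only files the user opened with or created in the app"),
    "drive.appdata": ("granular", "only the app's own configuration data"),
    "drive.install": ("granular", "adds the app to Drive's 'Open with' menu; no file access"),
}

def audit_grant(scopes, needs_full_drive=False):
    """Return (severity, scope, meaning) for each granted scope.

    needs_full_drive is the reviewer's judgement (hypothetical field) of whether
    the app's stated function, e.g. whole-Drive backup, justifies a broad scope.
    """
    findings = []
    for scope in scopes:
        name = scope[len(PREFIX):] if scope.startswith(PREFIX) else scope
        tier, meaning = SCOPE_TIER.get(name, ("unknown", "not in this example's table"))
        if tier == "broad" and not needs_full_drive:
            severity = "REVIEW"   # permission exceeds what the app's function needs
        elif tier == "unknown":
            severity = "CHECK"    # look the scope up before trusting the grant
        else:
            severity = "OK"
        findings.append((severity, name, meaning))
    return findings

def worst(findings):
    """Highest severity in a grant: REVIEW > CHECK > OK."""
    order = ["OK", "CHECK", "REVIEW"]
    return max((f[0] for f in findings), key=order.index, default="OK")

# Constructed sample grants, shaped like a list of apps with access to an account.
GRANTS = [
    {"app": "pdf-annotator", "scopes": [PREFIX + "drive.file", PREFIX + "drive.install"]},
    {"app": "project-planner", "scopes": [PREFIX + "drive"]},
    {"app": "backup-tool", "scopes": [PREFIX + "drive.readonly"], "needs_full_drive": True},
]

def audit_all(grants=GRANTS):
    """Map each app name to the worst severity found among its scopes."""
    return {g["app"]: worst(audit_grant(g["scopes"], g.get("needs_full_drive", False)))
            for g in grants}
```

An app holding only `drive.file` reaches just the files the user explicitly opened with it, while `drive` or `drive.readonly` covers the whole Drive, which is the mismatch between permission and function the answer says to look for.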


u587162 (Author) commented:
Thank you, Allen.  That seems like a more informed and reasonable response rather than a "well if you let a third party app access your Google Drive, you should of course assume your files will be hacked/snooped on".

You've alluded to some technical tools / language that I, as a non-IT person myself, will not be too familiar with.  Any suggestions as to how an ordinary person like myself could go about undertaking some very basic risk analysis and explain how not to read too much into it or vice versa?

Allen Falcon, CEO & Pragmatic Evangelist, commented:
Most of the services offer a free trial.  We typically provide a trial of BetterCloud Enterprise, which lets you run a risk assessment against standard criteria (common regulatory requirements) to get a sense of your current exposure.
Antzs, Infrastructure Services, commented:
I was just researching about disk/volume encryption and got to know that they also support encryption on the cloud.  That means, all data which are saved/stored in the cloud are also encrypted.

So even if the 3rd party app or provider has access to your data it will be encrypted.  This is probably the best way to mitigate the risk of data being accessed by any 3rd party.
u587162 (Author) commented:
Thanks Allen / Anthony.  BetterCloud Enterprise sounds interesting, but I am just an ordinary consumer and probably will not have the skills to check to that level.

I guess this is a difficult question to answer definitively.
Before getting a 3rd party app, check what it is used for. Based on that you will know which of your data it needs access to so it can work, and which data it should not touch. Many apps probably need to have access to your address book for example, or also know your location to work properly.

Once you know that, try to find reviews and user experience on the web about that app and the company making it. That can help you decide whether you want to trust that company/app and use it or not.