Solved

What are the real risks of enabling 3rd party Google drive apps

Posted on 2016-08-14
Last Modified: 2016-08-22
When granting approval of a Google Drive 3rd party app, what are the real risks? I am quite security conscious for my personal drive and take all precautions possible (two-step verification etc.) but still believe in being IT progressive.

When you approve an app, it gives the normal boilerplate warnings blah blah has access to all your files, life and will control the wife etc etc. In reality, can they actually access your data at 4.30pm on a Sunday and snoop around?
0
Question by:u587162
28 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755450
If you do not allow access, then people cannot snoop around. For truly private use, Google Drive (or OneDrive or Dropbox) are reasonably secure.
0
 

Author Comment

by:u587162
ID: 41755453
That didn't really answer my q.
0
 
LVL 87

Expert Comment

by:rindi
ID: 41755466
It would really depend on the app and what it is supposed to do. I'd suggest you try to find out more details of an app before using it. Besides that I wouldn't necessarily store any sensitive data in the cloud. What is on your local PC should be reasonably safe, as long as you also follow the basic security measures which should be used on all PCs, like only using standard user profiles, having the system patched, a good, free AV solution, not opening mail attachments unless you expect them from a known person, only visiting trusted web-sites etc.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755486
There is no perfect security on the internet - your documents, your own computer, your on-line bank account.

The risks are not quantifiable:  If you secure everything properly, and do not do silly things, your documents are secure.
0
 

Author Comment

by:u587162
ID: 41755828
John, I appreciate you trying to answer as many questions on this site as possible, but I do often find your comments vague and so general that they often strike me as common sense answers rather than specifically addressing the points :-)

If Google was to allow a third party app to connect to Gmail or Drive, then surely it must be vetted right? So for example, when viewing a Gmail attachment, it gives you the option to preview the attachment using one of several built in third party apps, like some advanced PDF tool or a video player etc. I have approved the use of DocHub or Lumin to access my files. But like with most apps, the general disclaimer is the same for all third party apps that you approve, it says you grant access for them to see your files etc.

In reality, I am trying to understand to what extent this is true and whether someone at that company can indeed just snoop around your Google Drive at will whilst on his coffee break.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755831
I am confused by your paragraph on accessing your data. If you let people see your data they can snoop around. That is what you said: "I have approved the use of DocHub or Lumin to access my files ... it says you grant access for them to see your files etc."

You cannot do this and have good security of your information.
0
 

Author Comment

by:u587162
ID: 41755832
So basically the millions of global users who permit third party plugins are opening up their entire Google Drive to anyone at that company to look around at will? Really????
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755833
>>In reality, I am trying to understand to what extent this is true and whether someone at that company can indeed just snoop around your google drive at will whilst on his coffee break.

If they have access to your files on their computer, you cannot prevent snooping.

If you secure access, then lock your computer when you are away from your desk.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755834
You need to be VASTLY clearer. If the access provided is ONLY to you, then people cannot snoop. If you have provided access to others to view, then they can snoop.

Would you expect different?
0
 

Author Comment

by:u587162
ID: 41755835
Why are you referring to a computer? Where have I said that I granted access to my computer?

Google Drive, web based, browser, third party app. No computer.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755836
Sorry, I figured you had a computer for working on.

So then clarify

1. If the access provided is ONLY to you, then people cannot snoop.
2. If you have provided access to others to view, then they can snoop.

Would you expect different?
0
 

Author Comment

by:u587162
ID: 41755844
Yes.
I was hoping that someone would say, in non-technical terms, that an app plug-in would only be able to access data in a particular way.

The iPhone allows third party developers to create apps for the phone, but doesn't allow it to do "anything" it likes on the phone. There are limits. And I was expecting a response to say that controls are in place to ensure that whilst the app might have access to the file that you want to edit WHILST you use the app, they cannot simply just access your Google Drive like it's another mapped drive.

Are you giving your opinion on this or are you speaking fact, because quite often I see your responses to my previous questions and others, as a 24/7 attempt to answer with general responses, maybe for the points but maybe to also be helpful I don't know.....and others have also commented the same.
0
 
LVL 5

Expert Comment

by:Antzs
ID: 41755847
Why not just use the Google Native app to access instead of 3rd party app? This would minimize the risk since it will be only accessible from a single source (and you are actually giving permission to a single app instead of multiple apps to access your files).

Depending on how confidential the files are, you may consider putting the files offline and non accessible when connected to the internet. Or maybe host your own online storage server.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755848
I think you are creating an impossible situation. You want to provide access (apparently to people you may not know) but control what they do even though they may have a jail-broken iPhone or an Android that can be programmed.
0
 

Author Comment

by:u587162
ID: 41755851
Hi Anthony,
I agree with your comment - I guess when using Chrome / Gmail / preview - open with feature, there are some useful apps there that, for example, allow you to edit the document in question without the need to faff about opening other dedicated apps or indeed if you don't have e.g. a PDF writer or an application to draw lines or add text, quickly, some of these plug-in type apps can be very useful.

Reading a disclaimer is fine, but if everyone was assuming the risk that John is mentioning, we wouldn't be updating our iOS or Android firmwares because we would all be giving up our data to the software giants.

I'm not saying we expose our data to dodgy web sites or even malware incorporated within peer2peer pirated software, but genuine plug-ins that are being promoted by Google as part of its Google Labs or whatever, must surely have some controls, regardless of what the "legal disclaimer" says.

As explained, I'm not referring to Google Drive on a PC / computer. My question relates purely to the use of plug-ins for the online version of Google Mail and Google Apps. I suppose to some extent, the question could also be extended to Dropbox and its third party plug-ins or Evernote third party plug-ins too.

As the world starts using them, are we now all "100% opening our data for the world to hack" - I should certainly hope not or else these companies have something to answer for in their multi-billion dollar valuations.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755853
>>I suppose to some extent, the question could also be extended to Dropbox and its third party plug-ins or Evernote third party plug-ins too.

I use Dropbox. My document store is password protected and no one snoops - ever.
0
 

Author Comment

by:u587162
ID: 41755854
John - why are you referring to jailbroken phones now? You are using extreme examples for something which I am saying is basic and almost an everyday feature or offering.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755856
You are using the word "snoop". People who snoop are often adept at using tools to snoop.
0
 

Author Comment

by:u587162
ID: 41755857
>>I use Drop Box. My document store is password protected and no one snoops - ever.

So you are choosing to not use other useful third party plug-ins to Dropbox, ok that's your choice. But that doesn't eliminate the question as to whether a fantastically produced productive app, maybe linking Evernote and Dropbox, would have dire side effects.

You remain content with saying what you do without necessarily exploring the other features.  Almost like blocking your ears not wanting to hear the good extended things that are available!
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755858
As an example, I (along with others) have been given access to a Google Document that I cannot copy or save elsewhere. But I was able to create a PDF out of it (for proper purposes). My point is that people don't really understand what they are putting in public places.
0
 

Author Comment

by:u587162
ID: 41755859
Again, you're digressing. Call it snoop, call it hack, call it what you want. It's just a play on words. Ultimately I want to know if there are controls on what a third party app can do and if it ONLY accesses your data when you are using it. I don't think you have the knowledge (no offense) to answer that, and your response is just an opinion.

I'm sure a security minded person here "in the know" might be able to answer that.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41755860
>>Almost like blocking your ears not wanting to hear

Goodbye. I do not need that.
1
 
LVL 14

Accepted Solution

by:
Allen Falcon earned 250 total points
ID: 41756860
When you grant 3rd party access to Google Drive, or to your Google Apps environment in general, the security risk depends on the application itself.

APIs for Google Drive (and Google Apps) are pretty specific as to what the application can and cannot do. There are also broad permissions like "Grant read/write access to all files and data". Lazy 3rd party programmers use the broad permission rather than the granular options.

If the 3rd party app is secure and protects your data from the ISV (independent software vendor, maker of the 3rd party app) employees, your data remains secure and cannot be seen by the ISV employees.  Look for SOC Type II and other security credentials for any third party app.

We also recommend looking at the permissions you are granting (you can see these through the GAFW admin console).  If you are adding an org chart tool, for example, it will need write permissions to Drive in order to save files.  If the permissions don't seem to match the function of the app, you may have an issue.

Finally, your data may be susceptible to bugs in the 3rd party app.  Not too long ago, a 3rd party project management tool had a bug that set users' file permissions to public for all files.  Not a good thing.  It was a programming error in the app.

We strongly recommend a few tools for Google Apps if you are using Drive to store important/critical information and/or have specific security needs (regulatory and/or internal):

Use a tool to monitor and manage file permissions and 3rd party application access, such as BetterCloud Enterprise or CloudLock


Use a Backup/Recovery tool to protect your Drive (and other Google Apps data), such as Backupify for Google Apps

If you have specific security needs, message level email encryption and individual file encryption services may also be appropriate.

Regards,
Allen
1
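The accepted answer's point about broad versus granular Drive permissions, and about permissions that do not match an app's function, as an added example that is not part of the original thread. The scope names are Google's published Drive OAuth scopes; the app names, the sample grants and the `justified_reach` / `needs_write` judgements are constructed for illustration.

```python
# Added example: compare the Drive OAuth scopes an app holds with what its function justifies.
PREFIX = "https://www.googleapis.com/auth/"

# Google's Drive scopes -> (which files the app can reach, read or write).
DRIVE_SCOPES = {
    "drive":                   ("all_files", "write"),
    "drive.readonly":          ("all_files", "read"),
    "drive.metadata":          ("all_metadata", "write"),
    "drive.metadata.readonly": ("all_metadata", "read"),
    "drive.file":              ("per_file", "write"),    # only files opened with or created by the app
    "drive.appdata":           ("app_folder", "write"),  # the app's own hidden settings folder
}
# Ordering of reach from narrowest to broadest (an assumption made for this example).
REACH_RANK = {"app_folder": 0, "per_file": 1, "all_metadata": 2, "all_files": 3}


def assess(app):
    """Return (kind, scope, reason) findings for one app's grant."""
    findings = []
    for scope in app["scopes"]:
        short = scope[len(PREFIX):] if scope.startswith(PREFIX) else scope
        if short not in DRIVE_SCOPES:
            findings.append(("review", scope, "not in the Drive table; check by hand"))
            continue
        reach, mode = DRIVE_SCOPES[short]
        if REACH_RANK[reach] > REACH_RANK[app["justified_reach"]]:
            findings.append(("broad", scope,
                             f"reaches {reach}; function only justifies {app['justified_reach']}"))
        elif mode == "write" and not app["needs_write"] and short + ".readonly" in DRIVE_SCOPES:
            findings.append(("write", scope, "read-only variant would do"))
    return findings


# Constructed sample grants; the app names and judgements are hypothetical.
GRANTS = [
    {"name": "pdf-annotator", "scopes": [PREFIX + "drive.file"],
     "justified_reach": "per_file", "needs_write": True},
    {"name": "project-tracker", "scopes": [PREFIX + "drive"],
     "justified_reach": "per_file", "needs_write": True},
    {"name": "file-search", "scopes": [PREFIX + "drive"],
     "justified_reach": "all_files", "needs_write": False},
    {"name": "org-chart", "scopes": [PREFIX + "drive.file", PREFIX + "gmail.readonly"],
     "justified_reach": "per_file", "needs_write": True},
]

if __name__ == "__main__":
    for app in GRANTS:
        for kind, scope, reason in assess(app) or [("ok", "-", "scopes match function")]:
            print(f"{app['name']:16} {kind:7} {scope} ({reason})")
```

An app holding only `drive.file` can reach the files the user opens with it or that it creates, which is the granular option the answer contrasts with the all-files grant.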
 

Author Comment

by:u587162
ID: 41757238
Thank you, Allen.  That seems like a more informed and reasonable response rather than a "well if you let a third party app access your google drive, you should of course assume your files will be hacked/snooped on".

You've alluded to some technical tools / language that I, as a non-IT person myself, will not be too familiar with. Any suggestions as to how an ordinary person like myself could go about undertaking some very basic risk analysis and explain how not to read too much into it or vice versa?

Thanks.
0
 
LVL 14

Expert Comment

by:Allen Falcon
ID: 41757955
Most of the services offer a free trial.  We typically provide a trial of BetterCloud Enterprise, which lets you run a risk assessment against standard criteria (common regulatory requirements) to get a sense of your current exposure.
0
 
LVL 5

Assisted Solution

by:Antzs
Antzs earned 125 total points
ID: 41758709
I was just researching about disk/volume encryption and got to know that they also support encryption on the cloud.  That means, all data which are saved/stored in the cloud are also encrypted.

So even if the 3rd party app or provider has access to your data it will be encrypted.  This is probably the best way to mitigate the risk of data being accessed by any 3rd party.
0
 

Author Comment

by:u587162
ID: 41762044
Thanks Allen / Anthony. BetterCloud Enterprise sounds interesting, but I am just an ordinary consumer and probably will not have the skills to check to that level.

I guess this is a difficult question to answer definitively.
0
 
LVL 87

Assisted Solution

by:rindi
rindi earned 125 total points
ID: 41762118
Before getting a 3rd party app, check what it is used for. Based on that you will know which of your data it needs access to so it can work, and which data it should not touch. Many apps probably need to have access to your address book for example, or also know your location to work properly.

Once you know that try to find reviews and user experience on the web about that app and the company making it. That can help you decide whether you want to trust that company/app and use it or not.
0
