5 Replies Latest reply on Dec 12, 2016 4:52 PM by Anonymous

    Security & permissions we grant to products in the Chrome webstore.

    Anonymous

      I would like to learn more about the permissions we grant to products in the Chrome webstore.

       

      I’ll use this product as an example:

       

      Formula Editor

      https://chrome.google.com/webstore/detail/formula-editor/eahijjhckgnmcplbdhdmepaeanimlnjh?utm_source=permalink

       

      Formula Editor would like to:

       

      View and manage your documents in Google Drive

      Connect to an external service

       

      When I click for more information about the “View and manage your documents in Google Drive,” I see this:

       

       

      More info

      Create new documents

      View and modify existing documents

      Share documents with others

       

      How much can they see? This is really a nebulous area for me, and I need it to be crystal clear. I get that basically they need the permission to manage the document my students are working on, but what’s to prevent a malicious developer from going beyond that?  Previously I have stuck to apps that either don’t require intrusive permissions or apps published by Google and very well known companies.  Now that all of my students are on Chromebooks this year, teachers are requesting students install certain apps, which is awesome.  I want to support their work, and at the same time I want to protect the privacy of data stored on students’ and teachers’ Google Drives, and this is especially the case with teachers because they have information about students stored on Google drive -- notes about grades, accommodations, etc…

        • Re: Security & permissions we grant to products in the Chrome webstore.
          Anonymous

          Yes, that's an issue.  And, with the "View and manage your documents in Google Drive" level of permission, yes, a malicious developer could indeed access the contents of all of the files in Drive that that user has access to.  So not installing stuff from developers you're unsure of is a very good idea.

           

          For me, I'd love to see more-granular levels of permission for this sort of app.  For example, I'd love, as the owner of a particular folder that might have sensitive data in it, to be able to say "no third-party apps (or only specifically whitelisted ones) are allowed into this folder tree".

           

          Hope that helps,


          Ian

          2 of 2 people found this helpful
          • Re: Security & permissions we grant to products in the Chrome webstore.
            Anonymous

            Good point Ian Crew about the whitelisting option available in the Admin Console.

             

            And Kris Lockwood , perfectly understandable case and requirement, especially if you're the one responsible when things go awry.

            Personally, whilst security concerns are important to me, I don't want to make my user experience any worse or my learning pathway anymore complicated / less desirable, so it would be great if Google had some kind of monitoring capacity of these third party apps, even though they themselves didn't make them.

             

            May be difficult on the Chrome Web Store, but definitely desirable for Google Play, which comes onto Chrome OS 55.

            1 of 1 people found this helpful
              • Re: Security & permissions we grant to products in the Chrome webstore.
                Anonymous

                Just to be totally clear, Liam:

                 

                My hope is that the ability to designate a folder tree as more secure, with all or most third-party apps blocked, would be an option available to the owner of that folder tree, not just something in the admin console.  At the scale we operate at (~80K accounts across >170 departments), something that requires manual intervention in the admin console is effectively useless.

                 

                I could see giving the admin two different whitelists, one for more secure folder trees and one for everything else, but the designation of which trees are more secure should be up to the folder tree owners.

                 

                Cheers,


                Ian

              • Re: Security & permissions we grant to products in the Chrome webstore.
                Anonymous

                Ian, understood. Especially for the scale of your organisation it's a lot quicker and more effective for that option to be open to Drive folder owners, not just the IT admins.

                • Re: Security & permissions we grant to products in the Chrome webstore.
                  Anonymous

                  There seem to be more open questions relating to this type of security concern than resources for protecting the data in our domains. It would be great if we could escalate this issue to the top feature requests this quarter to get a view from the relevant product teams. Suggest upvoting this feature request which is the earliest I could find that would cover the issue: Control on OAuth tokens applications and scopes