2 of 2 people found this helpful
Yes, that's an issue. And, with the "View and manage your documents in Google Drive" level of permission, yes, a malicious developer could indeed access the contents of all of the files in Drive that that user has access to. So not installing stuff from developers you're unsure of is a very good idea.
For me, I'd love to see more-granular levels of permission for this sort of app. For example, I'd love, as the owner of a particular folder that might have sensitive data in it, to be able to say "no third-party apps (or only specifically whitelisted ones) are allowed into this folder tree".
Hope that helps,
1 of 1 people found this helpful
Good point Ian Crew about the whitelisting option available in the Admin Console.
And Kris Lockwood , perfectly understandable case and requirement, especially if you're the one responsible when things go awry.
Personally, whilst security concerns are important to me, I don't want to make my user experience any worse or my learning pathway anymore complicated / less desirable, so it would be great if Google had some kind of monitoring capacity of these third party apps, even though they themselves didn't make them.
May be difficult on the Chrome Web Store, but definitely desirable for Google Play, which comes onto Chrome OS 55.
Just to be totally clear, Liam:
My hope is that the ability to designate a folder tree as more secure, with all or most third-party apps blocked, would be an option available to the owner of that folder tree, not just something in the admin console. At the scale we operate at (~80K accounts across >170 departments), something that requires manual intervention in the admin console is effectively useless.
I could see giving the admin two different whitelists, one for more secure folder trees and one for everything else, but the designation of which trees are more secure should be up to the folder tree owners.
There seem to be more open questions relating to this type of security concern than resources for protecting the data in our domains. It would be great if we could escalate this issue to the top feature requests this quarter to get a view from the relevant product teams. Suggest upvoting this feature request which is the earliest I could find that would cover the issue: Control on OAuth tokens applications and scopes