“We’re constantly working to improve our phishing protections to keep your information secure,” account security product manager Jonathan Skelker wrote in a blog post. “This is yet another layer of protection on top of existing safeguards like Safe Browsing warnings, Gmail spam filters, and account sign-in challenges.”
With the change, Google is specifically targeting man-in-the-middle (MITM) attacks, which it says are particularly difficult to detect when sign-ins come from automation platforms such as embedded browser frameworks. In a MITM attack, the intermediary intercepts the data exchanged between the user and the server in real time to harvest credentials, and from Google's side that traffic cannot be told apart from a legitimate sign-in attempt.
As an alternative to embedded browser frameworks, Google is suggesting that developers use browser-based OAuth authentication, which enables users to see the full address of the page where they’re entering their credentials. “If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today,” Skelker said.
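As an added illustration (not Google's code and not from the article), here is the browser-based pattern Skelker recommends, in Python: the app hands sign-in off to the system browser and receives the authorization code on a loopback redirect, so the user sees the real accounts.google.com address instead of an embedded frame. The authorization endpoint is Google's real one; the client id, the loopback port and the state/PKCE handling are assumptions for illustration.

```python
import base64, hashlib, secrets, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Google's authorization endpoint is real; client id and loopback port are placeholders.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com"  # placeholder
REDIRECT_URI = "http://127.0.0.1:8765/callback"          # assumed free loopback port

def make_pkce():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_auth_url(state, challenge, scope="openid email"):
    """URL the system browser opens, so the user sees accounts.google.com in the address bar."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urlencode(params)

def parse_callback(path, expected_state):
    """Pull the authorization code out of the loopback redirect; reject a wrong state."""
    query = parse_qs(urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this client")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]

def run_flow():
    """Open the system browser, then wait on loopback for exactly one redirect."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce()
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, state)
                self.send_response(200)
            except ValueError as exc:
                result["error"] = str(exc)
                self.send_response(400)
            self.end_headers()

    server = HTTPServer(("127.0.0.1", 8765), Handler)
    webbrowser.open(build_auth_url(state, challenge))
    server.handle_request()  # code + verifier are then exchanged at the token endpoint
    return result, verifier
```

The returned code and verifier are exchanged for tokens at Google's token endpoint in a separate request; the state check is what stops a forged redirect from being accepted.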
Today’s announcement comes roughly two years after Google restricted sign-ins from web views, the browsers bundled inside mobile apps. In a related development in February, Google said it was actively testing improved phishing- and malware-filtering models within Gmail and claimed that it now blocks more than 100 million additional spam emails a day.