Spotify users can visit Spotify.me, log in to their account, and see some interesting figures and inferences about their listening habits. Although Spotify itself runs this service, users still need to grant it permission to analyze personal account data.
Spotify API authorization prompt
Spotify makes this data (and other platform functions) available to external software developers through its application programming interface (API). Given proper user authorization, programmers may use the Spotify API to operate on private user data: modify playlists, analyze users’ favorite albums, integrate Spotify with voice assistants, and more.
Spotify isn’t unique in giving third-party software access account-holders’ private data. Many other online services offer similar APIs, which enable a variety of valuable use cases. A Slack bot might integrate with Github’s API in order to issue project activity notifications in a team’s Slack channel. A file migration tool might use APIs offered by cloud storage providers (e.g. Dropbox, iCloud, OneDrive) to automatically move files between services. A script might use the Reddit API to export a user’s favorite links.
Online APIs pose privacy risks to users though, as the Cambridge Analytica scandal showed. A researcher developed a personality quiz app that integrated with Facebook’s API. Quiz-takers were unaware that the app harvested information from their Facebook profiles and that of their friends. Cambridge Analytica later used this data for targeted political advertising. Following its revelation in 2018 and the resulting public backlash, Facebook updated their platform to address API privacy risks. Their API would expose fewer private data types, and user consent would automatically expire for unused apps, among other safeguards.
Google API Usage in the Wild
It would be reasonable to expect other online services take similar measures to reduce the exposure of private user data through APIs. However, a cursory glance at one’s Google account authorizations may suggest that this isn’t as strong an assumption as expected.
Google API authorizations granted to Zoom
While Zoom is indeed a valuable product, it’s concerning that an external service can read email data, view calendar events, communicate with unspecified external services, and do so without user interaction. This observation prompted our preliminary investigation into the privacy risks of online APIs and mitigations in place to protect private data. Our research asked the following questions:
What API authorizations do third-party apps tend to request?
What safeguards are present to mitigate risks of API misuse?
To answer these, we examined 987 web apps listed on the G Suite Marketplace as of January 2020. This represents only a small portion of Google API integrations; Google APIs can be integrated into mobile apps, standalone desktop programs, and other classes of software not covered in our corpus. Still, the G Suite Marketplace represents a good cross-section of productivity-focused apps and add-ons, many of which have millions of installations each.
We developed a Selenium script to automate the installation of these apps onto a free @gmail.com test account. For each app, we collected the permissions disclosed on the app authorization screen.
API permissions requested by an app from the G Suite Marketplace
Among our corpus of 987 Marketplace apps, the most commonly requested API permissions were:
50% display and run third-party web content in prompts and sidebars inside Google applications
49% connect to an external service
27% see, edit, create, and delete your spreadsheets in Google Drive
25% allow this application to run when you are not present
21% see, edit, create, and delete all of your Google Drive files
We opted to look more closely at the apps with the ability to connect to an external service. These apps made up nearly half of the corpus. Among the 481 apps that did this, 21% had full access to users’ Google Drive data, 17% could read Gmail data while running as an add-on, and 3% had full access to Contacts data.
As a platform, the G Suite Marketplace does not appear to provide details about what external services apps use or what data is shared with those services. Users have to rely on voluntary disclosures from app developers in order to assess any potential privacy risks Marketplace apps might pose, as shown below. As these disclosures are voluntary; not all apps explain how they use external services.
A Marketplace app disclosing its use of an external service to process LaTeX markup
Google’s policies recognize risks in giving unrestricted access to user data via API. The platform enforces certain limits on the use of API scopes deemed “sensitive” and “restricted”. The strictest limits apply to the use of private Gmail and Drive data, which require verification by Google. We encountered unverified apps during the automated crawl and installation of G Suite Marketplace apps. The platform does allow up to 100 new users to install unverified apps, but it is subject to Google’s discretion. Users are unable to install unverified apps beyond this limit.
Users can still authorize unverified apps below the new-user cap after bypassing a warning
We measured how strictly Google adhered to its stated policy of limiting unverified apps to 100 new users. In our initial crawl of the G Suite Marketplace, we encountered 277 unverified apps, of which 144 were installable and thus included in our analysis corpus. We re-examined those 144 apps 16 days later and found that 124 were still unverified and installable. 24 apps netted more than 100 new users between the two crawls. The following apps are a sample of the largest net user growths:
+9,398 users — Chemistry Question Generator
+7,158 users — YouCanBook.me
+3,632 users — siteMastro
+2,332 users — Hippo Video
+1,135 users — ezShared Contacts
ezShared Contacts is of particular interest. We collected this data in January 2020. The app remains unverified but installable of May 2020. The app also continues to request full access to the user’s Gmail, Drive, and Contacts data.
API permissions requested by ezShared Contacts
Lessons to Re-Learn?
We believe our examination of G Suite Marketplace apps justifies further research into improved disclosure, control, and auditing mechanisms in this area. We don’t need to look far for productive ideas to this end. Mobile platforms have evolved to address some of these issues. For instance, install-time permissions remain common in online API authorizations, but have fallen out of favor in mobile platforms.
Run-time prompts have supplanted install-time permissions in mobile platforms
Although our findings come from a somewhat narrow class of apps that use the Google API, they reveal much opportunity for improving user privacy in the context of online API integrations. These integrations are widely used, but mostly invisible to end-users. It took a major breach of privacy as broad and political as the Cambridge Analytica scandal to bring this issue to the public eye. And while Facebook did indeed take sensible steps in response to that, this does not appear to be universal across online services.
Two Six Labs pushes the boundaries of the possible to protect the future. We design innovative solutions to complex challenges in data, cyber, IoT and beyond. We empower our clients’ critical missions, expanding operational capabilities and bringing new technologies to market.