“We’re constantly working to improve our phishing protections to keep your information secure,” account security product manager Jonathan Skelker wrote in a blog post. “This is yet another layer of protection on top of existing safeguards like Safe Browsing warnings, Gmail spam filters, and account sign-in challenges.”
With the change, Google’s specifically targeting man-in-the-middle (MITM) attacks, which it says are difficult to detect when they come through automation platforms like embedded browser frameworks. In an MITM attack, the attacker intercepts data exchanged between users and servers in real time and uses it to sign in, behavior that Google can’t differentiate from a legitimate sign-in attempt.
As an alternative to browser frameworks, Google’s suggesting developers use browser-based OAuth authentication, which enables users to see the full URL of the page where they’re entering their credentials. “If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today,” Skelker said.
Today’s announcement comes roughly two years after Google restricted sign-ins using webview, or browsers bundled within mobile apps. In a related development in February, Google said that it was actively testing improved phishing- and malware-filtering models within Gmail. (Google claims that it now blocks more than 100 million more spam emails a day.)