Mmmh, I considered a MITM attack an interception. While maybe making a custom browser (that obviously have access to the webpage) could be considered as "In the Middle" I do not think the definition sticks to it, but they seem to do, given your link. I understand the reasoning but I dont share it, it sort of make sense, but doesnt. If someone got to install a "Chrome Embedded Framework" then they already bypassed the "(in)secure screen", but I see how this could be a problem..
Google doesn't allow auth in a webview. The reasoning is that any application prompting you to login with a 3rd party service (ex: google/facebook/twitter/etc) in a webview can compromise the account.
Technically, they're correct - It's pretty easy to inject code into a webview you own, and it can do basically anything it likes (for example - record the username/password you just entered into the Google login page).
So Google's stance is that you need to use a browser they approve of to access your account, and if they spot a webview they tend to block it and show this message.
I'm conflicted - As someone responsible for doing security audits, their concerns are fair.
As someone who does not believe Google is operating with any vestiges of the "Do no evil" motto, this is also a very convenient way to block new entries to the browser market.
> Google's stance is that you need to use a browser they approve of to access your account
Yeah thats the crazy up situation..... I could maybe access via a imap client, Guess they will ask for an "insecure app password" (I forgot the name of this)
But the thing that blows my mind is that you cannot make your own browser! Thats the problem..... because I was considering to do just that, my own browser, wow, I cannot do it without google approval..... I will need to think about it....
Does anyone know how they're detecting this? User agents can be changed and JS APIs can be modified with very little effort. Short of making something absolutely insane and forcing everyone to go along like they did with SafetyNet on Android, I don't see a way for this to actually work...
5 comments
[ 2.7 ms ] story [ 15.7 ms ] threadIf that is the case, take a look at https://security.googleblog.com/2019/04/better-protection-ag... for the official statement and at https://stackoverflow.com/questions/59480956/browser-or-app-... and all the resources that it links to for some workarounds.
Technically, they're correct - It's pretty easy to inject code into a webview you own, and it can do basically anything it likes (for example - record the username/password you just entered into the Google login page).
So Google's stance is that you need to use a browser they approve of to access your account, and if they spot a webview they tend to block it and show this message.
I'm conflicted - As someone responsible for doing security audits, their concerns are fair.
As someone who does not believe Google is operating with any vestiges of the "Do no evil" motto, this is also a very convenient way to block new entries to the browser market.
Yeah thats the crazy up situation..... I could maybe access via a imap client, Guess they will ask for an "insecure app password" (I forgot the name of this)
But the thing that blows my mind is that you cannot make your own browser! Thats the problem..... because I was considering to do just that, my own browser, wow, I cannot do it without google approval..... I will need to think about it....