Google is shutting down Google+ following massive data breach


Earlier this year Google started Project Strobe, a review of third-party developer access to Google account and Android device data and of the company's philosophy around apps' data access. Google today is announcing the first four findings and actions from this review. Google is shutting down Google+ for consumers. The company says that users over the years wanted to better understand how to control the data they choose to share with apps on Google+.

So as part of Project Strobe, one of the company's first priorities was to closely review all the APIs associated with Google+. The consumer version of Google+ currently has low usage and engagement: 90% of Google+ user sessions are less than five seconds.

The company has also discovered a bug in one of the Google+ People APIs. Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps via the API. The bug meant that apps also had access to Profile fields that were shared with the user but not marked as public. This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender, and age.
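The access rule and the bug described above, as an added Python example that is not Google's code: the field names come from the article, while the data model, visibility labels, user names and function names are assumptions made for illustration.

```python
# Hypothetical model of the access rule described in the article; not Google's code.
from dataclasses import dataclass

PUBLIC, SHARED = "public", "shared"  # constructed visibility labels


@dataclass(frozen=True)
class ProfileField:
    value: str
    visibility: str                        # PUBLIC or SHARED
    shared_with: frozenset = frozenset()   # user ids allowed to view when SHARED


def visible_to_user(f, viewer):
    """What a signed-in user may see when browsing a friend's profile."""
    return f.visibility == PUBLIC or viewer in f.shared_with


def friend_fields_buggy(profile, granting_user):
    """Flawed rule: the app inherits the granting user's own view of the friend."""
    return {n: f.value for n, f in profile.items()
            if visible_to_user(f, granting_user)}


def friend_fields_fixed(profile, granting_user):
    """Intended rule: an app only receives what the friend marked public.
    The granting user's identity is deliberately ignored here."""
    return {n: f.value for n, f in profile.items() if f.visibility == PUBLIC}


def overexposed(profile, granting_user):
    """Regression check: fields the flawed rule returns beyond the intended set."""
    leaked = set(friend_fields_buggy(profile, granting_user))
    return sorted(leaked - set(friend_fields_fixed(profile, granting_user)))


# Constructed sample: a friend's profile as seen by an app that "alice" authorized.
FRIEND = {
    "name": ProfileField("Bob Example", PUBLIC),
    "email": ProfileField("bob@example.test", SHARED, frozenset({"alice"})),
    "occupation": ProfileField("Engineer", SHARED, frozenset({"carol"})),
    "age": ProfileField("41", SHARED, frozenset({"alice"})),
}

if __name__ == "__main__":
    print("buggy:", friend_fields_buggy(FRIEND, "alice"))
    print("fixed:", friend_fields_fixed(FRIEND, "alice"))
    print("over-exposed:", overexposed(FRIEND, "alice"))
```

A check like `overexposed` belongs in an API's test suite, so that any change that widens the app-facing view past the public set fails before release.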

It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content. The company discovered and immediately patched this bug in March 2018. The company made Google+ with privacy in mind and therefore keeps this API's log data for only two weeks. But a total of up to 500,000 Google+ accounts were potentially affected and up to 438 applications may have used this API. However, Google said that it found no evidence that any developer was aware of this bug or abusing the API, and found no evidence that any Profile data was misused. Google is giving users a period of 10 months (by the end of August) to transition.

Google is also launching more granular Google Account permissions that will show in individual dialog boxes. When an app prompts you for access to your Google account data, it requires that you see what data it has asked for, and you must grant it explicit permission. Consumers will get more fine-grained control over what account data they choose to share with each app. Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box.

Google is also limiting the types of use cases that are permitted. Only apps directly enhancing email functionality, such as email clients, email backup services and productivity services, will be authorized to access this data. Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments.

Google is also limiting apps' ability to receive Call Log and SMS permissions on Android devices, and is no longer making contact interaction data available via the Android Contacts API. Going forward, Google Play will limit which apps are allowed to ask for these permissions. Only an app that you've selected as your default app for making calls or sending text messages will be able to make these requests.