Improve Your Google Account Security: A Complete Guide to Connected Apps

BetterCloud

February 20, 2017


If you have a Google account, you’ve likely connected with an app or two that you shouldn’t have. Odds are you’ve not only permitted an obscure app to access your basic Google account information, but you’ve actually given them full access to your account.

In the internet age, that’s playing with fire.

It’s too easy to breezily hit “approve” or check the “I agree” box without a second thought.

In today’s world, data breaches happen regularly. Hackers can turn your life and career upside down with relative ease, and continuing to blindly connect your Google account to any and every app without so much as a second thought is a recipe for disaster.

For Google users, your online security is about securing your Google account, and by proxy controlling the number of apps that are connected to your account. (Of course, setting strong passwords and configuring 2-step verification doesn’t hurt either.)

In this post, we’re going to focus on connected apps, and we’ll help you answer the questions covered in the sections below.

If you read this post in full, I can guarantee two things: Your Google account security will improve, and you’ll gain a comprehensive understanding of connected apps.

What key terms do I need to know in regards to connected apps?

Before we dive in, let’s review some key terms that will provide clarity throughout this post.

  • Google Account: As of early 2016, Gmail joined the billion user club. And that’s just Gmail. According to Google Support, “If you’ve signed in to any Google product before (like Gmail, Google+ or YouTube), you already have a Google Account.” If you’re like me, you likely have several Google accounts (for work and personal use).
  • Connected Apps: A connected app, in the context of this post, is a service that accesses and uses (via authentication) your Google account information to function (or in some cases, simply log in). For Chrome and G Suite users, these connected apps most commonly come in the form of Chrome extensions, SaaS apps, mobile apps, and G Suite add-ons.
  • Software as a Service (SaaS): This is a term we use often on this site. Software as a Service, commonly shortened to SaaS, is a type of application that’s essentially synonymous with the term web app. SaaS apps are accessed via the internet. As TechTarget states, “SaaS removes the need for organizations to install and run applications on their own computers or in their own data centers.” When you check your email online at gmail.com, you’re using a SaaS app.
  • Authentication: User authentication forms a link between your Google account and an app. When you use your Google account to authenticate, you’re enabling an app to access at the very least your email.
  • Permissions: When you authenticate with an app, you’ll need to approve (or in some cases deny) a “Request of permissions.” These permissions vary based on the service you’re authenticating with and require access to your Google account information to function. Sometimes you must approve a lot of permissions; other times very few permissions are requested.

What are connected apps?

Apps connected to your account come in various shapes and sizes. According to Google, they can even be websites.

To simplify, connected apps are those which “you’ve granted permission to access your Google Account.” The most common apps that connect to your Google account are SaaS apps, Chrome extensions, G Suite add-ons, and mobile apps.

What do connected apps have to do with my Google account security?

As noted above, when you authenticate and connect your Google account with an app (which most often occurs when installing a SaaS app, extension, or add-on), you form a link that enables information to flow between your account and the app.

If you’re careless, you may put your personal security and your company’s sensitive information at risk (if you use Google at work).

You’re only as secure as the least secure app your account is connected to, and if you’ve connected to a vulnerable Chrome extension that has excessive access to your account, a hacker may not even need to target you at all. Instead, they can just target the app that has access to your Google account.

Below is a basic summary of the permissions you may encounter when connecting apps with your Google account:

  • Full Access: “When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).”
  • Basic Information: This includes “name, email, gender, or country. You might also see that the app can ‘Sign you in using your Google Account.’ That means that you can sign in to these apps with your Google username and password as long as you’re signed in to Google.”
  • Read and Write Access: This means the app “can post information about your activity on their app or site to Google products you use. For example, you have an app on your phone that lets you track how far you run. If this app has read and write access to Google+, it can post the number of miles you run to your Google+ page.”

To find out which apps are connected to your account, go to myaccount.google.com/permissions.

You’d be surprised how many apps have access to your Google account. In general, you should remove access to any apps or websites you don’t use and those that ask for uncomfortably excessive permissions. “Try to figure out why an app asks for a given set of permissions,” says BetterCloud IT Specialist Nick Church. “It’s a huge red flag if an app asks for any permissions that seem unrelated to the function of the app.”

Pro tip: Before you authenticate with new apps, check user reviews to see if it’s created and maintained by a trusted organization. Apps with thousands of five-star reviews are typically a safer bet than those with a small number of reviews.

Lastly, if you have a Google account for work, your IT team will likely monitor which apps you’ve authenticated (in other words, connected) with your account. This will protect both you and the organization as a whole.
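
The review described above, as an added Python example that is not part of the original article: it sorts each app's granted OAuth scopes into permission levels like those summarized earlier and flags scopes unrelated to the app's function. The scope-to-level mapping, the app names, the `displayText`/`scopes` record shape, and the sample grants are assumptions constructed for illustration.

```python
# Added example (not from the article). The scope-to-level mapping, the app
# names and the sample grants below are constructed assumptions.
BASIC = {"openid", "email", "profile",
         "https://www.googleapis.com/auth/userinfo.email",
         "https://www.googleapis.com/auth/userinfo.profile"}
# Scopes covering a whole product's data, treated here as "full access".
BROAD = {"https://mail.google.com/",
         "https://www.googleapis.com/auth/drive",
         "https://www.googleapis.com/auth/calendar",
         "https://www.googleapis.com/auth/contacts"}
RANK = {"basic": 0, "read": 1, "read_write": 2, "full": 3}

def scope_level(scope):
    if scope in BASIC:
        return "basic"
    if scope in BROAD:
        return "full"
    # Narrower scopes: read-only if named so, otherwise assume read and write.
    return "read" if scope.endswith(".readonly") else "read_write"

def scope_product(scope):
    if scope == "https://mail.google.com/":
        return "gmail"
    # ".../auth/drive.readonly" -> "drive"
    return scope.rsplit("/", 1)[-1].split(".", 1)[0]

def audit(grants, expected_products):
    """Return (app, worst level, unrelated scopes) for apps worth reviewing."""
    findings = []
    for grant in grants:
        scopes = grant["scopes"]
        worst = max((scope_level(s) for s in scopes), key=RANK.get, default="basic")
        needed = expected_products.get(grant["displayText"], set())
        unrelated = sorted(s for s in scopes if scope_level(s) != "basic"
                           and scope_product(s) not in needed)
        if unrelated or worst == "full":
            findings.append((grant["displayText"], worst, unrelated))
    return sorted(findings, key=lambda f: RANK[f[1]], reverse=True)

AUTH = "https://www.googleapis.com/auth/"
SAMPLE_GRANTS = [  # constructed sample data
    {"displayText": "Run Tracker", "scopes": ["openid", "email", "https://mail.google.com/"]},
    {"displayText": "Doc Signer", "scopes": ["email", AUTH + "drive.file"]},
    {"displayText": "Meeting Notes", "scopes": ["profile", AUTH + "calendar.readonly", AUTH + "contacts"]},
]
# What each app plausibly needs, given its function (reviewer's judgement).
EXPECTED = {"Run Tracker": set(), "Doc Signer": {"drive"}, "Meeting Notes": {"calendar"}}

if __name__ == "__main__":
    for app, level, unrelated in audit(SAMPLE_GRANTS, EXPECTED):
        print(f"{app}: worst level {level}; unrelated to function: {unrelated}")
```

Apps that hold only basic scopes, or narrower scopes that match their function, produce no finding; anything with a whole-product scope is listed even when that product is expected, so it still gets a second look.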

For IT: BetterCloud helps IT gain organization-wide clarity into which apps their users have connected with. Organizations can use BetterCloud to take bulk action to close security gaps, whitelist/blacklist apps, and put policies in place that protect against future threats. Schedule a demo today to learn how.

What are SaaS apps?

The term SaaS app is one we use often on this site.

In its most basic form, a SaaS app (sometimes called a cloud app) is one that you access and use via the internet. If you’re wondering whether or not you’re working with a SaaS app, just ask yourself, “Do I need Wi-Fi to use this app to its full potential?”

If the answer is yes, odds are you’re using a SaaS app.

At home, you use SaaS apps like Netflix and Spotify. At work, you use SaaS apps like Dropbox, Slack, Zendesk, and countless others.

For IT, SaaS apps have changed everything. Today, you can find and start using a SaaS app in less than five minutes. Because of this, many employees bypass IT to use the technology they want.

However, when you use your Google account to connect with SaaS apps, you’ve permitted these applications to know–at the very least–your basic account information. As a result, company data exists in too many places to count.

For most, that’s a huge security and compliance risk.

This isn’t an indictment of SaaS apps (personally, I couldn’t live without them). This is a word of caution.

I’m not saying that you shouldn’t connect an app to your Google account. I’m saying that you should keep a critical eye on what apps you connect with to keep yourself and your company safe.

Connecting with a SaaS app

This is the authentication page you will see when connecting your Google account with a SaaS app. Here the app is requesting permission to access your Google account information.

What are Chrome extensions?

Google defines Chrome extensions as “small software programs that can modify and enhance the functionality of the Chrome browser. Extensions have little to no user interface.”

To translate, extensions sit in the corner of your browser and often work across a wide variety of websites. The Google Drive extension is a great example. It enables you to take a screen capture of the web page you’re visiting and save it to your Drive. The extension works nearly everywhere on the internet.

Connecting with a Chrome extension

Chrome extensions request permission to connect with your Google account with a small pop-up window.

What are add-ons?

The term “add-ons” is a G Suite-specific term. G Suite apps, particularly Docs and Sheets, enable users to quite literally “add on” functionality to the app.

Add-ons can be as simple as a dictionary or as robust as a full-fledged project management tool like Smartsheet.

Connecting with Add-ons

Add-ons request permission to connect with your account much like SaaS apps.

What are mobile apps?

TechTarget defines a mobile app as “a software application developed specifically for use on small, wireless computing devices, such as smartphones and tablets, rather than desktop or laptop computers.”

A mobile app is essentially a SaaS app that you use on a mobile device.

As with SaaS apps, mobile apps require some form of authentication. Many mobile apps ask for authentication with Facebook or Twitter instead of with your Google account. However, some mobile apps will request to authenticate with your Google account.

You should know that using your Google account to connect with a mobile app is virtually the same as authenticating with a SaaS app. At the end of the day, you’re granting the app permission to access at least some of your Google account information.

We all love productivity-focused mobile apps. But make sure you separate work and play. When using a personal device, don’t connect any mobile app with the Google account you use for work (unless absolutely necessary or encouraged by your IT department).
