Google announced today on its Security Blog that it will block sign-ins from embedded browser frameworks starting in June. The hope is that such a move will better protect people from man-in-the-middle (MITM) attacks.
Embedded browser frameworks allow developers to include web instances in their applications. For example, Spotify uses embedded browser frameworks to allow folks to sign into their Facebook accounts. The idea behind embedded browser frameworks is to improve the user experience by keeping people in an app instead of kicking them to a full browser if they want to sign into a service.
The problem is that a MITM attack can intercept login credentials and second factors. According to Google, it’s unable to “differentiate between a legitimate sign-in and a MITM attack” in embedded browsers. Google’s solution, then, is to block sign-ins from embedded browser frameworks altogether.
As a result, Google wants developers to switch to browser-based OAuth authentication. That way, apps will send users to Chrome, Safari, Firefox, or other mobile browsers if they want to sign into a service.
It might seem more inconvenient relative to how sign-ins work now, but today’s announcement means that people can see a page’s full URL. That way, people know whether the page they’re typing their login credentials into is legitimate or not.
Developers with apps that requires access to Google Account data are encouraged to switch to using browser-based OAuth authentication today.