Google bans embedded in-app sign-ins to curb phishing attacks

Google is taking a big step to fight phishing attempts on its users.

In a post on the company’s security blog, Google’s Product Manager of Account Security Jonathan Skelker announced that the search giant will begin to block account sign-ins from embedded browsers within applications.

The problem with embedded browsers, as Skelker lays out, is that it leaves Google’s users susceptible to phishing attacks from bad actors.

Previously, third-party developers could add web browser instances, like the Chromium Embedded Framework, to their apps. This allowed users to log into a service with their existing Google account without having to sign-up for a fresh account on a brand new platform.

While embedded browsers may have made it easy for an app user to sign-up or login, it also made it just as simple for a hacker to carry out a man-in-the-middle phishing attack. Malicious actors could use embedded browser frameworks to essentially eavesdrop on an unsuspecting user and steal their login credentials.

Unfortunately, Google can’t differentiate between legitimate sign-ins and a phishing attack through embedded browser frameworks. Because of this, the company has decided to ban this login method outright.

The company is urging developers using embedded browsers to switch to browser-based OAuth authentication. Basically, when a user wants to login to a third-party app using their Google account, the app would open up the Google sign-in page through their mobile browser. This way users can view the URL of the site to ensure this is a legitimate Google page and not a phishing website imposter.

Google says it will begin blocking sign-ins from embedded browser frameworks in June.