Last week at Cloud Next 2019, Google announced that all Android 7.0+ devices can serve as security keys. The reality, however, is that most people do not use 2FA at all, and the second factors that are in common use (codes delivered by SMS or generated by an app) can be relayed by a man-in-the-middle in real time. Google is now working to counter such MITM attacks by blocking sign-ins from embedded browser frameworks.
Embedded browser frameworks allow developers to add web browser instances, like Chromium, into their application. This is useful for letting end users sign into an account via a service like Google, Facebook, or Twitter without having to jump to a full browser.
However, this seamless log-in experience carries a phishing risk. The application that embeds the browser controls it, so a malicious app can present the real Google sign-in page while reading the credentials and second factor as the user types them, and the user has no address bar to check. Google says it is unable to “differentiate between a legitimate sign in and a MITM attack” when the sign-in comes from an embedded browser:
However, one form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework – CEF) or another automation platform is being used for authentication.
Developers are advised to switch to browser-based OAuth authentication, where the sign-in is handed off to the system browser users are already familiar with. Apps send users to Chrome, Safari, Firefox, etc. to enter their password, and the resulting authorization (an authorization code delivered to a redirect URI the app listens on) is then passed back to the third-party client.
Besides keeping the password out of the third-party app's process entirely, this lets users see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to browser-based OAuth authentication today.
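The hand-off described above, as an added example that is not code from the article or from Google: a native app builds the authorization URL, opens it in the system browser, and waits on a loopback listener for the redirect carrying the authorization code (the pattern RFC 8252 describes for native apps). The client ID is a placeholder and the PKCE verifier/challenge step is an addition the article does not mention; the Google authorization endpoint URL is real. Exchanging the returned code for tokens is a plain HTTPS POST and is left out.

```python
import base64
import hashlib
import secrets
import urllib.parse
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Real Google endpoint; the client ID and scope are placeholders assumed for this example.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"
SCOPE = "openid email"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding OAuth and PKCE use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge for a PKCE verifier (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_verifier() -> str:
    """43-character high-entropy verifier; stays in the app and is never put in the URL."""
    return b64url(secrets.token_bytes(32))


def build_authorization_url(redirect_uri: str, state: str, verifier: str) -> str:
    """URL to open in the system browser; the password is typed there, not in our app."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": SCOPE,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(request_target: str, expected_state: str) -> str:
    """Extract the authorization code from the browser's redirect to our loopback listener.

    Any redirect whose state does not match the one we generated is dropped, so a code
    planted by someone else (login CSRF) cannot be bound to this session.
    """
    query = urllib.parse.urlparse(request_target).query
    params = urllib.parse.parse_qs(query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: dropping redirect")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


class _LoopbackHandler(BaseHTTPRequestHandler):
    """Minimal loopback redirect receiver (RFC 8252 section 7.3)."""
    expected_state = ""
    code = None

    def do_GET(self):
        try:
            type(self).code = parse_redirect(self.path, self.expected_state)
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Signed in. You can close this tab.")
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())

    def log_message(self, *args):  # keep the console quiet
        pass


def run_browser_flow() -> str:
    """Open the system browser, wait for one loopback redirect, return the code."""
    server = HTTPServer(("127.0.0.1", 0), _LoopbackHandler)  # ephemeral port
    redirect_uri = f"http://127.0.0.1:{server.server_port}/callback"
    state = b64url(secrets.token_bytes(16))
    verifier = new_pkce_verifier()
    _LoopbackHandler.expected_state = state
    webbrowser.open(build_authorization_url(redirect_uri, state, verifier))
    server.handle_request()  # blocks until the browser redirects back
    if _LoopbackHandler.code is None:
        raise RuntimeError("no valid authorization code received")
    return _LoopbackHandler.code


if __name__ == "__main__":
    print("authorization code:", run_browser_flow())
```

The point of the structure is that the app only ever handles the authorization code and its own verifier; the user's password and second factor are entered in a browser the app does not control, and the address bar is visible throughout.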