
Google Blocks Gmail's Mail Fetcher

Google has steadily added security features that protect user accounts: SSL access to most services, Google Safe Browsing, Gmail's spam and phishing filters, 2-step verification, phone number verification and Gmail's account activity monitoring.

Sometimes Google's security features are extra paranoid and block Google's own services. I tried to use the mail fetcher feature from a secondary Gmail account and Google mentioned that the authentication failed (it had been enabled before). I entered the right password and Google still couldn't authenticate. Then Google started to show warnings in my main Gmail account, at the top of Google search pages and even sent an email and an SMS message: "Someone recently tried to use an application to sign in to your Google Account. We prevented the sign-in attempt in case this was a hijacker trying to access your account."

Google sent me to this page which says: "We detected activity on your Google Account from a location you don't usually sign in from." The IP address is 209.85.192.147 (mail-pd0-f147.google.com) and it's from the United States. Obviously, it's Google's own IP address.




How do you fix this issue? Go to this page, click "Yes" and "Yes - Continue". From the Google confirmation message: "As a security precaution, Google may prevent an application from accessing your account if it's the first time we've seen this application sign in to your account, or if it's attempting to sign in from a new location."


Then Google sends you to this page and you need to click "Continue" and "sign in using the application you want to authorize access to your account within the next ten minutes."
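The rule Google quotes (block an application sign-in when the app is new to the account or comes from a new location, unless the owner confirms within ten minutes) is easy to model. The following is an added example written for this page, not Google's code: the geo-IP table, the application names ("browser", "mail-fetcher", "imap-client"), the timestamps and the baseline history are constructed. It starts from an account that has never seen the mail fetcher, so the first attempt trips both conditions; the post's complaint is that the rule fired even for a fetcher that had been enabled before.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed IP-to-country table standing in for a geo-IP database.
GEO_TABLE = {
    "209.85.192.147": "US",  # mail-pd0-f147.google.com, the fetcher's own address
    "86.120.0.10": "RO",     # constructed: the account owner's usual address
}

APPROVAL_WINDOW = timedelta(minutes=10)  # "within the next ten minutes"


@dataclass
class AccountHistory:
    known_apps: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    approval_until: Optional[datetime] = None  # set when the owner clicks "Yes - Continue"


def country_of(ip: str) -> str:
    return GEO_TABLE.get(ip, "UNKNOWN")


def evaluate_signin(history: AccountHistory, app: str, ip: str, when: datetime) -> Tuple[str, str]:
    """Block if the app has never signed in to this account or the location is new,
    unless the owner approved such an attempt within the approval window."""
    country = country_of(ip)
    new_app = app not in history.known_apps
    new_country = country not in history.known_countries
    approved = history.approval_until is not None and when <= history.approval_until

    if (new_app or new_country) and not approved:
        reasons = []
        if new_app:
            reasons.append(f"first sign-in by application '{app}'")
        if new_country:
            reasons.append(f"new location {country} ({ip})")
        return "block", "; ".join(reasons)

    # Allowed: remember the app and location, and consume the approval window.
    history.known_apps.add(app)
    history.known_countries.add(country)
    history.approval_until = None
    return "allow", f"{app} from {country}"


def approve_recent_attempt(history: AccountHistory, when: datetime) -> None:
    """Model the owner's confirmation: the next matching sign-in within ten minutes passes."""
    history.approval_until = when + APPROVAL_WINDOW


def demo() -> List[str]:
    """Replay the sequence described in the post with constructed timestamps."""
    history = AccountHistory(known_apps={"browser"}, known_countries={"RO"})
    t0 = datetime(2012, 1, 10, 9, 0)
    fetcher_ip = "209.85.192.147"
    decisions = []
    # 1. The mail fetcher (a Google server in the US) signs in with the right password: blocked.
    decisions.append(evaluate_signin(history, "mail-fetcher", fetcher_ip, t0)[0])
    # 2. A retry 15 minutes later, with no confirmation from the owner: still blocked.
    decisions.append(evaluate_signin(history, "mail-fetcher", fetcher_ip, t0 + timedelta(minutes=15))[0])
    # 3. The owner confirms; a retry 5 minutes later is allowed and remembered.
    approve_recent_attempt(history, t0 + timedelta(minutes=20))
    decisions.append(evaluate_signin(history, "mail-fetcher", fetcher_ip, t0 + timedelta(minutes=25))[0])
    # 4. Later fetches pass without further prompts.
    decisions.append(evaluate_signin(history, "mail-fetcher", fetcher_ip, t0 + timedelta(days=1))[0])
    # 5. A confirmation not used within ten minutes expires: a new app is blocked again.
    approve_recent_attempt(history, t0 + timedelta(days=2))
    decisions.append(evaluate_signin(history, "imap-client", "86.120.0.10", t0 + timedelta(days=2, minutes=11))[0])
    return decisions
```

The model shows why the false positive is hard to avoid from the server side: the fetcher connects from Google's own data center, which is a "new location" relative to the owner's normal sign-ins, and the check has no way to tell a first-party service from an attacker's script without a separate allowlist.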


Unfortunately for Google, it wasn't even the first time Gmail's mail fetcher had been enabled for that account. Google should find a way to make Gmail's mail fetcher work without having to jump through hoops.

Security Notifications for Google Accounts

A Google help center page mentions a new feature that will be added to the Google Account settings page: security notifications.


"Google notifies you via email and/or text message when your password is changed, and when we detect a suspicious attempt to sign in to your account. If you receive a notification about a password change you didn't make, or an attempt to sign in to your account that wasn't you, these email and text message notifications will provide details on next steps to help you secure your account," informs Google.

This feature should be available under the "security" tab of the Account Settings page, but I don't see it. Maybe it's enabled in your accounts.

In other related news, the Account Settings page has a new interface and shows information about your account activity, a large photo from your profile and Google Drive storage data.


{ Thanks, Herin. }

Android Market's Malware Scanner

Google doesn't like to manually review user-generated content. It's not efficient and algorithms can do a better job. Imagine how many people would need to be hired to watch all the videos submitted to YouTube (60 hours of videos uploaded every minute).

In some ways, uploading an application to the Android Market is just like uploading a video to YouTube. Sure, you need to pay a fee, but you don't have to wait until a Google employee checks the application. Unfortunately, this also means that the application can include malware, deceive users, crash or spam your contacts. Until now, Google usually reviewed an app only after enough users reported it as malicious.

Now there's a new service called Bouncer "which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process. The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here's how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google's cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior".
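The static part of what Google describes (match against known malware, look for suspicious behavior, compare with previously analyzed apps) can be sketched as a triage pass over submissions. The code below is an added example written for this page, not Bouncer's code or any Android Market API: the APK contents, hash database, permission profiles and red-flag combinations are constructed, and the dynamic step (running the app on Google's infrastructure) is out of scope. It returns one of three verdicts so that only confirmed matches are rejected outright while behavioral red flags go to review.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class App:
    package: str
    apk_bytes: bytes             # constructed stand-in for the APK contents
    permissions: FrozenSet[str]  # as declared in AndroidManifest.xml


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature database: hashes of APKs previously classified as malware.
KNOWN_BAD_HASHES = {sha256_hex(b"constructed: repackaged game carrying a known trojan")}

# Constructed permission profiles of previously analyzed malicious apps.
BAD_PROFILES = [
    frozenset({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
               "android.permission.READ_CONTACTS", "android.permission.INTERNET",
               "android.permission.READ_PHONE_STATE"}),
]

# Permission combinations that warrant a closer look regardless of prior data.
RED_FLAG_COMBOS = [
    (frozenset({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}),
     "can send SMS and read the replies (premium-SMS / interception pattern)"),
    (frozenset({"android.permission.READ_CONTACTS", "android.permission.INTERNET"}),
     "can read the address book and upload it"),
]


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def analyze(app: App, similarity_threshold: float = 0.75) -> Tuple[str, List[Tuple[str, str]]]:
    """Static triage of one submission: 'reject' (known malware), 'review' (red flags)
    or 'publish' (nothing found), together with the findings that led there."""
    findings: List[Tuple[str, str]] = []

    digest = sha256_hex(app.apk_bytes)
    if digest in KNOWN_BAD_HASHES:
        findings.append(("known_malware", digest[:16]))

    for combo, label in RED_FLAG_COMBOS:
        if combo <= app.permissions:
            findings.append(("red_flag", label))

    # Compare the permission set with previously analyzed malicious apps.
    best = max((jaccard(app.permissions, profile) for profile in BAD_PROFILES), default=0.0)
    if best >= similarity_threshold:
        findings.append(("similar_to_known_bad", f"jaccard={best:.2f}"))

    if any(kind == "known_malware" for kind, _ in findings):
        return "reject", findings
    return ("review" if findings else "publish"), findings


# Constructed submissions.
SUBMISSIONS = [
    App("com.example.flashlight", b"constructed: flashlight 1.0",
        frozenset({"android.permission.CAMERA", "android.permission.INTERNET"})),
    App("com.example.freegame", b"constructed: repackaged game carrying a known trojan",
        frozenset({"android.permission.INTERNET"})),
    App("com.example.smsbackup", b"constructed: sms backup 2.1",
        frozenset({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                   "android.permission.READ_CONTACTS", "android.permission.INTERNET"})),
]


def triage_all(apps: List[App] = SUBMISSIONS) -> Dict[str, str]:
    return {app.package: analyze(app)[0] for app in apps}
```

A hash match is the only signal strong enough to reject on its own; the similarity and red-flag signals are cheap to evade (add or drop one permission) and cheap to trigger legitimately (an SMS backup tool really does need SMS permissions), which is why a real pipeline follows them with the dynamic analysis Google mentions.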

That seems like a great idea: Google actually tests the apps without having to wait until other users install them and notice there's something wrong. The bad news is that this service has been running since last year and was already used to find potentially malicious apps. Despite that, the DroidDream-infected apps were found by a security vendor, not by Google.

"The service has been looking for malicious apps in Market for a while now, and between the first and second halves of 2011, we saw a 40% decrease in the number of potentially-malicious downloads from Android Market. This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that malicious applications are on the rise," says Google. Another explanation could be that Google's service is not good enough.

Google also says that Android "makes malware less potent" because it uses sandboxing, it displays the list of permissions and Android Market can remotely remove malware. I don't think that most of the users read the list of permissions. They simply ignore them, click "OK" and install the application. Maybe it would be a better idea to require users to explicitly approve sensitive permissions at the moment an app first uses them, instead of all at once at install time.

While security vendors try to scare Android users and push their products, Google should focus on removing spam and malware from the Android Market and make it a safer place. Improving Android's security model and finding ways to install security updates faster are also important.

Google Encrypted Search for Logged-in Users

Google announced that in the coming weeks all Google.com users that are logged in will be redirected to Google Secure Search. The secure version of Google Search was launched last year and now includes all the features from the regular Google interface. The main difference is that the connection is encrypted, so only you and Google know the queries you've typed. ISPs, network administrators, those who intercept your connection and the webmasters of the pages from Google's search results won't be able to see your searches. An observer on the network can still tell that you connected to Google (the DNS lookup and the TLS handshake expose the hostname), but not what you searched for. "SSL encrypts the communication channel between Google and a searcher's computer. When search traffic is encrypted, it can't easily be decoded by third parties between a searcher's computer and Google's servers," as Google says.

"As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we're enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra 's') when you're signed in to your Google Account. This change encrypts your search queries and Google's results page. This is especially important when you're using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe," explains Google.


Right now, https://www.google.com no longer redirects to https://encrypted.google.com and Google no longer informs users that they're using Secure Search. It's important to keep in mind that no other major search engine offers this feature and that SSL has a performance penalty (an extra handshake before the first request), which means that search results pages will load slower. This is especially noticeable when you use Google Instant and the results won't show up as fast as before.

After the security incident of December 2009, Google went to great lengths to make its services more secure. Most services that require authentication default to SSL and many no longer offer unencrypted versions. It's interesting to see that Google Search will be treated just like Gmail, Google Docs, Google+ and other services that store user data, even if this change won't make too many people happy: users will complain that search results pages load slower, webmasters will complain that their logs will be less useful, AdSense ads on the landing pages will no longer be able to use the referring Google query for targeting (so fewer users will click them), and companies won't be able to monitor their employees' Google searches. Google already offers some solutions that address these issues: webmasters can use Google Webmaster Tools to find the most popular Google searches that sent users to their sites, while network admins can try the NoSSLSearch option.
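Webmasters recovered search terms from the Referer header, which for an HTTP results page carried the full URL including the q= parameter. The following is an added example written for this page, not Google's code or a Google Webmaster Tools API: it pulls queries out of constructed Apache "combined" log lines and counts the Google referrals that carry none. The query-less referrer in the third line is an assumption about what a site sees after the change, consistent with the post's point that webmasters will no longer be able to find the searches.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format; the Referer is the first quoted field after the size.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# google.com, www.google.com, encrypted.google.com, www.google.co.uk, ...
GOOGLE_HOST_RE = re.compile(r"^(?:[\w-]+\.)*google\.[a-z]{2,3}(?:\.[a-z]{2})?$")


def is_google_referer(referer: str) -> bool:
    host = urlparse(referer).hostname or ""
    return bool(GOOGLE_HOST_RE.match(host))


def query_from_referer(referer: str) -> Optional[str]:
    """Return the search terms a webmaster can read out of a Google Referer, or None
    when the header is absent ("-"), not from Google, or carries no q= parameter."""
    if referer in ("", "-") or not is_google_referer(referer):
        return None
    terms = parse_qs(urlparse(referer).query).get("q")
    return terms[0] if terms else None


def summarize(lines: List[str]) -> Tuple[Dict[str, int], int]:
    """Count recoverable queries, and Google referrals whose query is hidden."""
    visible: Dict[str, int] = {}
    hidden = 0
    for line in lines:
        match = COMBINED_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        referer = match.group("referer")
        terms = query_from_referer(referer)
        if terms is not None:
            visible[terms] = visible.get(terms, 0) + 1
        elif is_google_referer(referer):
            hidden += 1
    return visible, hidden


# Constructed log lines: two HTTP-era referrals with the query, one query-less
# referral from a signed-in (HTTPS) searcher, and one direct visit.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2011:10:01:12 +0000] "GET /gmail-fetcher.html HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?hl=en&q=gmail+mail+fetcher+blocked" "Mozilla/5.0"',
    '10.0.0.6 - - [19/Oct/2011:10:02:40 +0000] "GET /bouncer.html HTTP/1.1" 200 4096 '
    '"http://www.google.co.uk/search?q=android+market+bouncer&ie=utf-8" "Mozilla/5.0"',
    '10.0.0.7 - - [19/Oct/2011:10:03:05 +0000] "GET /gmail-fetcher.html HTTP/1.1" 200 5120 '
    '"https://www.google.com/" "Mozilla/5.0"',
    '10.0.0.8 - - [19/Oct/2011:10:04:59 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Running `summarize(SAMPLE_LOG)` recovers the two HTTP-era queries and counts the HTTPS referral as hidden; the direct visit is neither. The same parser is what a network administrator would run against proxy logs, and it fails for the same reason once the results page is served over SSL.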

It's an important change, but I don't see why signed-in users should be treated differently and why protecting user queries outweighs the drawbacks mentioned earlier. One of the explanations could be that search will no longer be a distinct service and will integrate with Google+, Gmail, Google Docs so much that it will be hard to notice when you've switched to a different app. Larry Page, Google's CEO, has recently said that "our ultimate ambition is to transform the overall Google experience, making it beautifully simple, almost automagical, because we understand what you want and can deliver it instantly. This means baking identity and sharing into all of our products so that we build a real relationship with our users. Sharing on the Web will be like sharing in real life across all your stuff."