To increase protection against man-in-the-middle (MitM) attacks, Google will, starting in June, block sign-ins from embedded browser frameworks, which are used in some forms of phishing.
Embedded browser frameworks let developers add browsing capabilities to an application. One example is the Chromium Embedded Framework (CEF), which essentially allows embedding Chromium-based browsers in apps.
Embedded browser frameworks hard to detect
Jonathan Skelker, Product Manager for Account Security at Google, says that Google cannot “differentiate between a legitimate sign in and a MITM attack on these platforms.” The solution to this problem is to block login actions through these platforms.
This measure affects developers, who lose an easy way to offer authentication in their apps. The recommended alternative is browser-based OAuth authentication, which lets an app obtain access to an account without ever handling the user's username and password.
“Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” Skelker says, strongly recommending that developers make the switch.
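As an added illustration of the browser-based flow the article recommends (this is not code from Google or from the article), the Python sketch below opens the sign-in in the user's system browser with an OAuth 2.0 authorization-code request plus PKCE and checks the state on the loopback callback. The authorization endpoint, client ID and loopback port are placeholders, not real values.

```python
"""Browser-based OAuth 2.0 sign-in for a native app (RFC 8252 pattern): the
sign-in page opens in the system browser, not an embedded frame, and the code
returns on a loopback redirect. Endpoint, client ID and port are placeholders."""
import base64
import hashlib
import secrets
import urllib.parse
import webbrowser

AUTHORIZE_ENDPOINT = "https://accounts.example.com/oauth2/auth"  # placeholder
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"                              # placeholder
REDIRECT_URI = "http://127.0.0.1:8765/callback"                  # loopback, assumed port


def code_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(state: str, challenge: str, scope: str = "openid email") -> str:
    """Authorization-code request URL; the user sees it in full in the address bar."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the loopback redirect, or raise."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: response was not issued for this request")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def start_sign_in() -> dict:
    """Launch the system browser; keep state and verifier for the token exchange."""
    state = secrets.token_urlsafe(16)
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    url = build_authorize_url(state, code_challenge(verifier))
    webbrowser.open(url)  # system browser, so the real URL is visible to the user
    return {"state": state, "code_verifier": verifier, "authorize_url": url}
```

The app then exchanges the returned code together with `code_verifier` at the token endpoint; the credentials themselves are only ever typed into the system browser.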
Google’s steps to protect user logins
Denying authentication from embedded browser frameworks is a measure similar to the restriction Google announced in 2016 on web views, which are also embedded browsers.