Arch Linux

TheCoon

Member

Registered: 2016-05-10

Posts: 42

Gnome Online Accounts (gvfs-goa, gvfs-google) in terms of security

Hi,
I'm interested in understanding how GOA and gvfs-google uses/controls the data in my Google account's various apps (Gmail, Calendar, Drive, etc.), starting from the authentication (OAuth) and all the way on to syncing files to Google Drive.
In terms of permissions, does the GNOME Google app have access to the files in my Drive, or is the GNOME app only a Google entity which is needed for generating tokens for my local system? Does the GNOME app and its owner have actual access to files in my Drive?
I hope I'm being clear, I'm having some trouble putting my thoughts into words. Thanks for any info, maybe someone can point me in the right direction.

ewaller

Administrator

From: Pasadena, CA

Registered: 2009-07-13

Posts: 19,774

Re: Gnome Online Accounts (gvfs-goa, gvfs-google) in terms of security

Welcome to the Arch Linux Forums.

I don't use Gnome, so I cannot answer directly.  You can always go to https://www.google.com/settings/dashboard (you will likely have to provide credentials) and follow  the 'Connected applications and sites' link.  It will tell you to what each entry has access.

---

Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

TheCoon

Member

Registered: 2016-05-10

Posts: 42

Re: Gnome Online Accounts (gvfs-goa, gvfs-google) in terms of security

Thanks for the quick reply!
I'm familiar with the Google Dashboard and I've gone over the info that is listed; the exact permissions the app requests are actually listed even before allowing any app access to the account.
I'm more interested in who actually has direct access to Drive files or Gmail messages, rather than what permissions are granted to the app.
Just to clarify, I'm wondering what "giving" a Google app access actually means - does it mean that gvfs-google will be able to interact with the Google APIs to perform certain actions locally on my system, our does a third party (GNOME app) gain actual access to the listed permissions?
To put it bluntly: Can the GNOME app developer/owner access my Gmail/Drive/etc?

V1del

Forum Moderator

Registered: 2012-10-16

Posts: 21,671

Re: Gnome Online Accounts (gvfs-goa, gvfs-google) in terms of security

Of course he could, as soon as you run someone's code you trust them to not be evil. The good thing about open source is that you can actually verify what it is doing beforehand. And I haven't used GNOME in a while either, but I don't suppose your credentials/token are  being sent to a third party and from a quick and incomplete glance the gvfs code also doesn't do anything suspicious.

mcComBat

Member

Registered: 2011-06-17

Posts: 7

Re: Gnome Online Accounts (gvfs-goa, gvfs-google) in terms of security

Hi guys,
Seconding the question TheCoon asked, I have similar security concerns, and would be really happy if someone could clarify those:
Upon enabling Google sync in GNOME (Calendar, in my case, might be Drive in some other scenario):
1. Why does the "GNOME Google App" request all of the possible permissions to my Google account, when I just want to sync the calendar? And is it possible to limit those?
2. As TheCoon asked, who really does get access to my Google account? Some GNOME App that is located on some servers out there, or a some local GNOME App? This is an important difference, as I'm not sure I can trust some 3rd party server, which I don't even know if exists and where.

Thanks.