May 7, 2024 | Updated on: May 9, 2024 | Reading time 14 minutes

Top 10 Low-Risk Applications and Extensions for Google Workspace

Author:
Vice President of Product

Written with:
Sergey Balynsky

VP of Engineering

Google Workspace is an extremely popular SaaS productivity suite used by millions of organizations today. Companies can also extend its features and capabilities with third-party applications and browser extensions to achieve an almost limitless set of features in Google Workspace.

However, this ability to extend Google Workspace features can quickly become a security liability as employees may grant access to untrusted third-party apps with their Google credentials without fully understanding the permissions granted or the data they expose with the integration. Even seemingly harmless and legitimate integrations can pose risks to organizations’ most critical data.

So how do you know if your organization has integrated apps and extensions that are low risk or high risk? Let’s look at the top 10 most popular low-risk applications and browser extensions as of Q2 2024. And for comparison, let’s also take a look at the top 5 most popular, high-risk browser extensions. We will uncover the risks you should know about related to Google Workspace SaaS data stored across Gmail, Drive, Shared Drives, Calendar, Contacts, and Google Sites.

The explosive growth of SaaS

SaaS applications and browser extensions are seeing high growth and adoption across the enterprise.

  • Growth in SaaS Market: The global SaaS industry has seen explosive growth. While the SaaS market was valued at USD 237.48 billion in 2022, it had increased to approximately USD 273.55 billion by the end of 2023. By 2030, the industry is expected to soar to nearly USD 908.21 billion.
  • Adoption Rates: Organizations worldwide have adopted SaaS environments at a rapid pace. An estimated 95% of organizations had adopted SaaS technology by 2023, a 71% increase in the adoption rate since 2018.
  • Future Predictions: By 2025, some 85% of all business applications will be SaaS-based. This statistic reflects the continuing shift towards cloud-based solutions and away from on-premise deployments.

Top 10 Low-risk SaaS apps

LinkedIn

  • Category: Professional Networking
  • Overall Risk: Low
  • Business Risk: High
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: This app has permissions to access a user’s profile information and email
  • Why It Matters: While LinkedIn is considered low risk, the high business risk reflects its central role in professional networking, where data privacy is crucial.

Adobe

  • Category: Creative Software
  • Overall Risk: Low
  • Business Risk: Medium
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Access to profile information and email
  • Why It Matters: Adobe’s suite of creative software is essential for many businesses, making its access to user information a point of interest for ensuring data protection

Dropbox

  • Category: File Storage and Collaboration
  • Overall Risk: Low
  • Business Risk: Medium
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Basic operational permissions
  • Why It Matters: As a popular tool for file storage, Dropbox’s operational security is crucial for safeguarding sensitive business data

Grammarly

  • Category: Writing and Grammar Checking
  • Overall Risk: Low
  • Business Risk: High
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Access to profile information and email
  • Why It Matters: Grammarly helps improve writing quality, but access to sensitive content requires attention to privacy practices

Booking.com

  • Category: Travel 
  • Overall Risk: Low
  • Business Risk: High
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Profile information and email access
  • Why It Matters: In the context of travel planning, protecting personal and travel-related information is key

CloudConvert

  • Category: File Conversion
  • Overall Risk: Low
  • Business Risk: Medium
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Notifications
  • Why It Matters: CloudConvert’s ability to handle diverse file types underlines the importance of secure data handling practices

Coursera

  • Category: Online Learning
  • Overall Risk: Low
  • Business Risk: High
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Access to profile and email
  • Why It Matters: Coursera’s access to educational materials and user data underscores the need for privacy in online learning

Airtable

  • Category: Database and Organization
  • Overall Risk: Low
  • Business Risk: Medium
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Operational permissions
  • Why It Matters: As a tool for database and organization management, Airtable’s security measures are vital for data integrity

Bitly

  • Category: Link Management
  • Overall Risk: Low
  • Business Risk: Medium
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Access to profile information and email
  • Why It Matters: Bitly’s link management services necessitate attention to how user data is managed and protected

Yelp

  • Category: Food, Delivery & Reviews
  • Overall Risk: Low
  • Business Risk: High
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Access to profile and email
  • Why It Matters: Yelp’s access to user information underscores the need for data privacy

Top low-risk browser extensions

Honey: Automatic Coupons & Cash Back

  • Category: Shopping
  • Overall Risk: Low
  • Business Risk: Low
  • Security Risk: Medium
  • Compliance Risk: Low
  • Permissions: Broad access including scripting, web requests, storage, and cookies on all websites
  • Why It Matters: While aimed at saving money for users, the extensive permissions necessitate a balance between functionality and privacy/security

Adblock Plus – Free Ad Blocker

  • Category: Workflow & Planning
  • Overall Risk: Low
  • Business Risk: Low
  • Security Risk: Medium
  • Compliance Risk: Low
  • Permissions: Can block and manage web content across all websites
  • Why It Matters: Even though it enhances the browsing experience by blocking ads, the control over web requests highlights the need for caution

DeepL Translate 

  • Category: Workflow & Planning
  • Overall Risk: Low
  • Business Risk: Low
  • Security Risk: Medium
  • Compliance Risk: Low
  • Permissions: Access to all URLs for translating text, with additional scripting and storage permissions
  • Why It Matters: Facilitates language translation but requires broad website access, emphasizing the importance of user trust in handling data

Tag Assistant Companion

  • Category: Developer Tools
  • Overall Risk: Low
  • Business Risk: Low
  • Security Risk: Medium
  • Compliance Risk: Low
  • Permissions: Scripting and web navigation across all websites
  • Why It Matters: Helps with managing and verifying website tags, with permissions that could potentially access sensitive website data

Floorplanner

  • Category: Unknown
  • Overall Risk: Low
  • Business Risk: Medium
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Notifications
  • Why It Matters: Assists in designing floor plans with minimal permissions, focusing on a specific functionality with low privacy impact

DuckDuckGo Privacy Essentials

  • Category: Privacy & Security
  • Overall Risk: Low
  • Business Risk: Medium
  • Security Risk: Medium
  • Compliance Risk: Low
  • Permissions: Broad permissions to enhance privacy across all websites, including web request blocking and browsing data management
  • Why It Matters: It aims to improve online privacy, but it requires extensive access to block trackers and secure searches effectively

Endpoint Verification

  • Category: Workflow & Planning
  • Overall Risk: Low
  • Business Risk: Low
  • Security Risk: Medium
  • Compliance Risk: Low
  • Permissions: Involves messaging, data storage, and device information access, focused on verifying device security and compliance
  • Why It Matters: Supports IT in securing endpoints, with permissions that highlight the need for trustworthy security practices

Similarweb – Traffic Rank & Website Analysis

  • Category: Developer Tools
  • Overall Risk: Low
  • Business Risk: Low
  • Security Risk: Medium
  • Compliance Risk: Low
  • Permissions: Web request management and data storage across all websites for analyzing web traffic and metrics
  • Why It Matters: Offers insights into website popularity and user engagement

Speechify for Chrome

  • Category: Education
  • Overall Risk: Low
  • Business Risk: Low
  • Security Risk: Medium
  • Compliance Risk: Low
  • Permissions: Scripting and storage across all websites for converting text to speech
  • Why It Matters: Enhances accessibility by reading text aloud, necessitating data access that users should be aware of

Dark Theme for Google Chrome

  • Category: Dark & Black
  • Overall Risk: Low
  • Business Risk: Medium
  • Security Risk: Low
  • Compliance Risk: Low
  • Permissions: Minimal, focused on applying a dark theme to web browsing
  • Why It Matters: Improves user experience by offering a visually comfortable browsing mode, with limited privacy or security concerns

Top 5 High-risk browser extensions 

Docs

  • Category: Developer Tools
  • Overall Risk: High
  • Business Risk: High
  • Security Risk: Medium
  • Compliance Risk: High
  • Developer: Individual person (with a gmail.com email) instead of a company
  • Permissions: Access to specific documentation sites and tab management
  • Why It Matters: Access to tabs and specific URLs creates a risk of data leakage or unauthorized data access, especially if the extension is compromised

Adblock for Youtube™

  • Category: Workflow & Planning
  • Overall Risk: High
  • Business Risk: High
  • Security Risk: Medium
  • Compliance Risk: High
  • Permissions: Blocking web requests, accessing storage, and permissions for all URLs
  • Why It Matters: While intended to block ads, the extension’s capabilities could be misused to block or modify legitimate web requests, potentially leading to data integrity issues

QuillBot for Chrome

  • Category: Communication
  • Overall Risk: High
  • Business Risk: Medium
  • Security Risk: High
  • Compliance Risk: High
  • Permissions: Scripting on specific sites, alarms, storage, cookies, and notifications
  • Why It Matters: The scripting and storage access can be exploited for unauthorized actions within the browser, posing significant security and privacy risks

SEO META in 1 CLICK

  • Category: Developer Tools
  • Overall Risk: High
  • Business Risk: Medium
  • Security Risk: Medium
  • Compliance Risk: High
  • Permissions: Access to the current tab
  • Why It Matters: Access to the current tab can reveal sensitive information about the user’s browsing activity and data on visited websites, potentially leading to privacy breaches

Edge: The Web Ruler

  • Category: Productivity
  • Overall Risk: High
  • Business Risk: High
  • Security Risk: High
  • Compliance Risk: High
  • Developer: Individual person (with no contact email), instead of a company
  • Permissions: Keeping app window always on top and storage access
  • Why It Matters: The ability to keep the app window always on top and access storage poses risks to user privacy and data security, as it could interfere with normal browser operation and access stored data without explicit user consent

Recent examples of security breaches due to SaaS apps and extensions

The real-world implications of SaaS security are far-reaching. Note the following recent examples of SaaS security incidents affecting a large number of users:

  • Malicious ChatGPT Extensions: A fraudulent extension mimicking “ChatGPT for Google” hijacked Facebook accounts and stole login credentials from at least 6,000 corporate accounts and 7,000 VPN accounts. The rapid expansion of unregulated ChatGPT extensions poses a growing threat.
  • Okta Security Breach: A recent incident involving Okta, a well-known authentication platform, potentially exposed sensitive information of thousands of users across various services. This breach highlights the importance of securing identity and access management platforms and their respective SaaS apps, as these are an important part of the security posture of numerous organizations globally. Such breaches can lead to widespread access to corporate systems, data leakage, and severe consequences for organizational security.
  • OpenSea API Breach: OpenSea, a leading NFT marketplace, was involved in a security breach through one of its third-party vendors. The breach resulted in the exposure of user API keys. This exposure allowed unauthorized use of these keys’ allocated rate limits, highlighting vulnerabilities in SaaS cybersecurity frameworks.

How can organizations protect their data? 

Organizations must take a layered approach to secure SaaS environments, encompassing the following strategies:

  • Inventory: Maintain an up-to-date catalog of all SaaS applications and browser extensions integrated with their SaaS environment. This inventory process allows for understanding the various risks introduced in terms of operations, security, privacy, and compliance.
  • Continuous Risk Evaluation: Continual risk evaluation is needed for applications and extensions. This helps to understand the changing SaaS landscape and identify and address security vulnerabilities as they arise.
  • Policy Development and Enforcement: Controls are needed to enforce policies introduced by third-party risk management frameworks. These policies consider the evolving nature and operational demands of extensions and applications in the SaaS environment. They also help to understand the unique business risks and requirements of those extensions and applications. Automation of these policies not only eases the burden on security teams but also ensures SaaS security is applied consistently and effectively.

Organizations must embrace an end-to-end risk management strategy to protect against ongoing threats posed by SaaS applications and browser extensions. This strategy includes the initial discovery of all SaaS solutions and extensions within their network, continuing and proactive risk assessments of these apps and extensions, and using automated systems and contemporary cybersecurity technologies.

Spin.AI’s approach to SaaS risk assessment

Spin.AI’s platform, SpinOne, uses machine learning (ML) technology to gather and evaluate data for the risk assessment of each browser extension and SaaS application. This evaluation process results in a comprehensive security score. The score is created from several factors analyzed in the automated risk assessment. Note the following factors that are analyzed:

  • The extent of permissions requested by the extension or application within the cloud environment
  • The potential for operational disruptions or risks to business processes
  • The security risk introduced by the application or extension
  • Compliance and regulatory risk implications

In practical terms, an extension or application might be deemed high-risk if it displays certain characteristics, including:

  • Requesting broad permissions beyond what its functionality would reasonably require
  • Being developed by a limited number of contributors, potentially a single developer, which could increase the risk of unresolved issues due to limited support or development capacity
  • Lacking frequent updates, which can leave the application vulnerable to security threats
  • Receiving poor feedback or ratings on digital marketplaces or stores
  • The developer’s failure to submit to an independent security or compliance verification
  • Past data breaches associated with the application or extension
  • The application or extension is associated with a developer of unknown reputation, possibly identified only by a generic email address

This approach emphasizes the importance of a detailed analysis of several risk factors influencing the risk profile of SaaS applications and browser extensions.
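
As an added illustration (not SpinOne's scoring logic and not code from this article), the following Python example checks a Chrome extension's `manifest.json` and store listing against the characteristics listed above and returns the ones that apply. The listing field names (`developer_email`, `last_updated`, `rating`, `independently_verified`, `known_breach`), the thresholds, and the list of generic mail domains are assumptions made for the example; the manifest keys and permission names are Chrome's own.

```python
import json
from datetime import date

# Match patterns that grant access to every site (Chrome match-pattern syntax).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that, combined with all-site access, allow reading or altering page traffic.
SENSITIVE_APIS = {"scripting", "webRequest", "webRequestBlocking", "cookies", "tabs", "webNavigation"}
GENERIC_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list of generic mail domains


def host_patterns(manifest):
    """Collect host match patterns from the MV3 and MV2 locations in a manifest."""
    pats = set(manifest.get("host_permissions", []))
    # MV2 mixes host patterns into "permissions"; they contain "://" or are <all_urls>.
    pats |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        pats |= set(cs.get("matches", []))
    return pats


def assess(manifest, listing, today):
    """Return the high-risk characteristics from the list above that apply to one extension."""
    findings = []
    apis = set(manifest.get("permissions", [])) & SENSITIVE_APIS
    if host_patterns(manifest) & ALL_SITES and apis:
        findings.append("broad permissions: all sites + " + ", ".join(sorted(apis)))
    email = listing.get("developer_email")  # hypothetical field name
    if not email:
        findings.append("developer has no contact email")
    elif email.rsplit("@", 1)[-1].lower() in GENERIC_MAIL:
        findings.append("developer identified only by a generic email address")
    if (today - date.fromisoformat(listing["last_updated"])).days > 365:  # assumed threshold
        findings.append("no update in over a year")
    if listing.get("rating", 5.0) < 3.0:  # assumed threshold
        findings.append("poor store rating")
    if not listing.get("independently_verified", False):
        findings.append("no independent security or compliance verification")
    if listing.get("known_breach", False):
        findings.append("past data breach")
    return findings


# Constructed sample input, not a real extension.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Coupon Helper",
  "permissions": ["scripting", "storage", "cookies", "webRequest"],
  "host_permissions": ["<all_urls>"]
}""")
SAMPLE_LISTING = {"developer_email": "dev.example@gmail.com", "last_updated": "2022-11-01",
                  "rating": 2.4, "independently_verified": False, "known_breach": False}

if __name__ == "__main__":
    for finding in assess(SAMPLE_MANIFEST, SAMPLE_LISTING, date(2024, 5, 7)):
        print("-", finding)
```

The output is a list of matched characteristics rather than a score, so a reviewer can see why an extension was flagged before deciding to allowlist or block it.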

SpinOne is a cybersecurity solution that is flexible, customizable, and versatile for app risk assessment and security automation with robust policies and approval processes. It can adapt to fit the app restriction needs of various organizations. If businesses want to be very conservative and block all SaaS apps and browser extensions, or if they are more open to a wide range of allowed SaaS apps for users, SpinOne can be tailored to fit any company’s security protocols for these scenarios and anything in between.

Learn more about SpinOne and SaaS security

To learn more, sign up for a free 15-day trial of SpinOne or request a demo. With SpinOne, you’ll get instant visibility into your environment’s third-party applications and browser extensions in a single dashboard. You’ll see each app, the extension’s risk score, and all the users accessing these apps. You can allowlist/blocklist using configurable automated policies and customized alerts.

To find out more about Google’s integration of the Spin.AI Risk Assessment with the Google Workspace Admin Console, read the Google Cloud Blog article.


DISCLAIMER

This document is an informatory report on cybersecurity and cyber risk and should not be misconstrued as professional consultancy. No warranty or representation, expressed or implied, is made by Spin.AI on the content and information shared in this report. In no event shall Spin.AI or any of its employees, officers, directors, consultants or agents become liable to users of this report for the use of the data contained herein, or for any loss or damage, consequential or otherwise. 


About Author

Davit Asatryan is the Vice President of Product at Spin.AI

He is responsible for executing product strategy by overseeing the entire product lifecycle, with a focus on developing cutting-edge solutions to address the evolving landscape of cybersecurity threats.

He has been with the company for over 5 years and specializes in SaaS Security, helping organizations battle Shadow IT, ransomware, and data leak issues.

Prior to joining Spin.AI, Davit gained experience by working in fintech startups and also received his Bachelor’s degree from UC Berkeley. In his spare time, Davit enjoys traveling, playing soccer and tennis with his friends, and watching sports of any kind.
