Experience going through the Gmail security assessment


Robert Gagliano

May 30, 2019, 10:57:38 PM
to Google Apps Script Community
Hi

Did anyone go through the Gmail scope security assessment earlier this year? If so:
  • What type of application were you seeking approval for (add-on, web app, etc)?
  • What was involved?
  • What did it cost you?
  • Would you do it again?
  • Any tips you could provide others?
Thanks in advance.

Robert

Faustino Rodriguez

May 31, 2019, 8:01:42 AM
to Google Apps Script Community
I was asked to do that, but avoided it by removing the auth/script.external_request scope from the add-on.
That scope, in combination with a gmail scope, triggered the security assessment requirement in my case.

p.s. I wouldn't go that path anyway

Robert Gagliano

May 31, 2019, 10:43:12 AM
to Google Apps Script Community
Thanks Faustino. The script.external_request is a very difficult one for us to remove.

We have a paid add-on that stores subscription and usage data externally. The data needs to be multi-user / domain based so I am not sure it is possible to use the PropertiesService or Drive for that...

Steve Webster

May 31, 2019, 10:52:48 AM
to google-apps-sc...@googlegroups.com, Robert Gagliano
@Robert Gagliano  I'm hoping the "script.external_request" only applies if the Gmail or Drive sensitive scopes are also used. In fact, that is what Faustino stated, "... That scope, in combination with a gmail scope, ..".

Kind Regards,

Steve Webster
SW gApps, President 
Google Product Expert in: Google Apps Script, Drive, and Docs 
Google Vendor (2012-2013) || Google Apps Developer Blog Guest Blogger 
Add-ons: Text gBlaster and Remove Blank Rows



Robert Gagliano

May 31, 2019, 11:00:29 AM
to Google Apps Script Community
Thanks Steve. Yeah, I use Drive today so it would have been a good option to remove the external request scope (if it were possible).



Dimu Designs

May 31, 2019, 3:02:08 PM
to google-apps-sc...@googlegroups.com
From my understanding, the "script.external_request" scope triggers a security assessment for apps that use it to store data on servers external to Google.

If that's the case, then if I store data using a Google based storage solution, like Cloud Datastore/Firestore, would that be sufficient to avoid the security assessment process altogether?

Robert Gagliano

May 31, 2019, 3:10:27 PM
to google-apps-sc...@googlegroups.com
I don't think the qualification is Google vs non-Google. Although, I wish that were the case!

From an earlier post by Eric, it is when the application sends and retrieves data locally without transmitting externally.

Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement.
 
I've heard from another Googler working closely with the verification team that an Apps Script project that doesn't have any scopes that allow it to transmit user data will be considered a "local client" as per above. 




Romain Vialard

Jun 2, 2019, 5:12:05 AM
to Google Apps Script Community
Ajay Goel, the author of GMass (an app using the Gmail API but not really linked to Apps Script) started a live post of his own security assessment (still at an early stage):

Robert Gagliano

Jun 2, 2019, 10:13:54 AM
to google-apps-sc...@googlegroups.com
Thank you Romain. Interesting read so far. Sounds like a slow process.



Hoang Trinh

Sep 26, 2019, 3:25:49 AM
to Google Apps Script Community
I'm using Firestore and I can confirm that even if I use the "script.external_request" scope, Google verified it quickly (just about 1 week).

Dimu Designs

Sep 26, 2019, 8:31:32 AM
to Google Apps Script Community
Good to know!