Query on Data integrity using Third party scripts


Anshul Jain

Jun 25, 2019, 2:27:42 AM
to Google Apps Script Community
Hi,

This may be one of the basic questions in this community. I have recently started using Google Ads scripts (with NO knowledge of code).  Some of these scripts are from third parties too, which request authorization to fetch data from your AdWords account into a spreadsheet.

My concern is with the data integrity of my AdWords account. Can a third party script steal data from my AdWords account?

Thanks in advance.

Regards
Anshul

Alan Wells

Jun 25, 2019, 8:38:36 AM
to Google Apps Script Community
A third party script (or any script) can do anything that the user has granted permissions to.  I don't know your specific case, so it's not really possible to give you a totally definitive answer.  But, I can definitely tell you that many third party scripts do have very broad access to user data, and could absolutely do something malicious.  That's why Google is currently requiring developers to either greatly restrict what their app can do with users' data, or go through a verification process.  The new restrictions haven't been fully implemented yet.  It's important to be able to identify the developer, and decide whether you can trust them or not.  When I developed my first add-on, I used very broad "scopes" (a setting for what the app has access to) because that's all there was available.  Apps Script now has more restrictive scopes that can be used.  This is an issue that most developers probably don't want to talk about, because they want people to trust them and use their app, and don't want to scare users away.  I don't want users scared away either, so I don't like stating that third party apps with broad access to user data have the potential to do something malicious, but that's the truth.  So, it's the responsibility of the app provider to give some assurance that they can be trusted.  If you want to give specific information about the app, and the permissions that you authorized, then maybe someone could give an opinion about the level of trust that you can have.

Matthew Hynes

Jun 26, 2019, 9:52:38 AM
to Google Apps Script Community
This is something we have all been concerned with for a long time. I think the solution is to separate out the developer code from the execution. Give us an option to run the code on our Google domain, and not the domain of the developer; that way we can ensure data never leaves our domains. I wrote up a feature request on the cloud community for this, but it has only 8 upvotes.

Alan Wells

Jun 26, 2019, 12:39:51 PM
to Google Apps Script Community
The code would need to be prohibited from making an external request from the server, or the client; or sending an email; or any possible means of transferring data outside of the account that the code was running in.  I would think that it would be possible for Google engineers to do this.  But the developer needs a way to get paid.  And getting paid means making an external request.  Plus the code needs a way to determine whether the user has paid, and if the subscription is current.  Google would need to provide a payment system, instead of the developer implementing their own payment system.
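Added example, not part of the thread and not any participant's code: a pre-authorization review that lists the scopes and calls through which an Apps Script project could send data outside the account, the channels named in the replies above (external requests and email). It assumes the project ships an `appsscript.json` manifest with an `oauthScopes` list; `auditProject`, the scope and call tables, and the `vendor.example` sample are constructed for illustration.

```javascript
// Added example: static review of an Apps Script project before authorizing it.
// Scope and call lists are a starting set chosen for this example, not exhaustive.
const EGRESS_SCOPES = {
  'https://www.googleapis.com/auth/script.external_request': 'external HTTP requests (UrlFetchApp)',
  'https://www.googleapis.com/auth/script.send_mail': 'sending email (MailApp)',
  'https://mail.google.com/': 'full Gmail access, including sending',
};
const BROAD_SCOPES = {
  'https://www.googleapis.com/auth/drive': 'every Drive file (narrower: drive.file)',
  'https://www.googleapis.com/auth/spreadsheets': 'every spreadsheet (narrower: spreadsheets.currentonly)',
};
// Calls that can move data out of the account. Matches in comments are reported
// too: for a pre-authorization review a false positive is the cheaper error.
const EGRESS_CALLS = /\b(UrlFetchApp\.fetch(?:All)?|MailApp\.sendEmail|GmailApp\.sendEmail)\s*\(/g;

function auditProject(manifestText, sourceText) {
  const scopes = JSON.parse(manifestText).oauthScopes;
  const findings = [];
  if (!Array.isArray(scopes)) {
    // Without an explicit list, Apps Script derives scopes from the code itself.
    findings.push({ kind: 'no-explicit-scopes', item: 'oauthScopes' });
  }
  for (const s of scopes || []) {
    if (EGRESS_SCOPES[s]) findings.push({ kind: 'egress-scope', item: s, why: EGRESS_SCOPES[s] });
    else if (BROAD_SCOPES[s]) findings.push({ kind: 'broad-scope', item: s, why: BROAD_SCOPES[s] });
  }
  sourceText.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(EGRESS_CALLS)) {
      findings.push({ kind: 'egress-call', item: m[1], line: i + 1 });
    }
  });
  const hasExit = findings.some(f => f.kind.startsWith('egress'));
  return { findings, hasExit };
}

// Constructed sample: an add-on that reads the sheet and does a licence check.
const SAMPLE_MANIFEST = JSON.stringify({ oauthScopes: [
  'https://www.googleapis.com/auth/spreadsheets',
  'https://www.googleapis.com/auth/script.external_request',
] });
const SAMPLE_SOURCE = [
  'function checkLicence() {',
  "  var who = Session.getActiveUser().getEmail();",
  "  return UrlFetchApp.fetch('https://vendor.example/licence?u=' + encodeURIComponent(who));",
  '}',
].join('\n');

console.log(auditProject(SAMPLE_MANIFEST, SAMPLE_SOURCE));
```

A finding is not evidence of malice: the licence check in the sample is the kind of legitimate external request the last reply describes, and it is reported all the same because the same channel could carry account data.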