Overcome Gmail security assessment for GAS apps


Hari Shankar Das

May 28, 2019, 1:24:32 AM
to Google Apps Script Community

Hello everybody,

I have a GAS app which uses the Gmail API. I have been instructed to go for a security assessment.
I don't send any secure data to a 3rd-party server. I read somewhere that Apps Script apps don't need to have a security assessment unless I use UrlFetchApp. Is that true?

There is so much information flooding here and there. I am confused about which is true. Is there any way I can overcome the security assessment? Does anybody here have any experience with these assessments?

Many thanks in advance.

Eric Koleda

May 28, 2019, 9:45:07 AM
to Google Apps Script Community
Hi there,

As per the user data policy:

Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement.

I've heard from another Googler working closely with the verification team that an Apps Script project that doesn't have any scopes that allow it to transmit user data will be considered a "local client" as per above.

- Eric

Romain Vialard

May 28, 2019, 9:51:26 AM
to Google Apps Script Community
Indeed, here's what I received for an app using Gmail scopes + UrlFetchApp:

No Restricted Scope(s) Requested: You can update your project so that it does not request any restricted scopes, thereby avoiding the security assessment requirement.
Update Scope Type: Upon further review of your request, we noticed that you have selected the following scope in the OAuth Google Cloud Console, which is a scope causing your application to require a security assessment: https://www.googleapis.com/auth/script.external_request

Note that storing data in each user's Google account (e.g. in a spreadsheet or in Google Drive) seems to be accepted, but sending data away via UrlFetch is not.

Hari Shankar Das

May 28, 2019, 10:55:49 AM
to Google Apps Script Community
Thanks, Eric, for the information.

Faustino Rodriguez

May 28, 2019, 11:14:17 AM
to Google Apps Script Community
Same happened to me; however, when I removed the external scope (script.external_request), the add-on OAuth verification was granted the following day.
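The scope combination reported in this thread (a restricted Gmail scope together with script.external_request) can be checked in a project's appsscript.json before submitting for verification. The following is an added example, not code from any poster or from Google: `auditManifest`, the sample manifests and the partial restricted-scope list are assumptions made for illustration, and the list should be confirmed against Google's current documentation.

```javascript
// Partial, assumed list of restricted Gmail scopes; confirm against Google's
// current OAuth verification documentation before relying on it.
const RESTRICTED_GMAIL_SCOPES = new Set([
  'https://mail.google.com/',
  'https://www.googleapis.com/auth/gmail.readonly',
  'https://www.googleapis.com/auth/gmail.modify',
  'https://www.googleapis.com/auth/gmail.compose',
  'https://www.googleapis.com/auth/gmail.metadata',
]);
// Scope named in the verification reply quoted in the thread (UrlFetchApp).
const EXTERNAL_REQUEST = 'https://www.googleapis.com/auth/script.external_request';

// Hypothetical helper: reports whether a manifest declares the combination
// that posters in the thread say triggered the security assessment.
function auditManifest(manifestText) {
  const declared = JSON.parse(manifestText).oauthScopes;
  if (!Array.isArray(declared)) {
    // Without explicit oauthScopes, Apps Script infers scopes from the code,
    // so the manifest alone cannot show what will be requested.
    return { explicit: false, restricted: [], externalRequest: false, flaggedCombination: null };
  }
  const scopes = declared.map((s) => String(s).trim());
  const restricted = scopes.filter((s) => RESTRICTED_GMAIL_SCOPES.has(s));
  const externalRequest = scopes.includes(EXTERNAL_REQUEST);
  return {
    explicit: true,
    restricted,
    externalRequest,
    flaggedCombination: restricted.length > 0 && externalRequest,
  };
}

// Constructed sample manifests (not taken from any real project).
const SAMPLE_WITH_FETCH = JSON.stringify({
  timeZone: 'Etc/UTC',
  oauthScopes: [
    'https://www.googleapis.com/auth/gmail.readonly',
    'https://www.googleapis.com/auth/script.external_request',
  ],
});
const SAMPLE_LOCAL_ONLY = JSON.stringify({
  timeZone: 'Etc/UTC',
  oauthScopes: [
    'https://www.googleapis.com/auth/gmail.readonly',
    'https://www.googleapis.com/auth/spreadsheets',
  ],
});

console.log(auditManifest(SAMPLE_WITH_FETCH));
console.log(auditManifest(SAMPLE_LOCAL_ONLY));
```

A `flaggedCombination` of `null` means the manifest sets no explicit `oauthScopes`, so the scopes actually requested have to be read from the project's settings instead.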