Have you been asked to undergo a security assessment for any of your GAS Apps or Add-ons?


Faustino Rodriguez

Mar 28, 2019, 10:56:03 AM
to Google Apps Script Community
I got a security assessment request for an unlisted add-on using some limited Gmail scopes, see a fragment of the message below,

"We reviewed your project and it appears to be in compliance with the Google API Services User Data Policy.
However, as part of this review, we concluded that your application is sending Google user data from a Restricted Scope to a developer’s or third party’s servers. This usage requires that your app undergo a security assessment to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request ..."

I believe there was a confusion somewhere, because we are only using Google servers, and as I understand from this page, under the "Security Assessment" section

Security Assessment

To help keep user data safe, we are requiring apps that store data on non-Google servers to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request.

Does anybody have some experience or advice on how to deal with this situation?

I already replied to that message with more details and explanations, but no answer yet
Thanks

Eric Koleda

Mar 28, 2019, 11:14:38 AM
to google-apps-sc...@googlegroups.com
Does your script make any UrlFetchApp calls to non-Google servers? Or load client-side resources (images, scripts) from them?


Bruce Mcpherson

Mar 28, 2019, 11:45:05 AM
to Google Apps Script Community
Eric

If I understand you correctly, this would move pretty much any app that used non-Google APIs or included any <scripts> from a non-Google CDN into this category. This seems a little extreme. There would be virtually no client apps that don't do some of this.



Faustino Rodriguez

Mar 28, 2019, 11:58:07 AM
to Google Apps Script Community
That's a great question ... I am checking ...

+ I found one of those; it was a leftover from a test I did and it is not actually in use, but that might be the culprit
- I was testing the postmarkapp service as an alternative, but we decided not to use it; it was this line:
UrlFetchApp.fetch('https://api.postmarkapp.com/email', options);

- I just removed that code and redeployed the add-on

Let's see how it goes now
Thanks a lot Eric !!

Eric Koleda

Mar 28, 2019, 12:09:49 PM
to google-apps-sc...@googlegroups.com
To be clear, I don't know exactly what the criteria is for "non-Google" servers, or how it's measured. I'll ask around and see if I can get more information on that.

- Eric


Stéphane Giron

Apr 2, 2019, 4:00:38 AM
to Google Apps Script Community
Hello

On my side I also experienced the new process which seems more precise.

Initially I requested the scope :

For the review I had to provide this :

To proceed with the approval process, please reply to this email and provide a YouTube link to a demo video, in English, that showcases in detail:

  1. How to log into your project (ensuring that the URL bar with the client ID is clearly visible)
  2. How to request an OAuth token (OAuth Consent Screen/Permissions Page)
  3. How your project's functionality utilizes the requested scopes:

After the first video it was not sufficient, so I went into detail and showed my Apps Script code and the application, and explained what the app does and what the code does. Not a big video, but around 2 minutes.

I also removed the scope drive.activity, as in fact it was a prerequisite for v2 of the application but the code was not finalized. Usually I do that so users don't have to accept scopes multiple times.

It was just for sharing my experience :-) It takes more time, but it is more secure for users if all applications are checked like that.

Stéphane 

Faustino Rodriguez

Apr 17, 2019, 2:39:11 PM
to Google Apps Script Community
Hi @Eric 
It looks like @Bruce's concern about a too broad restriction might be even worse
- Like just by using the UrlFetchApp.fetch() function, might take you to the security assessment scenario

After a few exchanges on the verification process for this add-on, I got the following message from the "Google Cloud Platform/API Trust & Safety" (from api-oauth-dev...@google.com):

"Since your application has external request scope for appscript, it uses server storage and will require security assessment."

I don't know exactly what they mean with "it uses server storage"
- but definitely the add-on only uses the Google ecosystem, nothing out of it

@Eric, could you provide some help on this topic?

@everyone:
Am I the only lucky GAS developer facing a "security assessment" requirement or do I have some company?

Thanks Fausto

Steve Webster

Apr 17, 2019, 3:24:20 PM
to google-apps-sc...@googlegroups.com

Interesting that on this Google web page the security assessment is "optional".

However, Google reviewers are NOT making it optional. The referred web page should be updated that it may be "required".

Since the cost varies based on complexity the cost has a range of $15,000 to $75,000 USD.

It would be ideal if Google could consider the following, before I consider paying for this. 

1. A contract that lists scopes that flags a security assessment guaranteed for 1 year (not allowed to add more scopes during that year unless Google pays for the additional security assessment).

2. Any updated versions to the developer's add-on or app listed on G Suite Marketplace do NOT require a new assessment, unless a new sensitive scope is used in the code (see #1 above).

3. Google provides the necessary requirements that a third-party auditing firm needs AND allow developers (organizations) to shop for their own auditing firm, instead of the current two firms listed -- not enough competition to lower prices.

Kind Regards,

Steve Webster
SW gApps, President 
Google Product Expert in: Google Apps Script, Drive, and Docs 
Google Vendor (2012-2013) || Google Apps Developer Blog Guest Blogger 
Add-ons: Text gBlaster and Remove Blank Rows



Stéphane Giron

Apr 17, 2019, 3:26:55 PM
to Google Apps Script Community
What URL do you call in your urlfetch()?

Stéphane

Steve Webster

Apr 17, 2019, 3:48:45 PM
to google-apps-sc...@googlegroups.com
@Stéphane, I'm thinking of all those add-ons and apps that use a third-party payment collector like Stripe. Another is Twilio that can send both SMS and email. To justify the cost, up to 30% of revenue may be acceptable. For example, if someone generates $25,000 a year in revenue and if the security assessment costs $7,500, that's 30%.

However, with only two auditing firms to choose from they state the cost is $15,000 to $75,000. I would hope increasing the number of auditing firms to choose from could lower prices. As of now, one would need to generate $50,000 per year to justify $15,000 fee ($50k x .30). Or, $250,000 per year revenue to justify $75,000 fee ($250k x .30).


Kind Regards,

Steve Webster
SW gApps, President 
Google Product Expert in: Google Apps Script, Drive, and Docs 
Google Vendor (2012-2013) || Google Apps Developer Blog Guest Blogger 
Add-ons: Text gBlaster and Remove Blank Rows


Stéphane Giron

Apr 17, 2019, 3:54:00 PM
to google-apps-sc...@googlegroups.com
On my side, as I said in my comment, I made a review and had to show my code in a video, but the URL called was a Google API.

My point about urlfetch: if the URL called is a specific personal URL, maybe Google needs an assessment to confirm security. If you use a Google/GCP/Firebase database, Google knows security is respected.

Stéphane


Faustino Rodriguez

Apr 17, 2019, 4:12:51 PM
to Google Apps Script Community
- I believe the UrlFetchApp.fetch() becomes a problem when the script is using any Gmail scope
- In this add-on it is just gmail.readonly and gmail.send (it is a custom unlisted mail merge add-on that uses Gmail drafts as templates)

- UrlFetchApp.fetch() is calling a Google Form URL that posts error messages in a Google Spreadsheet
so everything is within Google servers as they mentioned in the page included in the first message

I am already planning on removing the UrlFetchApp.fetch() calls altogether for this add-on, in case that would avoid the assessment
- But, we need to know what are the actual rules about the security assessment requirement, so we can work within those limits

Alan Wells

Apr 17, 2019, 4:42:02 PM
to Google Apps Script Community
It has nothing to do with UrlFetchApp.fetch() calls.  You are using a restricted scope.  The "gmail.readonly" scope IS a restricted scope.  You might think that it shouldn't be, but that doesn't matter.  See the following list.

Faustino Rodriguez

Apr 17, 2019, 4:57:16 PM
to Google Apps Script Community
I understand it is a restricted scope, 
- but that doesn't force the security assessment requirement
- as they said in the FAQ: 
"To help keep user data safe, we are requiring apps that store data on non-Google servers to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request." (the bold is mine)

Or am I missing something else?

Steven Bazyl

Apr 17, 2019, 5:14:07 PM
to google-apps-sc...@googlegroups.com

Secure Data Handling: Applications accessing Restricted Scopes must demonstrate that they adhere to certain security practices. These applications must pass an annual security assessment and obtain a Letter of Assessment from a Google-designated third party. Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement.

As Alan said, using that scope by itself requires an assessment. Using UrlFetch in combination with that is also a red flag and likely triggered the language in the original message on this thread. Using it means the add-on is potentially transmitting information contained in the email.  The FAQ you linked to also contains the language (emphasis added):

Security assessment
If your application is sending or has the ability to send Google user data from a Restricted Scope to remote servers, then our verification process requires that your app undergo a security assessment to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request. Depending on the scope and complexity of your app, the cost for the third-party assessment might vary from $15,000 to $75,000.




Faustino Rodriguez

Apr 17, 2019, 5:33:35 PM
to Google Apps Script Community
Thanks @Steven for pointing that out 
- I did overlook that section on "has the ability to send" (the collapsible texts are not searchable, I had to open all of them to see it now)
- I will start by removing the UrlFetchApp.fetch() calls (and the corresponding scope)

-  I guess by removing the UrlFetchApp.fetch scope, the script will lose "the ability to send", am I right on that? 


p.s. I believe, so far the restricted scopes are only for Gmail, but I am afraid that might expand in the coming future
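
As an added example (not code from any poster in this thread or from Google), the following Node.js script lists the signals discussed above in an Apps Script project: restricted scopes in appsscript.json, the script.external_request scope, UrlFetchApp calls (including leftover ones), and client-side resources loaded from other hosts. The function name, the scope set and the sample project are assumptions, and the check does not reproduce Google's review criteria.

```javascript
// Added example: pre-submission self-check for an Apps Script project.
// The scope set holds only the restricted scope named in this thread
// (assumption: extend it from Google's current restricted-scope list).
const RESTRICTED_SCOPES = new Set([
  'https://www.googleapis.com/auth/gmail.readonly',
]);
const EXTERNAL_REQUEST_SCOPE =
  'https://www.googleapis.com/auth/script.external_request';

// manifestJson: text of appsscript.json; files: { fileName: sourceText }
function auditProject(manifestJson, files) {
  // A manifest without oauthScopes yields no scope findings here.
  const scopes = JSON.parse(manifestJson).oauthScopes || [];
  const findings = [];
  const restricted = scopes.filter((s) => RESTRICTED_SCOPES.has(s));
  for (const s of restricted) findings.push({ kind: 'restricted-scope', detail: s });
  if (scopes.includes(EXTERNAL_REQUEST_SCOPE)) {
    findings.push({ kind: 'external-request-scope', detail: EXTERNAL_REQUEST_SCOPE });
  }
  for (const [name, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      const where = `${name}:${i + 1}`;
      // Server-side calls, including leftovers in unused functions.
      if (/UrlFetchApp\s*\.\s*fetch(All)?\s*\(/.test(line)) {
        findings.push({ kind: 'urlfetch-call', detail: where });
      }
      // Client-side resources loaded by HTML served from the script.
      const m = line.match(/<(?:script|img|link)\b[^>]*\b(?:src|href)\s*=\s*["'](https?:\/\/[^"']+)/i);
      if (m) findings.push({ kind: 'client-resource', detail: `${where} ${new URL(m[1]).hostname}` });
    });
  }
  // True when a restricted scope coexists with any way to reach another host.
  const canSend = findings.some((f) => f.kind !== 'restricted-scope');
  return { findings, restrictedPlusEgress: restricted.length > 0 && canSend };
}

// Constructed sample project (not the add-on discussed above).
const sampleManifest = JSON.stringify({
  oauthScopes: [
    'https://www.googleapis.com/auth/gmail.readonly',
    'https://www.googleapis.com/auth/gmail.send',
    'https://www.googleapis.com/auth/script.external_request',
  ],
});
const sampleFiles = {
  'Code.gs': "function unusedTest() {\n  UrlFetchApp.fetch('https://api.example.test/email', {});\n}",
  'Sidebar.html': '<script src="https://cdn.example.test/lib.js"></script>',
};
console.log(auditProject(sampleManifest, sampleFiles));
```

Commented-out calls are flagged too, which is intentional: the goal is to find every place the project could still reach another host before resubmitting.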

Alan Wells

Apr 17, 2019, 5:49:40 PM
to Google Apps Script Community
I think that gmail.readonly does force the security assessment requirement.  I have a Forms addon that takes payments from stripe and PayPal and makes UrlFetchApp.fetch(url) calls to my Google spreadsheet in my account, and I haven't been asked to go through a security assessment.  But the only email scope that I use is:
Using MailApp

Stéphane Giron

Apr 18, 2019, 3:51:01 AM
to Google Apps Script Community
To go on the AJ side, I removed the Gmail service from all my script add-ons and replaced it with the MailApp service. If you just need to read emails, for me it is the first thing to do.

Stéphane