Security of Published Google Workspace Add-on (GAS)
Mateus Mattos Varela
We have developed a Google Apps Script (GAS) add-on, which is officially published on the Google Workspace Marketplace. Since the code runs entirely inside Google Workspace and does not go through any external CI/CD pipelines, we want to better understand how secure the stored data and credentials are inside the script.
Currently, our add-on contains several hardcoded credentials, including:
• Amazon SP API keys
• Amazon Ads API keys
• Database (MySQL/Cloud SQL) access credentials
• Firestore authentication credentials
Since the add-on is hosted and managed by Google, we would like to clarify:
1. Is it necessary to encrypt or obfuscate sensitive data inside the script, or does Google already ensure its protection?
2. Can the source code of a published Google Workspace add-on be accessed, extracted, or reverse-engineered by end users in any way?
3. What are the best practices for securely storing secrets in a Google Apps Script add-on?
4. Is there a recommended way to integrate with Google Cloud Secrets Manager, Firestore, or any other secure storage solution for managing sensitive credentials within an add-on?
Additionally, we previously attempted to use Properties Service to store credentials instead of hardcoding them, but it introduced some issues:
• Difficulty in debugging when dealing with stored JSON.
• Unwanted data artifacts, making it unreliable.
Given these challenges, we are looking for secure and scalable best practices to handle sensitive credentials inside a Google Apps Script add-on.
Any insights, best practices, or official documentation references would be highly appreciated.
