Everything you need to know about app verification & security review.
Updated June 4, 2021
First, let’s just clear the air: the details of the Google OAuth requirements can feel a little dry and confusing at times, but getting into the weeds is incredibly useful for anyone building products that access Google user data. Here, we’ve distilled the details for you.
When Google announced they were making sweeping changes to the way third-party apps can access Google user data, Google users and security proponents celebrated the enhanced security measures that protect user data — but developers were initially left with little detail about how to continue providing their services to Gmail users in compliance with the new regulations.
Today, we have much more detailed information about Google’s OAuth updates – everything from the third-party app verification process to the security assessment, costs, and timelines.
Let’s dive in.
How Do I Know if I Need to Submit My App For Verification?
For third-party applications that access certain types of Google user data (sensitive and restricted scopes), app verification is recommended and, in some cases, required.
If your app uses “sensitive scopes”, it’s considered a best practice to undergo app verification.
If your app uses “restricted scopes”, you’ll need to undergo app verification and a security assessment. Currently, Google lists restricted scopes as:
If your app only uses “sensitive scopes” (as defined by Google — essentially, any data that is not a restricted scope is considered a sensitive scope), you’ll need to undergo app verification only (no security assessment needed).
Sensitive scopes include, but are not limited to:
Exemptions to App Verification
If your application has fewer than 100 users, you will not need to undergo app verification until that threshold is hit. However, we recommend initiating the process well before you reach 100 users to ensure all users are able to access the integration.
Verification is also not required if your app:
Is in development, testing, or staging, and not in production
Uses only service-owned data
Is used only by people in your Google Workspace or Cloud Identity organization
Is used only by Google Workspace enterprise users, with access depending on permission being granted by the domain administrator
Is used to send emails through WordPress or similar single-account SMTP plugins
Google App Verification
Third-party apps (any web/desktop/mobile app) and APIs (like Nylas) that integrate with Gmail data to better serve their customers must undergo a four-step process to ensure their users’ data continues to sync smoothly:
Create an unverified Google project for development, to use in your test environment.
Once you’ve tested the scopes and you’re ready for production, you can create a Google project for production with the same scopes.
Submit your Google project for production for review: You’ll need a YouTube video that shows your app’s functionality in a production environment. Think of this as a very detailed product demo that proves to Google which scopes you need for your users’ benefit. For example, if you’re requesting both a send-email scope and a modify-email scope, you need to show both of these features in your platform. You must demonstrate the scopes in your application as well as the resulting functionality in the provider’s email client.
You’ll also need to describe in writing why you need each scope. For example, “My app will use https://www.googleapis.com/auth/calendar to show a user’s Google calendar data on the scheduling screen of my app, so that users can manage their schedules through my app and sync the changes with their Google calendar.”
Complete a Google OAuth Security assessment (more on this below)
Creating a Google Project
To get your app verified, log in to the Google Developer Console. Enter your project name, organization, and parent organization:
Submit Your Application
Once you’ve created a project, submit your application for review on the GCP (Google Cloud Platform) Console OAuth consent screen here. It’ll look like this:
This verification process can take just a few days or as long as several weeks end-to-end. By clearly demonstrating the scopes you need access to and how you use them, you can drastically reduce the timeline. If Google has clarification questions based on your original submission, you’ll need to address those questions and resubmit your app, which could delay the review process.
The review process is also quicker for Nylas customers: we’ve created a handy and comprehensive guide on how to create a Google project here.
What happens if I want to add new sensitive or restricted scopes after my app is approved?
When adding new sensitive scopes, you simply need to undergo app re-verification: complete all the steps for your new scope and re-submit for verification at no cost. This typically takes 2-4 weeks, and for Nylas customers, your Customer Service Manager can assist you through the process.
When adding new restricted scopes to your Google project, it’s recommended you follow these steps (note that if you are an existing Nylas customer, we will help expedite the resubmission process):
After the new restricted scopes have been tested on your unverified Google project for development, add them to your production Google project and resubmit the project for review. (Users will still be able to sync the scopes for which you’ve already received Google’s approval.)
Once the new scope is approved, users can use all approved scopes and will see that your app is verified!
Google OAuth Security Assessment
To start, how do you know if you need to undergo a security assessment in addition to app verification?
It’s pretty straightforward – if your app uses restricted scopes, you’ll need to undergo a security assessment. The same exemptions apply here as for app verification.
The process can take anywhere from a few weeks to (more commonly) multiple months, depending on the complexity of the application. If your application requires remediation testing (i.e. if you don’t pass the initial security assessment), the process can take longer, but these timelines are largely dependent on your company’s existing security policies and the complexity of your application.
At Nylas, it took us just two weeks to complete the security assessment, but we were already SOC 2 Type II certified, which helped reduce the timeline.
Costs vary depending on the complexity of your implementation and the state of the security processes that already exist. Google references a range from $15,000-$75,000.
How Can I Speed Up the App Verification and Security Review Process?
Nylas has partnered with Google-approved firms Bishop Fox and Leviathan Security Group to offer the Nylas Express Security Review. This ensures Nylas customers receive expert services at the lowest applicable rates as well as priority, white-glove customer service for applications subject to Google’s OAuth mandatory verification process and security assessment. Services include end-to-end security evaluations and high-end penetration tests that mimic the work of sophisticated attackers to ensure applications that integrate with Gmail data are fully compliant with Google’s security policies. As a communications API leader, we knew it was our responsibility to make this process seamless for developers.
Nylas has already assisted with the approval of hundreds of Google applications. As an API provider, we’ve worked directly with 500+ customers to get their Google integration up and running in a fraction of the time. Through this new partnership, our customers benefit from the experience of Bishop Fox and Leviathan Security Group and are guaranteed the lowest applicable rate for their application review – starting at just $15,000.
If you’re a current Nylas customer and would like more information about the Google OAuth or the Nylas Express Security Review, please contact your customer success representative or reach out to us at firstname.lastname@example.org.