Google OAuth Verification: Costs, Timelines, Process, and More
Everything you need to know about app verification & security review.
Tasia Potasinski | July 29, 2019
Updated September 15, 2020
NOTE: If you are a Nylas customer, you can use our Express Security Review to quickly complete the Google security review at the lowest cost possible.
First, let’s just clear the air: the details of the Google OAuth requirements can feel a little dry and confusing at times, but getting into the weeds is incredibly useful for anyone building products that access Google user data. Here, we’ve distilled the details for you.
When Google announced sweeping changes to the way third-party apps can access Google user data, users and security proponents welcomed the stronger protections for user data, but developers were initially left with little detail about how to keep serving Gmail users under the new requirements.
Today, we have much more detailed information about Google’s OAuth updates – everything from the third-party app verification process to the security assessment, costs, and timelines.
Let’s dive in.
How Do I Know if I Need to Submit My App For Verification?
Third-party applications that access certain types of Google user data must undergo app verification. Specifically, if your app uses “restricted scopes”, you’ll need both app verification and a security assessment. Currently, Google lists the restricted scopes as:
Google groups OAuth scopes into three tiers: non-sensitive, sensitive, and restricted. If your app only uses “sensitive scopes” (scopes that grant access to private user data but are not on the restricted list), you’ll need app verification only, with no security assessment.
Sensitive scopes include, but are not limited to:
If your app has fewer than 100 users, you will not need to undergo app verification. Note that your users will still see Google’s unverified-app warning screen when they first authenticate.
Google App Verification
Third-party apps (web, desktop, or mobile) and APIs (like Nylas) that integrate with Gmail data to better serve their customers must complete a four-step process so that their users’ data continues to sync smoothly:
- Create an unverified Google project for development for your test environment.
- Once you’ve tested the scopes and you’re ready for production, you can create a Google project for production with the same scopes.
- Submit your Google project for production for review: You’ll need a YouTube video that shows your app’s functionality – think of this as a very detailed product demo that proves to Google which scopes you need for your end users’ benefit. For example, if you’re requesting both a send-email scope and a modify-email scope, you need to show both features in your platform. You’ll also need to describe in writing why you need each scope. For example, “My app will use https://www.googleapis.com/auth/calendar to show a user’s Google calendar data on the scheduling screen of my app, so that users can manage their schedules through my app and sync the changes with their Google calendar.”
- Complete a Google OAuth Security assessment (more on this below)
Creating a Google Project
To get your app verified, log in to the Google Developer Console. Enter your project name, organization, and parent organization:
Submit Your Application
Once you’ve created a project, submit your application for review on the GCP (Google Cloud Platform) Console OAuth consent screen here. It’ll look like this:
This verification process can take just a few days or as long as several weeks end-to-end. By clearly demonstrating the scopes you need access to and how you use them, you can drastically reduce the timeline. If Google has clarification questions based on your original submission, you’ll need to address those questions and resubmit your app, which could delay the review process.
As mentioned above, the review process becomes quicker with Nylas. We’ve created a handy and comprehensive guide for Nylas customers on how to create a Google project here.
What happens if I want to add more restricted scopes after my app is approved?
If you want to add a new scope to your Google project, you should follow these steps (note that if you are an existing Nylas customer, we will help expedite the resubmission process):
- After the new restricted scopes have been tested on your unverified development project, add them to your production Google project and resubmit the project for review. (Users can keep syncing the scopes Google has already approved.)
- Once the new scope is approved, users can use all approved scopes and will see that your app is verified!
Google OAuth Security Assessment
To start, how do you know if you need to undergo a security assessment in addition to app verification?
It’s pretty straightforward – if your app uses restricted scopes, you’ll need to undergo a security assessment. However, there are three ways you can be exempt from the security assessment:
- Internal use case: If your app is only used for internal company purposes (i.e. if you only allow access to users from your own organization), you do not need to undergo app verification. We’ve created a guide for customers with an internal use case on submitting their Google project for review here.
- If you’re using sensitive scopes only
- If you prefer to require the Super admins of each G Suite org to whitelist your application. Learn how in this blog.
If your app accesses what Google defines as “restricted scopes”, the next step after app verification is a third-party security assessment.
The process can take anywhere from a few weeks to (more commonly) several months, depending on the complexity of the application. If your application requires remediation testing (i.e. if you don’t pass the initial assessment), the process takes longer; the timeline depends largely on your company’s existing security policies and the complexity of your application.
At Nylas, it took us just two weeks to complete the security assessment, but we were already SOC 2 Type II certified, which helped shorten the timeline.
If you are not a Nylas customer, or if you’re considering becoming one, and your app accesses restricted scopes, you’ll need to complete the security assessment before going live with your Google integration. As of 12/31/2019, all Google apps that access restricted scopes are required to complete the Google security review process.
Costs vary with the complexity of your implementation and the maturity of the security processes you already have in place, ranging anywhere from $15,000 to $75,000.
If your company is already SOC 2 Type II certified, Google has noted that security assessment costs will be significantly reduced.
How Can I Speed Up the App Verification and Security Review Process?
Nylas’ Express Security Review offers Google-approved Leviathan Security Group’s expert services at the lowest available rates, with priority, white-glove service for applications subject to Google’s mandatory OAuth verification process and security assessment. Services include end-to-end security evaluations and penetration tests that mimic the work of sophisticated attackers, to ensure applications that integrate with Gmail data are fully compliant with Google’s security policies. As a communications API leader, we knew it was our responsibility to make this process seamless for developers.
Nylas has already assisted with the approval of more than 30% of all Google applications. As an API provider, we’ve worked directly with hundreds of customers to get their Google integration up and running in a fraction of the time. Through this new partnership, our customers reap the benefits of Leviathan Security Group’s services and are guaranteed the lowest possible rate of $15K for their application review.
If you’d like to learn more, contact a Nylas Platform Specialist.
For more information on Google OAuth, visit their support page here.