2018 has been the year of sweeping security enhancements (hello, GDPR) and Google OAuth is the latest addition.
In October of this year, Google announced new security measures to give Gmail users more control over what data is synced and shared with third-party developer applications. This includes a more stringent app-verification process for products built on Google’s platform that request access to data like email, calendar, and contacts from Gmail accounts. In addition to a more time-consuming app verification process, Google app developers will be required to be more transparent about the Gmail data they access, with clear and prominent privacy disclosures.
These new security measures will give users more control over what types of Gmail data they sync and share with other platforms. They require companies to be transparent about the Gmail data they access with clear and prominent privacy disclosures.
What does this mean for developers building applications that integrate with Gmail?
Today, the new security requirements and the more stringent application verification process only apply to applications syncing mail through the Google APIs for personal “Gmail” accounts. If you’re using the Google APIs to sync data from a GSuite organization, the level of access is controlled by the GSuite Admin.
Most of the changes apply to new accounts being connected. If your users have already connected their Gmail account to your application, they will continue to work as long as your application stays in good verification standing and does not fall into a restricted scope category (more on that below).
How can data be used?
Your application should be approved so long as you are collecting users’ data for their direct benefit. For example, if you sync a user’s emails into your application in order to show them which emails have received the highest open rates, click-through rates, or reply rates, your application should be in good standing with Google (this is what we do at Nylas).
How should data not be used?
You should not access a user’s inbox in order to sell them ads, or to sell data about email open rates, click-through rates, and reply rates to others as market research (since this doesn’t directly benefit the user).
The new application verification process
Google is selecting a third-party vendor to conduct verifications. The verification costs fall on the applications requesting approval, and range anywhere from $15,000-$75,000 or more.
For independent developers with complex applications, this could unfortunately be prohibitively expensive. Luckily, companies that have already completed a SOC 2 security assessment (read Nylas’s guide to SOC 2 compliance) or GDPR compliance might not need to be reviewed if the security assessor deems this an adequate security assessment, but Google hasn’t provided more information than this yet.
If you’re syncing anything that Google considers a “restricted scope”, you’ll need to go through a stringent verification process that will take the better part of 2019 and beyond. Google has been light on details, but so far it looks like the third-party vendors conducting the review will make sure your app follows common practices like only requesting necessary scopes and deleting user data upon request.
Restricted scopes include sensitive scopes such as:
Further, the way Google defines restricted scopes is subject to change, so if Google one day decides that Google Calendar should be a restricted scope, you’ll have to go through the app verification process again if your application syncs or interacts with that data. Today, the only restricted scopes are for mail data.
Best practices to ensure your application gets verified
- Before making an API call, check to see if the user has already granted permission to your app. This will help you avoid insufficient-permission errors, which could lead to unexpected app errors and a bad user experience. Learn more about this by referring to the documentation for your platform below.
- Request permissions only when you need them. You'll be able to stage when each permission is requested, and we recommend being thoughtful about doing this in context. You should avoid asking for multiple scopes at sign-in, when users may be using your app for the first time and are unfamiliar with the app's features.
- Provide justification before asking for access. Clearly explain why you need access, what you'll do with a user's data, and how they will benefit from providing access. Our research indicates that these explanations increase user trust and engagement.
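The first two practices above (check what the user has already granted before calling an API, and request additional scopes only when a feature needs them) can be implemented as a small gatekeeper in front of your Google API calls. The following is an added example written for this post, not Nylas or Google code; the feature-to-scope mapping and the set of restricted scopes are assumptions (Google publishes the current list), while `include_granted_scopes=true` is Google’s real incremental-authorization parameter.

```python
import secrets
from urllib.parse import urlencode

# Real Google scope identifiers; which ones Google classifies as "restricted"
# is an assumption here and should be checked against Google's current list.
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
GMAIL_FULL = "https://mail.google.com/"
CALENDAR_READONLY = "https://www.googleapis.com/auth/calendar.readonly"
RESTRICTED_SCOPES = {GMAIL_READONLY, GMAIL_FULL}

# Assumed feature-to-scope mapping: sign-in needs none of these, so nothing
# below is requested at first login (practice 2 above).
FEATURE_SCOPES = {
    "email_analytics": {GMAIL_READONLY},
    "meeting_insights": {CALENDAR_READONLY},
}

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def missing_scopes(granted, feature):
    """Scopes the feature needs that the user has not yet granted."""
    return FEATURE_SCOPES[feature] - set(granted)


def restricted_scopes_requested(scopes):
    """Scopes in the request that would pull the app into restricted-scope review."""
    return set(scopes) & RESTRICTED_SCOPES


def incremental_auth_url(client_id, redirect_uri, scopes, state):
    """Authorization URL for only the missing scopes; include_granted_scopes
    asks Google to merge them with what the user already granted."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "access_type": "offline",
        "include_granted_scopes": "true",
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def prepare_api_call(granted, feature, client_id, redirect_uri):
    """Return ("ok", None, None) if the call can proceed with the stored
    grant, else ("authorize", url, state). Persist `state` server-side and
    compare it on the callback before exchanging the code."""
    missing = missing_scopes(granted, feature)
    if not missing:
        return ("ok", None, None)
    state = secrets.token_urlsafe(16)
    return ("authorize", incremental_auth_url(client_id, redirect_uri, missing, state), state)
```

Call `restricted_scopes_requested` on every scope set you ship so a new feature cannot silently add a restricted scope and trigger a fresh verification.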