Google OAuth Updates: 2019 Timeline and Everything Else You Need to Know

2018 has been the year of sweeping security enhancements (hello, GDPR) and the Google OAuth scopes are the latest addition.

In October of 2018, Google announced new security measures to give Gmail users more control over what data is synced and shared with 3rd-party applications. This includes a more stringent app-verification process and more transparency requirements for products that integrate with Gmail accounts.

These new security measures will give users more control over what types of Gmail data they sync and share with other platforms. In this blog, we’ll cover:

• How the OAuth Updates Impact Apps that Integrate with Gmail
• How Gmail Data Can Be Used
• How Gmail Data Should Not Be Used
• The New Application Verification Process
• Restricted Scopes and Their Impact
• Best Practices for Getting Your App Verified

Let’s dive in!

How Will the OAuth Updates Impact Apps that Integrate With Gmail?

Today, the new security requirements apply to applications that sync mail through the Google APIs for personal Gmail accounts and GSuite.  Under the new policy, applications that integrate with any part of Gmail need to undergo the new Google app verification process.

Even if your app is only syncing email from GSuite, you’ll need to submit your app for verification.  If you’re only syncing Gsuite data for internal purposes, you may not need to submit your app for verification.

Most of the changes are meant to be applied for new user accounts being connected. If your users have already connected their Gmail account to your application, they will continue to work as long as your application stays in good verification standing and does not fall into a restricted scope category (more on that below).

How Can Gmail Data Be Used?

Your application is more likely to be approved if you are collecting user’s data for their direct benefit. For example, if you access a user’s email for them and sync that data into your application to help reduce context switching and boost productivity, your application should be in good standing with Google (this is what we do at Nylas).

How Should Data Not Be Used?

You should not access a user’s inbox to leverage this data to sell them ads, or to sell data to others about email open rates, click through rates, and reply rates as market research (since this doesn’t directly benefit the user).

The New Application Verification Process

Google is selecting a third-party vendor to conduct app verifications. The verification costs fall on the applications requesting approval and range anywhere from $15,000-$75,000 or more. Learn how you can avoid the security assessment fee in this blog.

Restricted Scopes

If you’re syncing anything that Google considers a “restricted scope” (i.e. sensitive data or data containing personally identifiable information), you’ll need to go through a stringent verification process that may take the better part of 2019 and beyond.  Google has been light on details, but so far it looks like the third-party vendors conducting reviews will want to see that your app follows common processes like only requesting necessary scopes and deleting user data upon request.

Restricted scopes include link sensitive scopes such as:

• https://mail.google.com/
• https://www.googleapis.com/auth/gmail.readonly
• https://www.googleapis.com/auth/gmail.metadata
• https://www.googleapis.com/auth/gmail.modify
• https://www.googleapis.com/auth/gmail.insert
• https://www.googleapis.com/auth/gmail.compose
• https://www.googleapis.com/auth/gmail.settings.basic
• https://www.googleapis.com/auth/gmail.settings.sharing

Further, the way Google defines restricted scopes is subject to change. If Google decides that they want Google Calendars to become a restricted scope, you’ll have to go through the app verification process again if your application syncs or interacts with Google Calendar data. Today, the only restricted scopes are for mail data.

Best Practices to Ensure Your Application Gets Verified

1. Before making an API call, check to see if the user has already granted permission to your app. This will help you avoid insufficient permission errors which could lead to unexpected app errors and a bad user experience. Learn more about this by referring to documentation on your platform below
2. Request permissions only when you need them. You’ll be able to stage when each permission is requested, and we recommend being thoughtful about doing this in context. You should avoid asking for multiple scopes at sign-in when users may be using your app for the first time and are unfamiliar with the app’s features.
3. Provide justification before asking for access. Clearly explain why you need access, what you’ll do with a user’s data, and how they will benefit from providing access. Our research indicates that these explanations increase user trust and engagement.

For more information, please review Google’s full policy and OAuth FAQ.