2018 has been the year of sweeping security enhancements (hello, GDPR) and Google OAuth is the latest addition.
2018 was the year of sweeping security enhancements (hello, GDPR), and Google's new OAuth scope policy adds heightened security requirements for developer apps that integrate with Google user data.
In October of 2018, Google announced new security measures to give Gmail users more control over what data is synced and shared with 3rd-party applications. This includes a more stringent app-verification process and more transparency requirements for products that integrate with Gmail accounts.
These new security measures will give users more control over what types of Gmail data they sync and share with other platforms. In this blog, we’ll cover:
Let’s dive in!
Today, the new security requirements apply to applications that sync mail through the Google APIs for personal Gmail accounts and G Suite. Under the new policy, applications that integrate with any part of Gmail need to undergo the new Google app verification process.
Even if your app is only syncing email from G Suite, you'll need to submit your app for verification. If you're only syncing G Suite data for internal purposes, you may not need to submit your app for verification.
Most of the changes apply to newly connected user accounts. If your users have already connected their Gmail account to your application, those connections will continue to work as long as your application stays in good verification standing and does not fall into a restricted scope category (more on that below).
Your application is more likely to be approved if you are collecting users' data for their direct benefit. For example, if you access a user's email on their behalf and sync that data into your application to help reduce context switching and boost productivity, your application should be in good standing with Google (this is what we do at Nylas).
You should not access a user's inbox to leverage this data to sell them ads, or to sell data to others about email open rates, click-through rates, and reply rates as market research (since this doesn't directly benefit the user).
Google is selecting a third-party vendor to conduct app verifications. The verification costs fall on the applications requesting approval and range anywhere from $15,000-$75,000 or more. Learn how you can avoid the security assessment fee in this blog.
If you’re syncing anything that Google considers a “restricted scope” (i.e. sensitive data or data containing personally identifiable information), you’ll need to go through a stringent verification process that may take the better part of 2019 and beyond. Google has been light on details, but so far it looks like the third-party vendors conducting reviews will want to see that your app follows common processes like only requesting necessary scopes and deleting user data upon request.
Restricted scopes include sensitive scopes such as:
Further, the way Google defines restricted scopes is subject to change. If Google decides that they want Google Calendars to become a restricted scope, you’ll have to go through the app verification process again if your application syncs or interacts with Google Calendar data. Today, the only restricted scopes are for mail data.
For more information, please review Google’s full policy and OAuth FAQ.
Tasia is the Director of Product Marketing at Nylas. She's passionate about communications and helping connect the world through APIs. In her free time, she writes and produces music.