-7

My clients are receiving emails like this (I quote the text, but it is an html email):

From: Google Accounts

Date: [OMITTED]

Subject: Limiting access to data in your Google Account

To: <[OMITTED my client's email address]>

Hi,

Although you don’t need to do anything, we wanted to let you know that the following apps may no longer be able to access some data in your Google Account, including your Gmail content. If these apps are unable to meet the deadline to comply with our updated data policy requirements, they'll lose access to your Account starting July 15th, 2019.

[OMITTED my company's name]

We are making this change as part of ongoing efforts to make sure your data is protected and private.

You can always view, manage and remove apps you’ve given access to your account by visiting your Google Account.

Thanks,

The Google Accounts team

I operate a webapp that uses the following gmail API methods:

gmail.users.getProfile
gmail.users.messages.send
gmail.users.threads.get

As far as I know I am following all of the rules. I have searched through the Google APIs Console, but I cannot see what data policy I am violating.

How can I determine the data policy I am violating? Why hasn't Google reached out to me about this?

Is this a convincing phishing scam? These emails are being sent to my clients, so I don't have access to see if they are signed properly, but from what I can tell from the forwarded emails they appear to be authentic.

Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
b2154845
  • 1
  • 5
  • this is a very good question and may in the future help other developers I hope that you reconsider containing to try and deleting it. While i understand your frustration it does not change the way things are. Your question may save another developer time in trying to understand the documentation and by contacting google we may get them to upgrade there documentation to fix the confusion issues. – Linda Lawton - DaImTo Jul 10 '19 at 17:29
  • @b2154845 Do not vandalize your question. https://meta.stackoverflow.com/questions/372007/should-we-say-vandalizing-to-refer-to-defaced-content – Josh Lee Jul 10 '19 at 17:41
  • 1
    Please don't make more work for others by vandalizing your posts. By posting on the Stack Exchange (SE) network, you've granted a non-revocable right, under the [CC BY-SA 3.0 license](//creativecommons.org/licenses/by-sa/3.0), for SE to distribute the content (i.e. regardless of your future choices). By SE policy, the non-vandalized version is distributed. Thus, any vandalism will be reverted. Please see: [How does deleting work? …](//meta.stackexchange.com/q/5221). If permitted to delete, there's a "delete" button below the post, on the left, but it's only in browsers, not the mobile app. – Makyen Aug 02 '19 at 21:45
  • If you feel something needs to be removed for privacy reasons, then you should raise a custom moderator flag asking for that information to be "redacted", which is a specific process where information is actually removed from the post, including edit logs, so that it is no longer publicly available. Note: I'm not seeing any personally identifiable information in the post, in any revision, but maybe I'm missing it, or it's already been redacted. – Makyen Aug 02 '19 at 21:59
  • 3
    I'm voting to close this question as off-topic because it concerns the policies and procedures of app distribution services, rather than programming. Please refer to: [Are developer-centric questions about application stores on topic?‍](//meta.stackoverflow.com/q/272165), [Why can't I ask customer service-related questions?](//meta.stackoverflow.com/a/255746) – Makyen Aug 03 '19 at 02:05

1 Answers1

6

You are not violating any security policy. This is a standard mail that comes when ever a user connects their account to a new application containing high risk scopes (note as far as I know not all scopes will result in this mail but I haven't actually tested all scopes). This most often comes with the Gmail scopes in applications.

I would double check that your application has been verified it may help to remove some of the notifications your users are getting. Users should be informed by Google when they are accessing third party applications and warned about what that could mean.

The following scope is one of the most critical as far as Google is concerned this is most likely the one that will mean your users will always get this email when they authenticate your application. I wouldn't be surprised if all the Gmail scopes would result in that mail but I haven't tested it.

https://www.googleapis.com/auth/gmail.send

verification

This email is most likely related to the fact that this application has not been verified to use the gmail scopes. Gmail scopes are one of the most sensitive scopes as far as Google is concerned as the chance that they could be abused by malicious developers is even greater.

You should apply for verification as soon as you can google may contact you and ask for a video of your application running.

Unverified apps

In most cases it does NOT cost anything to be verified. In some cases, for particularly sensitive APIs, Google may require an outside audit of your code to make sure it does not put users of your program at risk.

After several hours of piecing together information across multiple sites along with a friend while waiting for further clarification from Google the following information was found which I hope will help developers in the future.

additional reading piecing together information available:

  • Elevating user trust in our API ecosystem while this page does mention "All fees are paid directly to the assessor and not to Google." it does not state an amount. Again i have never heard of anyone having to pay for this. However I have contacted Google and requested that the page be updated with more accurate information as to what the fee entails.
  • Additional Requirements for Specific API Scopes
  • Why fee clearly states why a fee is charged. These assessments are done by a third party company that must be paid. It would be unrealistic IMO for a company wishing to develop an application using Googles API to expect Google to pay for this: IMO it makes perfect sense that the cost would be transferred to the company developing the application. they will after all be making money on the application.
Prisoner
  • 49,922
  • 7
  • 53
  • 105
Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
  • Thanks for your edit and reply. I am still confused by this part excerpt from their email: "If these apps are unable to meet the deadline to comply with our updated data policy requirements, they'll lose access to your Account starting July 15th, 2019." This seems to suggest that my app is (or maybe just potentially is?) in violation of some updated data policy requirements. If the email is just a warning, then why include this language? Thanks again for your help, I'll definitely confirm my app is verified. – b2154845 Jun 27 '19 at 16:01
  • Let me ping someone on the team. If you are verfied then it seems strange – Linda Lawton - DaImTo Jun 27 '19 at 17:15
  • 1
    The recent change to GMail restricted scopes means that you need a third part letter of assessment to use them. These third party assessments are likely to cost something. https://cloud.google.com/blog/products/g-suite/elevating-user-trust-in-our-api-ecosystems – Mitch Pomery Jul 10 '19 at 08:03
  • Awesome link thanks added it to my answer. – Linda Lawton - DaImTo Jul 10 '19 at 08:09