
I am fetching the Gmail inbox into the web application using the Gmail API. I am using a REST API to connect with the web application. Everything is working and ready to go live, but the app was rejected by Google, which asks for a security assessment that costs around $75K.

We are only reading messages through the API, and users are already permitted to perform the same activity themselves.

My question is, how do we avoid the security assessment, given that we are using restricted and sensitive scopes like the Gmail API and Pub/Sub? Without these scopes we can't fetch the messages.

How can we avoid the security assessment? Is there any other way to achieve this requirement?

Looking forward to the community's help. It's a major blocker for us to go live. Thanks in advance.

Linda Lawton - DaImTo
Vikas S
  • I have cleaned up your tags. Not exactly sure what all those cloud tags had to do with your question. Please remember to only use tags that are relevant to your question. – Linda Lawton - DaImTo Jul 11 '22 at 09:08
  • @DalmTo OP is probably trying to do Gmail API push notifications (hence the pub/sub and GCP tags). – TheAddonDepot Jul 11 '22 at 11:00
  • @TheAddonDepot Okay, I will give you that. Not sure it's relevant. If they are doing push notifications to users' accounts, they are still going to need to be verified. – Linda Lawton - DaImTo Jul 11 '22 at 11:09
  • I know some developers still use Gmail IMAP with an app password. And you have a couple more options if your users are G Suite users: 1. Their G Suite admin can whitelist your OAuth2 clientId if they trust your app. 2. Their G Suite admin can configure a service account with domain-wide delegation for you (this way: https://docs.aurinko.io/article/21-setting-up-g-suite-service-account) and you could use that service account. Again, this client should trust your app. – Alexey Jul 11 '22 at 23:28
  • Here is how clientId whitelisting works: https://docs.workato.com/connectors/gmail.html#whitelist-workato-gmail-connector – Alexey Jul 11 '22 at 23:29

1 Answer


If you need to use a sensitive or restricted scope, and you are not exempt from verification, there is no workaround to the security assessment.

Info from the docs:

Sensitive scopes

Apps that request sensitive scopes must verify that they follow Google's API Services User Data Policy, but they will not have to undergo an independent, third-party security assessment. This sensitive scopes verification process typically takes 3-5 business days to complete.

Option: don't request a sensitive scope.

Restricted scopes

Apps that request restricted scopes must also verify that they follow Google's API Services User Data Policy, but they must also meet the Additional Requirements for Specific Scopes. One of these additional requirements is an independent, third-party security assessment. For this reason, the restricted scopes verification process can potentially take several weeks to complete.

Option: don't request a restricted scope.

Exceptions to verification requirements

Could your app be exempt from the verification requirements?

Linda Lawton - DaImTo
  • I haven't looked into how much it's going to cost for my security assessment, but after reading a couple of these posts, I'm pretty much ready to throw in the towel on something I've spent way too much time on. – Adam James Jul 20 '22 at 03:20
  • @AdamJames That's a good call. – Vikas S Jul 25 '22 at 11:21
  • The security assessment costs between 15k and 75k; from what I know, it's yearly. – Linda Lawton - DaImTo Jul 25 '22 at 14:38
  • Will connecting with Google Cloud paid support resolve this issue? Can we expect any help from their end? What do you think? – Vikas S Aug 03 '22 at 15:09
  • Not sure why it would. You still need to go through the same verification process. If you are accessing private user data with a sensitive or restricted scope, it's not a single-user app, and it's not a Workspace app, you need to be verified. If it's a Gmail scope, you're going to need to pay for the security assessment. – Linda Lawton - DaImTo Aug 03 '22 at 15:58
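The answer's two "options" come down to one pre-flight check: look at the exact scope set your OAuth client asks for and see which verification tier it triggers before you submit the app. The script below is an added example, not code from the question, the answer, or Google; it parses the `scope` parameter out of an OAuth 2.0 authorization URL, classifies each scope against a classification table that is an assumed snapshot of Google's published Gmail scope tiers (check it against the current OAuth verification FAQ before relying on it), and reports the highest tier hit. Scopes it does not know (here, the Pub/Sub scope the asker mentions) are flagged as "unknown" for manual checking rather than silently treated as harmless. The sample authorization URL, client ID and redirect URI are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Assumed snapshot of Google's Gmail scope classification (verify against the
# current OAuth verification FAQ): the Gmail scopes that expose message content,
# metadata or account settings are "restricted"; gmail.send is "sensitive".
RESTRICTED = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
}
SENSITIVE = {
    "https://www.googleapis.com/auth/gmail.send",
}
FULL_ACCESS = "https://mail.google.com/"  # superset of every other Gmail scope
TIERS = ["none", "sensitive", "restricted"]  # ordered by verification burden

# Constructed sample: the asker's case (read inbox + Pub/Sub push notifications).
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=example-client-id"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Foauth%2Fcb"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fpubsub"
    "&access_type=offline"
)


def scopes_from_auth_url(url):
    """Return the scopes named in the URL's space-separated `scope` parameter.

    parse_qs already decodes %20 and '+' to spaces, so a plain split suffices.
    """
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def classify(scope):
    """Map one scope to its verification class; anything not in the table is 'unknown'."""
    if scope in RESTRICTED:
        return "restricted"
    if scope in SENSITIVE:
        return "sensitive"
    return "unknown"


def verification_tier(scopes):
    """Return (tier, report).

    tier is the highest verification tier any requested scope triggers;
    report maps every scope to its class. Unknown scopes do not raise the tier
    by themselves but stay in the report so they can be checked by hand.
    """
    report = {scope: classify(scope) for scope in scopes}
    tier = "none"
    for cls in report.values():
        if cls in TIERS and TIERS.index(cls) > TIERS.index(tier):
            tier = cls
    return tier, report


def redundancy_warnings(scopes):
    """List narrower Gmail scopes that the full-mailbox scope already covers.

    Dropping them shrinks the consent prompt, but the tier stays 'restricted'
    because the full-access scope is itself restricted.
    """
    requested = set(scopes)
    if FULL_ACCESS not in requested:
        return []
    prefix = "https://www.googleapis.com/auth/gmail."
    return sorted(s for s in requested if s.startswith(prefix))


if __name__ == "__main__":
    scopes = scopes_from_auth_url(SAMPLE_AUTH_URL)
    tier, report = verification_tier(scopes)
    for scope, cls in report.items():
        print(f"{cls:10s} {scope}")
    print(f"verification tier required: {tier}")
    for extra in redundancy_warnings(scopes):
        print(f"redundant with {FULL_ACCESS}: {extra}")
```

For the constructed URL the result is the one the answer predicts: `gmail.readonly` alone puts the app in the restricted tier, and narrowing to `gmail.metadata` would not change that, because every scope that can read a message is in the restricted set. The only way the function reports "none" or "sensitive" is to drop the mailbox-reading scopes entirely, which is exactly the trade-off the asker says they cannot make.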