
Our app works fine during the OAuth flow, that is, with the following URL: https://accounts.google.com/o/oauth2/auth

However, if the account is under the Advanced Protection Program, then the OAuth flow fails with the following messages (assume XXX is the name of our app):

Access blocked: XXX is not approved by Advanced Protection

The Advanced Protection Program performs additional security checks to safeguard your account data, and it hasn't approved this app. If you want to allow XXX access to your data, you can reach out to the app developer and encourage them to submit the app for verification. Learn more about this error If you are a developer of XXX, see error details.

Error 400: policy_enforced

We have checked the Common questions with Advanced Protection Program article, and there seem to be only 4 kinds of apps allowed access:

  • All Google apps and services
  • Apple Mail, Calendar, and Contacts apps on iOS and macOS
  • Mozilla Thunderbird
  • Desktop email clients that access Gmail directly

Since the above error message says "encourage them to submit the app for verification", we think there may be some way to submit the app for verification. However, there's no other information about the app verification submission for the Advanced Protection Program in the article.

We found out that for Google Workspace accounts, admins can configure a whitelist to bypass the Advanced Protection issue, but for Google accounts (e.g. gmail.com), no such way is available.

By the way, our app already passed the app verification for sensitive/restricted API scopes: [screenshot of the app's verification status]
We don't know whether the app verification for the Advanced Protection Program is related to the above app verification process or not. (For example, if we click "verify" again, maybe there will be a new option for the Advanced Protection Program in the verification form?)

We would like to know if there's a way to submit the app verification for the Advanced Protection Program, or any alternative way to bypass this error (except temporarily turning off the Advanced Protection Program).

Thank you!

Guan
  • Please edit your question and change that image to English, please. I need to see the verification status of your app but I can't, as your image is not in English. – Linda Lawton - DaImTo Nov 07 '22 at 13:12
  • I would like the option to email the team on your behalf to find out if there is something that can be done. However, I can't do that until you post an English version of that image. I need to know that your application is in fact verified, that it has been reviewed by Google and has been through the verification process. I would also like to know what scopes you are using. – Linda Lawton - DaImTo Nov 07 '22 at 13:19
  • Sorry for the late response. I have updated the screenshot to English version. – Guan Nov 08 '22 at 01:19
  • Please include the scopes that you have requested be verified. – Linda Lawton - DaImTo Nov 08 '22 at 07:19

2 Answers


You have to read a little between the lines for a few things, but all documentation online points to the following conclusions:

  • The Advanced Protection program is meant to block pretty much all third-party access to sensitive scopes, with the exception of certain apps hand picked by Google.
  • Google Workspace users can bypass the Advanced Protection third-party app restrictions by having their admins add the apps to their domain's allowlist.
  • Free Gmail users have more limited tools to manage third-party application access. They can review and remove them, but they cannot pre-emptively allow them. They can approve them when the app requests access but this is where the Advanced Protection stops them. Hence, they have no way to bypass the restrictions.
  • Currently there doesn't seem to be a publicly available way to apply to verify your app for Advanced Protection. In the roughly 5 years since its release, only the Apple iOS apps and a couple email clients have been added to the default trusted apps list, aside from the official Google apps.

What exactly does Advanced Protection do?

This is a tier of security reserved for a narrow subset of users with maximum security needs or maximum paranoia. It has some additional 2SV restrictions and in regards to third-party apps, Google's launch blog post in 2017 explains it best:

Sometimes people inadvertently grant malicious applications access to their Google data. Advanced Protection prevents this by automatically limiting full access to your Gmail and Drive to specific apps. For now, these will only be Google apps, but we expect to expand these in the future.

So at launch only Google apps were allowed, and there's no mention of allowing developers to verify their apps for Advanced Protection. A few months later they posted an update for iOS apps:

Today we’re announcing that Advanced Protection now supports Apple’s native applications on iOS devices, including Apple Mail, Calendar, and Contacts. (...) Before today, (...) only Google applications were able to access your data if you were enrolled in the program. (...) We’ll continue to expand the list of trusted applications that can access Google data in the future.

After that they've added a couple more mail clients like Thunderbird and the macOS Mail app in the past 5 years, but you'll notice a trend that these are well-known mail clients that people commonly use and they are specifically choosing them and listing them one by one. There's no mention of apps that have gone through OAuth verification at all.

But what about OAuth verification?

OAuth verification is a different process. You probably already know since you already went through it, but if your app uses restricted scopes (commonly Drive or Gmail), you need to go through a security assessment to make sure that your app handles data securely and deletes it upon user request. This is all well and good, but Advanced Protection is aimed at people who feel at risk and really don't want to share any of their data with anyone:

These users may be journalists, activists, business leaders, political campaign teams, and others who feel especially vulnerable.

Users like these are usually well-known and rather than just receiving generic phishing emails they may be targeted by more sophisticated attacks which are more difficult to distinguish from genuine apps. So Google decided that regular verification for this tier is not enough and they have chosen just a few trusted apps at their discretion.

So what can I do?

If your app had to go through verification then it means that it already uses some sensitive or restricted scopes, so for free Gmail users you cannot do anything other than maybe create a version of the app that doesn't use any of these scopes. Google Workspace users can have their admins whitelist your app.

You may want to keep in mind that few users will have this setting enabled since it heavily restricts what their Gmail accounts can do. Usually if someone has this then they know that they won't be connecting any third party apps to their accounts.

You can test this with an account that has Advanced Protection. Even common apps that are definitely OAuth verified will return the same error message. There's only one detail in your post that gives me pause, which is part of the error:

you can reach out to the app developer and encourage them to submit the app for verification

My guess based on everything I mentioned above is that this may be an inaccuracy and the error message is shared with the one shown when you try to access non-OAuth verified apps or maybe Google plans to have an extra verification process in the future. I'll try to dig a little bit deeper with some Google sources to see if there's a very well hidden way to request this and edit my post when I have an update, but given that we still only have a handful of apps allowed under Advanced Protection I doubt it.

Daniel
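
Whatever the verification outcome, the app still has to handle the authorization response cleanly so that a user on an Advanced Protection account gets the guidance above (no bypass for free Gmail, admin allowlist for Workspace) instead of a generic failure. The following is an added example, not code from the question or either answer. It treats the failure as a standard RFC 6749 error response delivered to the app's redirect URI (`error`, `error_description`, `state`); whether Google delivers `policy_enforced` that way or only on its own interstitial page is not stated on this page, so that is an assumption. The redirect URI, state value and callback URLs are constructed sample values.

```python
"""Defensive handling of the OAuth 2.0 authorization-response leg.

Added example; not code from the question, the answers or Google.
Assumption: failures arrive at the redirect URI as RFC 6749 error
responses. The `policy_enforced` code is the string quoted in the
question; whether Google sends it via redirect is an assumption.
"""
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Error codes that must not be retried automatically. RFC 6749 §4.1.2.1
# codes plus `policy_enforced` from the question. Messages are constructed
# from the guidance in the answers above.
NON_RETRYABLE = {
    "access_denied": "The user (or a policy on the account) declined access.",
    "policy_enforced": (
        "This account is enrolled in Advanced Protection, which blocks "
        "third-party apps. Free Gmail accounts cannot allowlist this app; "
        "a Google Workspace admin can add it to the domain allowlist."
    ),
    "invalid_scope": "The requested scope is invalid or unknown.",
    "unauthorized_client": "This client may not use this grant type.",
}
# Transient conditions where a later retry is reasonable (RFC 6749).
RETRYABLE = {"server_error", "temporarily_unavailable"}


@dataclass
class CallbackResult:
    ok: bool
    code: Optional[str] = None      # authorization code on success
    error: Optional[str] = None     # error code on failure
    message: str = ""               # text safe to show the user
    retryable: bool = False


def handle_callback(url: str, expected_state: str) -> CallbackResult:
    """Parse the redirect-URI URL the browser landed on and classify it."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

    # Check `state` before anything else: a mismatch means this response
    # was not produced by a request this session started (login CSRF), so
    # neither the code nor the error can be trusted.
    state = params.get("state", "")
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return CallbackResult(
            ok=False, error="state_mismatch",
            message="Authorization response does not match this session; discarded.",
        )

    if "error" in params:
        err = params["error"]
        desc = params.get("error_description", "")
        if err in NON_RETRYABLE:
            suffix = f" ({desc})" if desc else ""
            return CallbackResult(ok=False, error=err,
                                  message=NON_RETRYABLE[err] + suffix)
        return CallbackResult(ok=False, error=err, retryable=err in RETRYABLE,
                              message=desc or f"Authorization failed: {err}")

    code = params.get("code")
    if not code:
        return CallbackResult(ok=False, error="invalid_response",
                              message="Neither code nor error present in response.")
    return CallbackResult(ok=True, code=code,
                          message="Exchange the authorization code for tokens.")


if __name__ == "__main__":
    # Constructed sample callbacks; the state value is a placeholder.
    blocked = handle_callback(
        "https://app.example/oauth/cb?error=policy_enforced&state=s3cr3t", "s3cr3t")
    print(blocked.error, "->", blocked.message)
    granted = handle_callback(
        "https://app.example/oauth/cb?code=4/sample-code&state=s3cr3t", "s3cr3t")
    print(granted.ok, granted.code)
```

The `policy_enforced` branch is deliberately non-retryable: re-running the consent flow cannot succeed for a free Gmail account, so the only useful response is the explanation and, for Workspace users, pointing them at their admin.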

My verified Gmail app ran into the same error, and I just heard back from Google support. The response I received, below, was fairly succinct.

Thank you for bringing this to our attention!

This error message needs to be updated, and you should see an updated message in the near future. Accounts that are part of the Advanced Protection Program can only use Google apps and a few non-Google mail apps today. There's no action required from app developers; Advanced Protection accounts cannot access the app today, even though it is verified.

In other words, unfortunately there is no process for third party apps to become one of the "few non-Google mail apps" that are approved for the Advanced Protection program.

rsmets