As a Gmail user - good to hear this. In the long run trust is going to be a much more important commodity than letting a spam app into your Gmail.<p>If you look at the services that want access to all your Gmail data - many promise something "free" but then mine that data (in the fine print) to send you offers, alert you to "savings" etc.<p>I automatically turn down apps that say they need access to my entire Google Drive and all email. Why not just ask for permissions for a single app-specific folder? I.e., fax apps -> they should just store inbound faxes into one folder rather than asking for full Drive access.
I'm the author of the Mailspring email client and I've been dealing with this OAuth verification process for the last three months. Mailspring has "pro" features that leverage a small backend API, but it syncs your mail on your computer and your mail data, passwords, tokens, etc. never leave your machine. I care very much about data privacy and I wouldn't use the app myself if it was sending mail data to the cloud.<p>I'm a big fan of Google watching out for their users. I know of at least one very sketchy company that has shut down because of this new policy, which is great.<p>But after three months, they basically told me: "Your desktop app makes a network request to a third party server, you must pay $15,000 for a security audit." Their process has been vague and I wish they'd make an effort to understand whether an audit is really necessary. Their security contractors are going to be laughing all the way to the bank as they review my web service that never sees Gmail data in the first place.<p>Thankfully, Mailspring makes a bit of money and I can afford to do this to keep it alive. But fast-forward a few years and this is going to devastate innovation and development of third-party mail clients. (And I think Google prefers it this way.) If the app didn't already have critical mass, or if I was just starting a mail app now, I'd probably throw my hands up and give up rather than emailing them dozens of times and coughing up $15k.
As both a Gmail user and developer interested in applications to help me manage my personal information, this is incredibly depressing to hear.<p>The idea of a verification process itself is great, and I applaud that effort. But some of these barriers seem put in place solely to kill competition and prevent startups from filling the personal data needs before Google comes up with its own plan.<p>These exorbitant fees of $15,000 and $75,000 are completely unjustifiable.
This all makes sense to me. If you're not providing enough value to users to cover the >$15k fee, you're just an attack vector for user data.<p>Consistency of the process aside, I'm really not sure what people would expect.<p>(I work at Google, yadda yadda, but have nothing to do with this.)
Even for non-Gmail apps, this process is incredibly painful. I have an app that has been stuck in the process for weeks. Once you have read through the incredibly confusing and out-of-date documentation and submit what you think is the correct set of settings to comply with their policy, you then have to deal with the reviewer who will email you once every week if you are lucky. Usually, to understand what they are asking you to fix, you have to email them back and forth a few times. I love the platform, but they need to fix this aspect of it.
A friend and I have been working on a side project that depends on Google Auth to send emails on a user's behalf. It's one of the app's two critical features. We're not necessarily deterred by this story, but we'll start rethinking our dependence on Google.<p>A $15-75k fee is something that's hard to stomach at our stage. We have about 10 Gmail users excited to try our product and they might not have an issue accepting the "Unverified App" screen because we have earned some of their trust through phone calls and meetings. However, converting people that come across the app organically will be difficult.<p>We aren't sure when the right time will be to pay the fee and become verified. Anyone have ideas on strategy here? It could help us and other developers in the same position. We'd like to avoid raising money but this might be a good reason to - investors may see Google verification as a competitive advantage.
As someone who tried to develop a tool to help pause their box to improve focus throughout the day, I got bit by this process as well.<p>Basically Google just went dark on me altogether. Has been months since their last reply and I kept trying to follow up. The feature I needed elevated permissions on was the ability to add filters, which unfortunately is buried with a bunch of other more dangerous permissions.<p>Looks like I’ll never get to launch the product :(<p>On the plus side, it works fine for just me! So, I just built a tool only I can use.
Someone needs to make it trivial to host your own email, and sell it as reliable. I think you could probably sell more than just techies on it, given how your email is a <i>critical</i> system to many people in modern times.
This is terrible, but building a business based on third-party APIs is always a tremendous risk. This isn't the first time a bunch of small apps have been killed off by some company making their APIs inaccessible.<p>Also, for people who are pushing for more government regulation of service providers - this is the lite version of what you are asking for.
It is not too hard to understand them trying to leverage the potential market of identity providers. Facebook's Libra basically tries to do the same.<p>It would be a waste to use any services attached to it in my opinion. Otherwise OAuth is a great technology, but interests may make it not worthwhile.
This is very helpful to see, along with the GMass blog mentioned within. We've been going through this process for months and it's definitely a moving target with no clear path to resolution. The whole process feels a bit Kafkaesque.