
Elevating user trust in our API ecosystem

46 points, by wayoverthecloud, over 6 years ago

14 comments

jivings, over 6 years ago

I've been caught by this change. Google have requested that my app be audited by one of the suggested security firms. The lowest quote I have right now is $22k.

We're a bootstrapped business with nowhere near this kind of cash, so this effectively means Google are shutting our service down.

What's crazy is that while this might help protect from negligent developers accidentally losing a few user keys, it doesn't really solve the real problems like it's claiming to. It in no way protects you from the worst offenders, the Cambridge Analyticas out there, the ones with plenty of cash, from still stealing or abusing your data. They can just pay to make this go away.

This is seriously bad news for any independent developers or small companies who are building apps on top of Google's API.
ihaveajob, over 6 years ago

Well, that's a no-go. We're a small startup that's scraping by and only recently we're starting to get some traction on our Gmail integration. If we're asked to undergo such a review, we don't have the $15k+ to spare, so we'll likely say goodbye to the ecosystem. Like someone else said in this story, we're probably just going to focus on Microsoft, which is much more developer friendly.

Worst of all, this won't stop intentional bad actors from stealing user data for whatever purposes they have in mind. Big pockets are going to laugh even at a $75k fee.
Ivoirians, over 6 years ago

What an awful choice of a title. (Used to be something like "New Google policy charges devs $15k to access Gmail API".)

Also, this isn't a bad move AFAICT (tightening policies and access to a very important API), but it's evidently a reaction to the backlash from that WSJ "exposé" about the scandalous fact that email providers allow third parties to read/manage your inbox... if you give the third parties permissions and access tokens. That was just dirty reporting and intentionally misleading average readers; the comments on that article were all akin to "I knew Google was reading my emails!". And I don't see this change mattering much to those people.
solomatov, over 6 years ago

I like this initiative of Google. Currently, I am very cautious about giving apps access to Gmail, and I would be much happier if I knew that the app was evaluated by security professionals.
TheAceOfHearts, over 6 years ago

I think this could be improved by carving out some minor exceptions for applications under development or starting off, perhaps with a low user limit to prevent abuse. Their FAQ says you can avoid reviews if you only have a single user, but it doesn't seem unreasonable that you could have a team of 2 or 3 people working on something. Once you have something working you'd probably invite close friends and family as well. Although you can work around that by using G Suite accounts, it kinda sucks that you're forced to pay.

A scaling system based on number of users and other factors would probably be better. Look at the list of requirements for a security audit [0]. I'd imagine many small businesses would struggle to sort out everything listed there.

I'm not a fan of removing user choice. If someone has established trust out-of-band then they should be able to opt in after acknowledging that they accept and understand the risks. But I guess we need big daddy Google to step in and protect us, since we're too dumb to critically assess the situation.

Something that nobody seems to be mentioning is that you need to perform these security assessments on a yearly basis. Talk about drastically raising the barrier to entry...

[0] https://support.google.com/cloud/answer/9110914#assessment-includes
troydavis, over 6 years ago

Whatever one's view of this approach, it seems to justify a FAQ entry like "My app doesn't charge money. How does Google recommend I proceed?"

Even if the answer is that Google is indeed shutting out free/not-for-profit and pre-revenue apps (collateral damage), it should at least be stated explicitly.
patrickyeon, over 6 years ago

I have a few convenience scripts that access the Gmail API for my own inbox, and only my own account. Does anybody know if there is some kind of "under development" flag I can set so that I don't have to undergo this review? Am I going to need to convert them to directly using IMAP or something similar?

I'm not horribly against this policy; email is pretty central to a lot of people's world, and I suspect there's lots of really, really scummy actors out there. In an ideal world I'd be able to say "hey, this is my email and I personally wrote the code accessing it, so let it do what it wants".
gnomewascool, over 6 years ago

Would something like gmailieer [0][1] be affected? (Or, in general, FOSS software for syncing with one's Gmail data.)

It uses some of the "restricted" scopes [2].

Also, what does the verification as "non-malicious software" entail?

[0] https://github.com/gauteh/gmailieer/

[1] A CLI program that downloads one's (i.e. the user's) Gmail e-mails onto one's computer (without touching any third-party servers on the way). It's effectively a better offlineimap for Gmail, for use with notmuch. [3]

[2] https://support.google.com/cloud/answer/9110914#restricted-scopes

[3] http://notmuchmail.org/
RcouF1uZ4gsC, over 6 years ago

I am actually very happy about this. For too long, private data has been viewed as an easy business opportunity. Now we are getting to the point where private data is being viewed as a liability.
abarringer, over 6 years ago

We just got blindsided with a $16,500 charge from Experian for a security audit. Previously they accepted our PCI letter; now they insist on selecting an auditor and sending them onsite for us to continue using their API. Maybe this will become the norm going forward? Any vendor you get PII from will insist on you paying for an audit of their choice?
leowoo91, over 6 years ago

I don't get the scope. So, an app I've made within the company which is reading the company inbox (located on a server) using the Gmail API: does this policy apply to that, for example? Or is it related to some kind of OAuth rather?
jillesvangurp, over 6 years ago

Ouch, this is likely to affect us as well. We ask our users to give us access to their contacts and calendars. This is opt-in and helps us help them. This is all completely optional, opt-in; we comply with GDPR, and use common sense.

Having a whole lot of bureaucracy and cost from Google is not going to help and is going to cause us a lot of hassle.

To me this sounds very much like an anti-competitive measure aimed at shutting down the vast majority of third-party software currently accessing their APIs and forcing users to use their official apps to access their email.

LinkedIn did a similar move a few years ago where they basically shut down their entire API ecosystem in favor of tightly controlled partnerships with selected partners. Twitter killed the market for third-party UIs as well.
anoncoward111, over 6 years ago

I would love to know what connection the "industry leading assessors" have to any Google employees at all. Surely they are completely impartial and unrelated, when 15 to 75 thousand dollars is on the line!
__initbrian__, over 6 years ago

Google Cloud Blog article title: Elevating user trust in our API ecosystem

The $15k+ barrier refers to a mandatory security assessment fee; see "How will the security assessment work?" in the FAQ.