Live Updates on the Google OAuth verification process and security audit

Earlier I wrote about my feelings on Google’s new verification process for sensitive and restricted Gmail API scopes, and here I’ll be posting live updates of GMass’s journey through the process. We’re doing this for the benefit of the thousands of developers that have yet to begin the process, are thinking about the process, or are frustrated with the process.

5/28/19

I email Bishop Fox to ask about the approval status of the SAQ (Self Assessment Questionnaire), because it’s been a couple weeks and I haven’t heard anything. If Google approves their use of the SAQ, it lessens my cost of the security assessment.

5/16/19 (update from Google)

Google sent the below email, informing me that if I don’t go through with the security assessment, I’ll lose access to the restricted scopes. It also clarifies one of the prior points of confusion — that if my app is to be used within G Suite domains only, then I don’t have to go through the security assessment. Meaning, if I don’t care about taking on @gmail.com users, then I don’t need to go through with the assessment. The email also asks for confirmation of whether I will be proceeding or not. I have replied confirming my intention to go through with the assessment.

5/9/19 (two quotes arrive from Bishop Fox)

Bishop Fox explains that they are attempting to get approval from Google to satisfy one portion of the requirements via a “Self Assessment Questionnaire” rather than a full deployment review and policy and procedure review. Of course, I welcome the simpler approach, and I’m waiting to see if this approach is approved.

5/3/19 (later that day)

Bishop Fox acknowledges receipt of the scoping survey.

5/3/19 (I respond to Bishop Fox’s scoping survey)

It took a while to fill out, because of the detailed questions in it.

5/2/19 (Proposal arrives from Leviathan)

I’m impressed with the speed at which Leviathan handles communication. It was just 15 minutes before I got a response to my initial inquiry, and I have a proposal the very next day after our phone call. I’ve been asked not to disclose pricing information, so out of respect for Leviathan, I won’t mention that here.

5/1/19 (Call with Leviathan and follow-up)

I have a short phone call with a rep from Leviathan, where I describe the nature of GMass, its public facing interfaces, and a little about its underlying architecture. Given that GMass does not have an API and is only usable as a Chrome extension, the rep indicates that this will be one of their simpler security assessments and would require 2-3 days of work. After the call, he sends me some information to verify and an NDA, which I send back the next morning.

4/29/19 (several hours later)

Bishop Fox responds within several hours of my email.

4/29/19 (15 minutes later)

Leviathan responds within 15 minutes of my email. We eventually schedule a phone call for mid-next week.

4/29/19 (later in the day)

I reach out to both of the security firms, Leviathan Security and Bishop Fox, that have been approved to conduct the security assessment.

4/29/19 (earlier in the day)

Google denies my request to skip the security assessment.

4/22/19

I respond to the notice asking if I can skip the security assessment if I reduce the Gmail API scopes I’m using for GMass.

4/20/19

I receive a notice from Google that the fun is only now beginning (proceed with security assessment).

4/1/19

(April Fool’s Day — maybe they’ll let me know this has all been a joke?)
I’m told I’m in the final stages of verification.

3/31/19

I respond with my agreement.

3/26/19

Google emails asking me to confirm my agreement with a statement.

3/23/19

I responded with another video.

3/21/19 (a few hours later)

I received an additional request deeming the first video insufficient.

3/21/19

I receive this request from Google for an additional video.

3/18/19

I respond, letting Google know I’ve made the branding changes they suggested.

3/15/19

After Google presumably watches my video, they respond, asking me to conform to their branding guidelines.

3/9/19

I respond with the requested YouTube video.

3/6/19

Google responds with their request for a YouTube video.

2/15/19

I responded to the ambiguous request from Google.

2/15/19

Received this email with no project ID listed, and given that I manage multiple apps built for Gmail, I didn’t know if this pertained to GMass or not.

2/9/19

I respond to Google’s request for the scope explanation.

2/7/19

Email received from Google asking for an explanation of the need for the full mail.google.com scope.

7 Replies to “Live Updates on the Google OAuth verification process and security audit”

  1. Vinay

    Hi Ajay & team, came across GMass. Looking for information on data security. Per this blog it seems like you are still working through being approved for Google’s new security requirements. If yes, do I need to wait before I use GMass, as there may be a threat to my Gmail data if I connect to GMass today?

  2. Andrew

    Great write-up! Waiting for the next update!
    It’s also not clear how long this assessment is good for: will it be an annual review, and what happens when you change the code accessing the Gmail API?

  3. Kit

    This is a wonderful write up, thanks for taking the time to do this.

    Like you, I’ve had to go through the verification process and my heart sank when I first read the obtuse and confusing documentation and came across the 75k fee.

    Fortunately my business falls under the local device only and I managed to get out of the security assessment and only do the video. But I can see how frustrating the whole thing is, you have my sympathies.

  4. HeavyMod

    I appreciate you taking the time to write this up – it is a frustrating experience to say the least.

    I am curious about the email you received on 4-29. They say “Your callback URL is server (not restricted through users devices ) , and not managed by Google”. That seems to imply if you were using google servers, there would not be a problem.

    And what does the “(not restricted through users devices)” mean? How would a server callback work that was “restricted” and therefore permissible?

    My biggest complaint about this entire new process? Google doesn’t seem to give a fuck. The OAuth board on Google is shut down, and you are pushed to Stack Exchange. Which I guess is fine if you have a code question – but it means you cannot even discuss the security audit or Google’s process – those are all Customer Relations issues. Every time I’ve tried to discuss the issue there, my posts are closed.

    We pay for gold tier GCP support – who will not answer any OAuth questions, much less provide advice or support on how to navigate this maze. I’m just a bit surprised at how quickly Google just kicked all the indie devs to the curb.
