by prasanthmj 2552 days ago
I invested a lot of time trying to publish a Gmail add-on and failed miserably [1][4] because of this lockdown. Here are some notes that may be of interest:

The lockdown is for the Gmail API, especially for APIs that allow reading users’ email.

Any app has to get an OAuth 2 token to get access to the API. The user has to explicitly provide access. The approval screen will show each type of access the app is asking for. See an example here [2].

In addition, Google will send an email to the user immediately after the approval, with a scary warning.

The user can withdraw the app access anytime, from Google account page.

The data access concern Google is projecting is that the app can read users’ email (remember, the app can read only the email of those who explicitly gave the app the permission to read it). The “lockdown” is a direct reply to the media frenzy that “Gmail allows any app to read anyone's email” [5]. Gmail does not allow reading email automatically. The user has to allow it explicitly.

In order to get Gmail API access, the app has to go through a Google review process where Google will ask the developer to justify each type of API access the app is requesting, in addition to explaining (with videos) what the app does and how the API is used. The first level of the approval process demands that you publish a comprehensive privacy policy and, in my experience, anything like “marketing” or “research” in the privacy policy will get you disapproved. [3]

Such a strict approval process is good and fine, and well appreciated up to this point. The issue comes with the last part of the approval process.

Those apps that require read access to Gmail have to get themselves assessed through Google-appointed third-party security assessors, paying $75,000 USD annually.

This is the main blocker.

This will kick out any app or add-on that small scale developers create. It will block new entrants. What remains will be established apps that are generating huge revenue to justify the “protection money”. They get an added advantage that there will no longer be any new competition.

It is not the restrictions, or the intention to protect the end user, that is in question, but the “first save my back” attitude in the process, and the bait and switch: that is the problem. In summary, it happened like this:

Hey developers, come build apps using our platform, show your innovation!

Developers start investing time and effort on the platform; the approval process is smooth and fair.

Somewhere else, someone misuses someone’s system; huge media attention.

Sorry developers, you go to Mr X, keep paying him and we will keep you here. If not, trash your product and go away.

[1] https://medium.com/@prasanthmj/lessons-learned-developing-an...

[2] https://www.youtube.com/watch?v=GGXFQUmZTf4

[3] https://blog.gsmart.in/applying-for-g-suite-api-approvals/

[4] https://medium.com/@prasanthmj/google-restricted-api-scopes-...

[5] https://www.wsj.com/articles/techs-dirty-secret-the-app-deve...
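The crux of the post is that the specific Gmail scopes an add-on asks for decide whether it lands in the tier that requires the paid third-party assessment. The following is an added example, not code from the post or from Google: it pulls the requested scopes out of an OAuth 2 authorization URL, buckets them so a developer or reviewer can see up front which ones are in the restricted tier, and checks a token response for scopes the app never asked for. The scope classification is my own recollection of Google's published tiers and should be verified against the current OAuth API verification policy; the client id, redirect URI and URL are constructed sample values.

```python
# Added example (not from the post): audit the Gmail scopes in an OAuth 2
# authorization request before submitting the app for Google's review.
from urllib.parse import urlparse, parse_qs

# ASSUMPTION: these sets reflect Google's scope tiers as I recall them.
# Restricted scopes are the ones that trigger the third-party assessment;
# sensitive scopes need the ordinary verification only. Verify before use.
RESTRICTED = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
}
SENSITIVE = {
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.labels",
}


def requested_scopes(auth_url):
    """Return the space-separated scopes from an OAuth 2 authorization URL."""
    query = parse_qs(urlparse(auth_url).query)  # parse_qs percent-decodes values
    return query.get("scope", [""])[0].split()


def classify(scopes):
    """Bucket scopes into restricted / sensitive / other for the review."""
    buckets = {"restricted": [], "sensitive": [], "other": []}
    for scope in scopes:
        tier = "restricted" if scope in RESTRICTED else "sensitive" if scope in SENSITIVE else "other"
        buckets[tier].append(scope)
    return buckets


def unexpected_grants(requested, granted_scope_field):
    """Scopes present in the token response's 'scope' field that were never
    requested. Should be empty; the user may legitimately grant fewer."""
    granted = set(granted_scope_field.split())
    return sorted(granted - set(requested))


# Constructed sample: an add-on asking for read access, send, and openid.
SAMPLE_URL = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-CLIENT-ID"
              "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb&response_type=code"
              "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
              "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send%20openid")
```

Running `classify(requested_scopes(SAMPLE_URL))` shows gmail.readonly alone in the restricted bucket, which is the single scope that would pull this add-on into the assessment the post describes.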