This post is in response to a question on Stack overflow. The question in question was titled How do I determine which gmail permission is causing Google to send my clients ‘Limiting access to data in your Google Account’ emails?. Unfortunately you can only read this question if you have a high enough ranking on Stack overflow because it keeps being deleted as being off topic which in my opinion it is not. So I have chosen to cross post the text from it and my answer here in order to help others.
My clients are receiving emails like this (I quote the text, but it is an html email):
From: Google Accounts
Subject: Limiting access to data in your Google Account
To: <[OMITTED my client's email address]>
Although you don’t need to do anything, we wanted to let you know that the following apps may no longer be able to access some data in your Google Account, including your Gmail content. If these apps are unable to meet the deadline to comply with our updated data policy requirements, they’ll lose access to your Account starting July 15th, 2019.
[OMITTED my company’s name]
We are making this change as part of ongoing efforts to make sure your data is protected and private.
You can always view, manage and remove apps you’ve given access to your account by visiting your Google Account.
The Google Accounts team
I operate a webapp that uses the following gmail API methods:
As far as I know I am following all of the rules. I have searched through the Google APIs Console, but I cannot see what data policy I am violating.
How can I determine the data policy I am violating? Why hasn’t Google reached out to me about this?
Is this a convincing phishing scam? These emails are being sent to my clients, so I don’t have access to see if they are signed properly, but from what I can tell from the forwarded emails they appear to be authentic.
The answer and expiation
You are not violating any security policy. This is a standard mail that comes when ever a user connects their account to a new application containing high risk scopes (note as far as I know not all scopes will result in this mail but I haven’t actually tested all scopes). This most often comes with the Gmail scopes in applications.
I would double check that your application has been verified it may help to remove some of the notifications your users are getting. Users should be informed by Google when they are accessing third party applications and warned about what that could mean.
The following scope is one of the most critical as far as Google is concerned this is most likely the one that will mean your users will always get this email when they authenticate your application. I wouldn’t be surprised if all the Gmail scopes would result in that mail but I haven’t tested it.
This email is most likely related to the fact that this application has not been verified to use the gmail scopes. Gmail scopes are one of the most sensitive scopes as far as Google is concerned as the chance that they could be abused by malicious developers is even greater.
You should apply for verification as soon as you can google may contact you and ask for a video of your application running.
In most cases it does NOT cost anything to be verified. In some cases, for particularly sensitive APIs, Google may require an outside audit of your code to make sure it does not put users of your program at risk.
After several hours of piecing together information across multiple sites along with a friend while waiting for further clarification from Google the following information was found which I hope will help developers in the future.
additional reading piecing together information available
- Elevating user trust in our API ecosystem while this page does mention “All fees are paid directly to the assessor and not to Google.” it does not state an amount. Again i have never heard
of anyone having to pay for this. However I have contacted Google and requested that the page be updated with more accurate information as to what the fee entails.
- Additional Requirements for Specific API Scopes
- Why fee clearly states why a fee is charged. These assessments are done by a third party company that must be paid. It would be unrealistic IMO for a company wishing to develop an application using Googles API to expect Google to pay for this: IMO it makes perfect sense that the cost would be transferred to the company developing the application. they will after all be making money on the application.