'How do I determine which gmail permission is causing Google to send my clients 'Limiting access to data in your Google Account' emails? [closed]

My clients are receiving emails like this (I quote the text, but it is an html email):

From: Google Accounts

Date: [OMITTED]

Subject: Limiting access to data in your Google Account

To: <[OMITTED my client's email address]>

Hi,

Although you don’t need to do anything, we wanted to let you know that the following apps may no longer be able to access some data in your Google Account, including your Gmail content. If these apps are unable to meet the deadline to comply with our updated data policy requirements, they'll lose access to your Account starting July 15th, 2019.

[OMITTED my company's name]

We are making this change as part of ongoing efforts to make sure your data is protected and private.

You can always view, manage and remove apps you’ve given access to your account by visiting your Google Account.

Thanks,

The Google Accounts team

I operate a webapp that uses the following gmail API methods:

gmail.users.getProfile
gmail.users.messages.send
gmail.users.threads.get

As far as I know I am following all of the rules. I have searched through the Google APIs Console, but I cannot see what data policy I am violating.

How can I determine the data policy I am violating? Why hasn't Google reached out to me about this?

Is this a convincing phishing scam? These emails are being sent to my clients, so I don't have access to see if they are signed properly, but from what I can tell from the forwarded emails they appear to be authentic.

google-apigmailgmail-apigoogle-developers-console


Solution 1:[1]

You are not violating any security policy. This is a standard mail that comes when ever a user connects their account to a new application containing high risk scopes (note as far as I know not all scopes will result in this mail but I haven't actually tested all scopes). This most often comes with the Gmail scopes in applications.

I would double check that your application has been verified it may help to remove some of the notifications your users are getting. Users should be informed by Google when they are accessing third party applications and warned about what that could mean.

The following scope is one of the most critical as far as Google is concerned this is most likely the one that will mean your users will always get this email when they authenticate your application. I wouldn't be surprised if all the Gmail scopes would result in that mail but I haven't tested it.

https://www.googleapis.com/auth/gmail.send

verification

This email is most likely related to the fact that this application has not been verified to use the gmail scopes. Gmail scopes are one of the most sensitive scopes as far as Google is concerned as the chance that they could be abused by malicious developers is even greater.

You should apply for verification as soon as you can google may contact you and ask for a video of your application running.

Unverified apps

In most cases it does NOT cost anything to be verified. In some cases, for particularly sensitive APIs, Google may require an outside audit of your code to make sure it does not put users of your program at risk.

After several hours of piecing together information across multiple sites along with a friend while waiting for further clarification from Google the following information was found which I hope will help developers in the future.

additional reading piecing together information available:

  • Elevating user trust in our API ecosystem while this page does mention "All fees are paid directly to the assessor and not to Google." it does not state an amount. Again i have never heard of anyone having to pay for this. However I have contacted Google and requested that the page be updated with more accurate information as to what the fee entails.
  • Additional Requirements for Specific API Scopes
  • Why fee clearly states why a fee is charged. These assessments are done by a third party company that must be paid. It would be unrealistic IMO for a company wishing to develop an application using Googles API to expect Google to pay for this: IMO it makes perfect sense that the cost would be transferred to the company developing the application. they will after all be making money on the application.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Prisoner

Related Questions

Google Maps API not returning some postal codes (French cities)

How to integrate Google Picker with new Google Identity Services JavaScript library

Google's "define: " through an API?

How to access Google calendar in Android

How do I access (read, write) Google Sheets spreadsheets with Python?

How to MODIFY a Google Docs document via API using search-and-replace?

Android 5.0 IllegalArgumentException: Service Intent must be explicit: on com.google.android.location.internal.GoogleLocationManagerService.START

jest unit test mock google oauthClient in nestjs

Svelte how to import

People API - QUOTA_EXCEEDED / FBS quota limit exceeded

Decode integrity token using Google PlayIntegrity API

How to use Google API credentials json on Heroku?

Batch request Google Calendar php API

Batch request Google Calendar php API

Using Python to do basic Google Drive operations without web server authentication