Live updates on Google API OAuth Verification Process

We are actively working with Google to get SigParser verified by the Google security team based on their new requirements.

We’ve spent a lot of time this year going through the process and trying to get responses from the Google team. We are doing everything we can to get through this with them, but much of it has been out of our hands while we wait for their responses.

The following should give you some insight into where we are with the process.

Background

SigParser had been a verified application for years under the previous policies. We’d submit to Google for review any time we needed to change which data we needed access to, needed to change our product branding or as Google requested.

In October 2018 Google announced new policies for any application using certain data access scopes such as Gmail access, contacts and calendars. This includes a more in-depth review than in the past, where they examine the usage of each scope in more detail and look closely at the privacy policy.

For apps which were already approved, like SigParser, we have until the end of 2019 to conduct a security audit with one of two third party security vendors. This is expected to cost between $15K and $75K annually. Many other email products have shut down because of this requirement, but we’re going to pay it so we can continue to serve our Google-based customers.

Latest Updates

June 5 - Warning screen still active

We’re not sure why but the warning screen is still active when users go to connect their accounts.

We’ve emailed Google to get them to take it down now that we’ve passed their policy review and our application was approved prior to January 2019.

June 4 - Policy Review Success, Security Review Next

Google replied today.

We reviewed your project and it appears to be in compliance with the Google API Services User Data Policy.

If you were previously informed that your consumer accounts will be notified about your app's non-compliance, this will no longer be the case.

...

If your application was verified prior to January 15, 2019, this assessment must be completed by December 31, 2019.

Otherwise, public users from your application will not have access to Restricted Scope APIs.

Our application was approved prior to Jan 15, 2019 so users should no longer see an “Unverified” warning when connecting their email accounts.

We will be working hard to make sure we get our security assessment completed by Dec 31, 2019.

May 31

Pinged Google again about watching the whole video we sent. No response.

May 30 - Google apologizes for miscommunication with templated email

Google sent a generic email to us informing us we’re in the final stages of the review and they’re sorry for any miscommunication.

One of the Google approved security vendors sent us a quote for the audit. We’re working with the other one to get a quote. We must complete the audit by the end of the year.

May 29

Pinged Google again. No response.

May 28

Pinged Google again. No response.

May 22 - Google didn’t watch the entire video we sent 6 days ago

Google’s verification team watched our video from May 16th but didn’t watch the entire video and missed our Client ID in the URL which is 1 minute and 10 seconds into the video. Not sure if they listened to the audio on the video which explains it. They requested we send them another video.

We responded to their request by requesting they watch the entire video (only 4 minutes long) and included the timestamp in the video where they can see what they need to see if they want to skip ahead and also a screenshot of the section of the video.

May 20 - Possible warning email soon from Google

We expect emails from Google will be going out to GSuite administrators today who have users connected to SigParser or have connected in the past. It will be warning them that our app is currently unverified. We don’t know what these emails will look like or what they will say exactly. If your administrator asks, you can refer them to this page.

We’re happy to provide a security whitepaper for SigParser detailing our security practices. It is 15 pages long and very technical. Contact us for more information.

May 16 - Sent the video with better scopes

We responded to the email Google sent us asking for the video and testing details and we also resubmitted our scopes request.

Our new scopes don’t require as much access, which gives us a better chance of getting through the security review. For example, we used to require read and edit permissions for email and calendars but were able to reduce the required scopes to read only. Unfortunately this meant we had to submit a new request because of the changes. We also replied to their original email thread, as we’re not sure how everything for our project is linked on their backend.

Google has warned us that if we don’t get thru this process with them by June 27th they’ll disallow new email connections and revoke grants by July 15th. If this happens we will refund any recent SigParser payments for Google users impacted by this.

May 15 - Google’s going to notify our customers

Google notified us they were going to start emailing our enterprise customers and users in 5 days, and normal consumer accounts in 10 days, notifying them that our app was non-compliant. It doesn’t seem to matter that we’ve spent months waiting for responses from them.

May 14 - Another video request

Google’s OAuth API verification team responded to our email quickly this time and provided the list of 2 security vendors and asked for another video and more details for how to test the application. This seems to be a pretty standard templated response.

We contacted the third party security vendors. We heard back from both of them within 6 hours. With one we have a meeting set up for next week. For the other we need to fill out a detailed security form and submit it to them.

May 13 - Google Cloud Support response

Google Cloud support (not the OAuth verification team) finally responded after another request from us and told us to reply on one of the original request threads the OAuth verification team had sent. We did that immediately.

May 10 - No response still

A week after the Twitter response no one contacted us from Google.

Tried reaching out to the support contact on Twitter again but heard nothing back.

We submitted a new request via Twitter.

May 4 - Went to Twitter

After nearly a month of waiting and after getting no response from anyone on the OAuth team our CEO finally went to Twitter to see if we could get anyone to respond.

Within 15 minutes someone contacted us and let us know they’d reach out to Google’s teams. But nothing came of that.

April 16 - No response

We emailed the OAuth verification team directly for the list of security vendors but didn’t get a response.

April 15 - No response

We got an unhelpful response from Google Cloud support (not the OAuth verification team). Under the support plan we pay for they are supposed to respond to these support requests within 4 business days, or 24 hours for critical issues. They took longer than both of those times, and their response didn’t contain much information to help us.

April 8 - No response, submitted Google Cloud Support request

Since our app was now showing a giant warning when connecting a Google email account, this became much more urgent for us. We submitted a Google support case via our paid Google Cloud support plan to see if we could get anyone to talk with us.

April 7th - Submitted new Privacy Policy to Google

We completed our Privacy Policy review. We made it more clear that we never give away or sell the data we extract from email accounts, contacts or CRM systems.

We submitted our application once again as instructed. This means we had to start the process all over again.

Google requires a Google-approved third party auditor to conduct a security audit by the end of 2019. This will cost between $15,000 and $75,000. There isn’t a list anywhere of the third party vendors they accept, so we asked for the security vendor list at this time so we could get started on the process.

April 5th - Lost Verified Status over Privacy Policy

Google responded back saying they were denying our request due to concerns with our privacy policy and not fitting their new rules.

At this point our application was toggled from verified to unverified and we were told to reapply once the problem was resolved. Later we learned this might have actually been a bad instruction as it seems they use the same email thread to track a customer but none of that is visible to us.

April 1 - Started working on more restrictive scopes

We started working on more restrictive scopes for SigParser so that SigParser doesn’t need permission to delete emails or modify the calendar. In a future update it will only need read access to those things. This should be completed in the next couple of months.

March 27th - Google requests video of OAuth flow

After a month of waiting we heard back from OAuth verification team. They requested we create a video showing how the app worked. We responded to the request 2 hours later.

At the time we required read and delete permission on email because we were using IMAP for email access. We were working on moving to the Gmail API for email access, but the API is very different from IMAP. We told them we were working to move to the API so we could request a reduced scope set.
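The scope reduction described here and in the May 16 update (full mailbox access for IMAP replaced by read-only API scopes) can be audited programmatically. The following is an added example, not SigParser’s code: it maps each write-capable Google scope to its read-only equivalent, builds the consent URL, and checks the scopes Google actually granted against the ones requested. The scope URIs and the authorization endpoint are Google’s published ones; the client ID, redirect URI and the before/after scope sets are constructed for illustration.

```python
from urllib.parse import urlencode

# Google's write-capable scopes and the read-only scope that replaces each.
# https://mail.google.com/ is the full-mailbox scope IMAP access requires.
READ_ONLY_EQUIVALENT = {
    "https://mail.google.com/": "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify": "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/calendar": "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/contacts": "https://www.googleapis.com/auth/contacts.readonly",
}

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def minimize_scopes(requested):
    """Replace each write scope with its read-only equivalent, deduplicating but keeping order."""
    minimal = []
    for scope in requested:
        reduced = READ_ONLY_EQUIVALENT.get(scope, scope)
        if reduced not in minimal:
            minimal.append(reduced)
    return minimal


def write_scopes(scopes):
    """Scopes that still grant write/delete access (anything not ending in .readonly)."""
    return [s for s in scopes if not s.endswith(".readonly")]


def build_consent_url(client_id, redirect_uri, scopes, state):
    """Authorization-code request; Google expects scopes as one space-separated string."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": "offline",
        "state": state,  # anti-CSRF value bound to the user's session
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def check_granted(requested, token_scope_field):
    """Google's token response carries a space-separated 'scope' field. Returns
    (granted beyond request, requested but not granted); the first should be empty."""
    granted = set(token_scope_field.split())
    return sorted(granted - set(requested)), sorted(set(requested) - granted)


# Constructed before/after sets mirroring the page: IMAP era vs. API era.
IMAP_ERA_SCOPES = ["https://mail.google.com/", "https://www.googleapis.com/auth/calendar"]
API_ERA_SCOPES = minimize_scopes(IMAP_ERA_SCOPES)
```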

February 28th - Submitted verification request

We submitted another verification request when we realized our October verification wasn’t going to be good enough.

November 2018 - Google details more about new policies

Google notified us we needed to submit our application in the new year, in January or February. We weren’t sure whether we needed to, since we’d already passed after the prior announcement. We knew we’d need to get a security audit done by one of their third party contractors by the end of 2019, but we couldn’t find those details on their website.

October 2018 - Google announces new policy review

In late 2018 (October 8th) Google announced a new security review process for any applications requesting access to email. At the time there weren’t many details.

We immediately submitted a verification request on October 10th to make sure we were in compliance. We passed that review. Our project ID for SigParser is “dragnettech”.

Conclusion

We’re working hard to get our application approved through the Google process. We are responding to them as fast as we can, but there isn’t much we can do to make them move faster. We pay for Google Cloud support, but that doesn’t seem to have helped this process.

As we have any new updates, we’ll post those here.