Google Marketplace hosted public add-on security assessment fee.

I have developed a public addon to download email messages and file attachments from Gmail to Google Drive, automatically. Emails are saved as PDF and attachments are archived in eml format to the user's Google Drive.

Currently it has the scopes below:

See, edit, create, and delete all of your Google Drive files

See, edit, create, and delete all your Google Sheets spreadsheets

Read, compose, and send emails from your Gmail account

Display and run third-party web content in prompts and sidebars inside Google applications

Allow this application to run when you are not present

See your primary Google Account email address

See your personal info, including any personal info you've made publicly available

 

Do I need to undergo a security assessment and pay the fees to a third party assessor?
My addon does not use external sources, hence my addon will not send data to a server.
I have read the documentation at https://support.google.com/cloud/answer/9110914?hl=en but I am still not clear whether I need to undergo a security assessment.

Please advise.


Probably yes. It's a little hard since I'm relying on the scope descriptions instead of the actual scope codes, but it sounds like the app is requesting access to all of Gmail and all of Drive instead of the narrower per-message or per-file scopes. Those broad scopes are the ones that trigger more scrutiny and likely will require an assessment.


Stephane_fr
Google Developer Expert

Hi

Same answer as Steven: full Gmail and full Drive trigger a security audit.

If your app is targeted at Workspace-only domains and not consumer users (gmail.com), you can turn your app into Admin Install only, but that means it will not be discoverable in the Marketplace by end users and only super admins will be able to view it and install it. But in this case you can't stay with your consent screen not validated as it is only admin install.

 

In terms of public exposure it will be really low, but the app can be published like that.

 

Stéphane

Thanks. The question is more concerned about a security assessment and not a review assessment.

 

The addon is a public addon and not domain controlled.

 

My concern is whether I am asked before we step ahead for a security assessment or we are simply given the final bill?

Stephane_fr
Google Developer Expert

Hi

 

No, you have to submit your app for Marketplace publication and Google will guide you in the process and designate a third party for the assessment.

https://support.google.com/cloud/answer/9110914?hl=en#zippy=%2Chow-will-the-security-assessment-work

 

Now, if your app is ready, you have to submit it and Google will guide you.

 

Stéphane
