Since the beginning of the year, Google has worked on Project Strobe, an extensive review of third-party developers' access to Google account and Android device data. The review also analyzed the company's underlying philosophy on how information is used by other applications. Among its findings, it determined that users grant third parties access to their Gmail with only specific use cases in mind. As a result, limits will be placed on which use cases are allowed.
The User Data Policy for the Consumer Gmail API has been updated to reflect the strictest standard. In the future, only applications that "directly improve the functionality of email" will be able to use the data. In addition, there are new restrictions on how this data can be handled, and some applications may have to undergo security assessments, which developers must pay for themselves.
There has been a lot of misinformation about the handling of email data, especially in the United States Congress, and Google has responded to it. Ultimately, users have voluntarily provided access to their information, but the company is taking further steps to ensure that developers do not abuse it. Under the new policy, native and webmail clients and applications are allowed to automatically back up email. The new policy also allows services such as CRM and mail merge, or reporting services such as package delivery updates. They can use the Covered Scopes for Gmail, which are the APIs that allow reading, creating or modifying messages, and controlling mailbox access and settings.
Other applications may use these Covered Scopes provided they limit their use of the data to providing only the functions a user expects, and they cannot transfer the information for advertising. Google explicitly prohibits human access to the data, except in specific scenarios that include security purposes and compliance with applicable laws. Notably, the limits also apply to anonymized data and to information derived from it.
These changes follow the introduction of Gmail add-ons, which allow developers to integrate their services into Gmail. To improve security when interacting with these features, Gmail is introducing granular permissions, so users are asked to grant an application each permission individually, as it is needed.
The application review process and external security assessment will begin next year. On January 9, 2019, developers using Covered Scopes will be able to submit their applications to Google for the first stage of the process. The deadline to submit for review is February 15, 2019. If an application is not submitted, the company will begin to revoke user access. This process will ensure compliance with the new policies regarding limited use, appropriate access and minimum scope.
Next, a third party will complete the security assessment. Google estimates that the fee for this will range between $15,000 and $75,000, and possibly more, depending on the specifics of the application. Alternatively, developers can provide certification from a prior assessment if they have already gone through a similar one.
Google has published a lot of information about the new procedures. Developers who use the Gmail APIs should read the new policies carefully to ensure that their applications comply.