Executive summary
Google is strengthening security requirements for third-party apps using the Gmail API and will revoke access to the Gmail API on February 22nd, 2019. To continue using the Gmail API, apps have to pass a permitted use review and a cyber-security assessment. A third-party software security expert organization has to be hired to conduct the technical security reviews and generate the audit materials for submission to Google's assessors.
What’s going on?
Following a Google+ security breach, and to protect its business, Google shared an update to the Gmail user data policy and announced a forthcoming new policy requiring all apps using Google APIs (specifically, the Gmail API) to pass a permitted use review and a technical cyber-security assessment.
Who’s affected?
All applications using Google APIs – web, mobile, and native – that operate on non-G Suite accounts (i.e. @gmail.com) fall under the new rules.
More specifically, these rules apply on a per-Client ID basis, and a separate review needs to be conducted for each Google Client ID a company uses.
To understand if your app is affected by these new rules, below are the specific covered Gmail API Scopes (the “Restricted Scopes”):
How to comply?
Google laid out two sets of requirements, each with its own deadline.
Permitted use review – Feb 15, 2019 deadline
This review will be done by Google based on developer-provided documentation and Google's own review of the application. The specific policies that a developer needs to meet and document are:
1. Appropriate Access: Only permitted Application Types may access these APIs.
2. How Data May Not Be Used: User data must be used to provide user-facing features and may not be transferred or sold for other purposes.
3. Security: It is critical that 3rd-party apps handling Gmail data meet minimum security standards to minimize the risk of data breach. Apps will be asked to demonstrate secure data handling with a number of different assessments (see “Cyber-security assessment” below).
4. Accessing Only Information You Need: During application review, we will be tightening compliance with our existing policy on limiting API access to only the information necessary to implement your application.
Cyber-security assessment – 2019 EOY deadline
Google prescribes six specific review types, of which three are technical security assessments:
• application penetration testing – to ensure the apps are protected against targeted security attacks;
• external network penetration testing – to ensure companies don't have vulnerable systems exposed to the public Internet;
• account deletion verification – to ensure that when a user initiates account deletion, none of their data remains in the system.
The other three reviews relate to organizational policies and procedures:
• reviews of incident response plans – to ensure organizations know what to do when they get breached;
• vulnerability disclosure programs – to ensure there's an established way for white-hat hackers to disclose, in good faith, the security issues they identified to the developers;
• general information security policies – to ensure organizations have policies to guide them in broader information security matters.
Who can help?
Google estimates the reviews performed by its dedicated assessors to cost between $15,000 and $75,000 (or more), which is about 3 times what such engagements usually cost – it pays to be a "Google approved" assessor.
However, you don't have to spend this much to become compliant. Per Google's own publication:
If your app has completed a similar security assessment, you will be able to provide a letter of assessment to the assessor as an alternative.
How not to break the bank?
To keep the cost of bringing apps into compliance with Google's new rules down, SoftSeq has developed internal procedures and materials. Because they specifically target the new Gmail API security policy, they can be reused across engagements and presented to Google's assessors, significantly lowering compliance costs.
This service comes with a guarantee: should Google's security assessors require additional security work that was not initially scoped by SoftSeq, it will be performed free of charge.
SoftSeq is an Application Security consulting company that routinely audits web applications, helping software companies comply with regulatory and customer security requirements.