Since the beginning of the year, Google has worked on Project Strobe, an extensive review of third-party developer access to the data of your Google Account and Android device. The operation also analyzed the company’s underlying philosophy of how information is used by other apps. As part of its findings and changes, it determined that users grant third parties access to their Gmail with only specific intentions. Consequently, limits will be placed on which use cases are permitted.
The User Data Policy for the consumer Gmail API has been updated to reflect the stricter standard. Going forward, only apps "directly enhancing email functionality" will be allowed to use the data. Furthermore, there are new restrictions on how that data can be handled and some apps may have to undergo security assessments, which developers must pay for on their own.
There’s been a lot of misinformation about the handling of email data, especially in the U.S. Congress, which Google has responded to. Ultimately, users have willingly provided access to their information, but the company is taking more steps to ensure developers don’t abuse it. According to the new policy, both native and webmail clients and apps for backing up email automatically are permitted. Services such as CRM, mail merge, or reporting services like package delivery updates will also be allowed under the new policy. These can use the Covered Scopes for Gmail, which are APIs that allow the reading, creating, or modification of messages, and controlling mailbox access and settings.
Other apps may use these Covered Scopes as long as they limit their use of data to providing the features that a user expects and do not transfer information to serve ads. Google explicitly prohibits human access to the data except in specific scenarios, including security purposes and complying with applicable laws. Notably, the limits also apply to anonymized data and to information derived from it.
These changes follow the introduction of Gmail Add-ons, which allow developers to integrate their services into Gmail. To enhance security while interfacing with these features, Gmail is introducing granular permissions, whereby users are asked to grant an app each permission individually, as it is needed.
An app review and external security assessment process will begin next year. On January 9th, 2019, developers using Covered Scopes will be able to submit their programs to Google for the first stage of the process. The deadline for submitting the review is February 15th, 2019. If one is not turned in, the company will begin to revoke user access. This process will ensure compliance with the new policies regarding limited use, appropriate access, and minimum scope.
Following this, a third party will complete the security assessment. Google estimates that the fee for this will range from $15,000 to $75,000, and possibly more, although it depends on the specifics of the app. Alternatively, developers may provide a certification of a previous inspection if the app has already gone through a similar one.
Google has published a wealth of information regarding the new procedures. Developers who make use of Gmail APIs should thoroughly read through the new policies before ensuring the compliance of their apps.