If you look at the service that want access to all your gmail data - many promise something "free" but then mine that data (in the fine print) to send you offers, alert you to "savings" etc.
I automatically turn down apps that say they need access to my entire google drive and all email. Why not just ask for permissions for a single app specific folder? Ie, fax apps -> they should just store inbound faxes into one folder rather than asking for full drive access.
Basically because Gmail A) doesn't have folders B) doesn't have permissions based on tags. Otherwise most Gmail API apps would have this option.
The same thing is a problem when you want to delegate access to an email account, where there should be a way to delegate access based on tags, but there just isn't.
What you can now do is create Gmail Add-Ons, which only have access to this specific thread that's open when you click to activate the add-on. E.g. this is how we created https://www.prettyfwd.com
One other comment, there seems to be a spammer on the review page...
That's not possible. Many people and apps have been asking for more fine-grained permissions from Google APIs for years. It hasn't been done other than a few changes on Android.
This is common with most large providers that have big 3rd party ecosystems but very poor permissions that only offer all-or-nothing access.
Dropbox lets apps work on either a single app specific folder, or on your entire dropbox.
But the app has to be one type or the other, the user cannot choose what access they want to give out.
Disclosure: I work at dropbox, previously on the api-platform team.
I'm a big fan of Google watching out for their users. I know of at least one very sketchy company that has shut down because of this new policy, which is great.
But after three months, they basically told me: "Your desktop app makes a network request to a third party server, you must pay $15,000 for a security audit." Their process has been vague and I wish they'd make an effort to understand whether an audit is really necessary. Their security contractors are going to be laughing all the way to the bank as they review my web service that never sees Gmail data in the first place.
Thankfully, Mailspring makes a bit of money and I can afford to do this to keep it alive. But fast-forward a few years and this is going to devastate innovation and development of third party mail clients. (And I think Google prefers it this way.) If the app didn't already have critical mass, or if I was just starting a mail app now, I'd probably throw my hands up and give up rather than emailing them dozens of times and coughing up $15k.
The idea of a verification process itself is great, and I applaud that effort. But some of these barriers seems put in place solely to kill competition and prevent startups from filling the personal data needs before Google comes up with its own plan.
These exorbitant fees of $15,000 and $75,000 are completely unjustifiable.
The weird thing is how quickly the sentiment turned from my perspective. I felt like one day most technical people applauded the ability to have total real-time access to your data, to be able to write code or use open source code to plug into these systems and augment them for better. To be able to have a startup or small company write software that can work with your google/facebook/apple/whatever account and use the information there in new ways.
Then all of a sudden (I feel like it was between 1-2 years ago, but I can also barely remember what I had for lunch yesterday so don't quote me on that!), technical people started slamming companies for "allowing someone to access their data", I saw lots of headlines about how it was unethical for Facebook to allow users to share their information with other companies (don't get me wrong, facebook does plenty wrong, but to call out the ability to share info specifically seemed so wrong). Then APIs started shutting down, access is now only allowed for other big players, and it's getting harder and harder to integrate outside of a single player's walled garden.
I get why the companies are doing it (someone told them the only ethical thing was to lock users in!?), but I don't get why HN and other technical circles are applauding it. Maybe i'm on the wrong side of history here, but I just feel like it's never a bad thing to allow me to share my information if I want. I think it should be clearly defined what i'm sharing, I think it should be obvious that i'm sharing it, and I think that some auditing and controls are obviously a good thing, but not this almost absolute shutdown of any ability for me to export or use information from these services on my own.
But maybe I'm really in a bubble, and maybe users really shouldn't be given the choice to share their personal information, but it just feels so wrong and so "holier than thou" to make that choice for them.
Facebook shared data on millions of users to Cambridge Analytica. I never gave my consent, you never did.
It is a different matter than having open APIs that allow you to get your own data out of Facebook.
I want to be able to get my own data on Facebook through open APIs. What I don't want is for Facebook to give away my data to other people without my consent. You can advocate for those 2 things at the same time.
[1] https://ec.europa.eu/info/law/payment-services-psd-2-directi...
Consistency of the process aside, I'm really not sure what people would expect.
(I work at Google, yadda yadda, but have nothing to do with this.)
Goal #2: Don't have a solution that requires an army of people to manage.
If no one's willing to help fund your idea, you're out of luck. That seems... really understandable, given that every major government is literally investing millions trying to hack into Google's user data.
I guess I need to bug them more, I haven't heard anything in weeks (busy with implementation).
One warning: choose the email address for your Google developer account carefully, there doesn't seem to be a way to change it later. It is forever tied to your permissions and approvals, afaict.
We've gone through app review processes at other companies like Facebook, and it's all the same - plenty of time wasted with mostly ineptitude on the reviewer's side. Sometimes it feels like there's just one person working in Google/Facebook's basement doing these app reviews for minimum wage.
I understand the need to be thorough on these app reviews especially if the app touches sensitive user data, but when the reviewer doesn't even read the instructions provided to them properly, would you trust them to be thorough when it comes to ensuring the apps aren't malicious?
A $15-75k fee is something that's hard to stomach at our stage. We have about 10 Gmail users excited to try our product and they might not have an issue accepting the "Unverified App" screen because we have earned some of their trust through phone calls and meetings. However, converting people that come across the app organically will be difficult.
We aren't sure when the right time will be to pay the fee and become verified. Anyone have ideas on strategy here? It could help us and other developers in the same position. We'd like to avoid raising money but this might be a good reason to - investors may see Google verification as a competitive advantage.
Basically google just went dark on me altogether. Has been months since their last reply and I kept trying to follow up. The feature I needed elevated permissions on was the ability to add filters, which unfortunately is buried with a bunch of other more dangerous permissions.
Looks like I’ll never get to launch the product :(
On the plus side, it works fine for just me! So, I just built a tool only I can use.
Also, for people who are pushing for more government regulation of service providers - this is the lite version of what you are asking for.
I'd say this is the heavy version. A new startup can put together and run a GDPR compliant web app for over a year for far less than $15,000.
But you can't prove it for under $15k and if you are successful eventually you'll need to prove it.
Anyway, I'm not talking about the GDPR. That's just bureaucrats testing the water. The US congress is starting to look for ways to get their cut as well.
It will get to the point where you need to prove compliance with multiple conflicting regulations first, before launching. Now you need to spend $100,000 on auditors before your first push to heroku.
Most people in software, especially startups, have never had any contact with a regulated industry and don't know what they are in for.
It would be a waste to use any services attached to it in my opinion. Otherwise oauth is a great technology, but interests may make it not worthwhile.
And the optimized JMAP protocol too.
The fact that I am getting voted down proves how absolute the groupthink is... If you work in Google's ecosystem, however, the only possible exit is being bought by Google... Get bought by a competitor and they'll just turn you off.
