
Google API Security Audit: Any experiences?

Has anyone else done the Google Security Audit for "restricted" APIs, like the Gmail ones? How much did you end up paying, and was it worth it to you?

Google requires a $15 000 (or less) to $50 000 (or more) yearly security audit for using their Gmail APIs for anything but some very specific use cases. (as per https://support.google.com/cloud/answer/9110914?hl=en )

I'm currently using them in my app Receipt Runner, with an exemption as long as the app is local (runs on the desktop and doesn't interact with any non-Gmail servers). However, keeping the app local is holding it back - and I'm considering coughing up the money to run the audit and test if I can get a better market fit with a webapp - or if I should start focusing my energy elsewhere.

  1. 2

    We're actually doing the audit for Mailflow, our startup, as we speak. Can hopefully tell you a bit more about the full experience in a month or so when we have completed it.

    We shopped around and contacted multiple firms to get a nice price. The offers we got were in the range of "or-less" to $15.000.

    I wish there was a way of using the Gmail API without completing the audit, but sadly there isn't. We tried to "hack" around it for almost a year, but ultimately, decided that we need access to the API to deliver the features our users need.

    Feel free to email me at henning (at) getmailflow.com if you have any specific questions :)

    1. 1

      Thank you so much Henning!

      I'll drop you an email. :)

  2. 2

    This audit is famously an expensive, zero value added, crappy process. I don't personally know anyone who has gone through it, but the voice of the community has been that it's a waste of time and money.

    I've heard numerous bootstrappers talk about this point on podcasts.
    Mike Taber talked a lot about this process over the last few years on Startups for the Rest of Us and how stupid and low value it was. Derrick Reimer talked about how he considered submitting to it for SavvyCal but ultimately just asks the user to accept the app rather than engage with Google for this approval.

    I don't have the link for you, but do some searching for Derrick Reimer and the Gmail integration - maybe that will give you some ideas of a slightly compromised UX in favour of being able to move forward.

    1. 1

      Great tips! Thank you!

      For others who might be reading and want to listen in, I think the first episode you are talking about might be this one, though I see Mike has been talking about it a lot in his archives: https://www.startupsfortherestofus.com/episodes/episode-448-lets-talk-about-bluetick

      As for SavvyCal, I'm not sure if they are using any of the restricted scopes - only the normal verification ones?

      1. 1

        Hmm... I can't remember. The topic came up on Art of Product but sadly the podcast website doesn't have transcripts, so finding the particular discussions about it might take a bit of effort.

        You could always see if the transcripts exist elsewhere or ping Derrick on Twitter and get it straight from the horse's mouth.

  3. 1

    Have the same blocker with this thing for my small Chrome add-on (requesting 'gmail.settings.basic', which is a restricted scope). I'm considering asking users to generate their own personal API key and enter it into my app, if that is possible.
