Gmail API updates and how SDKs can ensure compliance
As we move nearer the middle of this year, sales teams will be ramping up their need for real-time communications. This is where the G Suite developer steps to plate. With the new Gmail API updates of 2019, your DevOps team is equipping for the bigger picture of business management in the Cloud. To play by the rules, you’ll have to submit security audits for all new apps. Do it right, and save yourself money and time.
Many major tech companies, Google included, were urged to update data security following the Cambridge Analytica scandal. This awareness contributed to the detection of a bug in March 2019 that had weakened many Google API kits. When the bug was detected, nearly 500k Gmail users were potentially affected. No developers were implicated with preconceived knowledge of the issue. Still, the margin of potential error was enough to cause in-depth consumer issues at Google headquarters.
For this reason, in October 2018, Google began to create a series of updates that would crack down on data share security for G-Suite developers.
Updates in 2019:
Gmail API launched Gmail Add-ons in late 2018. Since then, updates for SDK publishers stem from this place. Gmail Add-ons allow developers to integrate their apps and tools across Gmail platforms.
Google Apps Script
Google has been updating the Google Apps Script features for the past few months. Google Apps Script makes it seamless and straightforward to integrate functionality for Gmail. This is one of 30 headlining features of the previous week’s security announcements. Some of these also include near-to-real time log features called Access Transparency.
Access Transparency will improve internal log controls for Google Support tickets. It will also improve the speed and dexterity with which Cloud teams can access and manage data audits. Access Transparency logs will make compliance a far simpler task.
This is an excellent move for convenience, but what does it do to compliance? How can developers ensure tighter compliance enforcement?
Policies Effective Post January 2019
Gmail API instated policies for the new API suite that have gone into effect post-January this year. These policies are GDPR compliant. Gmail developers must read the non-disclosure summaries for data. For example, no Gmail users personal data may be used for post-January ads.
- Privacy disclosures - It is essential to note you will have to give full-disclosure for all the data you collect. You must provide clear, concise representation for your digital identity and the data-interaction intent.
- Access only what is necessary - Don’t collect a surplus of data. The official Google statement states that the company will be tightening existing policies on limiting API access. You will only be allowed to collect the data you specifically need to implement your applications. You will be required to narrow your request scopes to meet this new standard.
- Be mindful of deadlines - You will only have to submit your application for review if your app is ready for public use. In that case, you will have a deadline to submit for review. This year, that final deadline was in February.
- Know the hierarchy - Only the project owner or the editors can submit an app to the review team at GSuite. Being upfront about the hierarchy of “owners,” “editors” and just general team members is likely to make the review process smoother.
Staying secure in Gmail: Basic IT Practices
In addition to the security checklist, Google released a statement for IT developers to keep a tight procedural process on Gmail security practices. Some of those points include the following:
- Validate email with SPF, DKIM, and DMARC
- Set up inbound email gateways that can work with SPF
- Enforce partner domain TLS
- Authenticate all senders
- Configure MX records
- Disable IMAP and POP access
- Disable auto-forwarding
- Enable comprehensive mail storage
- Avoiding bypassing spam filters for internal senders
- Add spam headers to each default routing rule
- Enable enhanced pre-delivery message scans
- Enable external recipient warnings
- Enable additional attachment protection
- Enable external content protections
- Enable spoofing, link, other protections
- Be selective when overriding spam filters
- Do not include domains in approved sender queues
- Do not whitelist IP addresses
In addition to the above basic practices, Google has developed a Gmail-centric email auditing API. This Gmail SDK suite is available to help developers handle all stages of the email monitoring process. This can help SDK developer teams to work together to test the products they are publishing in a real end-user environment. The more compliance you exercise in the workroom, the more likely you are to pass final checks and balances when you go to file an application for audit and approval.
All GSuite developers and SDK publishers are encouraged to follow these basic protocols to stay secure. These are not exactly compliance requisites, but you run the risk of opening up little compliance breaches when you stray from the standard protocols.
On April 10, 2019, Google hosted a conference on automated security products that followed the GSuite API products. The Google team stated that 91% of all online attacks come from phishing attacks_which typically affect email users and email user apps.
As security automates, many compliance checks will also be automated. You will have to keep an eye on your process to make sure you are not auto-filling integral pieces of information.
Basically, you need to have a human observing the automated workloads to make sure everything is passing compliance checks. Some of these issues are situational, and the bots can breeze over them without supervision.
How it affects different user status
The recent Gmail updates have only impacted consumer accounts. This means that G-Suite administrators and Cloud Identity administrators will still have control access to end-user accounts.
Multiple apps equal individual reviews:
If you have more than one app, they have to be reviewed individually. These reviews register on a Client ID basis. Each app using the covered APIs must be submitted for review.
Why Mighty Signal?
Why take our word for it? MightySignal compares tens of thousands of SDKs with their competitors and provides a real-time look into which apps are installing or uninstalling them. Take a look at our list of the top Android SDKs in the top 200 apps, or contact us here to start your free two-week trial.