
Tell HN: Google halts Gmail and Drive apps and forces them to do security audits - redm
I found our Google App's OAuth permissions were decertified today after seeing some users receiving permissions errors. Google did this without so much as an email to us. Upon digging in further, I discovered that they changed their policy on February 7th, effectively revoking our existing app permissions, and requiring anyone requesting those permissions go through a 3rd party security audit (3P) at the cost of (in their estimation) $15,000 to $75,000 before getting permissions back. They also state this process will take 4-6 weeks. This is not specific to us, as noted in the post below:

https://support.google.com/cloud/answer/9110914?authuser=2

As of now, we are limited to 100 users connecting accounts before we will no longer be able to accept additional users. Maybe we'll get a helpful response from Google, but considering the lack of notice, I doubt it.

This is why you can't build on a platform like Google; you never know when they will suddenly change policy (or shutdown) without notice and shut you down. No company can stop accepting users for 4-6 weeks while a security audit goes on and stay in business.
======
epc
This was announced last year:
[https://www.theregister.co.uk/2019/02/11/google_gmail_develo...](https://www.theregister.co.uk/2019/02/11/google_gmail_developer/)

It was a reaction to apps & extensions abusing access to users’ email.

~~~
redm
I remember that happening. If this is the same thing, it's even worse as we
never got any notice that this was coming or going to impact us.

~~~
mtmail
Just curious, did the audit cost as much as they estimated? $15k is a serious
expense for small companies.

~~~
epc
A startup I was advising budgeted $75k for their audit, they folded at the end
of the year unrelated to the audit, though it didn’t help that they had to
pour resources into that while trying to raise more funding.

------
leshokunin
Has anyone got recommendations on completing this while being an early stage
startup? Besides lowering the API scope.

------
Reggi55
Maybe you sent their emails to spam it was planned ages ago

~~~
redm
I doubt that. We even have emails from Google tied to Pagerduty so we never
miss one. We're also using GSuite for email.

