Google is locking down API access to Gmail data (and later, Drive data) soon, and some of your favorite third-party apps might find themselves locked out of your Google account data. The new API policy was announced back in October, but this week Google started emailing individual users of these apps, telling them the apps will no longer work starting July 15.
The new policy closes off OAuth access to Gmail data, and while we by no means have a comprehensive list of what isn’t affected yet, so far we’ve seen users of Microsoft’s SwiftKey and the open source app SMS Backup+ receive notification emails.
Google’s OAuth APIs have been around for years as a way for apps to get access to and control your Google data. A third-party email app, for instance, would want access to your Gmail account and the ability to send, read, and delete emails so it could control everything remotely. An IM app might just want access to your contacts and profile picture. For years this was purely an agreement between the user and the developer—the app would say what it wanted access to, and the user could deny or allow it.
In the October blog post, Google announced a major change to Gmail data access—Google would now be legislating what uses are and are not allowed. Only “appropriate” access will be allowed for some APIs, strict data-handling rules will be enacted, and access to APIs would be limited to “only the information necessary to implement your application.” It sounds like Google will also be subjecting all of these apps to human review, app-store style.
One absolute doozy of a requirement kicks in if the app stores user data on a third-party server. Google will now require those apps to pass a third-party security audit, which the app developer must pay for. According to the company, the cost “may range from $15,000 to $75,000 (or more) depending on the size and complexity of the application.” The message here seems to be “Don’t store Google user data on your server.”
After the October announcement, Google gave developers until yesterday, June 26, to comply with the new rules. Users of apps that haven’t complied are starting to get emails directly from Google, informing them that those apps will stop working July 15. “We wanted to let you know that the following apps may no longer be able to access some data in your Google Account, including your Gmail content,” the email reads. “If these apps are unable to meet the deadline to comply with our updated data policy requirements, they’ll lose access to your Account starting July 15th, 2019.”
It sounds like the “appropriate access” requirement will be responsible for killing a lot of edge-case apps. SMS Backup+ would upload your text messages to your Gmail account, where they were searchable along with all your other mail. Naturally this required it to ask for permissions like the ability to create and send email, but it’s not exactly an email app. SMS Backup+ developer jberkel responded to questions about the email on Github, saying, “I’m sorry about this situation, SMS Backup+ will no longer have access to Gmail, mainly because it’s not an email reading app. I applied for an exception but it was declined, as expected.” It doesn’t make a ton of sense to shut down a fully open source app due to privacy concerns, since anyone can look at what the app does and how it handles data, but this is what the Google corporate machine is doing.
We’ve also seen reports that users of the “Nine” email app on Android have gotten “this will stop working” emails from Google, but Nine has started responding to Play Store reviews saying it is confident it can fix the problem. Again, it seems like Nine is falling on the “ok” side of “appropriate access” policy—an email and calendar app is allowed access to your email.
That brings us to SwiftKey, which is not an email app. SwiftKey is a learning keyboard with an auto-suggest algorithm built from your existing typing history. You feed it your entire email history through the Gmail API and it claims to learn how you type and offer better suggestions. That does not sound like something that would be supported by the “appropriate access” requirement, but we have asked SwiftKey for a comment and will update this article if they get back to us.
This is just the beginning of Google’s OAuth lockdown. Early next year apps that access Drive will fall under new restrictions, too.