We are in the process of going through this but have not yet received the confirmation that our scope is approved.

This process was a huge surprise for us. We are a bootstrapped startup that spent a significant amount of time building the Gmail integration last year before this was announced. We are launching shortly and have had to remove the entire integration. We have no idea how much it is going to cost or if we will be approved.

We are launching a product in a mature market with lots of competitors (hence the long initial development time), one of those being Google. According to Wikipedia, Gmail has ‎1.4 billion customers. I don't understand how this got past their lawyers - 1) monopoly in e-mail space, 2) create other products tightly integrated, 3) charge a $15k - $75k fee to any new competitors in your space.

When we asked to use another security company for the assessment Google responded: "We understand your concern but you will have to request a security assessment from one of the following independent third-party assessors: Leviathan Security, Bishop Fox".

For what it's worth, Leviathan and Bishop Fox are both strong firms.

Related: I am going through Google's OAuth verification for a simple "sign up with google" function plus a non-restricted scope access. They say that the application is approved, the console has a green check mark and says "published" and I got an email saying that the application has been approved.

However, whenever a user actually tries to sign up, it says that the app is not verified. So I can't submit anything for review, because everything has been reviewed and approved, but it still doesn't work.

The practice is pretty common when dealing with a large enterprise. Pen tests vary wildly, in quality and scope. Typically, you require 3rd party pen tests, a little more common is to review the report and methodology. However, it's not uncommon to specify that it has to be a Big4 type firm or from an approved vendor list.

It's pricey, especially for small firms. However, most companies don't know what their security posture is - this is all part of managing risk.

Yes, and it's about time. The reality is that email is a huge attack vector for corporations and it's not practical for Google to bear the burden of review as part of their ecosystem. It was tested and failed.

They've only approved two vendors, blargh. More will come in time. Be patient, or raise money.

It's very common for developers to mess up authentication. It requires a fundamental understanding of protocols. What makes it worse is that an incorrectly implemented protocol doesn't break the integration, it just breaks the security benefits.

A pen test mitigates that risk.

This seems to be new as of January 15, 2019.

https://developers.google.com/terms/api-services-user-data-p...

https://cloud.google.com/blog/products/g-suite/elevating-use...

It's an optional step[1] if you list your app as a G Suite marketplace app with domain only install. Of course, it makes sense if your app targets only G Suite customers and not general Gmail customers. It also limits the market reach.

[1] https://developers.google.com/gsuite/marketplace/security-as...

It appears to be a CYA move by google. A penetration test, clear detailed information about usage of user data, and it is done by separate contractors. I would hope they allow more contractors in the future.

Its all just another another moat around those sweet sweet enterprise $$