Google sets new rules for third-party apps to access Gmail data

All Gmail third-party apps with full access to Gmail user data will need to re-submit for a review by February 15, 2019, or be removed.

Google will roll out stricter rules for third-party apps that want to access users' Gmail inboxes. The new rules are scheduled to enter into effect next year, January 9, 2019.

This is Google's response after the company came under criticism in July for letting third-party apps roam free and access users' Gmail data, including the content of Gmail emails.

Google says that starting next year, only Gmail apps "directly enhancing email functionality--such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)" will be authorized to access inbox data.

App developers will need to rewrite their apps with these new rules in mind. Gmail third-party apps that have full access over a Gmail user's data but only require "send capabilities" will need to re-scope their permissions appropriately because they won't be allowed to read users' emails starting next year.

Google says all app developers will have to re-submit their app for a review by February 15, 2019. Apps with broad access to Gmail user data that have not applied for a new review by that date will be removed after February 22, 2019.

Besides applying to a new app review process, Google also plans to subject the apps to security assessments on how developers store Gmail user data collected through the app.

Apps will be asked to demonstrate secure data handling with assessments that include: application penetration testing, external network penetration testing, account deletion verification, reviews of incident response plans, vulnerability disclosure programs, and information security policies. Applications that only store user data on end-user devices will not need to complete the full assessment but will need to be verified as non-malicious software.

When applying for a new review, Gmail app developers will also have to agree to a new Google policy that prohibits them from selling data harvested via their app.

The new Gmail policy and security assessment process is just Google protecting its back. Earlier this year, Facebook was unjustly considered guilty after a misbehaving third-party app developed by Cambridge Analytica collected troves of user data, which was later used in political campaigns.

Google's new policy and Gmail API access rules won't safeguard Gmail users from having their inboxes pilfered for data, but it will make it harder for an app to gain access to such data in the first place.

The company hopes these new API access rules will curb the practice of developing simplistic Gmail add-ons that use intrusive permissions to perform machine analysis on emails' texts, harvest user data for ad targeting, track the success of email campaigns, or other nefarious purposes.

Google announced the new Gmail access rules today in a blog post in which the company also announced it was shutting down the Google+ social network after an API bug exposed the private details of over 500,000 users. More on these new rules, here.

Related coverage: