Google Security Review

We’re about to start the Google Security Review process for powrlineapp.com so we can utilize some of the restricted scopes for Gmail/Calendar API.

We’re doing this through Nylas.

Has anyone else done this previously?

Google wants a security firm to go through our source code for vulnerabilities, but that’s obviously not really how things work when you’re building on Bubble. I’m wondering if this will make the process easier or harder, or possibly help us avoid paying for the security review entirely (it’s ~$15k).

Anyone have experience with this?

@b.demontecler do you have any insight or experience with this?

I have never used the Gmail API, only the Calendar API directly with Bubble, without a security audit. But the Gmail API is more protected by Google than the others.

Have you tried to reach out to Bubble directly with this question? I remember watching a video where they were discussing the cyber security of no-code apps, and this is about the platform: they already invest in their security to make all apps built on it cyber-secure. Maybe Bubble already has it covered?

Yes, at length.

Google wants to have a team comb through the source code for security flaws (regardless of the work Bubble has done on security) before they will allow us to use their API. Bubble support told me they are unable to work with the Google Security team in any way on this, or give them access beyond what is possible with my Bubble login. This might be enough, but $15k is quite a bit to risk for “might be enough”.

Google does not guarantee the $15k gets you access to their API, it only pays for the security review. So if the Bubble team won’t work with them it could cause the review to fail and the money to be wasted.

Currently planning to wait until our revenue is higher and we can take the risk. It’s a key feature for us that we need to grow our userbase.

Hey AJ,

I’m starting the process with Google. How did you manage to get through this?

I used 2 restricted scopes:

  • calendar
  • send emails

I might find an alternative for the emails but not for the calendar. Do you know if the audit is necessary for the calendar, or do they “just” take a closer look at the emails only?

I did not go through with it.

I don’t believe it is necessary for calendar or email sending.