
WELCOME BACK TO THE
GOOGLE OAuth PARTNER PROGRAM 

We are pleased to collaborate with you again to improve your application security so that you can seamlessly integrate with the Google ecosystem.

Ready to start your annual security reassessment? 

Google has provided updates for annual 2020 re-certifications. The new deadlines for expiring Google Testing Letters (LOA) are:

  • March 30, 2021 - Google Testing Letter submission deadline
  • January 25, 2021 - App verification and signed SOW deadline

In order to be on track to meet the March 30, 2021 deadline, we recommend you to complete the following by January 25, 2021:

1. Complete and pass Step 1 below.

2. Begin Step 2 by signing your Statement of Work (SOW) with us after Google has confirmed your app has been reverified and is eligible for a security assessment.

Any apps that do not meet these requirements by the January 25, 2021 key milestone will not be granted any additional extensions or exceptions on top of the March 30, 2021 deadline.

Steps to maintain access to your Restricted Scopes:

  • Step 1: Demonstrate continued compliance with our Additional Requirements for Specific Scopes and Limited Use requirements. To do this, follow the steps below listed under “ACTION REQUIRED: Demonstrate compliance”.
  • Step 2: Complete a security reassessment by one of the Google-designated 3rd party assessors. We will inform you once your project reaches this stage of the verification process. Please do not pursue a reassessment until you have completed the previous requirement and received further instructions from our team.
    • Note: If you complete your annual security reassessment within 5 months of your original deadline, the following reassessment deadline will be based on the original deadline rather than the date you actually completed your reassessment. For example, if your original deadline is March 30, 2021 and you complete a security reassessment on Feb 1, 2021, then your next reassessment deadline will be March 30, 2022.

ACTION REQUIRED: Demonstrate compliance

Item 1. Add a disclosure to your app that complies with the below requirements:

  • The disclosure should clearly call out the app’s compliance/adherence to the Google API Services User Data Policy, including the Limited Use requirements. Example disclosure: “(App’s) use and transfer to any other app of information received from Google Accounts will adhere to Google API Services User Data Policy, including the Limited Use requirements.” 
  • The disclosure must be accessible on or one click away from the project’s verified homepage URL that is listed on the OAuth Consent Screen configuration page in your Cloud Console.
  • The disclosure must be easily visible to all users.
  • The disclosure must be under 500 characters.
  • You must provide a link to the URL where the disclosure is hosted. 

Note that apps distributed on Google Play are subject to the Google Play Developer Distribution Agreement.

Item 2. Let us know of any changes to your app:

2a. If you have not made any changes to your app’s functionality and/or your app’s usage of Restricted Scopes since your last compliance review, please respond to this email to confirm your agreement with the following statement:

“I hereby confirm that there have been no changes to my app’s functionality in relation to Restricted Scopes and/or changes to my app’s usage of Restricted Scopes since completion of my last security assessment. 

I understand that my app may be randomly audited for continued compliance with the Google API Services User Data Policy. I understand that if my app falls out of compliance, then access to Restricted scopes will be revoked.”

2b. If you have made changes to your app’s functionality, then please respond to this email with a YouTube video link that meets all of the requirements below:

  • Video is publicly accessible
  • OAuth Consent Screen is in English
  • OAuth Consent Screen shows the App Name
  • URL bar of the OAuth Consent Screen shows the Client ID containing the project number fully displayed (Note: this is not required for native Android and iOS apps)
  • Shows the OAuth grant process that users will experience
  • Shows how the data will be used by demonstrating functionality for each sensitive and restricted scope that is being requested
  • Shows how data is accessed on each OAuth client. This is required for every OAuth client in your project.

Once you respond to this email, we will review your app for compliance. In case we have further questions, our team will reach back out to you on this email thread. If we confirm your app is still compliant, we will respond to this email with next steps on reaching out to a qualified 3rd party security assessor to begin the reassessment process. Please do not pursue a reassessment until you receive further instructions from our team.

You can find more information on the OAuth Application Verification FAQ.

Bishop Fox was an outstanding partner for us. Under strict Google deadlines, they provided timely project quotes, reasonable prices, and excellent execution. The assessment was very well guided and communicated which made it smooth for us. The assessment was extremely helpful for our company.

Jeff Oberlander, VP of Engineering, PipelineDeals

WE DESIGNED THE PROGRAM

Bishop Fox collaborated with Google to design the Partner Security Program. We know what's needed for you to pass the testing requirements.

WE DO ONE THING

Bishop Fox was founded on the principle that all we do is advise our clients so they can make the best possible security decision.

DEEP EXPERIENCE

Our team's technical depth and expertise means we can tailor every solution or project to your unique requirements.

SENIOR EXPERTISE

Partners and senior consultants drive service delivery, and we are committed to every project’s success. You won’t be handed off to a junior team.

STILL HAVE QUESTIONS?

Email one of our Google security experts to learn how we can support your needs at googlepartners@bishopfox.com