Google Oauth verification

[maswa]

I am using this plugin to get steps data and distance data (only read access) in my Android app and now google has asked to verify the consent screen. I entered all details and removed all scopes we don't need. Now in the next step of the verification process Google says i need to complete a security assessment for my application :

_**Thank you for your patience while we reviewed your submission for project ...... We need you to address the following items for us to continue your app’s verification:

You are required to complete a CASA security assessment for your application (project number: .......... by the following date: 2024-04-16. This assessment is required annually; to learn more, please visit the CASA website.**_

Has anyone ever needed to do this for using this plugin ? Or is Google sending us on the wrong track somehow?

[MrJustreborn]

Unfortunately, that is correct. If you request scopes that google considers trustworthy (everything that is fitness) you have to go through this. We are currently going through the process ourselves at CASA. But as long as issue #304 persists, I can't switch to the new system.

[dariosalvi78]

I strongly suggest to use HealthConnect instead of Google Fit, especially for simple things like steps and distance. As for the bug @MrJustreborn mentions, I still need to dig into it, I am having busy days at work, but it's on my TODO

[maswa]

Thanks for the answers, assumed i take that approach and use the latest version of the plugin with HealthConnect, then Google will require to send the Developer Declaration Form, how many time will Google need to review the form ? Are we talking about days or weeks? And is issue #304 only happening on ionic / capacitor or does it also happen with Cordova builds?

[BenLaKnet]

Hi @maswa,

Between the email from Google and the CASA confirmation, it took between 6 weeks to 3 months.

[dariosalvi78]

Hi, I don't have direct experience submitting an HealthConnect app yet, but someone I have collaborated with said that it was easy and quick to get approval (<1 month). However, they've been having problems with the published app, and it's not clear why yet, it may well be an issue from Google and not from them, it's still being investigated.

[MrJustreborn]

We got approved for HealthConnect in 5 days. And it's really easy, just fill out the google from and wait, nothing compared to the old process with oauth...

[maswa]

@MrJustreborn , that sounds not too bad, but can we send in the declaration form and ask for approval for Health Connect while our current app stil used the 2.1 plugin version with Google Fit? Or is it required to first send in an update where we use Health Connect?

[MrJustreborn]

We did the same, we're currently using the old plugin and going through the CASA process. We have a second branch with updated plugin.

[TeoMastro]

Hello, anyone got any insights about the CASA verification process?? 1 - Tier 2 Self Scan Using CASA Portal Built-in Scanning Register or log-in to the CASA portal and initiate your security assessment Follow the instruction on the portal to package your application for scanning Fix all CWEs flagged by your scan Fill out the CASA questionnaire on the portal Receive the results and validation report in the CASA portal The CASA portal will automatically share the Letter of Validation with Google

2 - Tier 2 Self Scan Using Open Source Tools Register or log-in to the CASA portal and initiate your security assessment Follow the CASA Tier 2 procedures to self scan your application Fix all CWEs flagged by your scan Submit your scan results and fill out the CASA questionnaire on the portal Receive the results and validation report in the CASA portal The CASA portal will automatically share the Letter of Validation with Google

3 - Tier 2 Self Scan Using Commercial Tools Register or log-in to the CASA portal and initiate your security assessment Follow the CASA Tier 2 procedures to self scan your application using commercial pre-approved tools Fix all CWEs flagged by your scan Submit your scan results and fill out the CASA questionnaire on the portal Receive the results and validation report in the CASA portal The CASA portal will automatically share the Letter of Validation with Google. You can use any CWE-compatible app scanning tool(s) that meet the CASA scan requirements.

This is part of the email I got, and as I can imagine many of you also got. I tried the 1st way, registering to the platform and providing anything I can. Now as I wait, I am going to attempt the 2nd way, which is scan with open source tools.

Has anyone gone through this? And if yes what path did you follow? Sorry if this message does not belong to this conversation, but I am very confused with what google makes us go through just to use the Fitness API. Also I could not understand why we, by ourselves, have to make this scan instead of Google or the Play Store.

Thanks in advance!

[maswa]

Hi TeoMastro,

I started the verification process using CASA Portal built-in Scanning, but i quit after the first scan. It's not just fixing the CWEs from the scan but they also ask tons of questions in that questionnaire. I then also read that the whole procedure can take weeks to months and thought it wouldn't be worth to go trough it as Google announced FIT api will be deprecated end of this year anyway. Asking permissions for Health Connect was much easier ( at least for my needs , read : steps, activity and distance) It was approved in a few days by filling i the Developer declaration form and making a short video about how i will use these permissions in my app. So i'm now making necessary changes to use latest the version of this plugin which uses Health Connect.

[TeoMastro]

Hi maswa,

I have a question. Why do these two have to differ in terms of verification process? (I mean Google Fit and Health Connect). I would expect that both of these APIs would require somehow the same form of verification since the things they provide are very similar. Do you or anyone else know anything about this? (I really could not find anything online about that, at least for now). Thanks for your time and the insightful answers.

[dariosalvi78]

I can answer that: Google Fit is first and foremost an online API (though it's not visible to the programmer, but it was born as such), which requires additional security. HealthConnect is a local API, it stays in the phone (though data is backed up by Google, like HealthKit is backed up on iCloud).

My warm and strong suggestion: do not use Google Fit, it's very cumbersome to get an approval and, before you have finished the process, the API will be shut down. Doesn't make any sense to waste time on it.

Besides, if you are planning to use this plugin, I have no interest in continuing supporting the Google Fit API, so you'll be on your own.

[Fenil15]

@TeoMastro Seems to have raised a valid point regarding same verification process by google for both google fit and health connect. @maswa @dariosalvi78 In case your app is sending user data out of device, Google will ask you to go through similar process as that that of Google Fit. Check Secure Data Handling section in this link

Do share your thoughts if its otherwise or did I interpret incorrectly?

[dariosalvi78]

This is my interpretation, so take it with an abundant dose of scepticism:

the difference is that, when accessing Google Fit, Google is responsible for ensuring that the data is treated legally and responsibly. This is because the user may not be involved in the process, because the API is served online (even though we use it locally, so it's a bit nonsense).

When accessing HealthConnet, it's the user responsibility to give access to the data, not Google. In this case Google simply checks that the app does not doing anything evil or blatantly deceitful, which is probably not even needed, and leaves the decision to the user. It's a big difference legally speaking. I think that Google realised that the Google Fit API was a mistake and went the Apple way (local API), and I can only be happy about it.

The checks that Google does for HealthConnect are much, much simpler than the ones for Google Fit, as it can be witnessed from the comments here, regardless of if you send the data somewhere or not. The conditions the list in the webpage you have linked are not verified, at least not all of them and not thoroughly, because it's impossible to do it reliably, and, most importantly, because they don't need to. It's a way for them to kick you out if they discover that you're doing something bad.

[juanmaldonadodev]

Somes questions here: We are using google fit plugin implementation. Google asked us to review the oauth screen. Based on your comments, as we are just using steps the idea would be to migrate to healthConnect plugin version. At this point. What should we add in the oauth screen validation now that we are not using Google Fit api? Old versions will still use the Fir Api. Google is waiting the answer for our previous validation of the oauth screen. We have received the email requesting us to follow CASA verification process.

So, if we prepare a new version with new plugin. What happen with the old versions?

[dariosalvi78]

@juanico18 I don't understand your question. If you move to HealthConnect all the Oauth stuff just becomes irrelevant. You can simply close the whole project on the Google Console. However, if you have an app that uses the Fit API and that app has been downloaded and is being used, you'd better wait until all your users have updated to the newer version of your app before closing the Fit API integration.

[juanmaldonadodev]

@juanico18 I don't understand your question. If you move to HealthConnect all the Oauth stuff just becomes irrelevant. You can simply close the whole project on the Google Console. However, if you have an app that uses the Fit API and that app has been downloaded and is being used, you'd better wait until all your users have updated to the newer version of your app before closing the Fit API integration.

Thanks, In fact you have solved my doubts.

• If we implement HealthConnect we do not need oauth. (This was one of the questions)
• I think we need to fill this form before publish a version using healthConnect: https://docs.google.com/forms/d/1LFjbq1MOCZySpP5eIVkoyzXTanpcGTYQH26lKcrQUJo/viewform?edit_requested=true Right?
• Old versions using Google Fit. Oauth screen is still necessary until users install new version.

[dariosalvi78]

yes to all