If your app requests access to sensitive user data using restricted scopes, it must complete a verification process. Most scopes for the Google Health API are restricted, which means you must complete verification before your app is publicly available.
During this process, Google verifies that your app complies with the API Services User Data Policy and any other applicable policies.
If your app isn't verified, it's limited to 100 users. To support more users, you must complete the verification process. This verification is separate from any app review process required by app stores like Google Play: an app that hasn't completed this verification might be listed on the Google Play store, but it is still limited to 100 users. For more information, see the OAuth App Verification Help Center.
The verification process has two parts:
- OAuth app verification: Google's Trust and Safety team reviews your app's identity, scopes, and other information you provide in the Google Cloud console. See Verification Requirements for more information.
- Security assessment: Your application must undergo a third-party security assessment to ensure it handles user data securely.
OAuth app verification
To prepare for verification, review and follow the OAuth 2.0 Restricted Scopes guide. This guide outlines the steps to prepare for and request verification in the Google Cloud console.
Be specific when explaining why your app needs each scope. Vague or duplicate justifications for different scopes can cause delays in the verification process.
In-app disclosure requirements
You must prominently disclose to your users how your app accesses, uses, and shares their health and fitness data.
The in-app disclosure:
- Must be within the app itself, not only in the app description or on a website.
- Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings.
- Must describe the data being accessed or collected.
- Must explain how the data is used or shared.
- Cannot only be placed in a privacy policy or terms of service.
- Cannot be included with other disclosures unrelated to Google Health API data collection.
Here is a recommended format for the disclosure statement: "{App name} collects health and fitness data to enable {feature}, {feature}, and {feature}."
For example: "Fitness Coach collects activity data to enable analytics and personalized coaching."
Security assessment (CASA)
In addition to OAuth verification, apps using restricted scopes must also complete an annual security assessment based on the Cloud Application Security Assessment (CASA) framework. Google's Trust and Safety team notifies you with instructions when this needs to be completed.
A third-party security firm performs this assessment to confirm that your app handles user data securely and can delete user data upon request. CASA uses the industry-recognized OWASP Application Security Verification Standard (ASVS). After you pass the assessment, your app receives a Letter of Validation (LOV) from the security assessor.
For more details on the CASA program and to find authorized security assessors, visit the Cloud Application Security Assessment website.
If you have existing security certifications or recent penetration test results that align with accepted industry standards, you might be able to expedite the CASA process. CASA offers an Accelerator program that lets assessors use existing valid documentation from Accepted Security Frameworks to reduce redundant checks and potentially lower assessment costs.
The security assessment can take 2-3 weeks to complete for tier-2 applications and 4-6 weeks for tier-3 applications. It involves fees payable to the third-party assessor, ranging from $500 to $4,500 USD, depending on your app's complexity. Don't start the CASA process until Trust and Safety tells you to.
After you get your Letter of Validation (LOV), submit the letter to Google's Trust and Safety team to complete your security assessment.
Escalations
The CASA assessment is performed by a third party, and Google does not have control over this assessment process. Any issues with the assessment should be raised directly with your chosen security assessor.