On the page https://developers.google.com/fit/policy?hl=en#appropriate_access_to_and_use_of_google_fit_apis it says the following:
Do not use Google Fit APIs for applications, services, or features designed to collect or combine user data for human subjects research, medical research, or any other similar research overseen by an Institutional Research Board or Ethics Commission unless you receive prior written approval to such use from Google. Select a "Medical Research" use case during the scope access request process and you will receive additional information on how to proceed.
I'd like to use the Google Fit API for a medical research purpose, but I cannot find where I'd select the "Medical Research" use case. Can anyone show me where I can find this?
I'd be using the Google Fit API to start tracking steps on the user's Android device and read these steps.
Scope = Purpose of your medical research and used API scopes
I think it is rather misleading, in fact when Google documentation talks about medical research scope, they do not mean it at the API level.
What they mean is that you have to state in your app registration application that you would be using your app for a "medical research purpose", along with the fit API scopes that you would be using for your medical research.
You can read the following link that describes the authorization process intended by Google, but I will will detail below how to proceed:
Enable Fitness API and create credentials
After enabling Fitness API in your Google API Console for your project (create a new one if you haven't already) then you have to apply for verification and submit the relevant supporting information for why your app needs "Medical Research" scope (basically documents related to the purpose of your medical research, which University or Lab you are working for etc). This choice happens right after adding credentials to your project when you have to set up OAuth consent screen:
Filling the app registration form
Filling accurately will speed up the verification process
On the first tab, you will likely have to provide a very solid application privacy policy link (stating which data you access and for which purpose):
Select your API scopes
Then you will have to add the scopes (scopes as API) that you would need for the purpose of your medical research:
The one you will need to read the steps is:
scopes your app needs to request.
https://www.googleapis.com/auth/fitness.location.read | Read location data from the Google Fit platform. | Restricted
Enter your Medical Research "Scope"
Finally, and this is where you provide all information related to your medical research, in the optional info - meaning optional for most users, but not so optional for medical research - already briefly stated in your privacy policy link: Its purpose, how it is financed, by which entity, what data your will be using etc. Be as clear as possible as it will speed up the review process.
Provide links about your university or company website, research papers that you have already published, or by yours peers related to the scope of your medical research:
Related
Questions regarding billing for Google API's or more specifically the places and maps Google API's.
We have an app which is part of a SAAS package. When clients use our Software we have maps and place's API built it, however we want to offset the cost of the bill using these API's to that particular client using the software.
Currently we have a single Google Project we created and enabled the API's on our own google account however this means we will foot the bill as its using our token.
Can clients somehow connect to our google project etc or do we simply need them to create their own google project and pass that token through? Is there a streamlined approach that covers this...
When we did for our multi tenant application we did create only one google project and billing was getting accumulated into a single account. We looked at what you're talked about but since google does not allow to bill separately without having separate google project. Google API billing works on google project id. We decided to bill our clients separately and handled all calls to Places API on a single google project.
Long story short - it was not easy to have our clients connect to our project without having them create their own google project we ended up with one google api project.
edit: also missed another important point - Google My Business API needed whitelisting for each project id so it was another reason to keep it as a single project
Passing the token to the application is a probably very bad idea and will result in a security risk for your client and their token if it is intercepted.
As a developer for the client they should create a token on their account and then they will be charged. They can then give it to you as the developer for use. This is however a gray area as technically you are not allowed to share your tokens with anyone TOC However i believe that client and developer relationship should be secure enough for sharing the token.
Ideally you should give the client the code they can then use their own token and run the application themselves.
I'm a hobbyist student developer playing around with the Actions on Google to create a simple "text adventure" game on Google Home. Since Google Home will be speaking to the player rather than the player reading the text, I'm hoping this will create an experience similar to the "Dungeons and Dragons" roleplaying game, with the computer working as the "Dungeon Master." With the natural language assistance offered by API.AI and Actions on Google, it seemed like a good fit, since the player can respond "naturally." Here's an example of an Amazon Alexa skill that does essentially what I'm going for.
However, every time I boot up the game, it's always a new game. I'd like to store a savegame with the user's previous state in a JSON file hosted on the user's Google Drive -- Since I'm just a student doing this for fun, I don't actually have an official website or anything beyond a free Heroku server I'm running the app from, making storing saves on my end pretty much out of the question.
I've walked through the Google Drive REST quickstart for Node.js, and I've gotten that working in the console just fine. The only problem is in that quickstart, the user has to click a link to authorize the application to read the stuff in their Google Drive account, and I'm not sure how I'd be able to "click a link" and give back an access token via voice on Google Home.
Is there a way to do this via Google Drive? Or is there a better way to provide persistent data between sessions? I don't normally work in web development, so any help would be appreciated.
The bad news is you won't be able to get away from the need for a user to use his web browser to authorise your app to access his Drive.
The good news is that you only need to do this once. When your app requests authoirsation, it should specify "offline", which will result in you being given a refresh token. You should save this somewhere in your database of users. Whenever you need to access the user's Drive, you can use the saved refresh token to request an access token and you're good to go.
You have a few problems that you need to solve here, and while they seem related, they're not as related as you might hope:
You need to get authorization to access a user's Drive space
You need to authenticate the user's Home (so you know this person has come back)
You have to connect the two relationships - so you know what Drive space to use for the Home device that is talking to you
You've found the answers to (1) already, and as noted, you'll need to use a browser for them to authorize you to access their Drive. You'll then store the refresh token and will be able to access it in the future.
But that is only part of the problem. Home does not provide you access to the user's Google account directly, so you'll have to manage your own account mechanism and tie it to Home. There are a few solutions here:
Home provides anonymous user identity in the JSON sent to your webhook. You can access this using getUser().user_id if you're using the Actions API library, or access this in the data.user.user_id field in the JSON. While this is similar to a browser cookie, it only stores the user ID and can't store additional data. There is also no concept of "local storage". On the plus side, this ID is consistent across devices.
You can request user information such as their name and address. But it doesn't have anything unique or account information, so this probably isn't useful to you.
You can implement an OAuth2 server and do account linking. Note that this is the other side from what you need to do with Google Drive - you'll be providing the access and refresh tokens to authenticate and authorize access to your account and the Google Home device will send these tokens back to you so you can determine who the user is. You don't actually need to store account information - you can provide token information using JSON Web Tokens (JWT) or other methods and have them store account information in a secure way. Users will use the Google Home app to actually sign-in to your service as a one-time event.
In order to handle (3), you may be thinking that (1) lets you get tokens and the OAuth solution for (2) requires you to hand out tokens. Can the two be combined? Well... probably, but it isn't as straightforward. You can't just give the Google OAuth2 endpoints to Home - they explicitly block that and you need to control your OAuth2 endpoints. You may, however, be able to build proxy endpoints - but I haven't explored the security implications of doing so.
I think you're on the right track - using Drive is a good place to store users' information. Using Home's account linking gives you a place where they have to come to your web site to authenticate and authorize their Home, and you can use this to do the same for their Drive.
How can I (as a vendor contracted to develop an app for an enterprise) publish an app to the Google Play Store on behalf of an enterprise?
They don't have a Google Play account set up but want the app to appear under their brand in the Google Play Store.
What's the correct technical (and legal) process I should follow to set up their account and give my own company access to publish on their behalf?
The bare minimum requirement that I am aware of is that your company should get a written consent from your client, authorizing your company to use their company's name, logo, brand, etc for the expressed purpose of being displayed in Google Play.
My company had done something similar, we publish branded apps for clients, though our company's name is used as the vendor name. One of those apps got removed because some zealous legal guy in one of our client companies found the app and, unaware of the cooperation between the companies, filed a complaint to Google. The app was reinstated without much fuzz after getting that guy to send another email to Google requesting the app to be reinstated, so it looks like Google doesn't have anything against this (assuming your client doesn't reside in a sanctioned country).
You can give them advance notice by providing legal documents via this link
https://support.google.com/googleplay/android-developer/answer/6320428
From the page itself...
The Google Play App Review team accepts advance notice about your
upcoming app or store listing publishing event.
We only accept advance notice in the following scenario(s):
You have written documentation proving that you have permission to use
a 3rd party's intellectual property in your app or store listing (e.g.
Brand names and logos, graphic assets, audio, etc.). You have gambling
or casino-style elements in your game, and need to provide your Korean
Game Rating and Administrative Committee (GRAC) rating certificate to
Google so your game can be distributed in Korea.
Lesson learn by one suspended app. Hope this will help others. If your app suspended for such reason you can also contact them via link in the suspension email.
Is there any option to save updated contact details provided by Rapportive to google contacts ?
Any greasemonkey script or Firefox plugins ?
I've never seen that sort of Greasemonkey script of Firefox plugin, but conceivably it would be doable to rig up something to that effect. It all depends on Rapportive's Terms of Service, however.
Programmatically, Rapportive doesn't currently offer an outbound API - they currently only offer a way to programmatically send info to them regarding contacts. So you'd have to go about it another way. Scraping the info that's displayed could be an option - but I'd do due diligence first & be sure to read their policies. They might prohibit that sort of thing (they're owned by LinkedIn, whose TOS are known to be very restrictive).
You could also accomplish this sort of thing using FullContact (disclosure - my company). Our Address Book app (in beta) adds photos, social profile links, titles, etc. - the same sort of data returned by Rapportive - to Google Contacts and syncs in real-time.
We don't use Rapportive's data - the data is all public social profile data, returned by our social profile APIs - but the Address Book should help you do exactly what you're looking to do.
We are deciding on standards for APIs at my work.
I've seen some APIs use API keys. I've seen others use full authentication with username and password (eg oAuth2).
Is there generally a good time to use one over the other?
OAuth is great for the scenario of "3-party authentication" (1st party: your API server, 2nd party: an app using your API, 3rd party: user on whose behalf the API is used). For example, imagine the Instagram application (2nd party) uploading a photo to the Facebook API (1st party) on behalf of user John Doe (3rd party) to appear on his Facebook wall.
However, many APIs don't have this 3-party scenario - there's just an API and an app, not tied to any end-user-specific information. For example, if a brokerage is providing a stock quote API, it's a two-party scenario because stock quotes are not specific to an end user. (However, if there's an API to access someone's stock portfolio, it's a 3-party scenario).
For 3-party scenarios, OAuth has pretty much become standard at this point. For 2-party scenarios, even though it's possible to use OAuth, in practice simpler authentication schemes are often used (e.g. just an API key in the URL, and use HTTPS to hide the URL from intermediaries).