How can I (as a vendor contracted to develop an app for an enterprise) publish an app to the Google Play Store on behalf of an enterprise?
They don't have a Google Play account set up but want the app to appear under their brand in the Google Play Store.
What's the correct technical (and legal) process I should follow to set up their account and give my own company access to publish on their behalf?
The bare minimum requirement that I am aware of is that your company should get a written consent from your client, authorizing your company to use their company's name, logo, brand, etc for the expressed purpose of being displayed in Google Play.
My company had done something similar, we publish branded apps for clients, though our company's name is used as the vendor name. One of those apps got removed because some zealous legal guy in one of our client companies found the app and, unaware of the cooperation between the companies, filed a complaint to Google. The app was reinstated without much fuzz after getting that guy to send another email to Google requesting the app to be reinstated, so it looks like Google doesn't have anything against this (assuming your client doesn't reside in a sanctioned country).
You can give them advance notice by providing legal documents via this link
https://support.google.com/googleplay/android-developer/answer/6320428
From the page itself...
The Google Play App Review team accepts advance notice about your
upcoming app or store listing publishing event.
We only accept advance notice in the following scenario(s):
You have written documentation proving that you have permission to use
a 3rd party's intellectual property in your app or store listing (e.g.
Brand names and logos, graphic assets, audio, etc.). You have gambling
or casino-style elements in your game, and need to provide your Korean
Game Rating and Administrative Committee (GRAC) rating certificate to
Google so your game can be distributed in Korea.
Lesson learn by one suspended app. Hope this will help others. If your app suspended for such reason you can also contact them via link in the suspension email.
Related
On the page https://developers.google.com/fit/policy?hl=en#appropriate_access_to_and_use_of_google_fit_apis it says the following:
Do not use Google Fit APIs for applications, services, or features designed to collect or combine user data for human subjects research, medical research, or any other similar research overseen by an Institutional Research Board or Ethics Commission unless you receive prior written approval to such use from Google. Select a "Medical Research" use case during the scope access request process and you will receive additional information on how to proceed.
I'd like to use the Google Fit API for a medical research purpose, but I cannot find where I'd select the "Medical Research" use case. Can anyone show me where I can find this?
I'd be using the Google Fit API to start tracking steps on the user's Android device and read these steps.
Scope = Purpose of your medical research and used API scopes
I think it is rather misleading, in fact when Google documentation talks about medical research scope, they do not mean it at the API level.
What they mean is that you have to state in your app registration application that you would be using your app for a "medical research purpose", along with the fit API scopes that you would be using for your medical research.
You can read the following link that describes the authorization process intended by Google, but I will will detail below how to proceed:
Enable Fitness API and create credentials
After enabling Fitness API in your Google API Console for your project (create a new one if you haven't already) then you have to apply for verification and submit the relevant supporting information for why your app needs "Medical Research" scope (basically documents related to the purpose of your medical research, which University or Lab you are working for etc). This choice happens right after adding credentials to your project when you have to set up OAuth consent screen:
Filling the app registration form
Filling accurately will speed up the verification process
On the first tab, you will likely have to provide a very solid application privacy policy link (stating which data you access and for which purpose):
Select your API scopes
Then you will have to add the scopes (scopes as API) that you would need for the purpose of your medical research:
The one you will need to read the steps is:
scopes your app needs to request.
https://www.googleapis.com/auth/fitness.location.read | Read location data from the Google Fit platform. | Restricted
Enter your Medical Research "Scope"
Finally, and this is where you provide all information related to your medical research, in the optional info - meaning optional for most users, but not so optional for medical research - already briefly stated in your privacy policy link: Its purpose, how it is financed, by which entity, what data your will be using etc. Be as clear as possible as it will speed up the review process.
Provide links about your university or company website, research papers that you have already published, or by yours peers related to the scope of your medical research:
I have received email from Google with subject: [Action Required] Submit your app(s) for Restricted Scopes OAuth verification,
same as many of you.
I'm using GAS only for developing applications for my personal use - not for public. Applications such as sending summary emails to my clients, when they buy a product from my web pages.
Do I have to go through the whole process of verification?
Do I have to create public Terms of Service?
Is there any way how I can explain to google, that my applications are not used by anybody else then by
me?
How to get to know for sure that my app won't stop?
I have read through FAQ (https://support.google.com/cloud/answer/9110914) and many other documents by google about this topic..
I have checked similar questions found on web, but with no luck of answers.. It looks it's pretty new experience for all of us..
Thank you for any advices.
I have personal account, so I can't use "internal apps" selection, this works only for paid G-suite customers which I'm not.
EDIT:
As Yoel Vinitsky stated, app doesn't need verification if it has only one user.
Here at bottom: https://support.google.com/cloud/answer/7454865 is table which shows that there is quota 100 new users in total, once the app presents the unverified app screen.
It seems like that I don't have to worry about verification of my apps at all, because I'm the only one user or maybe I use this app from 2 or 3 more users emails so it should be ok, my question is, is it going to be ok without verification, or not?
EDIT 2:
Google sent clarification email:
NO ACTION is required if:
Only owners use the project: If the project is only used by owners of the project, no action is required.
To determine whether you are an owner (versus an editor or viewer), follow these steps:
Click the project link above to navigate to its OAuth Consent Screen
configuration page.
Click the Navigation Menu button in the
upper-left corner, select IAM & admin, and click IAM. This will show you all project contributors and their roles.
The project doesn’t have users outside of your G Suite domain:If the project owner is using a G Suite account and the project is only used by Google Accounts in the project owner’s domain, no action is required (learn more here).
But the question is how to avoid verification with personal accounts for my own scripts used only by me?
As mentioned in the support FAQ You linked to:
When can I skip publishing my app for a review?
You do not need to request for verification if your app is
going to be used in any of the following scenarios:
1) The app is not shared with anyone else.
2) The app is used to send emails through WordPress, or
3) similar single account SMTP plug-ins.
The only drawbacks should be the warning that your app is unverified and maybe quota limits.
Questions regarding billing for Google API's or more specifically the places and maps Google API's.
We have an app which is part of a SAAS package. When clients use our Software we have maps and place's API built it, however we want to offset the cost of the bill using these API's to that particular client using the software.
Currently we have a single Google Project we created and enabled the API's on our own google account however this means we will foot the bill as its using our token.
Can clients somehow connect to our google project etc or do we simply need them to create their own google project and pass that token through? Is there a streamlined approach that covers this...
When we did for our multi tenant application we did create only one google project and billing was getting accumulated into a single account. We looked at what you're talked about but since google does not allow to bill separately without having separate google project. Google API billing works on google project id. We decided to bill our clients separately and handled all calls to Places API on a single google project.
Long story short - it was not easy to have our clients connect to our project without having them create their own google project we ended up with one google api project.
edit: also missed another important point - Google My Business API needed whitelisting for each project id so it was another reason to keep it as a single project
Passing the token to the application is a probably very bad idea and will result in a security risk for your client and their token if it is intercepted.
As a developer for the client they should create a token on their account and then they will be charged. They can then give it to you as the developer for use. This is however a gray area as technically you are not allowed to share your tokens with anyone TOC However i believe that client and developer relationship should be secure enough for sharing the token.
Ideally you should give the client the code they can then use their own token and run the application themselves.
I'm a hobbyist student developer playing around with the Actions on Google to create a simple "text adventure" game on Google Home. Since Google Home will be speaking to the player rather than the player reading the text, I'm hoping this will create an experience similar to the "Dungeons and Dragons" roleplaying game, with the computer working as the "Dungeon Master." With the natural language assistance offered by API.AI and Actions on Google, it seemed like a good fit, since the player can respond "naturally." Here's an example of an Amazon Alexa skill that does essentially what I'm going for.
However, every time I boot up the game, it's always a new game. I'd like to store a savegame with the user's previous state in a JSON file hosted on the user's Google Drive -- Since I'm just a student doing this for fun, I don't actually have an official website or anything beyond a free Heroku server I'm running the app from, making storing saves on my end pretty much out of the question.
I've walked through the Google Drive REST quickstart for Node.js, and I've gotten that working in the console just fine. The only problem is in that quickstart, the user has to click a link to authorize the application to read the stuff in their Google Drive account, and I'm not sure how I'd be able to "click a link" and give back an access token via voice on Google Home.
Is there a way to do this via Google Drive? Or is there a better way to provide persistent data between sessions? I don't normally work in web development, so any help would be appreciated.
The bad news is you won't be able to get away from the need for a user to use his web browser to authorise your app to access his Drive.
The good news is that you only need to do this once. When your app requests authoirsation, it should specify "offline", which will result in you being given a refresh token. You should save this somewhere in your database of users. Whenever you need to access the user's Drive, you can use the saved refresh token to request an access token and you're good to go.
You have a few problems that you need to solve here, and while they seem related, they're not as related as you might hope:
You need to get authorization to access a user's Drive space
You need to authenticate the user's Home (so you know this person has come back)
You have to connect the two relationships - so you know what Drive space to use for the Home device that is talking to you
You've found the answers to (1) already, and as noted, you'll need to use a browser for them to authorize you to access their Drive. You'll then store the refresh token and will be able to access it in the future.
But that is only part of the problem. Home does not provide you access to the user's Google account directly, so you'll have to manage your own account mechanism and tie it to Home. There are a few solutions here:
Home provides anonymous user identity in the JSON sent to your webhook. You can access this using getUser().user_id if you're using the Actions API library, or access this in the data.user.user_id field in the JSON. While this is similar to a browser cookie, it only stores the user ID and can't store additional data. There is also no concept of "local storage". On the plus side, this ID is consistent across devices.
You can request user information such as their name and address. But it doesn't have anything unique or account information, so this probably isn't useful to you.
You can implement an OAuth2 server and do account linking. Note that this is the other side from what you need to do with Google Drive - you'll be providing the access and refresh tokens to authenticate and authorize access to your account and the Google Home device will send these tokens back to you so you can determine who the user is. You don't actually need to store account information - you can provide token information using JSON Web Tokens (JWT) or other methods and have them store account information in a secure way. Users will use the Google Home app to actually sign-in to your service as a one-time event.
In order to handle (3), you may be thinking that (1) lets you get tokens and the OAuth solution for (2) requires you to hand out tokens. Can the two be combined? Well... probably, but it isn't as straightforward. You can't just give the Google OAuth2 endpoints to Home - they explicitly block that and you need to control your OAuth2 endpoints. You may, however, be able to build proxy endpoints - but I haven't explored the security implications of doing so.
I think you're on the right track - using Drive is a good place to store users' information. Using Home's account linking gives you a place where they have to come to your web site to authenticate and authorize their Home, and you can use this to do the same for their Drive.
Is there any option to save updated contact details provided by Rapportive to google contacts ?
Any greasemonkey script or Firefox plugins ?
I've never seen that sort of Greasemonkey script of Firefox plugin, but conceivably it would be doable to rig up something to that effect. It all depends on Rapportive's Terms of Service, however.
Programmatically, Rapportive doesn't currently offer an outbound API - they currently only offer a way to programmatically send info to them regarding contacts. So you'd have to go about it another way. Scraping the info that's displayed could be an option - but I'd do due diligence first & be sure to read their policies. They might prohibit that sort of thing (they're owned by LinkedIn, whose TOS are known to be very restrictive).
You could also accomplish this sort of thing using FullContact (disclosure - my company). Our Address Book app (in beta) adds photos, social profile links, titles, etc. - the same sort of data returned by Rapportive - to Google Contacts and syncs in real-time.
We don't use Rapportive's data - the data is all public social profile data, returned by our social profile APIs - but the Address Book should help you do exactly what you're looking to do.