G Suite editor add-ons — more security for users, more work for developers, better marketplace?

Google Apps Script is soon approaching its 10 year anniversary 🎉 and
Bruce Mcpherson has written an interesting article about its evolution: 2019 — a decade in Apps Script, concluding that it has become more and more complex to release and maintain add-ons.

The potential for an Apps Script ‘wild west’ has given rise to a more sandboxed, user orientated environment again […] to the extent that many of those that have produced free add-ons in the past have either withdrawn them or have stopped developing new ones.

Thus I thought it would be interesting to:

• list the main changes add-on developers had to adapt to over the last years
• check how this impacted the marketplace: are there still people willing to create add-ons?

Main evolutions

With Google trying to better protect its users from malicious third party apps, add-ons creators have (and will) face several challenges:

• In July 2017, Google announced that existing add-ons needed to go through a new verification process, to assess their usage of G Suite APIs / authorization scopes “New security protections to reduce risk from unverified apps” — in addition to having to answer Google’s questions, you also needed a domain name (whereas before you simply needed a free gmail.com account to release an add-on) and a Privacy Policy.

• A year after, in october 2018, Google announced the migration of all add-ons: “Migrating G Suite Extensions from Chrome Web Store to G Suite Marketplace”, requiring some developers to make updates if they wanted to keep their add-on listed (including adding a ‘Terms of Service’ page in addition to a ‘Privacy Policy’). Note that this migration was planned for March 2019 but as of today the add-on stores are still powered by the Chrome Web Store.

• During the same period, Google announced more restrictions for apps and add-ons using the Gmail API: “Elevating user trust in our API ecosystem” — this adds a real blocking point as you need to pay for a yearly security assessment (from $15,000 to $75,000) if you want to build an add-on accessing the user mailbox.

• And last month Google announced the same restrictions for apps and add-ons with access to files stored in Google Drive: “Enhancing security controls for Google Drive third-party apps”

Impact on the marketplace

So, it’s fair to ask if people are still willing to publish add-ons. Since 2016, I’ve been monitoring the number of add-ons available, along with the number of installations, last update and other public data.

There are currently 869 add-ons available for Sheets (+20% in one year, up from 726 in June 2018), 427 for Docs (+20%), 84 for Forms (+20%) and 80 for Slides (+150% but the marketplace for Slides add-ons is newer).

Specifically for Sheets, since June 2018, a year ago, 213 new add-ons have been made available and 70 have been removed.

Overhaul, the new security measures /reviews don’t seem to have really discouraged people to release new add-ons. But a more careful review might show another story.

For example, the add-on GSM MailMerge is still displayed in the add-on store but you can’t install it anymore (as it hasn’t gone through the review process for Gmail scopes / wasn’t willing to pay for the security review).

Several add-ons seem to be impacted in the same way and are still listed but no longer installable. Plus, Google hasn’t yet made the migration to the G Suite Marketplace. When that happens, many old (but still useful) add-ons might also disappear (as some changes — like including a public page containing your ‘Terms of Service’ — are required).

Future

As for the future, the new restrictions to access Google Drive scopes will also have an impact. Some of the most used and installed add-ons have been created by educators (mostly) for educators and are totally free. This is the case of Flubaroo, Autocrat, Doctopus and many others. Will their author / current maintainer be willing to pay for the security review? We shall soon see :)