To use Google Drive you must pass Google's Tier 2 Security Assessment

Has anyone gone through the process of approving their app with Google? How did it go, what problems did you run into and how did you solve them?

In order to let my users upload files from their Google Drive, I’m required to go through Google’s approval process since I’m self-hosting Companion. I scanned Companion for vulnerabilities and the scanner reported over 200 issues (most of them in dev dependencies). In order to pass I need to resolve all issues reported by the scanner and submit the results to the third party. Then I need to answer questions about the internals of Companion/Uppy during the self-assessment.

Am I understanding this correctly?

Here’s a link to where I first learned about the app verification requirement: GitHub issue

Below is part of the email I received from Google after submitting my app for approval.

Thank you for your patience while we reviewed your project’s use of OAuth restricted scopes.

We have completed our initial review of your app { / }****.

For final approval, you are required to complete a Tier 2 verified self security assessment and be issued a Letter of Validation for your application by your due date, September 20 2023. This assessment is required annually and applies to all apps requesting restricted scopes; to learn more, please visit the CASA website.

The due date is to complete your assessment and receive a Letter of Validation. It can take up to 6 weeks to complete the CASA assessment, so it is important to initiate your assessment as early as possible.

Next Steps

You have the following options to complete your assessment:

1 - Tier 2 Self Scan Using Open Source Tools

  • Follow the CASA Tier 2 procedures to self scan your application
  • Fix any CWEs flagged by your scan
  • Register or log in to the CASA portal and initiate your security assessment
  • Submit your scan results and fill out the CASA questionnaire on the portal
  • Receive the results and validation report in the CASA portal
  • The CASA portal will automatically share the Letter of Validation with Google.

The next portion is from an email I received from CASA.

Welcome to CASA Tier 2 Assessment Portal. In order to submit your application assessment, please use this link to log in, complete the questionnaire, and upload the scan results document. Our assessment process is as follows:

  • Survey Submission and Initial Review:
    • This is an initial high-level review of your submission to validate that the questionnaire has been fully completed and all necessary evidence has been submitted.
    • If your submission is complete, your submission will be progressed to the detailed review phase.
    • If your submission is deemed incomplete, an assessor will be in touch to request the missing details before your review is progressed.
  • Detailed Review:
    • This is a detailed review of the assessment questionnaire and related supporting evidence.
    • If everything has been appropriately submitted and your submission meets all the CASA requirements, your submission will be progressed to the final QA phase (where your LOA will be issued).
    • If you have not met all the CASA requirements or your submission is unclear, an assessor will reach out to you to obtain clarification and to resolve any open questions. In this instance, the progression of the detailed review phase will primarily be driven by the time it takes you to resolve the assessor’s questions. In this case, we will still work closely with you to progress your assessment before its due date.
  • Final QA and Completion:
    • This is the final QA review of your assessment. If your submission passes the CASA assessment, your LOA will also be issued during this time.

Thank you for your prompt attention to this request.

The CASA Tier 2 Assessment Team


Unfortunately I have no experiences to share, but we will have to go through this very soon. Keep us posted how it goes, please!

Ok, so here’s what I’ve learned so far. You don’t need to go through the assessment to use Google Drive. However, if you want to customize the OAuth screen, then you probably have to (I’m still waiting to hear back from Google and CASA).

To access Google Drive files, just use Transloadit’s hosted Companion server (it’s free as long as you don’t apply any processing to the files). However, you won’t be able to customize Google’s OAuth screen to use the name of your application.

I mainly want to customize the OAuth screen so my users see my app’s name when giving consent to access their Google Drive files. I think it’d be pretty odd if I was using an app called “Video Editor’s Generic App Name” (VEGAN for short) but, instead of getting a request from VEGAN to access my files, the request came from Transloadit. Call me a chicken, but I don’t want any beef with users trying to use my VEGAN app.

Default OAuth screen using Transloadit’s Google API credentials

Desired OAuth screen

I’m also looking for tips on how to tackle Google’s Tier 2 Security Assessment. I’d love to hear from anyone that’s had success with this. Thanks!

Hey, I’m still trying to get this sorted out. Have you had any luck? Whereabouts are you with regard to integrating Uppy?