Google Drive as data source asks for FULL access to ALL user's files on Drive

Implemented

avatar

Problem
When using Google Drive as a data source, the user must grant access to their entire Google Drive account.

Expected Behavior
Users should only have to authorize the app to access its own files (i.e. RDM can create files on your Drive and only see those).

Notes
I've reached out to Devolutions a couple of times about this but no luck in getting the "feature" prioritized. This seems like a HUGE security issue so I'll continue using the local filesystem until it gets fixed.

Thanks!

CleanShot 2023-01-05 at 16.39.01.png

All Comments (20)

avatar

Hello,

Thank you for posting your request, I have linked it to our internal ticket to change the Google permissions (RDMW-8016). I do not have an ETA yet when this will be implemented, however.

In the meantime, you may be interested in Devolutions Hub Personal, which is hosted by us in Azure, and is free to use. It is faster than the Google Drive data source, provides you with a web interface when you do not have access to RDM, and more. You can refer to https://devolutions.net/password-hub/personal for more details.

Best regards,

Richard Boisvert

avatar
Thanks! Any luck or timeline with RDMW-8016?

avatar

Hello,

It is still in the backlog of the engineering team, unfortunately. I will ask them to increase the priority.

Best regards,

Richard Boisvert

avatar

Hello,

No, we don't have any update; the issue is still in the backlog.
We have reprioritized the issue.

Best regards,

Michel Lambert

avatar

Hey Folks,

This, unfortunately, is still killing me. I'm honestly somewhat shocked that this issue with permissions hasn't gained more attention. It is a HUGE security risk to link any app (regardless of who develops it) to Google Drive (or any cloud storage provider) with full access to ALL content. From my point of view, I worry about someone discovering a vulnerability in the RDM <--> Google Drive connector and then being able to expose folks' data stored on their Google Drive account. This should be a large concern for Devolutions, one would think. I'm assuming Google devs may even be able to help since this is a common scenario.

Please do not take this as me being upset. I LOVE RDM and all Devolutions products but I am 1) slightly frustrated that I still have to manually sync items or switch to Devolutions Hub Personal and 2) concerned for Devolutions' sake in the event of a data breach via this very issue.

Thanks,
Tyler

Additional resource: https://developers.google.com/drive/api/guides/api-specific-auth

avatar

Hello,

Sorry for the late reply.

We opened a ticket with our developers and security team to improve/rework this integration to require fewer permissions.

Thank you for posting.

Best regards,

Jeff Dagenais

avatar

Thank you, Jeff!

avatar

To make matters worse, Google Drive is completely unavailable now for some reason. I just tried to use it as a datasource to see if this issue had been fixed yet and received the following error:

CleanShot 2024-08-15 at 13.50.40.png

avatar

Hello,

I created an account on the forum to simply post a reply to this thread. I simply cannot understand how such a security issue still hasn't been fixed in 2 years :| . As @tylwright said in the previous post, right now Google is simply blocking the app.

What I cannot understand is how a company that's providing security software (credential manager, etc.) is requesting FULL access to store its data in Google Drive. Not only is it ironic, but unprofessional, irrational and, bottom line, not trustworthy that a company that's advertising for security is asking for full control over the customer's Google Drive :| .

Guys, it's been 2 years since one of your clients raised a valid security concern - that shouldn't have even been implemented in the first place - and no real answer. I would have imagined this would be your top priority - I would have fixed it ASAP, followed by an apology that such a security issue slipped your "security team".

I'm sorry if my above words seem like I'm mocking your work - they're not, I'm writing this in disbelief that such a security issue is even real nowadays and also not fixed after 2 years.

avatar

Hello,

Our security team has worked on this recently, but now we are waiting on the Google support team for the verification process. Google has set a response delay of 4 to 6 weeks.
Unfortunately, we are stuck in the middle for now regarding this situation.

We are sorry for all these delays and confusion.

Best regards,

Jeff Dagenais

avatar

Going by your last post, Google Drive was about to finally be supported. But according to this latest update, it is being deprecated. Can you explain what happened?

a03d5707-7cf4-4cc4-9235-7a9630603e6d.png

avatar

Hello,

Unfortunately, the Google Drive datasource no longer works due to security restrictions by Google. This is why this type of datasource is now deprecated.

You can follow the help article below if you need to export/import your data into a new datasource:
https://docs.devolutions.net/rdm/kb/troubleshooting-articles/access-your-en-rdm-entry-in-google-chrome-if-google-drive-integration-does-not-work/

Best regards,

Jeff Dagenais

avatar

Wow... That is extremely unfortunate. It's odd that hundreds of other apps are able to store data on Google Drive just fine.

avatar

As far as I know, only access to the whole drive is possible as a limitation from Google. The only workaround I know is to have a business account then a specific user access to a certain folder...

avatar

I had to write a reply because the situation seems to be disappointing.

So, a couple of months ago Google started restricting apps that require FULL access to Google data. Why? Because it's a violation of the customer's privacy to ask for FULL access when you only need to create/modify/delete files in Google Drive.

Devolutions' communication with Google Drive asks for FULL access, which is not required and also worrying from a customer's perspective when anyone would ask them to give FULL access to ALL their data. Devolutions's implementation was incorrect from the start - they should not have asked for full access, but they did - why?... (from a developer's perspective), I'd say either this option was not available at the time they implemented it, or out of pure developer laziness or, this was intended to be like this, which is even more worrying. There are many apps out there that use Google Drive as a storage and do not ask for full permissions, so it's not a matter of technical implementation restrictions.

Devolutions should have gone back to their implementation and made the necessary changes that allow their app to work without full access to Google Drive data. I assume (because there was no official reason why this happened) this is a strategical shift to force free accounts to store their data on Devolutions' servers. Why? The Dropbox integration is also deprecated, meaning the Google Drive was the only way left to store the data online on a 3rd-party service for free accounts. Free accounts now have no options to store their data online, except if they create an account and store it on Devolutions's servers. So, for free accounts, there's clearly a push to keep the data on their servers - which they control and we, as customers, have no guarantee they don't use it for other reasons. The fact that their Google Drive implementation asks for FULL permissions is also not reassuring that they would keep my data secure or that they will not use it for something else.

I'm curious to see a response from their staff regarding this push for free accounts to remove the ability to store the data on a 3rd party service. It's their product and of course their decision to do so, but it would be good to know the reasons behind this.

PS: It seems that free accounts can also connect to Azure SQL or SQL Server databases to store the data there, but these are rather technical options that a non-technical user will find hard to use.

avatar

I couldn't agree with you more, @ovidiuvasiliu84! That's a great summary!

avatar

I just stumbled upon this video that's related to Google Drive's new security policies: https://www.youtube.com/watch?v=UMiB5Z7n6Y8

Apparently Google Drive's new security requirements and app approval are cumbersome and a lot of apps are affected by this. It could be that Devolutions' app was also affected, and, due to this, they decided to not support Google Drive anymore.

Sorry if my previous post was too harsh on Devolutions, it seems the effort in supporting Google Drive might not be worth the time and money investment.

It's a shame that now there's no other easy way for free accounts to support 3rd party document storage systems (both Google Drive and Dropbox were deprecated).

It would still be nice to have an official answer from Devolutions explaining their decision.

avatar

Our verification request was finally approved by Google. In the next 2024.3 update RDM will request access only to the application data when adding a new Google Drive data source.

Our experience with the Google review process was similar to what other software companies like Panic and ia.net have reported. We initially requested access to the drive to make it possible for users to migrate their data source easily to application data. That request was denied, so we switched to requesting only application-specific scopes (auth/drive.appdata). That request was also denied because we were missing some information in our request, which we quickly resubmitted. There was a multi-week delay each time we updated our approval request, which made the process drag on.

We recommend using Hub Personal as a remotely stored database because it was built to correctly handle concurrent use. XML and SQLite are meant to be used from a single place at a time; this, combined with the limited number of users we had for these data sources, is the reason we deprecated data sources that were storing them online. With this caveat, a workaround would be to store an XML data source and access it from the filesystem with Google Drive for Desktop/Dropbox/OneDrive.


Sébastien Duquette
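
A check for the scope change discussed in this thread, as an added example that is not Devolutions' code: it parses an OAuth 2.0 consent URL and flags any Google Drive scope that reaches beyond the app's own files. The client ID, redirect URI and both URLs are constructed placeholders; the scope tiers follow Google's Drive API scope documentation.

```python
from urllib.parse import parse_qs, urlencode, urlparse

PREFIX = "https://www.googleapis.com/auth/"
# scope -> (what it reaches, Google's verification tier)
DRIVE_SCOPES = {
    "drive": ("every file in the user's Drive", "restricted"),
    "drive.readonly": ("every file, read-only", "restricted"),
    "drive.metadata.readonly": ("metadata of every file", "restricted"),
    "drive.file": ("files the app created or the user opened with it", "non-sensitive"),
    "drive.appdata": ("the app's own hidden data folder", "non-sensitive"),
}
LEAST_PRIVILEGE = {"drive.file", "drive.appdata"}


def consent_url(scope):
    """Build a constructed authorization URL (placeholder client and redirect)."""
    params = {"client_id": "EXAMPLE-CLIENT-ID", "response_type": "code",
              "redirect_uri": "http://127.0.0.1:8080/", "scope": scope}
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


def requested_scopes(url):
    """Return the scope URIs from an authorization URL."""
    query = parse_qs(urlparse(url).query)
    # The scope parameter is a space-delimited list (RFC 6749, section 3.3).
    return [s for value in query.get("scope", []) for s in value.split()]


def audit(url):
    """Classify each Drive scope; ok is True only if all are least-privilege."""
    findings = []
    for scope in requested_scopes(url):
        if not scope.startswith(PREFIX + "drive"):
            continue  # not a Drive scope (e.g. openid)
        short = scope[len(PREFIX):]
        reach, tier = DRIVE_SCOPES.get(short, ("unknown reach", "unknown"))
        # Unknown Drive scopes are treated as over-broad until reviewed.
        findings.append({"scope": short, "reach": reach, "tier": tier,
                         "over_broad": short not in LEAST_PRIVILEGE})
    ok = bool(findings) and not any(f["over_broad"] for f in findings)
    return findings, ok


BROAD = consent_url("openid " + PREFIX + "drive")            # constructed
NARROW = consent_url("openid " + PREFIX + "drive.appdata")   # constructed

if __name__ == "__main__":
    for name, url in (("broad", BROAD), ("narrow", NARROW)):
        findings, ok = audit(url)
        print(name, "PASS" if ok else "FAIL", findings)
```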

avatar

This is great news and a great write-up, Sebastien! Thank you so much!

avatar

Hello,

The new Google Drive Restricted Mode is now available in RDM 2024.3.19. This feature is enabled by default for new Google Drive data sources (see the image below).
Please note:

  • There is no automatic migration from the non-restricted mode. The XML file must be manually re-imported into the new Google Drive data source.
  • This data source is still considered deprecated and may stop functioning in the future. We strongly recommend switching to Hub Personal for a more reliable and future-proof solution.



Thank you for your understanding.

Regards,

Mathieu Morrissette

78d2000d-9fa3-4654-8c23-c07f8c7e2af7.png