SAST/DAST threat assessment

Google now requires apps that look at sensitive personal data (in my case, daily step count) to perform a threat assessment of the app. (Basically, throwing some of their review process onto the developer.) The free tool they provide (Fortify) does not support Lua, and none of the SAST/DAST tools or services I have looked at support Lua. I found one that analyzes the built app (NowSecure), but they don’t answer my query.

Does anyone know of a way to get this done?

This sounds unlikely to me. Do you have a link to an official post by Google regarding this?

Those sound like enterprise level security checks and I don’t think small developers could abide by them even if they wanted to. They’d also need to analyse the engine the app is running on, many of which are not open source.

As for personal data, a pedometer is unlikely to use such unless you’re requesting user emails or similar PII as well. Daily step count is not PII or sensitive data.

Perhaps I misunderstood or got suckered. I cannot find the original email about the Fit API; I must have deleted it, but it is not in the trash. I ended up in a PwC-built “Cloud Application Security Assessment” which is beyond my resources. I thought it came from a warning that the Fit API requires this.

I don’t think small developers could abide by them even if they wanted to. They’d also need to analyse the engine the app is running on, many of which are not open source.

Certainly true. That is exactly what I am running into, I do not have the resources to do this.

However:

Daily step count is not PII or sensitive data.

This is certainly not true. At Google Play, this is very specifically in the sensitive data category, as it uses the Fit API, and all queries on that API are considered sensitive. I have had to jump through hoops for 2 years for this one, with the app rejected until the UI matched some (undocumented) flow. Absolutely appalling, but I had to do it; they would not approve the app until I got it exactly the way they wanted it.

So, I can ignore what I was certain was a specific new requirement, but I might get caught. On the other hand, this app has not been fun with Google (though trivial with Apple).

I did find this notification of impending CASA application requirement, shown in the (second) snapshot from the email. I submitted my app for verification as required by the email, then received a notification that I needed to complete the “Cloud Application Security Assessment”. That required the Fortify or SAST/DAST. The first screenshot below is the beginning of the follow-up email.


Fit API does provide access to PII (personally identifiable information) and sensitive health information, but daily step count specifically is neither. A person cannot be identified based on how many steps they take on average per day.

Fortify seems like an expensive paid service, PwC even more so. If that email is from PwC and not Google, then they are just trying to sell you services you don’t want or need.

Your argument is perfectly logical and reasonable, and I argued that with Google reviewers last year. I lost.

Here is a screenshot of the scope in Google Fit:

All endpoints in the Fit API are restricted.

But the good/bad news is that the Fit API for Android is being replaced by the Health Connect API, which might have different scopes. Unfortunately, it does not appear to have a REST API, the only REST API I can see for step count is through Fit, but I am still learning about it.

Although one of the emails was from PwC, the original email telling me I would get enrolled in the CASA (which is from PwC) was definitely from Google. And there is no cost, at least they have never mentioned it. The notifications specifically said the Fortify scan was free (within this context), and I was able to start the full survey with no mention of financials.

Anyway, I will switch to Health Connect, and hope for a better result.

Here is a better screenshot from Google telling me I have to do the PwC CASA: