Develop Reference

Google Chrome Extension got rejected multiple times for "User Data Privacy"

I submitted a Google Chrome Extension and got rejected
Your item did not comply with the following section of our Program Policies:
"User Data Privacy"
The Privacy Policy & Secure Transmission section requires that:
If your product handles personal or sensitive user data (including
personally identifiable information, financial and payment
information, health information, authentication information, website
content and resources, form data, web browsing activity, user-provided
content and personal communications), then your product must:
Post a privacy policy. Handle the user data securely, including
transmitting it via modern cryptography. To comply with this policy:
Provide a working link to your privacy policy in the appropriate field
in the Chrome Web Store Developer Dashboard. The link must lead to a
privacy policy that is owned by you. The privacy policy must also
accurately and fully disclose all the details pertaining to how your
product collects, uses and shares user data, including the types of
parties with whom the data is shared. For more information on the
policy, please refer to the User Data FAQ.
Once your item complies with Chrome Web Store policies, you may
request re-publication in the Chrome Web Store Developer Dashboard.
Your item will be reviewed for policy compliance prior to
re-publication.
If you have any questions about this email, please respond and the
Chrome Web Store Developer Support team will follow up with you.
Our privacy policy is here
How could I fix it? What should I do?

After few emails with google asking about the exact issue, it turns out the User Data policy is a big section and a lot of thing might go wrong there, however, in my case I had a snapshot that is actually created by a designer to look pretty, not a snapshot from the actual extension and I had a permission that did not have a justification description. After I replaced the snapshot with an actual one and I removed the permission that didn't have a description because I actually didn't use it. The extension was approved and published.

Can/Should I hide the details of Error 403: org_internal in google login?

I am using Google's login API for a project that needs to be internal to my organization. When I tested to see what happens if I try to login with an account that is not part of that organization, this error showed up:
Error message image on https://i.stack.imgur.com/bnXNw.png
This error shows the client id provided by my API panel on my developer account.
Is showing that information safe? If not, what could I do to hide it?
Thank you in advance!

The client identifier [1] and everything else on the error page is not considered a secret. The error message has two uses: to lock your app down for internal usage and to allow users to use that information to escalate to you, the developer, or their admin that they need access to a particular app if they have a legitimate need for it. For the latter, it is important for users to be able to identify apps, typically using the client ID.
[1] https://www.rfc-editor.org/rfc/rfc6749#section-2.2

I keep getting an error that my app needs to be verified when either I or another user try to authorize with OAuth2. What does that mean?

I received this error when trying to authorize my app with my own account:
Your project is trying to access scopes that need to go through the verification process.
{invalid=https://www.googleapis.com/auth/contacts}
If you need to use one of these scopes, submit a verification request. Learn More
When I use a different account, the error message is different:
This app hasn’t been verified to access:
{invalid=https://www.googleapis.com/auth/contacts}
Are you the developer? If this project needs these scopes, sign in to an account with access to edit your project and try again.
If not, contact the developer for help.

As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
UPDATE: Corrected broken link to form.

Email from Google: Using a Google product name as the project in OAuth consent screen

I received this message for the second time and i still dont understand why. Can someone help me?
Action required: Critical problem with your Google Cloud/API project
Youtube API (id: tonal-topic-123301)
Dear Developer, We have recently
detected that your Google Cloud/API project Youtube API (id:
tonal-topic-123301) is using a Google product name as the project name
shown to users on the OAuth consent screen, which violates the Google
API Services: User Data Policy. You can fix the problem by revising
the project name and other relevant content so that the OAuth consent
screen shown to users accurately reflects the identity of your
application. To revise the project name visible to users, please take
the following steps:
Please review the Google API Services: User Data Policy, specifically
the following section- "Do not make false or misleading statements
about any entities that have allegedly authorized or managed your
application. You must accurately represent the company, organization,
or other authority that manages your application. Making false
representations about client credentials to Google or Google users is
grounds for suspension."
Sign in to the Google Cloud Platform Console.
Select your project.
On the Home Page Dashboard, select Go to APIs overview under APIs.
In API manager, select Credentials on the left bar, then select OAuth
consent screen. Change the name in the field under Product name shown
to users and then click on Save. We will suspend your Cloud project in
3 days unless you correct the problem. Please submit an appeal if you
have any questions. Please note that you should be logged in as the
project owner to access the appeals page. For more help on submitting
an appeal or to learn more about the process check the Policy
Violation FAQ. Please take a moment to review the Google API Services:
User Data Policy, the Google API Terms of Service, the Google Cloud
Terms of Service and the applicable Terms of Service for the specific
Google API you are using so that you do not violate our terms and
policies in the future.

This is obviously a naming issue regarding something in the google product range.
You Should be able to re-name your project to solve this.
If not, try a Google forum or help pages.

The problem you are having is that Google does not allow you to use a Google product name as the name of your in your application. Users can become confused and assume your third party application was created by them.
How to fix it:
Go to Google Developer console find the credentials screen. Click on the Oauth consent screen tab at the top rename your application.
Note: If you don't do this google is going to shut down your application they are very picky about this.

Linkedin Rest API suddenly stopped working

I'm developing a Rails app, which contains importing of profile information from LinkedIn to a Rails DB.
It works fine a lot of the time, but over the last 2 weeks it suddenly stopped working...
Default Application Permissions on LinkedIn is only r_fullprofile
I use linkedin gem as a wrapper
Fields to import - positions, educations, summary, languages, picture-url
Error, which I see in PROD logs:
LinkedIn connect failed: Scope NOT_AUTHORIZED : r_fullprofile
.rvm/gems/ruby-2.1.2/gems/oauth-0.4.7/lib/oauth/consumer.rb:178:in `request'
.rvm/gems/ruby-2.1.2/gems/oauth-0.4.7/lib/oauth/consumer.rb:194:in `token_request'
.rvm/gems/ruby-2.1.2/gems/oauth-0.4.7/lib/oauth/consumer.rb:136:in `get_request_token'
.rvm/gems/ruby-2.1.2/gems/linkedin-0.4.3/lib/linked_in/helpers/authorization.rb:22:in `request_token'
As I see in debug, for some reason request token and secret are nil,
so I decide that the API to authorize client with my linkedin-app does not work.
ALso, I found an answer on stackoverflow that some API rules were changed some time ago:
After May 12th, 2015, apps will no longer be able to request this
member permission without being specifically reviewed by LinkedIn for
compliance with the Apply with LinkedIn use case
(https://developer.linkedin.com/docs/apply-with-linkedin) or some
other partnership program membership which grants access to that
permissions.
But, does some analog of r_fullprofile permisson exists now, which give an access to get all profile information from linkedin?

Here is what I found in Developer Program Transition Guide:
Access to the r_fullprofile member permission now requires explicit approval from LinkedIn. Additionally, the focus of this permission has changed to become much more specific. Going forward, data received from the Profile API using the r_fullprofile permission can only be used to complement your company's careers pages, as described further on the Apply with LinkedIn page.
If you are already using member data provided by r_fullprofile and you believe your application meets new useage criteria, you will still be required to apply for permission on the Apply with LinkedIn page to maintain your application's ability to use the r_fullprofile member permission.
Here is a link for Apply with LinkedIn if you need it:
https://help.linkedin.com/app/ask/path/api-dvr
I have asked for restoring API-access from my application,
hope that LinkedIn support help me.
Use Apply with LinkedIn to:
Round out your knowledge about a candidate’s background, their recommendations, interests and who’s in their network
Incorporate a candidate’s full profile data in your careers site
Make it easy for qualified candidates to apply to your company’s jobs
And in a few days I received an answer that my access to API is restored!
Thanks LinkedIn Review Team, they are great guys!