Evaluate a Marketplace app's security
Because G Suite Marketplace apps are developed and offered by third-party developers, you should install an app only if you trust the app’s developer and vendor. You are solely responsible for any compromise or loss of data that may result from using a Marketplace app. Please see the G Suite Marketplace Terms of Service for more information.
G Suite Marketplace app developers must adhere to the Marketplace's listing requirements, program policies, and Developer Agreement, which requires developers to be clear in setting forth the terms under which they offer their services.
How to evaluate a vendor or application
Here are some things you can do to help verify whether an app is trustworthy, before installing:
- Look at customer reviews and ratings (available for all Marketplace apps).
- Contact the vendor directly with any questions.
Gmail contextual gadgets are a special class of gadgets that extract data from a message and provide contextually relevant information to your users in the message pane.
A poorly written gadget may have vulnerabilities and expose your users to risks, including phishing attacks and data loss. Only install gadgets that you trust.
Under the new G Suite Marketplace Security Assessment Program, developers can submit their app to a third-party security firm, which performs a security assessment of their Marketplace app. Apps that pass the security assessment display a security badge in their Marketplace listing.
To earn a security badge, apps must pass testing and review by the security firm in four key areas:
- External Network Penetration - Identifies potential vulnerabilities in external, internet-facing infrastructure systems
- Application Penetration - Identifies potential vulnerabilities in applications that access user data
- Deployment Review - Identifies exploits and vulnerabilities in developer infrastructure
- Policy and Procedure Review - Examines efficacy of information security policies and procedures
While the security assessment badge is not a guarantee against every possible threat or harm, it shows that an app has successfully passed a security review based on all the criteria above. For specific information on what's included in each assessment, see the Google Cloud Platform Help Center.
To keep a security badge, apps must be reassessed every 12 months.