iA Writer’s Google Drive Access
Oliver Reichenstein (Mastodon, Hacker News):
A couple of months ago, Google changed its API policy and revoked iA Writer’s access to Google Drive on Android. By freezing up Android’s main storage option, our app was frozen in carbonite. It still lived but we couldn’t move forward before resolving it. In order to allow our users to access their Google Drive on their phones we had to rewrite privacy statements, update documents, and pass a series of security checks, all while facing a barrage of new, ever-shifting requirements.
[…]
The cost, including all internal hours, amounts to about one to two months of revenue that we would have to pay to one of Google’s corporate amigos. An indie company handing over a month’s worth of revenue to a “Big Four” firm like KPMG for a pretty much meaningless scan. And, of course, this would be a recurring annual expense. More cash for Google’s partners, while small developers like us foot the bill for Android’s deeply ingrained security shortcomings.
[…]
So, as of today, we’re not just accepting our frozen-in-carbonite fate. We’re embracing it. We’re going to take the app offline. We know this decision will disappoint our loyal Android users, and we share your frustration. After seven years of continuous investment, this is way more painful for us than it is for any of you.
With ForkLift, this problem seemed to apply to all platforms, yet iA is framing it as an Android issue rather than a Google Drive issue. Is this because Google Drive is less prevalent on the other platforms, so that removing it isn’t fatal, or because they can get by indirectly accessing Google Drive via a file provider or the file system directly?
I just finished the process to get drive.readonly for my app. It was a huge pain in the ass, and Google was not very helpful. Google recommends you pay $720 for a CASA lab assessment, which consists of some random dude in an apartment in SF running an open source script against a .zip of your codebase, then that guy emails Google saying you “passed”.
CASA isn’t real security. It’s a very badly played security theater. There are plenty of holes, MI CASA SU CASA, that real hackers can use to steal your selfies and credit card info. You still think we’re not informed enough? We never wanted access to Google Drive. We don’t care about your Google Drive or anyone’s Drive at all.
We don’t have, want, or ever asked for access to your files. And don’t start with, “But you could be hackers!” We’re not. Google has our entire history—7 years with them, 14 years building apps, and 20 years as a company. They have our code, user feedback, passports, phone numbers, bank info, and confidential documents. But they still pass the security theatre burden onto us, making us pay KPMG for audits. Not because it makes things safer. It's so they can lean back, do nothing, and then lift both hands and then point fingers in case things go wrong. That scales nicely.
Previously:
- Google Drive Blocks Unverified Apps
- VLC vs. the App Stores
- Google Removing Support for “Less Secure Apps”
Update (2024-09-30): John Gruber:
See also the footnote on how stunningly rampant piracy is on Android, too.
6 Comments
Can’t they [still] save files locally? Not great, but since they’ve got the app written, seems some revenue is better than none — I originally assumed that’s what they meant by “We’re going to take the app offline [for saves],” but nope!
What happens if they release a side-loadable app? Still no Drive access? (Would be surprised if you could, but you never know.)
But you can use any payment processor with side-loading, right?
One small step closer to whatever comes next.
In related news I just saw a talk where a Swedish beauty products chain introduced their own community app, which was a tailor-made Instagram/TikTok clone.
"We want our customers to interact with us, not Meta"
Bravo 👏👏👏
I don't code for Android at all, and I haven't done anything with coding access to the file system on iOS. I assumed an app would leave all that to the "system", but I guess that's not the case?
@DJ: My understanding, which might be wrong, is that they claim the system access confuses most of their customers, and they rewrote a custom version to solve that problem. It seems to me that it might be a necessity given the type of people who'd buy their product.