I completely understand your CTO’s concern — it’s a valid one, and we’ve heard similar feedback from other organizations. While using a service account is indeed an option (as your Android engineer suggested), it’s important to note that Google Play only provides a single required scope for the API:
https://www.googleapis.com/auth/androidpublisher
Unfortunately, Google does not offer more granular scopes like “read-only” or “reviews-only.” Even if you're only reading reviews, this broader scope is still required. Also, in the service account approach, you would need to add Dovetail’s service account to your Play Console and explicitly grant it access to the app. That gives you full control over which apps and roles the account has, but it does require your team to manage permissions. To reduce friction and ensure transparency, another option is to add your own user (with the right permissions) in the Play Console and use that to generate credentials — this way, you retain full visibility and revocability at any time.
Thanks for sharing this, Jane Slaughter. After a quick investigation, I found that they're using web scraping to collect the data. Unfortunately, this approach violates Google Play’s policies. One of the main reasons we chose to use the official API is to ensure we’re following the correct legal and ethical practices. While app reviews are publicly visible, scraping them in this way goes against Google’s terms of service. Here’s some context for reference:
Restrictions: You may not:
display (in part or in whole) the Content as part of any public performance or display even if no fee is charged except (a) where such use would not constitute a copyright infringement or violate any other applicable right or (b) as specifically permitted and only in the exact manner provided.
sell, rent, lease, redistribute, broadcast, transmit, communicate, modify, sublicense, transfer, assign any Content to any third party including with regard to any downloads of Content that you may obtain through Google Play except as specifically permitted and only in the exact manner provided.
use Google Play or any Content in conjunction with any stream-ripping, stream capture or similar software to record or create a copy of any Content that is presented to you in streaming format.
use Content as part of any service for sharing, lending or multi-person use, or for the purpose of any other institution, except as specifically permitted and only in the exact manner provided.
attempt to, or assist, authorize or encourage others to circumvent, disable or defeat any of the security features or components that protect, obfuscate or otherwise restrict access to any Content or Google Play.
remove any watermarks, labels or other legal or proprietary notices included in any Content, or attempt to modify any Content obtained through Google Play, including any modification for the purpose of disguising or changing any indications of the ownership or source of Content.
Here is the original link for your context.
Hi Jane Slaughter, I'm Felipe, one of the engineers from Channels. Thanks for reaching out to us about the Google Play integration — I'm really excited to hear that you're interested in using it! I completely understand your concerns. As an engineer, and at Dovetail more broadly, security is our top priority. Based on Google Play's official API documentation, unfortunately, this integration does require very high-level permissions. Here’s a bit more context:
They only provide a single available scope for access: https://www.googleapis.com/auth/androidpublisher.
You can find more information in their official API documentation here.
I’m also curious to learn more about the "other Play Store integration" your Android engineer mentioned — it would be great to understand how that solution works. Please feel free to reach out if you have any other questions — I’m happy to chat more or work through any concerns you have!
