Concerns Over App Store Integration Permissions and Security


Hi there, I am trying to get my App Store and Google Play store integrations set up, but there are some concerns from our team about privacy and security. Is there a way to reduce the scope of the permissions? From the Android engineer I’m working with:

I’m a little sketched out. It seems like they’re requesting access that is much too broad. The way other Play Store integrations work is that you create a service account and give it access to just the reviews. I think giving Dovetail access to upload APKs feels like a security hole we should not open.

  • Felipe Carnevali

    Hi Jane Slaughter, I'm Felipe, one of the engineers from Channels. Thanks for reaching out to us about the Google Play integration — I'm really excited to hear that you're interested in using it! I completely understand your concerns. As an engineer, and at Dovetail more broadly, security is our top priority. Based on Google Play's official API documentation, unfortunately, this integration does require very high-level permissions. Here’s a bit more context:

    I’m also curious to learn more about the "other Play Store integration" your Android engineer mentioned — it would be great to understand how that solution works. Please feel free to reach out if you have any other questions — I’m happy to chat more or work through any concerns you have!

  • Jane Slaughter

    I’m also curious to learn more about the “other Play Store integration”

    Appbot uses a service account, which allows us to lock down permissions to just replying/reading reviews https://support.appbot.co/help-docs/linking-your-google-play-account-to-appbot/Appbot

  • Felipe Carnevali

    Thanks for sharing this, Jane Slaughter. After a quick investigation, I found that they're using web scraping to collect the data. Unfortunately, this approach violates Google Play’s policies. One of the main reasons we chose to use the official API is to ensure we’re following the correct legal and ethical practices. While app reviews are publicly visible, scraping them in this way goes against Google’s terms of service. Here’s some context for reference:

    Restrictions: You may not:

    • display (in part or in whole) the Content as part of any public performance or display even if no fee is charged except (a) where such use would not constitute a copyright infringement or violate any other applicable right or (b) as specifically permitted and only in the exact manner provided.

    • sell, rent, lease, redistribute, broadcast, transmit, communicate, modify, sublicense, transfer, assign any Content to any third party including with regard to any downloads of Content that you may obtain through Google Play except as specifically permitted and only in the exact manner provided.

    • use Google Play or any Content in conjunction with any stream-ripping, stream capture or similar software to record or create a copy of any Content that is presented to you in streaming format.

    • use Content as part of any service for sharing, lending or multi-person use, or for the purpose of any other institution, except as specifically permitted and only in the exact manner provided.

    • attempt to, or assist, authorize or encourage others to circumvent, disable or defeat any of the security features or components that protect, obfuscate or otherwise restrict access to any Content or Google Play.

    • remove any watermarks, labels or other legal or proprietary notices included in any Content, or attempt to modify any Content obtained through Google Play, including any modification for the purpose of disguising or changing any indications of the ownership or source of Content.

    Here is the original link for your context.

  • Jane Slaughter

    Thanks for all that information. Unfortunately, due to the security concerns, my CTO is recommending we don’t move forward with this integration 😢 Perhaps the team could look into reducing the access scope — I’d imagine other orgs may have this concern as well? My Android eng thought if you create a service account and use the service account creds with the Play Store API, you would be able to access the review lists.

  • Felipe Carnevali

    I completely understand your CTO’s concern — it’s a valid one, and we’ve heard similar feedback from other organizations. While using a service account is indeed an option (as your Android engineer suggested), it’s important to note that Google Play only provides a single required scope for the API:

    https://www.googleapis.com/auth/androidpublisher

    Unfortunately, Google does not offer more granular scopes like “read-only” or “reviews-only.” Even if you're only reading reviews, this broader scope is still required.

    Also, in the service account approach, you would need to add Dovetail’s service account to your Play Console and explicitly grant it access to the app. That gives you full control over which apps and roles the account has, but it does require your team to manage permissions. To reduce friction and ensure transparency, another option is to add your own user (with the right permissions) in the Play Console and use that to generate credentials — this way, you retain full visibility and revocability at any time.
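
Added example, not part of the thread and not Dovetail's or Google's code: with only one OAuth scope available, the control that remains is the Play Console grant on the integration's service account, so this sketch audits an exported user list against a reviews-only policy. The JSON shape and permission names follow the Play Developer API users/grants resources as an assumption; the account emails, package names and sample data are constructed.

```python
import json

# Assumed policy for a reviews-only integration: app visibility plus review access.
ALLOWED_APP_PERMS = {"CAN_ACCESS_APP", "CAN_REPLY_TO_REVIEWS"}

# Constructed sample, shaped like a Play Developer API users.list response.
# The account emails and package names are hypothetical.
SAMPLE = json.loads("""
{"users": [
  {"email": "reviews-sync@example-project.iam.gserviceaccount.com",
   "developerAccountPermissions": [],
   "grants": [
     {"packageName": "com.example.app",
      "appLevelPermissions": ["CAN_ACCESS_APP", "CAN_REPLY_TO_REVIEWS"]},
     {"packageName": "com.example.beta",
      "appLevelPermissions": ["CAN_REPLY_TO_REVIEWS", "CAN_MANAGE_PUBLIC_APKS"]}
   ]},
  {"email": "ci-release@example-project.iam.gserviceaccount.com",
   "developerAccountPermissions": ["CAN_MANAGE_PUBLIC_APKS_GLOBAL"],
   "grants": []}
]}
""")


def audit_account(users_response, email, allowed=ALLOWED_APP_PERMS):
    """Return (level, package, permission) tuples that exceed the policy."""
    for user in users_response.get("users", []):
        if user.get("email") == email:
            break
    else:
        # A missing account is reported separately from a clean one.
        raise LookupError(f"{email} not present in the user list")

    findings = []
    # Account-level permissions apply to every app, so none is acceptable here.
    for perm in user.get("developerAccountPermissions", []):
        findings.append(("account", "*", perm))
    # App-level grants are checked one package at a time against the allowlist.
    for grant in user.get("grants", []):
        for perm in grant.get("appLevelPermissions", []):
            if perm not in allowed:
                findings.append(("app", grant.get("packageName"), perm))
    return findings


if __name__ == "__main__":
    for finding in audit_account(
            SAMPLE, "reviews-sync@example-project.iam.gserviceaccount.com"):
        print("excess permission:", finding)
```
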

  • Cheri March

    Hey Jane Slaughter, I'm the PM on Channels. Really keen to try and help unblock you here, would jumping on a call and talking this through be helpful?

  • Jane Slaughter

    Hey there. Thanks so much for offering! Actually, just now, our head of support shared with me that we are going to be using Enterpret for the high volume feedback that comes in via Reddit, App Store, and Salesforce. I wasn’t aware that their team was looking into a different tool for this. So I don’t think we will have a need for this integration anymore! Sorry, probably not what you want to hear 😞

  • Cheri March

    Hey Jane Slaughter, ah, thanks for letting me know. We have Salesforce and Reddit integrations on the roadmap, so if you're finding you're not getting a holistic picture jumping between Enterpret and Dovetail, always happy to chat it through with you 🙂