"Unverified developer" warning #899

Closed
WildWeazel opened this issue Feb 13, 2020 · 12 comments

@WildWeazel

Just had an odd auth interaction with the app (v7.8, Android 9).

I got the Google triangle warning notification at random when not using the app, requesting account access for Tasks. Opened Tasks to check it out and on the synchronization settings page it showed some JSON data (I didn't copy it down) and something about authentication. I reinitialized the account there, which prompted again for the task management permission, and after verifying that it was just for tasks I accepted. Then Google sent a "was this you?" sign-in notification and an email that Tasks.org was granted access to my account, which didn't happen back when I first signed in.

I checked my account security settings and there are two different apps listed:

  • Tasks, with access to Google Drive and tasks, dating to my first install
  • Tasks.org, flagged as an unverified developer, with task access only

My app was last updated 6 days ago, my account hasn't changed, and I haven't had to do anything like this before, so I'm not sure what just happened.

@abaker
Member

abaker commented Feb 13, 2020

I just migrated the Google Tasks/Drive API credentials to a different Google Cloud Project; I didn't realize that was going to happen though!

Do your Google security settings still say unverified developer? I just looked at mine and it is showing the app name with a link to the Play Store page.

@WildWeazel
Author

Mine still says unverified. It also now shows the Google Drive permission.

@abaker
Member

abaker commented Feb 15, 2020

I think it says unverified because I added an icon to the web consent screen which initiated the verification process. I don't need to use the web consent screen so I followed this to remove the icon, but the dashboard still says it is being verified. I'm hoping the trust and safety team will just cancel the verification process soon.

You have to accept the authorization requests or turn off Google Task sync and the 'Copy to Google Drive' backup feature to make the pop-ups stop coming. Let me know if the app doesn't let you turn them off.

@rationull

@abaker do you have any new info on this? I had the same experience as WildWeazel and have been checking back periodically.

On my Google account security page, Tasks.org: Open-source To-Do Lists & Reminders is still flagged as "risky access" and the linked App Details popup shows "Unverified Developer".

I can try removing access and re-adding (assuming I get prompted again, which I hope I would) but thought I'd ask in case this was something you expected to go away if you have any visibility into the verification status of the new app identity.

@WildWeazel
Author

Same for me. I also just found that this whole process is repeated on each device.

@abaker
Member

abaker commented Mar 2, 2020

Unfortunately I don't have any news. The Google Trust & Safety team sent me an e-mail on 2/16 to say they canceled the verification process at my request, but my cloud console still says I'm being verified. It costs $15k-75k to get verified so I assure you I was never verified in the first place.

Are you getting authorization requests even after accepting them? One user e-mailed me last week to say that sync wasn't working, and despite accepting the new request it kept prompting for authorization. A few days later they followed up and said it started working, so I assume the old credentials were cached in the account manager or something. Tasks already has some logic for invalidating credentials but I'll have to check Firebase and see if there is some other exception that I'm not catching.

@rationull

I haven't gotten any new authorization requests after approving, and sync is working just fine for me; the only "issue" I'm seeing is the security alert in Google account settings. Perhaps this is some artifact of new warnings that just never applied to the old app/developer identity.

To be clear, this isn't a functional problem, just something that looks alarming. I've been using Tasks for years (since Astrid) but if I were a new user the warning would probably give me pause. Hopefully it's something Google can resolve.

@abaker
Member

abaker commented Mar 3, 2020

Thanks for the clarification. I had not seen any warnings before, but I was just looking at https://myaccount.google.com/permissions. I see the risky access warning now under security checkup. I just sent another e-mail to Trust & Safety.

@abaker abaker pinned this issue Mar 6, 2020
@abaker
Member

abaker commented Mar 10, 2020

Google told me that the only way to get rid of this warning was to get verified.

I just noticed that my debug credentials are also marked as risky. Those credentials are associated with a project that was set up in August 2013 (same as the original production GCP), and I did not set an icon or initiate the verification process on that project. So Tasks has probably always been marked as risky and I never noticed? Anyway, it doesn't look like there is anything I can do about it 🤷‍♂

Tasks should now only bug users one time if credentials are missing. If you swipe away or decline the request then you'll have to manually authorize Tasks or Drive.

@abaker abaker closed this as completed Mar 10, 2020
@WildWeazel
Author

@abaker just a heads up, I've started getting security alerts from Google to review "risky access" by unverified apps. I know it's fine, but it might drive away new users.

@WildWeazel
Author

I did a security checkup again and I don't know if I just missed this before, but there was an option to dismiss the alert with "I know and trust this developer." It now shows a green check so maybe it won't bug me anymore.

@abaker abaker unpinned this issue Jan 29, 2021
@abaker abaker changed the title New Google account access request "Unverified developer" warning Mar 15, 2021
@abaker abaker pinned this issue Mar 15, 2021
@abaker abaker unpinned this issue May 31, 2021
@abaker
Member

abaker commented Jun 3, 2021

Google verified Tasks so this warning should be gone now.
