1.1.14 • Published 3 years ago

gmail-secure-sdk v1.1.14


GMAIL-SECURE-SDK | POC

Proof of concept of a package written for a Bachelor's thesis on security in Gmail add-ons. The package intercepts a few Apps Script functions that may harm the user, informs the user about possibly malicious actions of the add-on, and tries to protect against them.

This package is meant for Gmail add-on projects that were started from the apps-script-starter by labnol.

Installation

Use the node package manager to install gmail-secure-sdk.

npm install gmail-secure-sdk

Usage

Example usage:

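import * as GmailSecure from "gmail-secure-sdk"

function sendData(){
    // Absolute URL, including the scheme
    const url = 'https://www.someapiurl.com'

    // Placeholder payload; replace with the data the add-on sends
    const data = { example: 'value' };

    const options = {
        'method': 'POST',
        'contentType': 'application/json',
        'payload': JSON.stringify(data),
    };

    // POST, PUT and PATCH requests trigger a notification email to the user
    GmailSecure.fetchSecured(url, options);
}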

Functions

Note & reminder: These functions are meant for educational purposes only; you use them at your own risk.

GmailSecure.fetchSecured(url, options)

This function wraps the UrlFetchApp service provided by Apps Script.

It checks, based on the request type, whether any data was sent to a third party. For a POST, PUT or PATCH request, the user is informed by an email sent to their own address. That email contains:

  • the date the data was sent on
  • where it was sent to
  • what data has been sent*
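The notification logic described above, as an added example that is not taken from the gmail-secure-sdk source. The names makeFetchSecured, buildNotice and the injected deps object are assumptions; sending the notice before the request is this example's choice, and the payload is left out when the message would exceed the 200KB body limit mentioned in the important note on this page.

```javascript
// Added example, not the gmail-secure-sdk source. Dependencies are injected
// so the logic runs under Node with stubs as well as in Apps Script.
const MAX_BODY_BYTES = 200 * 1024; // body limit stated in the README
const REPORTED_METHODS = ["POST", "PUT", "PATCH"];

// UTF-8 byte length without relying on Buffer or TextEncoder.
function utf8Length(text) {
  return encodeURIComponent(text).replace(/%[0-9A-F]{2}/g, "x").length;
}

// Build the notice; leave the payload out if the mail would be too large.
function buildNotice(url, method, payload, when) {
  const header = "Date: " + when.toISOString() + "\nDestination: " + url +
    "\nMethod: " + method + "\n";
  const full = header + "Data sent:\n" + payload;
  if (utf8Length(full) <= MAX_BODY_BYTES) return full;
  return header + "Data sent: omitted (notice would exceed the body limit)";
}

// deps = { fetch, sendEmail, userEmail, now }; these names are hypothetical.
function makeFetchSecured(deps) {
  return function fetchSecured(url, options) {
    const opts = options || {};
    // UrlFetchApp uses GET when no method is given.
    const method = String(opts.method || "GET").toUpperCase();
    if (REPORTED_METHODS.includes(method)) {
      let payload = "(no payload)";
      if (typeof opts.payload === "string") payload = opts.payload;
      else if (opts.payload !== undefined) payload = JSON.stringify(opts.payload);
      // Notify first (this example's choice) so a failed request is reported too.
      deps.sendEmail(deps.userEmail, "Add-on sent data to " + url,
        buildNotice(url, method, payload, deps.now()));
    }
    return deps.fetch(url, opts);
  };
}

// Assumed wiring inside an Apps Script project:
// const fetchSecured = makeFetchSecured({
//   fetch: (u, o) => UrlFetchApp.fetch(u, o),
//   sendEmail: (to, subject, body) => GmailApp.sendEmail(to, subject, body),
//   userEmail: Session.getActiveUser().getEmail(),
//   now: () => new Date(),
// });
```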

GmailSecure.deleteSecured(permanentDelete)

import * as GmailSecure from "gmail-secure-sdk"

function moveAllEmailsToTrash(){
    // Make sure to return the result, as it must load a new card
    return GmailSecure.deleteSecured(false);
}

This function wraps the Apps Script functions for deleting all emails. Before the deletion is actually executed, the user is informed about it in a new card and can choose to cancel the action or to proceed.

[Image: userConsentCard]

The method accepts "permanentDelete" as a boolean parameter. If true, the whole inbox is deleted permanently (hard delete). If false, the whole inbox is simply moved to the trash (soft delete).

In both cases, the user receives an email afterwards which contains:

  • the deleted data*
  • the date of deletion and other metadata.

*Important note: If the email size exceeds the maximum body size (200KB), the user is still informed, but without the bodies of the emails that were deleted or sent to a third party. This may be solved in the future by splitting up the data and sending it in separate emails.

License

ISC
