🟩 Use gviz to get or query PRIVATE google sheet data

restricted

This guide demonstrates how to use the gviz query language on a private google sheet, with use of an intermediary web app.

Use gviz to get or query PRIVATE google sheet data

Note: this guide comes with a health warning for developers.

It is strongly recommended that developers DO NOT provide users with the option to add a spreadsheet ID in their apps. Spreadsheet IDs should be hard coded into the web app. Failure to do so may provide others with access to your private google sheets.

3 Likes

Why does this have to exist? This is illegal and insecure. Some developers can build a secret app that steals private Google Sheets and possibly Drive files.

1 Like

OK, let me know how many of my private google sheets you have access to....

3 Likes

I have not tried this yet. I have no access to any Google Sheets not owned by me, but I am worried that there could be a method to steal Google Drive files as well. I have no idea if this is legal or not. Does MIT Allow anyone to build apps like this?

1 Like

It was a rhetorical question.

It is the responsibility of the google account owner to protect their own data, Google tells their users this regularly and recommends ways to keep their account and data safe. If a user shares a file using "anyone with the link", then the user will know that the data therein is available to anyone who has the link to the file.

Google Drive files that are not shared, are not shared, and as long as the google account owner does not share the link, it remains private. If the google account owner creates a script that potentially exposes that file, they do so at their own risk. This is not a matter for Google or MIT, but for the account owner.

2 Likes

:ok_hand: :ok_hand: :ok_hand:

1 Like

I was asking if MIT allows apps that steal private information.

@WatermelonIce, is this a joke or are you agreeing with me?

Developer ai2 can only create an application that can access his private files on disk. A wise application user is unlikely to paste into such an application a link to a sheet with important data because it is known that the developer may have placed malicious code intercepting links. However, without this link, no one will get to your data.

So, building apps that steal a user's information is against the MIT App Inventor rules?

I will answer you with a question. Is it against Google policy to develop apps that steal user information? Google created Android Studio and you can create applications that steal data. If you write a Java program that steals data, will the language creator be responsible? Or maybe the creator of the editor or compiler with which the malicious program was created?

1 Like

To be clear, the only files that have the potential to be exposed are those of the developer / google account owner. The script/web app, if written in a way to allow injection of file IDs, does not provide access to any files owned by anyone else, only the google account owners files.

So, the Google Apps Script will deny any scripts that steal files that they do not own?

Where did these scripts that steal files come from ?

Could I recommend you read my guide properly, and follow the resources links, perhaps along with:
HOWTO: Create a Google Apps Script Web App bound to a Spreadsheet

and as previously suggested:

This is not something new, folks have been doing this for over a decade.

Then, perhaps you will be able to ask some more informed questions.....

Oh, and thanks for showing up earlier today, and for routinely bumping my guide to the top :wink:

6 Likes

So, the Apps Script can only access the owners private files if the script is created by that same owner. If so, that means a person can create an alternate Gmail account with no personal information for his/her apps only. Sorry I have been away from this topic for several weeks.