I’m an independent developer developing a mobile app to help users manage their food delivery emails with Gmail API.
After getting approval for the Gmail API, I received a new requirement from Google asking for a CASA Tier 2 security assessment by July 2025.
I reached out to CASA authorized labs, including Bishop Fox, for quotes, but the costs were way beyond what I can afford as a small developer.
Here are my questions:
- Is the CASA assessment a must for every app using the Gmail API, regardless of size?
- Are there any budget-friendly alternatives or exemptions available for small developers?
- Has anyone navigated this without spending a large amount?
It seems unreasonable to require such an expensive assessment for a limited use case like mine.
I’m eager to hear from fellow developers who faced similar challenges and any suggestions they might have.
Same thing happened to me last year with my productivity app. Google requires CASA Tier 2 for most Gmail API apps using sensitive scopes, and there’s basically no way around it for indie devs. Once you hit certain user numbers or use specific scopes, you’re stuck with the assessment. I ended up pivoting to less sensitive scopes - lost some features but dodged the CASA requirement entirely. You could also partner with bigger companies that already have CASA certification, but that completely changes your business model. The costs are brutal for small developers - I got quotes from $15k to $40k. I’d figure out if your app can work with restricted scopes before dropping that kind of money on the assessment.
Went through this exact thing 8 months ago with my email tool. Google’s policy is clear - if you’re accessing certain Gmail scopes with more than a few users, you need CASA Tier 2. The July 2025 deadline is firm and they’re not giving exemptions for company size anymore. I found a smaller security firm that specializes in CASA assessments for indie devs. They charged around $8k vs the $25k+ quotes from big firms. Also check if your app qualifies for Google’s developer program benefits - some folks got partial cost coverage through startup programs. The assessment takes 6-8 weeks once you find the right lab, so don’t wait too long.
yep, google’s really strict on this now. the CASA assessment is becoming essential for apps that touch sensitive user data like gmail. some people are trying to sidestep it with lighter scopes, but it often means losing key features. maybe think if you can go a diff route with your app?