Panic Blog

October 8th, 2024

We never like removing functionality from our apps. We especially don’t like doing it when it’s due to circumstances beyond our control. But, sometimes — rarely? — it can happen, and so, please take note:

At some unknown point in the future, Google will revoke Transmit’s access to Google Drive. Sometime after that, we’ll be releasing updates to Transmit and Nova that remove the ability to create Google Drive connections.

Transmit itself is of course still in active development, and no other connection types are affected.

(Note that existing connections should continue to work for as long as they remain authenticated!)

Why Though

Well, Google has a new set of policies that require apps that connect to Google Drive to go through expensive, time-consuming annual reviews, and this has made it extremely difficult for us to reasonably maintain Google Drive access. You may have seen iA Writer’s announcement that they are stopping development of their Android version for similar reasons. Our experience was different, but our circumstances are similar. While Google Drive may not be the most popular connection option in Transmit, we know many users rely on it, and we often use it here at Panic to send and receive files from the game developers we work with. 

This is not a decision we took lightly, and was the result of much debate and anguish in the office. But rest assured we looked at every angle. Hopefully that explains everything.

Actually, I Want to Know More

Okay, okay, here’s more background for the deeply curious. In 2019, Google announced they were adding additional security checks to apps with full access to users’ files on Drive. Shortly after, they prevented Transmit from authorizing new Drive users. We submitted Transmit to Google for review. And waited for months without hearing anything back.

Eventually, by reaching out through friends of friends of friends to find someone inside Google who could help, we got in contact with a Google employee who was very helpful in getting the process started. We went through review, and our access was restored in early 2020. Unfortunately, we were never able to get Google to approve Nova.

For the next couple years, the annual re-review was pretty straightforward. However, in December 2023, Google again disabled Transmit and emailed us, explaining that we would need to complete a “Cloud Application Security Assessment (CASA)” security review. The review found no security issues with Transmit, but it was an incredibly lengthy process. It involved registering with a security lab, running a vulnerability scanner on Transmit’s source code, and filling out a long form. Between each step, we had to wait for days before we’d hear back from the lab, causing the process to take nearly a month.

In March, Transmit was re-approved for Google Drive access — but we were told we would now need to pass this check annually. At this point, we began to question whether this yearly process was worth it.

Between the weeks of waiting, submitting the required documentation and the process of scanning the code, it took a significant amount of time from our engineers. For example, Google provided a Docker image for running the scanner, but it didn’t work. We had to spend more than a week debugging and fixing it. And because the scanner found no problems, it didn’t result in any improvements to Transmit. No one benefitted from this process. Not Google, not Panic, and not our users.

As a small, independent developer, losing this time for no benefit is a huge cost. That week could have been better spent improving our products. But even so, at the time, we resigned ourselves to the yearly checks. We didn’t want to let our users down, and hopefully, now that we had experience with it, the scanner would be easier to run next year.

But then… a couple of months later, Google completely removed the option for us to scan our own code. Instead, to keep access to Google Drive, we would now have to pay one of Google’s business partners to conduct the review. They promised a discounted minimum price, but no maximum price. We realized that either we’d most likely be paying someone else a chunk of cash to run the same scanner we were running, or our bill would end up much higher.

These ever-shifting requirements and expenses are finally catching up to third parties. Other products have discontinued Google Drive support or come up with interesting workarounds with various limitations that don’t work for all users. Ultimately, we think any workaround strategy is too risky and may result in banned accounts, and we definitely don’t want to be responsible for anyone getting banned.

We’re Very Sorry!

In short, with all these factors in play, we have decided we will not attempt to renew Google Drive access for Transmit once it expires. We’ll miss it too. We will instead focus our efforts on other features and products. We know that this situation, to put it in simplified terms, kinda sucks. If Google ever revises their security policies to be more in reach for a small software company like Panic, we will definitely take a second look.

Thanks for using Transmit and thanks for supporting Panic for all of these years. Onward.

Posted at 11:21 am Comments Off on End of the Road for Google Drive in Transmit