Sending to Google sheets from Android device via Google Script. Is this secure?

Question

I followed this tutorial: https://www.crazycodersclub.com/android/how-to-use-google-sheet-as-database-for-android-app-1-insert-operation/

Somehow, I got it working for androidX. I want to send sensitive location information over the air to my Google sheet link. How secure is this? I have used OAuth2 with gspread in Python before, and relied on a .json key. This seems so much easier... Can users discover my link and read my private entries? Or is there some limitation where they can only send data to the sheet?

Web app code:

var ss = SpreadsheetApp.openByUrl("Add Your Spread Sheet URL here");

var sheet = ss.getSheetByName('Items'); // be very careful ... it is the sheet name .. so it should match 


function doPost(e){
var action = e.parameter.action;

if(action == 'addItem'){
  return addItem(e);

}

}





function addItem(e){

var date =  new Date();

var id  =  "Item"+sheet.getLastRow(); // Item1

var itemName = e.parameter.itemName;

var brand = e.parameter.brand;

sheet.appendRow([date,id,itemName,brand]);

   return ContentService.createTextOutput("Success").setMimeType(ContentService.MimeType.TEXT);



}

My sheet is set to be viewable only by me. The webapp is deployed as everyone has access even anonymous

this is how it's called in the android app:

StringRequest stringRequest = new StringRequest(Request.Method.POST, "Add Your Web App URL",
        new Response.Listener<String>() {
            @Override
            public void onResponse(String response) {

                loading.dismiss();
                Toast.makeText(AddItem.this,response,Toast.LENGTH_LONG).show();
                Intent intent = new Intent(getApplicationContext(),MainActivity.class);
                startActivity(intent);

            }
        },
        new Response.ErrorListener() {
            @Override
            public void onErrorResponse(VolleyError error) {

            }
        }

Answer 1

Answer:

The only data that your web app will serve is that which is returned from your doGet() or doPost() functions. If your sheet data is not returned, then it will be unviewable.

More Information:

Just to summarise the comment chain above:

• If the Google Sheet's privacy settings are set to Only me then even with the Sheet link, no one will be able to view it.
• In theory, with enough time and brute forcing, the web app link could be guessed, but it is highly unlikely.
• The web app will run as the person you set in the Publish as web app dialog as below:

• The only thing that will happen if someone "unauthorised" accesses the web app is the doGet() or doPost() function will run, HTTP method dependent. If you have no doGet(), then doPost() will run.
  • Expanding on this, if your doPost() does not display the Sheet information, then the Sheet information will not be retrievable to the user.
  • Also, as long as you do not have your Sheet ID in the returned content from your doPost() function, the user will also be blind to the Sheet's ID and can not reverse engineer it.

Additionally, if you want to mitigate Web App usage entirely, you can implement adding data to the Sheet directly using the Google Sheets API Java Client Library. You can also see the Quickstart on how to get this set up here.

References:

• Overview (Google Sheets API v4 (Rev. 612) 1.25.0)
• Java Quickstart | Sheets API | Google Developers