We have used the Google Fit API in our Flutter app to collect user step data. We used the "health" package, and during the development phase there was an option to add test accounts and QA the app functionality. After development was complete, when we switched the project from testing to production in the Google Cloud console, a message popped up saying we have to verify our project because we are using a sensitive scope. We filled out the verification form and completed phase 1. Now, in phase 2, they recommend verifying our app through the CASA portal and getting a certificate. Our concern is that the CASA Tier 2 process requires source code to verify our app, and we are a little confused about why we should share our source code with a third party.
Email: [screenshot]
Our Scopes: [screenshot]
We are looking for a verification solution or process that does not require sharing our entire source code with a third party while still complying with Google's verification requirements. We hope to gather insights, alternative methods, or guidance from the community on how others have navigated similar verification hurdles.
You can use the Fluid Attacks CLI, which is free and open source. This answer has more information.
CASA Scan - fluidattacks/cli Doesn't seem to do anything