
If you ever had to use a file picker from Google Drive (or Docs, Sheets, etc.) on mobile, you might have noticed that the experience usually sucks: it's either ugly or feels broken. That's not a coincidence, and here I'd like to share the story behind it.
The Good Part: Granular drive.file Scope
Let’s start with the positive side, because the direction itself is great. Google has recently started actively pushing developers to reduce OAuth scope usage and move to more granular permissions. One of the key scopes in this story is:
https://www.googleapis.com/auth/drive.file
What this scope gives you:
- Access only to files that the user explicitly selects in a picker
- Access to files created by your application
- No blanket “read everything from my Google Drive” permission
From a security perspective, this is exactly what we want: users do not have to give some random mobile app access to all their docs, sheets, and files, and the whole ecosystem moves closer to “least-privilege” access, which is good for everyone.
So, conceptually, I’m 100% on board. As a user, I don’t want to give full Drive access to every app.
But then you try to use it in a real mobile app...
The Reality: Drive Picker on Mobile
I've been working on a mobile app that lets you work with a specific Google Sheet (if you are interested, it's called Apparecium). The Google support team suggested using the drive.file scope during the OAuth verification process, and it sounded great. However, when you follow the official docs you stumble upon a problem: there is only a Drive Picker for web 🤷‍♂️.
So you’re left with two choices:
- Use the broader scopes (e.g. full Drive access), which:
  - Gives your app access to way more than it needs
  - Triggers a CASA Tier 2 security assessment
- Improvise 🤔
If you decide to go with broader scopes, you will find that the CASA Tier 2 review is no longer free and involves third-party security companies certified by Google. Even at the low end, we’re talking on the order of hundreds of dollars (around $500+), which is a significant cost for small developers or indie projects. Again, I'm happy that Google pushes for better security practices.
The Solutioning
If you dig into the public issues and Google forum threads, you will find that many developers complain about these problems and have been trying to find a working solution for years. Different solutions worked at different times, but most of them are now broken. Here are the links to the main issues:
In the conversations, people report having tried various workarounds:
- Using Drive Picker in a WebView - now blocked by security constraints and sandboxing.
- Opening Drive Picker in a full in-app browser - fails due to third-party cookie restrictions.
- Various combinations of redirect URIs - don't work now.
- Using a custom domain and backend to show the picker in a WebView - broken now due to security constraints.
Okish Workaround
After spending a lot of time researching the topic, I decided to go with the following approach in my app. It gives a more or less acceptable user experience and uses the drive.file scope:
- The mobile app doesn’t talk to Google Picker directly.
- Instead, it sends the user from the app to the full browser, to your backend on your domain, with the OAuth token.
- Your backend:
  - Uses the drive.file scope
  - Opens the web Google Picker
- The user:
  - Signs in again with Google
  - Picks the file from Drive/Docs/Sheets using the web Drive Picker UI in the browser
- Your backend:
  - Receives the Picker result (e.g. file ID, metadata)
- The backend redirects back to the mobile app using a deep link with the selected file ID in the URL params.
This approach gives the app the opportunity to work with the selected file using drive.file.
Here is the video demo of the flow in action:
Here I've shared the source code of the whole solution - https://issuetracker.google.com/issues/322267485#comment26.
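The last step of the flow hands a file ID to the app through a deep link, and a custom-scheme link can be opened by any page or app, so the app should only accept a link that matches a handoff it started. The sketch below is an added example, not the code from the linked comment: the `myapp://picked` link, the `fileId` and `state` parameter names, the function names and the file ID pattern are all assumptions.

```javascript
// Added example. Scheme, host, parameter names and ID pattern are assumptions.
const crypto = require("crypto");

const APP_SCHEME = "myapp";   // hypothetical custom URL scheme of the mobile app
const LINK_HOST = "picked";   // hypothetical deep-link host
// Assumption: file IDs are URL-safe tokens; anything else is rejected.
const FILE_ID_RE = /^[A-Za-z0-9_-]{10,128}$/;
const STATE_RE = /^[0-9a-f]{32}$/;

// App side: one-time value created before the browser is opened and
// sent along with the request to the backend.
function newState() {
  return crypto.randomBytes(16).toString("hex");
}

// Backend side: turn the Picker result into the deep link back to the app.
function buildDeepLink(fileId, state) {
  if (!FILE_ID_RE.test(fileId)) throw new Error("unexpected file ID");
  if (!STATE_RE.test(state)) throw new Error("unexpected state");
  const url = new URL(`${APP_SCHEME}://${LINK_HOST}`);
  url.searchParams.set("fileId", fileId);
  url.searchParams.set("state", state);
  return url.toString();
}

// App side: return the file ID only if the link answers the pending handoff.
function handleDeepLink(link, pendingState) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not a URL at all
  }
  if (url.protocol !== `${APP_SCHEME}:` || url.hostname !== LINK_HOST) return null;
  const state = Buffer.from(url.searchParams.get("state") || "");
  const expected = Buffer.from(pendingState);
  if (state.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(state, expected)) return null;
  const fileId = url.searchParams.get("fileId") || "";
  return FILE_ID_RE.test(fileId) ? fileId : null;
}
```

The app should discard `pendingState` after the first accepted link so that a replayed link is rejected.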
"It Sucks" as a Conclusion
I’m genuinely surprised this isn’t solved yet.
Being able to safely pick a file from Google Drive or a Google Sheet from a mobile app feels like a fundamental feature. It's absolutely unacceptable that in 2025 we still have to do all these workarounds and hacks to achieve this basic functionality. I 100% expect Google to provide a first-class Drive Picker experience on mobile platforms (iOS and Android) that works seamlessly with the drive.file scope.