ICSE 2026
Sun 12 - Sat 18 April 2026 Rio de Janeiro, Brazil

Cloud-based workspace systems, such as Google Workspace and Microsoft OneDrive, have enabled third-party developers to create and upload functionality-rich applications (referred to as add-ons). Existing studies have primarily examined user-centric data protection and permission management of this emerging ecosystem, but the underlying DevOps mechanisms that regulate add-on development, deployment, and operation remain largely unexplored.

In this work, we conduct the first developer-centric investigation of these DevOps mechanisms. We propose a hybrid method that combines a static analysis, which abstracts the development and integration (i.e., deployment) (Dev) models, with a dynamic analysis of add-ons’ runtime operation workflows (Ops). It yields insights into the DevOps lifecycle of add-ons, unveiling associated attack surfaces and multiple types of security vulnerabilities, including source code leakage, code tampering, and secret key exposure. Our large-scale evaluation of 5,300 Google Workspace add-ons reveals a concerning status quo of the ecosystem: 274 add-ons are subject to source code leakage, including widely used ones with over 100,000 users. Among them, 96 (around one third) expose the secret keys of developers, e.g., a PayPal merchant secret key and secret keys for accessing the developer’s back-end databases.