Gmail - Aqua mail as less secured App

[KTSamy]

Hi,

Recently I have tried to login my Gmail account in Aqua mail.  But,  Getting authentication failed error as shown in the screenshot.



When I have looked at my activity list shows that "Application / device sign-in attempt (prevented)" & asks to enable access to insecure devices since Aqua mail doesn't meet security standards.

I am currently using Aqua mail 1.5.1.

Regards,
KTSamy

[StR]

KTSamy,

To add to what Paris Geek wrote, - Gmail requires enabling "access to insecure devices" even for "... Desktop [sic] mail clients like Microsoft Outlook and Mozilla Thunderbird". You can read this page from Google linked from the page in Google settings:
https://support.google.com/accounts/answer/6010255
(Which actually has a more technically correct and less fear-inducing title then the option you mention: "Allowing less secure apps to access your account".)

Note that even with that, if you were to fly across the world and try to log in from a different country (in Thunderbird, in Aquamail), Gmail will block your access from any of those programs/apps until you go to their website and inform them that it is OK).
While I understand that there is a security-based rational behind it, that is annoying! And, IMHO, it is a way how Google pushes its own app/desktop offline program up the users' throat which is somewhat MSFT-like, but a bit more subtle, and therefore, more devious.

[Kostya Vasilyev]

With this enforced (but thankfully gradual) change, Google made almost all mail apps "outlawed" --

-- Thunderbird

-- Outlook

-- K9 Mail

-- Stock Android Email (not the Gmail app, but the general-purpose one)

The current "less secure" setting is how Gmail has been for years, and it apparently never bothered anyone until there started to be dozens of mail apps. My conspiracy theory, anyway: Google pushing users deeper into their ecosystem.

And yes, the technical stuff is -- the OAUTH authentication protocol.

Supposedly it is more secure than the default IMAP authentication, where a mail app sends the password, but:

-- Gmail only works over encrypted connections

-- AquaMail has a MITM (man-in-the-middle) attack prevention: settings -> network -> SSL certificate tracking

-- There is an IMAP method for authentication that does not require sending the actual password. Called CRAM-MD5, supported by many mail apps (Aqua included). Implementing CRAM-MD5 would have kept compatibility with current mail apps, *and* provided increased security. However, it would not have gotten the same emotional response from the users as the current "less secure" wording.

About Gmail's location tracking -- the example with travel -- all I have to do for this to kick in is switch between WiFi and LTE. Google then puts me about 50 miles away, and blocks access.

-- I will need to implement OAUTH, but it's not a trivial task. The issue is not the actual crypto stuff -- there is plenty of sample code out there -- but 1) migration of existing accounts 2) making it work with @gmail accounts not present in the device's system settings (a perfectly valid use case) 3) even detecting those in the first place (e.g. the user starts adding bob@bigtrucks.com, and it turns out to be a Google Apps account with a custom domain... somewhere midway through the setup process).


-- [ added later ] OAUTH support in AquaMail implemented, if you'd like to try it, please install the latest 1.5.1-dev version from "development builds" on this forum: http://www.aqua-mail.com/forum/index.php?board=9.0

-- For 1.5.0, the solution is enabling "less secure apps" here: https://www.google.com/settings/security/lesssecureapps

-- To reiterate, Aqua has SSL certificate tracking to protect you against MITM attacks (just needs to be enabled in settings under network), and Gmail connections are encrypted.

[Kostya Vasilyev]

And just to reiterate -- I'm going to work on adding OAUTH2 authentication, Google's favorite.

Actually was able to spend a bit of time on it today.

At the very least, I should be able to fairly quickly cover the most common case -- the user already having his / her @gmail.com account in the device's system settings.

The lesser common case -- @gmail or Google Apps accounts that are *not* present in the device's system settings -- is somewhat more involved...

---

Follow-up

OAUTH2 is supported since 1.5.1-dev6, available here on the forum under "Development builds":

http://www.aqua-mail.com/forum/index.php?board=9.0

and also in Google Play if you join this community:

https://plus.google.com/communities/112921486711044378404

[ch3mn3y]

You wrote that it should work, right? Bu I still get this error.
I dont have 2-step verificationenabled, but less secure apps are on.
Still gmail accounts works only when they are added to device and than set as "Gmail or Google Apps", other way 78754 error all the time.

I have 3 different gmail accounts and other works fine, only thin one. Compared their settings, set the same and still nothing.

Anyone found a solution?

I did try it on 4 different devices, 3 with the newest Aqua Mail Apps and one with 1.5.1.13 (Gingerbread).

[mikeone]

I recommend to have a look into this thread at Google's support / product forum:

https://productforums.google.com/forum/m/#!topic/gmail/Mg00Z3dQKvA

[StR]

I have 3 different gmail accounts and other works fine, only thin one. Compared their settings, set the same and still nothing.

You may want to verify that the "problematic" gmail account was set in Aquamail as "GMail" account, because only that uses the OAUTH (google-proclaimed "safer") authentication.
If it is set up as an IMAP account, Aquamail will not use OAUTH authentication. You cannot convert one account into the other. So, you'd have to create a new account in Aquamail - as a "Gmail account" for the same Gmail account, and then, when it is working, delete the old instance (in Aquamail).

And yes, for the "Gmail-type" account in Aquamail, you'll have the Gmail account added to the device's accounts (You'll see this under Android's Settings -> Accounts -> Google Accounts.)

[Kostya Vasilyev]

Re: "You cannot convert one account into the other"

Yes you can. Bring up account setup for "plain password IMAP account" and there'll be a prompt to upgrade to OAUTH.

Other than that --

- "Less secure" wording is just much too frightening for what it really means.

- "Less secure" access is blocked for new accounts, and keeps getting turned on automatically for existing accounts

- Adding a Gmail account as "Internet Mail" in Aqua -- will use password based ("less secure") auth

- Adding a Gmail account as "Gmail / Google Apps" -- will use OAUTH

And one more --

The link at https://support.google.com/mail/answer/78754 lists possible reasons other than "less secure", with things to try.

For example, Gmail tries to detect the user's location and blocks access if he/she has moved "too much too fast".

[StR]

Re: "You cannot convert one account into the other"

Yes you can. Bring up account setup for "plain password IMAP account" and there'll be a prompt to upgrade to OAUTH.

Sorry, I didn't know that.