With this enforced (but thankfully gradual) change, Google made almost all mail apps "outlawed" --
-- Thunderbird
-- Outlook
-- K9 Mail
-- Stock Android Email (not the Gmail app, but the general-purpose one)
The current "less secure" setting is how Gmail has been for years, and it apparently never bothered anyone until there started to be dozens of mail apps. My conspiracy theory, anyway: Google pushing users deeper into their ecosystem.
And yes, the technical stuff is -- the OAUTH authentication protocol.
Supposedly it is more secure than the default IMAP authentication, where a mail app sends the password, but:
-- Gmail only works over encrypted connections
-- AquaMail has a MITM (man-in-the-middle) attack prevention: settings -> network -> SSL certificate tracking
-- There is an IMAP method for authentication that does not require sending the actual password. Called CRAM-MD5, supported by many mail apps (Aqua included). Implementing CRAM-MD5 would have kept compatibility with current mail apps, *and* provided increased security. However, it would not have gotten the same emotional response from the users as the current "less secure" wording.
About Gmail's location tracking -- the example with travel -- all I have to do for this to kick in is switch between WiFi and LTE. Google then puts me about 50 miles away, and blocks access.
-- I will need to implement OAUTH, but it's not a trivial task. The issue is not the actual crypto stuff -- there is plenty of sample code out there -- but 1) migration of existing accounts 2) making it work with @gmail accounts not present in the device's system settings (a perfectly valid use case) 3) even detecting those in the first place (e.g. the user starts adding bob@bigtrucks.com, and it turns out to be a Google Apps account with a custom domain... somewhere midway through the setup process).
-- [ added later ] OAUTH support in AquaMail implemented, if you'd like to try it, please install the latest 1.5.1-dev version from "development builds" on this forum:
http://www.aqua-mail.com/forum/index.php?board=9.0
-- For 1.5.0, the solution is enabling "less secure apps" here:
https://www.google.com/settings/security/lesssecureapps
-- To reiterate, Aqua has SSL certificate tracking to protect you against MITM attacks (just needs to be enabled in settings under network), and Gmail connections are encrypted.