Topic: Question about OAuth2+Gmail in Aquamail

StR
Question about OAuth2+Gmail in Aquamail
« on: March 09, 2017, 08:33:50 pm »
Kostya,

(I tried to ask this question in a different thread but it got lost in there, so please excuse me if this question might sound repeated.)
In Android, if you add a Google account, a variety of apps (e.g. all Google apps) can use this account to access various parts of the respective Google account.

Here is the question: If I were to create an OAuth2-based Gmail account in Aquamail, would some other apps on the device (e.g. any of the Google apps) be able to access information associated with the corresponding Google account or any part of it?

I know that once you enter a password via OAuth2, it creates an authorization (token) for Aquamail to access the account, or at least its mail. The question is essentially whether this token is app (i.e. Aquamail)-specific or device-specific.

Kostya Vasilyev
Re: Question about OAuth2+Gmail in Aquamail
« Reply #1 on: March 09, 2017, 08:39:04 pm »
The token is:

1) app specific
2) includes only access to specific things (e.g. not possible to make a Google+ post on the user's behalf or to read his/her contacts).

Now if some other app stole the token, it would have the same access as Aqua Mail does, at least temporarily, because:

- There is an "access token" which is only good for one hour (with Gmail and Hotmail), and then it expires. This gets sent to the mail server to log in, so in theory, it could be intercepted, and then used by another app.

- Getting a new access token requires a special call (web API) to Google, and the app has to provide a "refresh token" and also something called "client secret", a piece of info that is only known to the app and Google's servers. Someone could decompile the app of course.

So to summarize, OAUTH2 is not "perfect" for security, there are a few holes, but just because you granted Aqua Mail access to the things it needs does not at all mean that any other app is "magically" granted access to those things, let alone other things.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics (Russian): https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers (Russian): https://www.aqua-mail.com/ru/faq/
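The token mechanics in the reply above (a short-lived access token sent to the mail server, a refresh token plus client secret sent to Google's token endpoint to mint a new one) are concrete enough to show in code. The following Python is an added example written for this page; it is not Aqua Mail's code and not Google's client library. The token endpoint, the Gmail IMAP scope and the SASL XOAUTH2 message format are public Google/RFC conventions; every token, client id, client secret and user address is a constructed placeholder. Nothing here touches the network: it builds the refresh request and the IMAP AUTHENTICATE line, decides when a refresh is due, and decodes both the client-first message (what an interceptor on an unencrypted IMAP stream would see) and the server's failure continuation.

```python
import base64
import json
from dataclasses import dataclass
from urllib.parse import urlencode

# Public Google endpoint and scope; all token values in this file are constructed.
GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
GMAIL_IMAP_SCOPE = "https://mail.google.com/"


@dataclass
class OAuthTokens:
    access_token: str      # short-lived (about one hour); sent to the mail server on every login
    refresh_token: str     # long-lived; only ever sent to the token endpoint, never to IMAP/SMTP
    expires_at: float      # Unix time after which access_token is rejected

    def needs_refresh(self, now: float, skew: float = 60.0) -> bool:
        """Refresh a little early so a login never races the expiry."""
        return now >= self.expires_at - skew


def refresh_request(client_id: str, client_secret: str, refresh_token: str):
    """URL and form body of the call that exchanges a refresh token for a new access token.

    The client secret is what ties the call to this app's registration. A mail app is a
    public client, so the secret ships inside the APK; that is the 'decompile the app' hole."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    })
    return GOOGLE_TOKEN_ENDPOINT, body


def apply_token_response(old: OAuthTokens, response_json: str, now: float) -> OAuthTokens:
    """Fold a token-endpoint reply into the cache. Google normally returns no new
    refresh token on a refresh, so keep the old one unless a new one is issued."""
    data = json.loads(response_json)
    if "error" in data:
        # e.g. {"error": "invalid_grant"}: the user revoked the app's access or the grant expired
        raise PermissionError(data["error"])
    return OAuthTokens(
        access_token=data["access_token"],
        refresh_token=data.get("refresh_token", old.refresh_token),
        expires_at=now + int(data["expires_in"]),
    )


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 client-first message. Base64 is encoding, not secrecy: anyone who can
    read the IMAP stream gets the bearer token, which is why the connection must be TLS."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_initial_response(b64: str):
    """Inverse of the above: what a network observer (or an IDS rule) recovers from the wire."""
    raw = base64.b64decode(b64).decode("utf-8")
    fields = dict(part.split("=", 1) for part in raw.split("\x01") if part)
    return fields["user"], fields["auth"].split(" ", 1)[1]


def imap_authenticate_line(tag: str, user: str, access_token: str) -> str:
    """The single IMAP command that carries the access token to the server."""
    return f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, access_token)}"


def parse_xoauth2_failure(server_continuation: str) -> dict:
    """On a bad or expired token the server answers '+ <base64 JSON>'. The client must
    reply with an empty line, then refresh and retry. Returns the decoded JSON."""
    if not server_continuation.startswith("+ "):
        raise ValueError("not a SASL continuation")
    return json.loads(base64.b64decode(server_continuation[2:]))


def next_step(user: str, tokens: OAuthTokens, now: float, client_id: str, client_secret: str):
    """Decide whether a login should first go to the token endpoint or straight to IMAP."""
    if tokens.needs_refresh(now):
        return ("refresh",) + refresh_request(client_id, client_secret, tokens.refresh_token)
    return ("authenticate", imap_authenticate_line("A01", user, tokens.access_token))


# Constructed failure continuation of the shape Gmail sends for an expired/invalid token.
SAMPLE_FAILURE = "+ " + base64.b64encode(
    json.dumps({"status": "400", "schemes": "Bearer", "scope": GMAIL_IMAP_SCOPE}).encode()
).decode()


if __name__ == "__main__":
    tokens = OAuthTokens("ya29.constructed-expired", "1//constructed-refresh", expires_at=0.0)
    step = next_step("user@example.com", tokens, now=1000.0, client_id="cid", client_secret="csec")
    print(step)  # ("refresh", url, body): the access token is stale, so refresh first
    tokens = apply_token_response(tokens, '{"access_token": "ya29.fresh", "expires_in": 3600}', 1000.0)
    print(next_step("user@example.com", tokens, 1000.0, "cid", "csec"))  # ("authenticate", "A01 ...")
    print(parse_xoauth2_failure(SAMPLE_FAILURE))
```

Two things the code makes visible that the prose only states: the refresh token and client secret never appear in the IMAP exchange (only the one-hour access token does, so intercepting the mail session yields a short-lived credential), and `parse_xoauth2_initial_response` shows how little protection the base64 wrapper gives if the session is not under TLS.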

StR
Re: Question about OAuth2+Gmail in Aquamail
« Reply #2 on: March 09, 2017, 09:05:20 pm »
Thank you, Kostya for the very detailed and clear response!

And just for the record, the question was not to question Aquamail security. Rather, it was to make an educated decision for the choice between regular IMAP vs OAuth2 account in Gmail.

I am annoyed by being blocked by Gmail while traveling.
E.g. I am flying and have a short connection at some airport (often with spotty Wi-Fi or even expensive roaming while traveling internationally). Gmail decides that it will not allow me to access my account until I log in via a browser and confirm the legitimacy (and it is also awkward, as it is hard to find the right page/link).

So, here is a follow-up question:
I am hoping (but I am not 100% sure if this would help) that setting up that account with OAuth2 would avoid this type of problem. Yet another alternative that I am considering is to set a device-specific password. (I have never done that.) Do you know if either of these two solutions would be successful for my issue?

Kostya Vasilyev
Re: Question about OAuth2+Gmail in Aquamail
« Reply #3 on: March 09, 2017, 10:42:43 pm »
I do think that Gmail's blocking access because of the changing location (as determined by the IP address on the device's end) seems more aggressive when using the "plain old" password.

If you enable two-step auth, then you'll need to either use OAUTH2 or generate an app specific password.

The security risks for OAUTH2 have to do with either someone reverse engineering the app, or intercepting its network traffic, or reading its private data files on a rooted device, things like that.

And in those scenarios, I don't have any reason to think that OAUTH2 would be less secure than the "plain password" auth.

StR
Re: Question about OAuth2+Gmail in Aquamail
« Reply #4 on: March 10, 2017, 06:23:51 pm »
Thank you!

By any chance, do you know if there is any difference in Gmail blocking access based on location between OAUTH2 and app-specific password?

Kostya Vasilyev
Re: Question about OAuth2+Gmail in Aquamail
« Reply #5 on: March 10, 2017, 08:11:57 pm »
> By any chance, do you know if there is any difference in Gmail blocking access based on location between OAUTH2 and app-specific password?

I don't, and don't think anyone outside Google really "knows".

What I wrote above (about IP / location based blocking) is just from personal experience. There was a time when switching between WiFi and mobile on my personal phone would "move" me, in Google's eyes, by about fifty miles.

StR
Re: Question about OAuth2+Gmail in Aquamail
« Reply #6 on: March 10, 2017, 09:24:14 pm »
> I don't, and don't think anyone outside Google really "knows".

Coining a new expression here: "Google knows..."  8)

> What I wrote above (about IP / location based blocking) is just from personal experience. There was a time when switching between WiFi and mobile on my personal phone would "move" me, in Google's eyes, by about fifty miles.

That coincides with my own observation. I might be wrong, but I have a strong (but somewhat blurry) impression that I've read about that somewhere...

During the recent week-long trip to a location that is about 1500 miles away from home, I experienced those blocks. The interesting thing was that switching between the hotel's Wi-Fi and mobile data was blocking/unblocking me. (I don't remember which way.)
I speculated that maybe VZW's mobile IP did not have reliable geo-location associated with it, but didn't have time or energy to investigate in more detail.