Changed Google password but can still access my gmail with app

[ThomasN]

I am puzzled why I am not asked by AquaMail to reenter my google password after I changed it! The account got blocked but I was only asked to give the app access to my gmail. Security bug?

Sent fra min SM-T810 via Tapatalk

[nica]

Hi, did you see the FAQ regarding your question?

Gmail's new authentication, OAUTH2

OAUTH2 is Google’s preferred method for apps to log into your account, where a mail app doesn’t need to know, store, or transmit the password. They’ve been gradually enforcing by turning off regular login / password authentication.
When adding a new account, Aqua lets you pick “Gmail or Google Apps” as an account type.
Then you can choose a Gmail account already present in the device’s system settings (under accounts), Aqua will ask for your permission to access the account’s email messages, and that’s all. No need to re-enter your password into AquaMail.
Or you can choose “Other…” and Aqua will take you to Google’s web site for authentication (right in the app, in a window). You will need to enter your password there, but Aqua won’t see it or use it. Just like with a system account, you will need to grant permission for the app to access your email messages.

http://www.aqua-mail.com/?page_id=227

Hope that helps.

[ThomasN]

Hi, did you see the FAQ regarding your question?

Gmail's new authentication, OAUTH2

OAUTH2 is Google’s preferred method for apps to log into your account, where a mail app doesn’t need to know, store, or transmit the password. They’ve been gradually enforcing by turning off regular login / password authentication.
When adding a new account, Aqua lets you pick “Gmail or Google Apps” as an account type.
Then you can choose a Gmail account already present in the device’s system settings (under accounts), Aqua will ask for your permission to access the account’s email messages, and that’s all. No need to re-enter your password into AquaMail.
Or you can choose “Other…” and Aqua will take you to Google’s web site for authentication (right in the app, in a window). You will need to enter your password there, but Aqua won’t see it or use it. Just like with a system account, you will need to grant permission for the app to access your email messages.

Hmm, thanks, but I can't see how security is maintained this way. If I lose my phone it won't help to change my google password in this case to protect my gmail!

Sent fra min SM-T810 via Tapatalk

[StR]

Hmm, thanks, but I can't see how security is maintained this way. If I lose my phone it won't help to change my google password in this case to protect my gmail!

Under Google account management (on the website - use the link below) you have an option to revoke the authorization for a specific device. That will invalidate the authorization obtained (and saved) via OAuth2 mechanism.

https://myaccount.google.com/permissions

P.S. It looks like this behavior has been changed recently for Google Apps users (after some back-and-forth):
https://gsuiteupdates.googleblog.com/2016/09/update-increased-account-security-via.html
So, occasionally Google might decide to implement the same behavior for the regular Gmail.

[nica]

In addition:

After having changed  the password on Google, at first you have to re-enter new password in your device.

When it's done, you are logged in into Google, and THEN you can use apps with OAUTH2.

So without the new password it should not be possible to use the mail servers.

[Kostya Vasilyev]

Right, it's OAUTH2 magic.

You already granted Aqua Mail access to your email, and Google knows this.

Since the app doesn't use the password (but rather deals with OAUTH2 tokens), changing the password has no effect - Google still remembers that "this app has access to your email".

[nica]

So, after having changed the Google password:

If you can not enter the new password of the device's Google account, no Google service will work - including fetching mails by AquaMail.

Right?

[Kostya Vasilyev]

Re: If you can not enter the new password of the device's Google account, no Google service will work - including fetching mails by AquaMail.

That's what you wrote above and I believe you Makes sense. Haven't tried it myself personally.

My main point was that for a Gmail account, Aqua Mail doesn't use or even know the password, and so it's not necessary to re-enter it, and it doesn't magically obtain the actual new password somehow either.

[nica]

That's what you wrote above and I believe you Makes sense. Haven't tried it myself personally.

Last change of password has been quite a while, I wrote what I remember and what is logical.

I was hoping, somebody could confirm this. I am not very motivated to just test it..