Google App password for gmail

Hi all

My desktop app has an error-reporting tool, where any database error is emailed to me for diagnosis and remedy. I use my gmail account as the outgoing server for the email with the gmail password embedded in the app.

I have just switched to Google’s 2 Step Verification (with a code sent to my phone), to secure my Google account, and that creates a problem with the app, as the outgoing email is sent in the background by the app user, who obviously can’t do the second step of the verification.

I can generate an app password and use that in the app but here is where my questions begin (and I can’t find the answer on Google’s page):

  1. the app password generated by Google is not app-specific, correct?
  2. can multiple users use the app with the same app password embedded?
  3. If anyone hacks the app and extracts the app password, does the app password also give access to my google account?
  4. should I just re-roll the email system and use my own server to avoid compromising my Google account?

Hi Rob,
#1. Never share your gmail password with anyone, it means anyone can then access any of your Google services.
#2. Get the customer to e-mail you, you can use a mailto link to open the user’s default e-mail program and auto include text information (plus auto address it).

#2 is quite important for a few reasons:
a) It’s transparent, the user can see exactly what information you’re gathering from them.
b) You also get their e-mail address, to which you can respond.
c) Less maintenance on your behalf.

Any e-mail service in the world is hackable, but including your password in your application is like leaving multiple sets of keys around for your car. Most people won’t care; but the ones that do… Generally when someone hacks your e-mail (or in this case your entire google account) they change your password and lock you out. Which will then break your automated feedback anyway.
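Added example, not part of any post in this thread: one way to build the mailto link suggested above so that the error text is percent-encoded safely and the app ships no mail credential at all. The function names, the `support@example.com` address, the 1800-character cap and the sample error text are assumptions made for illustration.

```python
from urllib.parse import quote

MAX_URL_LEN = 1800  # assumed cap: long mailto URLs get cut off by some handlers
TRUNC_MARK = "\r\n[report truncated]"

def _encode_within(text, budget):
    """Percent-encode text one character at a time, stopping before budget
    is exceeded, so no %XX escape or UTF-8 sequence is ever split."""
    parts, used = [], 0
    for ch in text:
        enc = quote(ch, safe="")
        if used + len(enc) > budget:
            break
        parts.append(enc)
        used += len(enc)
    return "".join(parts)

def build_mailto(to_addr, subject, body, max_len=MAX_URL_LEN):
    """Build a mailto: URL carrying an error report for the user to review."""
    if any(c in to_addr for c in "\r\n?&% "):
        raise ValueError("unsafe character in recipient address")
    subject = " ".join(subject.split())        # header value: no line breaks
    body = "\r\n".join(body.splitlines())      # RFC 6068: line breaks as CRLF
    prefix = ("mailto:" + quote(to_addr, safe="@")
              + "?subject=" + quote(subject, safe="") + "&body=")
    encoded = quote(body, safe="")
    if len(prefix) + len(encoded) > max_len:
        mark = quote(TRUNC_MARK, safe="")
        encoded = _encode_within(body, max_len - len(prefix) - len(mark)) + mark
    return prefix + encoded

# Constructed sample error text; '&', '=' and newlines must not leak into the URL
SAMPLE_ERROR = "Database error 1062\nDuplicate entry 'a&b' for key=email"

if __name__ == "__main__":
    print(build_mailto("support@example.com", "App error report", SAMPLE_ERROR))
```

The resulting string is what the app would hand to the operating system's open-URL call; the user's own mail client then shows the report before anything is sent.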

Use SendGrid or Mandrill instead. SendGrid has a free plan. Mandrill costs 10$ a month. There are classes for integrating Mandrill into Xojo around.

Try to go here: and turn off the double security option.

> Rob Lang wrote:
> 4. should I just re-roll the email system and use my own server to avoid compromising my Google account?

Yes :)

There’s also MailJet. Simple API. Free for 6000 emails/month. $7.49 for 30.000 emails/month.
Worked great for us in a project we created some year ago.

Mandrill is FREE to use for the first # transactions (with its API). I can’t remember what # is, but something like 10k (or so) interactions with the API. Which for most of us, would cover the month.

I gave Mandrill $5 to switch to PRO months ago (probably over a year now). And I still haven’t touched it. My volume is below the # amount (I mentioned above) so I never touch the $5.

When I investigated Mandrill and its competitors, it was the cheapest one of the highly respected vendors. Mailchimp is the 800 pound gorilla in their field. Mandrill became the 800 pound gorilla in its field due to Mailchimp.

I really like Mandrill.

Many thanks for all your help.

I will look into some of the commercial email services. I don’t need the bulk email service that they offer, I just need it as an SMTP relay so I can send one-off emails from my app to me.

In the meantime, I have deleted the gmail/google section from my app (changed my google password too). I have my own server, so I can configure my own email addresses specifically for my app’s error reporting. I still have the password to this email in my app, but there is no harm if it gets compromised as I do not use that email address or password for anything else.

All I am seeing there is “Access for less secure apps”
Is that the same as “double security option”?

I used to send emails with my app using my gmail login data but for a few days now it is not making the connections and I am no longer able to send emails via my app.

I have “Access for less secure apps” turned on.

What could be the problem?


  1. Please open a new thread.
  2. Can you connect?
  3. Do you get an error message?

Access for less secure apps means NO double security.

Thanks Beatrix, I have started a new thread.


I do this as well. I am not sharing my gmail password with anyone, but I am obfuscating it and constructing it so my app can send emails to me or to clients (via Google’s SMTP servers as described by Rob).

Is this comment truly related to the scenario I described above? I don’t believe this fits the “sharing my google password with someone” - does it?