Google Mail - Less secure app

I have an app that needs to send mail though Google mail. All of a sudden it started failing yesterday day an teh account got an email from goggle saying :

[quote]Google just blocked someone from signing into your Google Account XXXX from an app that may put your account at risk.
Less secure app

Google will continue to block sign-in attempts from the app you’re using because it has known security problems or is out of date. You can continue to use this app by allowing access to less secure apps, but this may leave your account vulnerable.
[/quote]

From the link in the email:

And apparently Xojo apps…

Not sure if google changed something or my employer changed an account setting

If I can’t get management to allow “less secure apps”, How do I gave to code sending mail to make Google mail happy?

Thanks,

  • Karen

I am in process of developing an application that will use GMail . Your issues scare me a bit. Have you investigated getting your app cleared by GMail? Here is the link. I am not quite at the point when I need to set this up yet, but I will be most interested in your findings!

I have a couple of apps that use the Gmail SMTP server and I had to change the setting to allow the Gmail account to use “Less Secure Apps”

I haven’t found a way around it yet.

[quote=343595:@Bill Plunkett]I have a couple of apps that use the Gmail SMTP server and I had to change the setting to allow the Gmail account to use “Less Secure Apps”

I haven’t found a way around it yet.[/quote]

I doubt management here will allow it.

Would using an IMAP plugin help get around it?

In any case IMO in this day and age Xojo SHOULD have classes that can work with that Google mail setting as I suspect more and more companies will require using it.

  • Karen

I have also run into this and requested clarification from Gmail support. The thing that’s frustrating is that they don’t clearly state WHAT causes an app to be a “Less Secure App”. I suspect that it has something to do with using old protocols, but a direct answer would allow us to solve (or work toward solving) the problem.

Personally, this feels like a “we’re going to blame everyone else if your account is hacked and you’re not using the Gmail app or the web interface” standpoint.

No. IMAP is for accessing email, not sending it.

This is not a Xojo issue. Anything that wants to use SMTP to connect to Gmail has to enable the “less secure apps” setting. Essentially they consider SMTP with basic authentication as “less secure”. I haven’t tried it, but as an alternative perhaps an app-specific password might work?

https://support.google.com/accounts/answer/185833?hl=en&topic=2784804&ctx=topic

As far as I can tell the only real way around this is to not use SMTP at all and to instead use the Gmail API with OAuth.

https://developers.google.com/gmail/api/auth/about-auth

[quote=343617:@Paul Lefebvre]As far as I can tell the only real way around this is to not use SMTP at all and to instead use the Gmail API with OAuth.

[/quote]

Then Xojo should have email classes that support OAuth

  • karen

There is no such thing as “email classes that support OAuth”. What you perhaps would like is built-in Xojo support for the proprietary Google Gmail API. A Feedback feature request is the only way to get that considered.

Other email services haven’t declared SMTP as “less secure” so they may be an option for places that aren’t required to use Gmail.

I am curious if the Gmail “app-specific password” feature would work without having to enable the “less secure apps” option. I’l have to test that out.

[quote=343624:@Paul Lefebvre]There is no such thing as “email classes that support OAuth”. What you perhaps would like is built-in Xojo support for the proprietary Google Gmail API. A Feedback feature request is the only way to get that considered.
[/quote]

OK

You do realize that upper management in most places are not that technically sophisticated and with all the hacking in the news upper management in most places would be dead set against allowing “less secure apps” have access.

[quote]
I am curious if the Gmail “app-specific password” feature would work without having to enable the “less secure apps” option. I’l have to test that out.[/quote]

Please let us know asap. I am obviously not the only one affected by this … Google mail is pretty ubiquitous.

Yes. It is frustrating that Google chose to call this setting “allow less secure apps” rather than “enable SMTP basic authentication over SSL”.

From the google website:

[quote]Google may block sign-in attempts from some apps or devices that do not use modern security standards. Since these apps and devices are easier to break into, blocking them helps keep your account safe.

Some examples of apps that do not support the latest security standards include:

The Mail app on your iPhone or iPad with version 6 or below
The Mail app on your Windows phone preceding the 8.1 release
[/quote]

So what is the difference between mail authentication in iOS 6 and iOS 7+ ?

  • karen

use OAuth2 and problem solved
i recommend you this link–> https://www.example-code.com/xojo/imap_gmail_oauth2.asp

Gmail is not really the optimal way of sending transactional email. I personally prefer Mailgun, but others like Mandrill/Sendgrid as well.

Why? They love their own protocols. Also they have firm limits on number of outbound emails you can send in a day (2000): https://support.google.com/a/answer/166852?hl=en

Essentially they don’t even recommend gmail for that purpose.

This app is only used internally inside my company

  • karen

You’ll have to ask your google apps admin to enable “less secure apps” if you can’t do it with your account level, or go about implementing oAuth2.

Whether or not you employ the use of plugins to do so is up to you.