
Gmail’s API lockdown will kill some third-party app access, starting July 15 - joeyh
https://arstechnica.com/?p=1528361
======
tomswartz07
I see this as a double-edged sword.

1\. It makes sense that Google wants to stop apps from abusing their storage
platform. There are a lot of projects that abuse the data storage capacity.
There was that one app that converted files to Base64 or something and was
storing files that way as email text. Obviously not cool. However, Google
needs to be explicitly clear on expectations and throw some people-power
behind the reviews, since many are being denied by (seemingly) some automated
process.

2\. The second issue I see is that it will encourage less secure methods of
using these apps. SMSBackup+ in particular is discussing the possibility of
moving to "App Passwords" to bypass 2FA and provide the app access it needs to
upload and store the data. Issue being, App Passwords are incredibly fragile,
they provide near-unfettered access to IMAP and other account features with no
auditing. Caveat emptor and all that.

I think SMSBackup+, specifically, has a bit of a gray line as SMS messages can
technically be sent via email and vice versa, (among other similarities). It's
a shame that Google is becoming so draconian about their data storage uses.

~~~
baroffoos
How can you abuse storage? You get n gb of storage on your account. Why does
it matter what you store on it or what tools you use to utilize it?

~~~
ddalex
Some things such as google docs text documents do not count towards your quota
- so people converted data to base64 and uploaded that as docs to get free
storage - bit of a dick move if you ask me, as it forces google to take steps
like this one and kill the goodness for the rest of us

~~~
baroffoos
Google offered unlimited storage of private documents and people used it. I
see nothing wrong with that. If this became an issue then goggle should have
set limits or made it count to your google account storage. There is no point
offering "Unlimited storage" and then stop people from using it.

~~~
sdenton4
I went to a restaurant that offered free refills last week. I brought a 50
gallon barrel with me, and then took home a whole barrel of soda...

(Or, in other words, somehow all sense of fair play and decorum go out the
window once we're anonymous on the internet. And this is why we can't have
nice things.)

~~~
TeMPOraL
It's not like this.

Google doesn't like storing files as e-mails with base64-encoded binaries
because it competes with Google Drive. That solution - the Gmail Drive -
existed _long_ before Google Drive, and even had a nice tool that mounted your
gmail storage as a network drive on Windows! GMail storage isn't unlimited, so
I always considered it fair - they give me a couple of GB of free storage,
it's up to me how I use it.

As for the unlimited offers and restaurants, people don't do that too much in
meatspace because they'd get thrown out by security for obvious abuse. But
they do it a little, like e.g. couples buying one cup and using it together.
There are also natural limits to how much soda you can consume or use, even if
you got away with taking home a whole barrel (sodas lose gas fast)...

(And note that the "decorum" and "fair play" doesn't apply in meatspace
either, when it comes to e.g. retail chains making mistakes in their
promotions, like that one famous case where (AFAIR) Lidl in Poland offered
refunds for products you didn't like if you brought back the box, whether or
not the product was still inside. You can imagine what happened next.)

However, ultimately, it's the company that's playing tricks on people with
"unlimited" marketing, and they deserve the problems they get when people take
it at face value (offering something with no intent to fulfill that offer is
plainly dishonest). Reminds me of a mobile vendor that offered USB modem with
free unlimited LTE for $notmuch, back when LTE was a somewhat new thing
(~2012). A friend bought the subscription to test it out, and discovered that
the "unlimited" LTE was actually throttled past 20th or 30th GB. Guess which
company I never considered buying Internet services from since?

It's not because of customers that we can't have nice things. It's because of
companies using dishonest marketing tactics and then acting surprised when
some people call them on their bluff. It isn't so hard to say "no hard limits
<small>but we throttle you past XX $unit, and there are following restrictions
on use...</small>", except treating customers with respect is anathema to
modern business.

~~~
dboreham
"Unlimited" is a marketing term with a very specific meaning. It means
"limited".

~~~
TeMPOraL
Yeah, and "tasty" is a specific marketing term meaning "poisonous", which I
won't explain to you when I offer you a tasty sandwich.

Marketing does not create reality, no matter how much marketers may think
otherwise. Words have meanings, you can't unilaterally attach some new one to
a word and expect people to agree with it.

~~~
criddell
Marketing doesn't create reality, but the courts do and sometimes what a word
means in a legal context is different than in conversation. It usually hinges
on some standard of being reasonable.

~~~
TeMPOraL
Sure, and marketing which expects people to use their standard of "being
reasonable", while the service being offered under a different standard of
"being reasonable", is essentially bait and switch. That only a small subset
of customers notice it doesn't make it more OK, it only shows the company is
not dumb.

~~~
criddell
I don't know if I'd call it a bait-and-switch. Gmail is an email service and
the purpose is to send and receive emails. Getting upset that you can't use it
as a general purpose storage service isn't reasonable (IMHO). There was no
_baiting_ in this regard.

------
SpicyLemonZest
> _Google 's OAuth APIs have been around for years as a way for apps to get
> access to and control your Google data. A third-party email app, for
> instance, would want access to your Gmail account and the ability to send,
> read, and delete emails so it could control everything remotely. An IM app
> might just want access to your contacts and profile picture. For years this
> was purely an agreement between the user and the developer—the app would say
> what it wanted access to, and the user could deny or allow it._

Yeah, until the Cambridge Analytica scandal revealed that agreements like this
aren't sufficient to protect user data. I think Google's making the only
acceptable tradeoff here.

~~~
quotemstr
I think that prohibiting user authorization of data access is throwing the
baby out with the bathwater. I approve of privacy, but at the end of the day,
my data is my data, and part of data ownership is having the freedom to share
my data with whomever I choose.

~~~
sha666sum
That sounds nice in theory, but even as a highly technical user, I don't have
any knowledge about what information apps _actually_ gather about me.

~~~
dehrmann
I tend to assume they collect more than you'd think and are less effective at
using it than you'd think.

------
akkartik
I've been expecting this. Google's attempts to get me to turn off "less secure
app access" have grown increasingly obnoxious over the last couple of years. A
few months ago they went so far as to send me a "prevented login from
suspicious device" alert after a getmail run. Time to leave. If I can't
download it with POP or IMAP, then it's not email.

~~~
rjf72
Out of curiosity do you ever login to your Google account on the web? I also
had the exact same experience where they have started increasingly sending
alarming, and fake, security notices about suspicious devices logging in.
Those device are, of course, me logging in from an identical geomapped IP
using IMAP as I've done for years. This was following their decision to
require IMAP access to require the "allow insecure application access" as an
encrypted IMAP connection is apparently insecure now. A couple of times they
also reset the "allow insecure application access" toggle on my account.

My working theory is that they were simply trying to refresh their fingerprint
on my account since the only point of these alerts seems to be to get me to
login using their web page. In particular I use Google for IMAP email, but
never login to my Google account until forced. That's not so great for their
metadata and tracking. Interestingly enough then when I then do login using a
proxy half a world away from where I use my IMAP, Google never considers it a
"login from a suspicious device." And yeah, as annoying as it is to migrate my
primary email - Google is becoming intolerable on so many levels.

~~~
londons_explore
I see the same. About once a year, Google will throw a hissy about someone
logging on via IMAP/SMTP, _even if it is Google themselves_ logging in (to
send email as another account).

My guess is if some fingerprinting/Auth service is down, it fails in a 'safe'
state, causing the login to be rejected and your account locked.

------
sct202
As a former user of SMSBackup+, at a certain point it did seem like I was
putting a lot of trust into a 3rd party to have full access to both my text
messages and my email. So I can kind of see how it's a risk, but it seems sad
to just shut it all down.

~~~
tomswartz07
Current SMSBackup+ user here.

I agree with your sentiment, but part of the key difference for me is that
SMSBackup+ is open source. I've been building the app myself and using it for
years, so I'm very certain what it's doing and not doing.

This may or may not apply to the other apps being affected by this ban.

~~~
Qiasfah
Any good alternatives for this very useful app?

~~~
tomswartz07
Presently? None of which I'm aware.

I'm very much hoping that we could resolve the issue with SMSBackup+ for the
time being, but that's mostly up to the project owner.

I did hear of some folks using their own IMAP server and CALDAV service to
target instead of Google, but I have not tested it.

~~~
nine_k
How about an app that just, well, sends the SMS texts to your email, as
regular emails? A filtering rule would put them under a certain tag and skip
inbox.

The upside of the design is that it requires only one, very clear, permission:
send emails to a given address.

~~~
warmwaffles
SMSBackup+ makes the sender the contact / phone number and the receiver as
your number. It's been fantastic for archiving all of my texts and such. I've
been able to search it all relatively easily.

------
quotemstr
I wonder how long it'll take for scraping to make a comeback. I feel like
we've become used to APIs being the only integration options. When API
restrictions become too burdensome, however, I expect people to recall that
other access options exist.

~~~
johnwheeler
Funny thing - there’s a very successful bank account aggregation API company
called Yodlee that gets the majority of it’s bank data through scraping your
account given that account’s username and password.

------
paxys
There will always be misuse of open APIs by third parties, and the company
itself will be blamed in the PR fallout. After Google and Facebook I expect
more services to follow suit, which is a shame but understandable.

------
6cd6beb
You shouldn't be building anything that relies on a google service unless

A) Google would die without that service

B) You're just fucking around and what your building could burn to the ground
without consequence

[https://killedbygoogle.com/](https://killedbygoogle.com/) has 143 services
listed.

~~~
la_barba
To add a few..

    
    
        C) You're looking to get acquired by Google
            C) a) You're looking to get noticed and hired by Google

------
dpacmittal
Slightly off topic, but Google is also discontinuing Google photos and google
drive syncing feature. This is currently the only way to access your Google
photos with Rclone.

~~~
pmlnr
Wait, that's... that's actually bad, unlike Gmail. Drive _is_ a storage
endpoint, so is Photos. Not having a way to sync them is a serious issue.

~~~
dpacmittal
Yeah. It's ending on July 10 -
[https://www.blog.google/products/photos/simplifying-
google-p...](https://www.blog.google/products/photos/simplifying-google-
photos-and-google-drive/)

~~~
yrro
To be fair I can't blame them for this--the feature is confusing (I'm pretty
sure it's responsible for every photo in my account up to a point in time last
year being duplicated [in a rather annoying way--they appear visually
identical and have the same EXIF tags and timestamps, but are different sizes,
as a result my obsessive compulsive tendency won't let me delete either]).

I presume you can still download all your photos via Google Takeout right?

~~~
pmlnr
I do blame them.

Google Photos should have been a frontend for Drive from the beginning.
Splitting it into another storage is wrong.

~~~
ilikehurdles
Google wants the ability to promise unlimited storage without any of the
responsibility of meeting that promise.

------
miki123211
how long until Google says "hey, actually, it would be cool if users used
gmail.com with all the ads instead of some stupid external email clients.
Let's disable POP3/IMAP/SMTP for non-business users. Oh, and let's disallow
mail redirection too, so they won't even think about running away".

~~~
repolfx
Gmail doesn't have ads in it anymore.

~~~
smitop
Both the app and the website have ads, I just checked. They look like normal
email messages, but they start with an advertisement indicator. I only see
them in the "Promotions" and "Social" tab though.

------
_Codemonkeyism
The email client I use - Nine - is on the list. I can't see how an email
client is a problem except they want to push Googles client. Hope Nine gets
fixed.

~~~
Cu3PO42
I sincerely hope so as well. I'm just at the end of the trial period and I'll
likely take the plunge, but not having access to Gmail would be very
inconvenient.

They say they'll fix it, but seeing the requirements I'm not sure they'll get
it done in time.

------
exabrial
Yep, I wish I could opt out. For years, I've used an app to backup my sms
messages to gmail, now it's being taken away.

~~~
aqzman
SMS Backup+? I totally agree, I wish I could opt out as well. Having my text
messages and phone call log backed up to Gmail with this app has come in handy
so many times since I started using it in 2012.

~~~
giarc
Just thinking out loud but could IFTTT accomplish something like this without
integration into Gmail?

------
dazbradbury
Does anyone know if this will have any impact on Gmail backup tools such as:

[https://github.com/jay0lee/got-your-back](https://github.com/jay0lee/got-
your-back)

Or the long term sustainability of such projects?

I've found gmail's own data export tools to not work _at all_ for any inbox of
a considerable size (100gb+) - so third party tools are the only way to
actually back up / migrate email data.

Without such tooling, relying on Gmail would be a huge mistake for anything
remotely important.

~~~
aepiepaey
It requires the user to create their own API project.

GYB has such functionality built-in since 1.20, see the release notes:
[https://github.com/jay0lee/got-your-
back/releases/tag/v1.20](https://github.com/jay0lee/got-your-
back/releases/tag/v1.20)

For gmvault, you have to create it manually:
[https://github.com/gaubert/gmvault/issues/335#issuecomment-4...](https://github.com/gaubert/gmvault/issues/335#issuecomment-475437988)

------
xt508
I just noticed a new "Schedule Send" Gmail feature, could this be related and
Google is adding in features from third-party apps?

------
jguimont
They could have gone another route than imposing a bogus security audit and
have the devs pay for it. I did an integration with QuickBooks a while back,
and they paid/conducted the security audit themselves.

Google could have added a contract that would plainly state that any data
needs to be wiped out etc and enforce that contract if anything is fishy.

Google could have created a process to clearly inform the dev that the user
wants to delete google related data and impose deadlines on it.

Those are simple, but I think Google was just lazy and listened to a bunch of
lawyers instead of thinking out the box.

I have an app that allows to link your email account thru Nylas (with google),
now I would have to pay the security audit? No way. I told my customers that
any google account that is not a GSuite which whitelisted the app (most of my
customers corporate) that they might have warning dialog when connecting their
gmail account. There is a limit of 100 linked account without verification ;(

------
lstodd
> "Don't store Google user data on your server."

The, I'm sorry, WTF? This is not Google's data.

~~~
brongondwana
Yeah, totally. It's our customer's data, who is also Google's customer.
Obviously since Fastmail allows our customers to synchronise email and
calendars with Google, we're dealing with this right now - and kind of annoyed
that our customers got emailed when we were already following Google's
reauthentication process. Fun times.

~~~
dboreham
Any progress with this? Also is it true that GSuite (paid) accounts are not
affected?

~~~
brongondwana
It's still underway.

I'm afraid I have no idea about GSuite accounts, you'd have to ask somebody
who knows Google's policies.

------
prasanthmj
I invested a lot of time trying to publish a Gmail add-on and failed miserably
[1][4] because of this lockdown. Here are some notes that may be of interest:

The lock down is for the Gmail API especially for API that allows reading
user’s email.

Any App has to get OAuth 2 token to get access to the API. The user has to
explicitly provide access . The approval screen will show each type of access
the app is asking. See an example here [2]

In addition, Google will send an email to the user immediately after the
approval, with a scary warning.

The user can withdraw the app access anytime, from Google account page.

The data access concern Google is projecting is that the APP can read user’s
email (Remember, the app can read only those who explicitly gave the app the
permission to read their email). The “lockdown” is a direct reply to the media
frenzy that “Gmail allows any app to read anyone's email” [5]. Gmail does not
allow reading email automatically. The user has to allow explicitly.

In order to get Gmail API access, the app has to go through a Google review
process where Google will ask the developer to justify each type of API access
the app is requesting in addition to explaining (with videos) what the app
does and how the API is used. The first level of approval process demands you
to publish a comprehensive privacy policy and in my experience, anything like
“marketing” or “research” in the privacy policy will get you disapproval. [3]

Such a strict approval process is good and fine, and well appreciated till
this point. The issue comes for the last part of the approval process.

Those Apps that requires read access to Gmail has to get themselves assessed,
through Google appointed third party security assessors paying $75000 USD
annually.

This is the main blocker.

This will kick out any app or add-on that small scale developers create. It
will block new entrants. What remains will be established apps that are
generating huge revenue to justify the “protection money”. They get an added
advantage that there will no longer be any new competition.

It is not the restrictions, or the intention to protect the end user that is
in question but the “first save my back” attitude in the process, and the bait
and switch - that is the problem. In summary it happened like this:

Hey developers come, build apps using our platform, show your innovation!
Developers start investing time and effort on the platform, approval process
is smooth and fare Somewhere else, someone misuses someone’s system, huge
media attention Sorry developers, you go to Mr X , keep paying him and we will
keep you here. If not, trash your product and go away.

[1] [https://medium.com/@prasanthmj/lessons-learned-developing-
an...](https://medium.com/@prasanthmj/lessons-learned-developing-an-app-using-
google-apis-dff3f7b91be0)

[2]
[https://www.youtube.com/watch?v=GGXFQUmZTf4](https://www.youtube.com/watch?v=GGXFQUmZTf4)

[3] [https://blog.gsmart.in/applying-for-g-suite-api-
approvals/](https://blog.gsmart.in/applying-for-g-suite-api-approvals/)

[4] [https://medium.com/@prasanthmj/google-restricted-api-
scopes-...](https://medium.com/@prasanthmj/google-restricted-api-scopes-
require-75k-yearly-fees-a23cad053a4c)

[5] [https://www.wsj.com/articles/techs-dirty-secret-the-app-
deve...](https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-
sifting-through-your-gmail-1530544442)

------
ryanmercer
The changes they've been doing is somewhat annoying. It killed probably 75% of
my IFTTT and now it is going to kill my SMS backup solution (SMSBackup+)
unless the developer changes a bunch of stuff. Sure I can backup other ways
but I like having it in my gmail, I've been saving SMS backup there since the
iPhone 3gs.

I get why they are doing it but blah, now I have to find solutions for
everything again.

------
pmlnr
Good.

Maybe email clients will go back being email clients with IMAP so they can be
used with _any_ provider, not just gmail.

------
js4ever
I'm now considering to stop using gmail and all google services in general

------
laurent123456
The article mentions this is going to affect Drive soon too, but couldn't find
any info about this on Google announcement. Anybody has any info on this?

~~~
kwerk
Looks like[0] using the scopes that allow for seeing all drive files vs
specific files the user has invoked your app to see triggers the review
process next year.

[0] [https://cloud.google.com/blog/products/identity-
security/enh...](https://cloud.google.com/blog/products/identity-
security/enhancing-security-controls-for-google-drive-third-party-apps/)

------
jackjackk0
The only third-party app I received a warning about from Google regarding this
issue was FastMail... coincidence?

------
Zenbit_UX
This doesn't bode well for companies like streak whose sole product is an add-
on to Gmail...

~~~
giarc
Gmass owner has talked about this changed in a few blog posts. For companies
that are built on Gmail, they will just have to pay the $15k-75k security
audit fee and consider it cost of doing business.

------
tregoning
Doesn't this mean that SuperHuman is screwed?

------
alacombe
So... if every player (and Google in particular) start locking their platform,
how could this not constitute ground for antitrust trial ?

Even explorer was less tightly integrated 25 years ago...

------
unixhero
Christ. So much for the API economy.

