
Gmail blocks access to custom “webview/browsers” - unlog
https://i.imgur.com/WwuOOUG.mp4
======
tetromino_
Your custom browser might be getting detected as a MITM attack on your
account.

If that is the case, take a look at
https://security.googleblog.com/2019/04/better-protection-against-man-in-middle.html
for the official statement and at
https://stackoverflow.com/questions/59480956/browser-or-app-may-not-be-secure-try-using-a-different-browser-error-with-fl
and all the resources that it links to for some workarounds.

~~~
unlog
Mmmh, I considered a MITM attack an interception. While maybe making a custom
browser (that obviously has access to the webpage) could be considered as "In
the Middle" I do not think the definition sticks to it, but they seem to do,
given your link. I understand the reasoning but I don't share it, it sort of
makes sense, but doesn't. If someone got to install a "Chrome Embedded
Framework" then they already bypassed the "(in)secure screen", but I see how
this could be a problem..

------
horsawlarway
Google doesn't allow auth in a webview. The reasoning is that any application
prompting you to login with a 3rd party service (ex:
google/facebook/twitter/etc) in a webview can compromise the account.

Technically, they're correct - It's pretty easy to inject code into a webview
you own, and it can do basically anything it likes (for example - record the
username/password you just entered into the Google login page).

So Google's stance is that you need to use a browser they approve of to access
your account, and if they spot a webview they tend to block it and show this
message.

I'm conflicted - As someone responsible for doing security audits, their
concerns are fair.

As someone who does not believe Google is operating with any vestiges of the
"Do no evil" motto, this is also a very convenient way to block new entries to
the browser market.

~~~
unlog
> Google's stance is that you need to use a browser they approve of to access
> your account

Yeah that's the crazy up situation..... I could maybe access via an IMAP client,
guess they will ask for an "insecure app password" (I forgot the name of this)

But the thing that blows my mind is that you cannot make your own browser!
That's the problem..... because I was considering to do just that, my own
browser, wow, I cannot do it without Google approval..... I will need to think
about it....

------
franga2000
Does anyone know how they're detecting this? User agents can be changed and JS
APIs can be modified with very little effort. Short of making something
absolutely insane and forcing everyone to go along like they did with
SafetyNet on Android, I don't see a way for this to actually work...

