Can 2-Auth or OAuth be Avoided with K-9

Gideon · August 5, 2022, 10:25pm

I’m a privacy-oriented person with a DeGoogled phone using K-9. As most are experiencing, the client used to work fine with Gmail, however back in May, 2-step auth was needed to continue using Gmail with K-9. I let it go because I don’t want to let Google trace my device’s IMEI back to me. Is there any workaround for this yet?

Nimueh · August 6, 2022, 5:22am

Google requires OAuth (or 2FA with an app password) for using their email on ALL email clients, so the only way “around it” is not using a Gmail email.

Pretty sure Google couldn’t care less about your IMEI and “tracing it back” to you btw - but why use Gmail (or an OS made by Google for that matter) if you’re that worried?

tchara · August 6, 2022, 12:39pm

The IMEI is not part of the OAuth Token Negotiation. Instead, a per-app device ID is used.

(If the app is not properly set up to the current API, the real device ID may be used. However, that still doesn’t allow any inference wrt the IMEI.)

You should be way more worried about using a cell phone in general. Governments and even private entities can track your movements based on cell tower data. If you are using 2G and 3G, your connection (voice and data) is unencrypted. On 4G the encryption is a joke (due to known static key), and on 5G all major intelligence players made sure that the encryption can be broken with little effort. And of course, metadata is never encrypted on your mobile connection on cell level.

Gideon · August 6, 2022, 10:28pm

Hello @tchara and @Nimueh,
Thank you for your input. As I expected, there is no way around it so to speak. I don’t want to get side-tracked into a debate about what to worry about or what not to worry about. We all have our opinions and it’s a really deep topic. But thank you for the input nonetheless.
Gideon

OldieAB · August 7, 2022, 2:46am

Couple ideas…

With a Google App password (assuming they still let users create these) as your K9 IMAP connection password should do. Ensure you connect over a VPN when retrieving and sending email.

or

Forward your gmail to another provider, and have K9 pick it up from there.

Gideon · August 7, 2022, 3:04am

@OldieAB - these are good ideas - I like the second one you have. I’ll be sure to give it a try and I’ll let you know how it works out.

Your second suggestion is wonderfully simple and one can even opt to have the message deleted as they are forwarded. I use thunderbird on my PC and K-9 on my phone running LineageOS. Ultimately, I can back up my messages on TB.

Thanks @OldieAB.