Google Advanced Protection Program

Thunderbird is an authorized application for Gmail accounts using Google’s Advanced Protection Program, but K-9 is blocked when logging in with Oauth2. Is it possible to program K-9 in such a way that Google recognizes it as “Thunderbird” and therefore allows it access to accounts with advanced protection?

I’m using OAuth just fine with Gmail (IMAP) on K-9. What exactly is your error?

Google Advanced Protection

It is too restrictive which is why I opted back out of it after testing it for just two weeks.

Principally, the concept is very good if you have higher than usual security demands, especially in corporate settings. However, as a private person the restrictive drawbacks are too many.

Just keep in mind that any app installed from other app stores (F-Droid, …) cannot be installed or updated once you enroll, as only Play Store is considered safe.

1 Like

Eeeek, why would anybody enable THAT lol? That would include K-9, since I always install the Github version :roll_eyes:

Thanks for the link + explanation, I just figured he meant normal OAuth and not some new shenanigans Google cooked up.

Actually I believe it’s possible to side load apps via ADB, including app stores. I think only downloading and installing an APK directly is blocked.

Nope, not a chance!

1 Like

Often with security there can be a cost: time, money, hassle/effort, etc. With the Google’s Advanced Protection Program, you will have limited options for your devices. Read up on the program - it’s not meant to be a typical offering for all Google users.


Instead of OAuth2, generate an app-specific password from your Google Account settings. This password can be used to authenticate K-9 with your Gmail account.


This is not possible while enrolled to Advanced Protection.

That, and app passwords are slated for removal, apparently. I’m not sure this applies to consumer accounts but does appear to apply to the paid-for service. We will know in several weeks.

No, that is not what the Google statement says.

This is the use of regular username and password.

Surprisingly, the Canary Mail app is capable of logging into Gmail with Advanced Protection enabled. I don’t fully understand the technicals, but I read something about interfacing directly with Gmail or the Gmail API and using only fetch? I might have gotten all that wrong. But the interface looks like a direct copy of my email folders. Works with PGP too.

I’m not so sure, but not sure either way.

Since app passwords are assigned, they are still a user/password combination and sent normally for authentication, perhaps not protected well within third party apps either. Google would probably like us to all use passkeys, push, totp, oauth, and yubikeys if we all could.

I went into my personal Google Account settings, and under the Security settings page, there is NOT a menu item for App Passwords. I can search and find App Passwords though. Given it’s not plainly aware and easily discoverable via the menu, I wonder if the demise of AppPasswords is upon us.

We’ll know more for sure in a couple weeks - June 15 isn’t that far away.