With large email providers making it hard to impossible to use password authentication, the sole focus for the next stable version will be to turn K-9 Mail into what the providers like to call a “more secure app”.
The hope is that this focus on just one new feature will mean that the next stable version can be released rather soon.
Current status: The basic functionality has been implemented. We’re still going through Google’s verification process. Apparently they’re only allowed to communicate using template emails. As you can imagine, this is a very frustrating experience.
Here’s a video that I recorded for the verification process:
You can ignore the end. They insisted on being shown all features of the requested scope: “Read, compose, send, and permanently delete all your email from Gmail”.
Update: Google wants to make sure your accounts are safe by requiring K-9 Mail to… checks notes… add a “Sign in with Google” button that complies with the Sign-In Branding Guidelines.
It will take a while to change the implementation and then for Google to have another look.
If I want to use K-9 Mail with multiple GMail accounts, will the new OAuth/OAuth2 method require adding all of them as “on-device” Google accounts on Android?
By “on-device”, I mean will they be visible on the phone’s Android Settings → Accounts → Manage Accounts screen?
For privacy / targeted ad avoidance reasons, I’d prefer if the phone as a whole was signed in to only one Google account and the other GMail addresses remained “invisible” to the Android OS, like it is in, say, K-9 version 6.00. Will this be possible?
Is it just me or does that make no sense at all lol? Like since when does an email app need that? I’m sure some people don’t even use Gmail, so why would Google require a Google login for, say, Yahoo mail or Web.de mail?
I swear, those Google devs are getting sillier every day.
I hope not, but I guess I am not 100% certain. From the video, it looks like a pure web flow. On Android, you can log into Google within Firefox/Chrome without Android noticing and adding a system-wide account, so I assume this would be the same.
Not sure exactly what you are concerned about. OAuth2 makes sense because it allows you to do things like revoking just one device’s access to your account without needing to reset your password, and having devices signed in without needing to trust them to store your password securely/safely. It even opens the possibility of undoing everything that just one device did to your account (e.g., undeleting emails/seeing all sent emails) upon that device being compromised. It is cleaner/more right.
It is just too bad that Google requires an app-specific key. It’d be nice if the flow could be implemented once and just accepted by all email providers. Now some parts are Google-specific, requiring their API key and the review process…
I was talking about Google’s weird requirement to add a “Sign in with Google” button in K-9 - I’m not “concerned” about it, I merely find it very odd since I’m sure there are users out there that don’t even use a Gmail account. Also I’ve never seen that on any other email client either and the app itself doesn’t even require a login anyway.
Just another way for Google to make life difficult for app devs I guess.
But that one is only for your Google mail address. If you look at other MTAs with Google support, the login button is only displayed at the moment you add a new Google mail address. It’s not there constantly.
Ahhhh ok, that wasn’t clear … I haven’t used any other email client in ages since none push/pull as reliably as K-9, so I wasn’t aware that others have that button.
Update: It didn’t take long to make the changes Google requested (see comment: The plan for K-9 Mail 6.200 - #11 by cketti). And after a few more very frustrating email exchanges they seemed to be satisfied with the video of the app they made me record.
Then they requested we “whitelist [their] test account” so they can test the app. I resisted the urge to tell them (again) that the app is connecting to their service, not ours. But I figured they actually need the app and sent them an APK for testing. They acknowledged that they received the APK on Monday. I assume they’re very diligent in their work because I haven’t received any updates since then.
Update: Google finally approved our “OAuth App Verification request”. We’ll release a beta version with support for using OAuth 2.0 with Google and Yahoo accounts later today.