The plan for K-9 Mail 6.200

Current status: The basic functionality has been implemented. We’re still going through Google’s verification process. Apparently they’re only allowed to communicate using template emails. As you can imagine, this is a very frustrating experience.

Here’s a video that I recorded for the verification process:

You can ignore the end. They insisted on being shown all features of the requested scope: “Read, compose, send, and permanently delete all your email from Gmail”.


4 posts were split to a new topic: Google’s two factor authentication

Please add the address autocomplete function in the next release after 6.00.
This is sooooooo necessary.

With that quote above I would not expect it in 6.200

This should be split off to a separate thread as it has IMO nothing to do with the original posting.


Update: Google wants to make sure your accounts are safe by requiring K-9 Mail to… checks notes… add a “Sign in with Google” button that complies with the Sign-In Branding Guidelines.

It will take a while to change the implementation and then for Google to have another look.


If I want to use K-9 Mail with multiple Gmail accounts, will the new OAuth/OAuth2 method require adding all of them as “on-device” Google accounts on Android?

By “on-device”, I mean will they be visible on the phone’s Android Settings → Accounts → Manage Accounts screen?

For privacy / targeted ad avoidance reasons, I’d prefer if the phone as a whole was signed in to only one Google account and the other Gmail addresses remained “invisible” to the Android OS, like it is in, say, K-9 version 6.00. Will this be possible?

Is it just me or does that make no sense at all lol? Like since when does an email app need that? I’m sure some people don’t even use Gmail, so why would Google require a Google login for, say, Yahoo mail or mail?
I swear, those Google devs are getting sillier every day :roll_eyes:

I hope not, but I guess I am not 100% certain. From the video, it looks like a pure web flow. On Android, you can log into Google within Firefox/Chrome without Android noticing and adding a system-wide account, so I assume this would be the same.

Not sure exactly what you are concerned about. OAuth2 makes sense because it allows you to do things like revoking just one device’s access to your account without needing to reset your password and having devices signed in without needing to trust them to store your password securely/safely. It even opens the possibility of undoing everything that just one device did to your account (e.g., undeleting emails/seeing all sent emails) upon that device being compromised. It is cleaner/more right.

It is just too bad that Google requires an app-specific key. It’d be nice if the flow could be implemented once and just accepted by all email providers. Now some parts are Google-specific, requiring their API key and the review process…

I was talking about Google’s weird requirement to add a “Sign in with Google” button in K-9 - I’m not “concerned” about it, I merely find it very odd since I’m sure there are users out there that don’t even use a Gmail account. Also I’ve never seen that on any other email client either and the app itself doesn’t even require a login anyway.
Just another way for Google to make life difficult for app devs I guess.

But that one is only for your Google mail address. If you look at other MTAs with Google support, the login button is only displayed in the moment you add a new Google mail address. It’s not there constantly.

Ahhhh ok, that wasn’t clear … I haven’t used any other email client in ages since none push/pull as reliably as K-9, so I wasn’t aware that others have that button.

Thanks for the clarification :slightly_smiling_face:

Update: It didn’t take long to make the changes Google requested (see comment: The plan for K-9 Mail 6.200 - #11 by cketti). And after a few more very frustrating email exchanges they seemed to be satisfied with the video of the app they made me record.
Then they requested we “whitelist [their] test account” :person_facepalming: so they can test the app. I resisted the urge to tell them (again) that the app is connecting to their service, not ours. But I figured they actually need the app and sent them an APK for testing. They acknowledged that they received the APK on Monday. I assume they’re very diligent in their work because I haven’t received any updates since then.


So OAuth is a cut-rate Kerberos?
“Those who don’t know the past, are doomed to re-invent it. Badly. … Err, webBadly.” :wink:


Just joined here from the Thunderbird news, and will help out with Swedish translations and Beta testing as I do now with Thunderbird on Desktop :slight_smile:

Writing here to get updated when the first Beta is released.


Update: Google finally approved our “OAuth App Verification request”. We’ll release a beta version with support for using OAuth 2.0 with Google and Yahoo accounts later today.


Google tracking code most likely.

They don’t do anything for your benefit - only their own. So this suits them, not you.

I won’t be using K9 for this - and we have essentially stopped using all our Gmail accounts now.

Please see The plan for K-9 Mail 6.200 - #17 by tchara. There is no use of the Google application ID/key if you are not logging into Gmail. It is just that doing OAuth2 with Google requires an app key—you cannot get them to issue you a token if your app/website is not approved by Google. This lets them disallow people from logging into Google with K-9 if they deem the K-9 app to be insecure and want to protect their users from K-9. It could make sense if some security bug in K-9 resulted in it sharing your access code with some hacker upon opening some specially crafted HTML email, for example, or if the app store entry for K-9 was controlled by malicious people. It does reduce the freedom and openness, but it’s a way to combat people who just click through security warnings and then blame Google for themselves falling prey to phishing.

I understand how it works, thanks, but it doesn’t change what I said. Most will want to use Gmail - lord knows why.

Remember, this is not for your benefit, just theirs. They don’t do this for fun. Just for cash. OAuth can ‘helpfully’ be used across sites.

That means tracking you across sites.

And it’s unlikely to stop spammers, of which they host bucket loads.

K9 is no more or less secure today than it was yesterday. The “less secure” narrative is just marketing baloney as OAuth doesn’t guarantee anything much, apart from more data & ad cash for them. You are just the product being sold.

I have not upgraded beyond 5.600 because the new interface was completely useless, and the devs were not bothered, despite mountains of criticism. From experience that will be a perfect fit with Mozilla.

In the meantime I have dropped my use of Gmail and shifted slowly to FairEmail.

Hey ho. YMMV.
