From the 1st January 2020, in an effort to improve security, Google are implementing tighter access controls on Gmail accounts. As a result, we are required to change the way you log in and connect your Gmail accounts to Leave Me Alone.
Here is everything you need to know about the changes we are making and what you need to do to continue using Leave Me Alone with your Gmail.
What is changing?
We are making two main changes:
Login
Currently we allow you to log in directly with your Google account using OAuth.
From the 1st January, signing up with Google OAuth will no longer be supported.
If you previously logged in directly with your Google account then you can still authenticate, but if you wish to sign up to Leave Me Alone you will need to do so with a username and password, or Microsoft OAuth.
Connecting Google accounts
Currently we request your mail from Gmail using their API. From 1st of January we will instead use IMAP to fetch your mail.
Google are making it more difficult for third-party apps to access your mail independently, which is why we can no longer make use of the API. However, IMAP is a well-developed and secure protocol that we currently use to fetch mail for Yahoo, iCloud, Fastmail, and many other mail providers.
The setup process for IMAP is slightly more complicated, requiring it to be enabled manually from within Gmail:
- Go to the "Forwarding and POP/IMAP" tab in your Gmail settings.
- In the "IMAP access" section, select Enable IMAP.
- Click Save Changes (don't forget this step ⚠️).
Is it safe to give you my Gmail password?
To connect your Gmail to Leave Me Alone you will generate a unique one-time app password for Leave Me Alone that is different to your Gmail login password. We do not need, and will never ask for, your Gmail password.
We are still committed to securing your data and we have taken several precautions to ensure the safety of your app password and your account. Here’s how we secure your information:
- Your Gmail authentication details are encrypted by your personal master password (the password you sign in to Leave Me Alone with), and can only be decrypted when you log in and fetch your mail. This is similar to security methods used by password management systems, so we are confident your details are secure.
- When you log in, your Gmail authentication details are only stored on your session, and are wiped when you log out. There is no way for someone else to access them, even if they were able to get into our system.
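The two points above, sketched as an added example that is not Leave Me Alone's own code: the app password is stored only as a record encrypted under a key derived from the master password, decrypted into the session at login, and dropped at logout. The choice of scrypt and AES-256-GCM, the function names, and the in-memory session map are all assumptions made for illustration.

```javascript
// Added illustration, not Leave Me Alone's code. scrypt + AES-256-GCM, the
// function names and the in-memory session Map are assumptions.
const nodeCrypto = require('crypto');

const sessions = new Map(); // sessionId -> { appPassword }, memory only

// Stretch the master password into a 256-bit key; the salt is per record.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt the Gmail app password; only this record is written to storage.
function sealAppPassword(masterPassword, appPassword) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(appPassword, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Returns the app password, or null if the master password is wrong or the
// record was modified (the GCM tag check fails in both cases).
function openAppPassword(masterPassword, record) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(masterPassword, raw(record.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(record.iv));
  decipher.setAuthTag(raw(record.tag));
  try {
    return Buffer.concat([decipher.update(raw(record.ct)), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Login: decrypt into the session. Logout: drop the plaintext again.
function login(sessionId, masterPassword, record) {
  const appPassword = openAppPassword(masterPassword, record);
  if (appPassword === null) return false;
  sessions.set(sessionId, { appPassword });
  return true;
}

function logout(sessionId) {
  return sessions.delete(sessionId);
}
```

Because the key is never stored, a copy of the stored record alone does not reveal the app password; the remaining exposure is the window in which a session holds the decrypted value.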
Is it still safe to use Leave Me Alone?
Absolutely! Our commitment to your privacy and data security has not changed and never will. As always, we don’t store the content of your emails and we will NEVER sell your data.
Why are you making these changes?
Earlier this year Google announced that they would require developers who use sensitive Gmail APIs to complete an audit to remain a verified app.
We think that the move is the start of a positive shift and that developer verification is a step in the right direction towards preventing any more data-grabbing scandals. However, the cost of the audit, which is anywhere from $15,000 to $75,000, is currently beyond our means as an independent bootstrapped company.
After many discussions James and I have decided that we love working on Leave Me Alone and that we will continue to support Gmail. Fortunately, we are not reliant on the Google API to continue providing support for Google mailboxes. We will continue supporting Gmail using a different authentication method (IMAP) so that you can still keep your inboxes clean of spam no matter what email provider you use!
If you have any questions about these changes, or anything else, please send us an email to hello@leavemealone.app or reach out on Twitter.
Cover photo from Unsplash