by jaapz 1495 days ago
I don't think the problem here is that users can still use app passwords instead of OAuth2 - it's that the developer went through the trouble of developing an OAuth2 implementation, went through the necessary laborious steps to submit the application and then was faced with this message:

> The cost of the assessment typically varies between $10,000 -$75,000 (or more) depending on the size and complexity of the application; smaller applications may see costs at a lower threshold of $4,500

That's just bad, but pretty typically Google.

1 comment

The Google documentation regarding OAuth access to Google APIs, including Gmail, explicitly mentions this requirement. It should not have been a shock to the author. Also, this requirement only applies if the app is intended to store the data on a server. An email client which directly accesses and locally stores the email would not require a security audit. Pegasus would not be the first email client to use OAuth2 with Gmail, and others have not required an audit. Some of the newer email client services which implement advanced features by downloading email directly from Gmail to their own servers on the backend to do processing of the email would require a security audit.