Hacker News new | ask | show | jobs
by malinens 1495 days ago
There is only one thing why this is done: to make impossible to move from gmail (also with custom domains) to another provider. We have the same problem. We spent hundreds of hours implementing their legacy auth (less secure apps), gmail oauth2 and domain-wide delegation to be later stuck in approval process. Until our app is not approved users can not use e-mail import/migration tool to our inbox.eu service. And there is lot of demand for that because people do not want to pay so much for e-mail. Shame on google... they also do not provide reas-only access to IMAP which is more than enough to export your mailboxes to other e-mail providers
2 comments
tptacek 1495 days ago
This isn't true at all. The reason Google does this is that there is a huge ecosystem of random apps that request full access to people's mail accounts, which are the most sensitive accounts on the entire Internet, and many of those apps were hot garbage that generated a huge account takeover problem. It's perfectly fair to not like the policy (I don't like some things about it), but it's not reasonable to caricature it.
link
malinens 1495 days ago
You seem to had never gone trough this approval process. There are many dark patterns there:

* Asking for huge amount of money in the of the process (after you wasted hundreds of hours of expensive developer time) * forcing to use restricted scope (read,White,delete) for standard IMAP access even if you need only read-only access or use their proprietary API with read-only scope with unknown rate limits and which is difficult and time-consuming to use * cryptic messages why app is not approved and ignoring arguments made for their questions * often changing APIs (access token formats)

They do everything to avoid competition not making better product but by locking existing customers to their ecosystem.

And this is not only google. We had similar issues Apple and Meta.

link
tptacek 1495 days ago
I am, because reasons, quite familiar with the security review portion of the process. Not only is it mostly/probably not run this way for anticompetitive reasons, but Google doesn't even run the audits; they picked specific auditors (last I checked, Bishop Fox and Leviathan), both of which have gold-plated reputations.

Like I said, there are things I don't love about the program. But it's not an elaborate hazing ritual.

link
Alex3917 1495 days ago
> many of those apps were hot garbage that generated a huge account takeover problem

Are there any publicly known examples of this? I'm not doubting that it's happened, I've just never actually heard about any cases of this with respect to the Gmail OAuth API specifically.

link
w3ll_w3ll_w3ll 1495 days ago
Searching "gmail oauth malicious"

https://duo.com/blog/gmail-oauth-phishing-goes-viral

link
NavinF 1495 days ago
Eh why not ask users to upload their takeout files and forward their incoming mail to the new address? https://takeout.google.com/

Read only access to the user’s inbox is enough to reset every password so I’m unsurprised that they make this hard.

link