What are the dangers of allowing "less secure apps" to access my Google account?

In my understanding, "less secure apps" refers to applications that send your credentials directly to Gmail. Lots of things can go wrong when you give your credentials to third party to give to the authentication authority: the third party might keep the credentials in storage without telling you, they might use your credentials for purposes outside the stated scope of the application, they might send your credentials over a network without encryption, etc.

Additionally, it could be an app that a user has installed locally, such as an IMAP client (see the following support note from Google: https://support.google.com/accounts/answer/6010255?hl=en).

"Less secure" isn't meant to say that apps that use your credentials are necessarily full of security holes or run by criminals. Rather, it is the category of behavior -- giving your credentials to a third party -- that is fundamentally less secure than using an authorization mechanism like OAuth. With authorization, you never allow the third party to see your credentials, so an entire category of problems is instantly eliminated.

In OAuth, you authenticate directly to Gmail with your credentials and authorize an app to do certain things. The third-party app only sees an authorization token provided by Google as proof that you authenticated correctly and agreed to authorize that app.

As for why it would be dangerous to enable less secure apps (versus using a particular app that may be untrustworthy), I'm not totally sure. Google's refusal to authenticate happens after you've already given away your credentials to the application. It seems to me that any time you provide your credentials to a third party, it doesn't matter whether or not you've allowed authentication by "less secure apps" -- someone can just load up a log-in screen and directly log in as you. The only possible cases I can think of are:

  • Possibly "app-based" login attempts are treated differently from "human-based" login attempts, in particular in how they treat sudden changes in location. Maybe the "less secure" app you're trying to use has servers on another continent, so it's not suspicious to Gmail when an app tries to log in as you somewhere else, while an attempt by a human to use the log-in screen from another continent would be suspicious.

  • Possibly "less secure" auth methods include some other login method that doesn't directly reveal your credentials to the third party but is less secure than OAuth 2.0 in some other way (e.g., it's vulnerable to eavesdropping by an attacker, or it somehow makes it easier for an attacker to access your account without knowing your password).

Those two points are pure conjecture and very well may not be true in actual fact.


I don't have enough reputation to comment, but I want to add my own experience on when I've "found" the issue...

I was setting up a new email client, Airmail 2.0, to use Google's SMTP server to send mail on behalf of a Gmail account.

Now, my setup might not be too "common": I have this specific Gmail address forwarded to a different address, which is the one I'm using from Airmail, and I'm setting the Gmail address as an "alias" of that account. Likely to avoid looking like spam, Airmail allows you to configure a specific SMTP server to use when sending "from" an alias.

I have another Gmail account set up on Airmail without any "funky" configuration or redirections, and that one is working fine (no messages about "reduced security", for example). So I copied the SMTP settings from the "normal" account to the new one:

These are the settings for the "classical" account:

[Image: Old Gmail Account SMTP Settings]

And these are the ones for the "alias" SMTP server:

[Image: New Gmail Account SMTP Settings]

Notice any differences? Me neither!!

I've been having a look around, and I've also found the page mentioned previously, Google's security article "New Security Measures Will Affect Older (non-OAuth 2.0) Applications", where the change is announced. This paragraph (emphasis mine!) seems to imply that apps will need to be "authorised" to access the account in a similar way to how many other "app clients" (Dropbox, etc.) do:

That's why, beginning in the second half of 2014, we'll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.

I'm not against the idea by itself, but I'd appreciate having more info on what apps need to do to be considered safe, so we can ask our app providers to implement the necessary changes...

More info on the topic here: GMail starts to block less secure apps: how to enable access again.

What is more puzzling is that my "other" Gmail account doesn't trigger this type of message, as I don't have 2FA enabled, so according to the previous article I should've got some of those errors!

UPDATED 2014-12-31, 17:52 GMT: Out of curiosity, I've checked the settings for my old Gmail account, and I've seen that it's actually set to "less security" (as Google calls it). I guess that when Google introduced the feature, the default for existing accounts that were being accessed by "less-secure" (as per Google's terms) clients was to allow them to keep on being accessed.

On the other hand, as some of the comments on the original Google blog post say, it's great that Google worries about our security, but they could have started by supporting things like CRAM-MD5 or DIGEST-MD5 for authentication instead of just plain LOGIN.
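To make the distinction drawn in both answers concrete (the first answer's point that a password-sending app sees your credentials while an OAuth app only sees a token, and the second answer's wish for CRAM-MD5 instead of plain LOGIN), here is an added Python example that is not code from either poster or from Google. It builds the SASL client strings each mechanism would send to an SMTP server, using constructed sample credentials and a placeholder token, and checks which of them carry the password itself.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the demo; not real credentials or a real Google token.
USER = "alice@example.com"
PASSWORD = "correct horse battery staple"
ACCESS_TOKEN = "ya29.EXAMPLE-TOKEN-PLACEHOLDER"


def auth_plain(user: str, password: str) -> str:
    """SASL PLAIN initial response (RFC 4616): base64("\\0user\\0password").
    This is what a password-based ("less secure") app sends: the password itself, merely encoded."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def password_from_plain(response: str) -> str:
    """base64 is encoding, not protection: anyone holding the string gets the password back."""
    return base64.b64decode(response).decode().split("\0")[2]


def cram_md5_digest(password: str, challenge: str) -> str:
    """CRAM-MD5 keyed digest (RFC 2195): HMAC-MD5 keyed with the password over the server's challenge."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def auth_cram_md5(user: str, password: str, challenge: str) -> str:
    """CRAM-MD5 client response: base64("user <hexdigest>"). Only the digest crosses the wire,
    so a passive eavesdropper (or a server log) never sees the password itself."""
    return base64.b64encode(f"{user} {cram_md5_digest(password, challenge)}".encode()).decode()


def cram_md5_server_check(user: str, password: str, challenge: str, response: str) -> bool:
    """Server side: recompute the digest from the stored secret and compare in constant time.
    Trade-off: the server must keep the password (or an equivalent secret) recoverable."""
    return hmac.compare_digest(auth_cram_md5(user, password, challenge), response)


def auth_xoauth2(user: str, access_token: str) -> str:
    """Gmail's SASL XOAUTH2 initial response: base64("user=<u>\\x01auth=Bearer <token>\\x01\\x01").
    The app presents a scoped, revocable token; the account password never reaches it."""
    return base64.b64encode(f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()).decode()


def reveals_password(sasl_response: str, password: str) -> bool:
    """Does the decoded SASL message contain the password verbatim?"""
    return password.encode() in base64.b64decode(sasl_response)
```

Note that CRAM-MD5 only hides the password from the wire; the app still has to hold it, so it does not remove the "third party keeps your credentials" risk the way a scoped OAuth token does.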