
ubuntu-touch-coreapps team mailing list archive

Re: Dekko builds now available in the core apps PPA
On 04/07/15 21:27, Bartosz Kosiorek wrote:
> Hi,
> 
> I tried to log in to my Google Account but it was blocked by Google,
> because Dekko is not secure enough.
> More info:
> https://support.google.com/accounts/answer/6010255?hl=en
> https://www.google.com/settings/security/lesssecureapps
> 
> This issue also exists on my phone.
> Do you know if there is already a bug for that?
> 
> What needs to be done to improve the security of Dekko?
> 
> Best Regards
> Bartosz

Hi there,

We have a couple of bugs for this:

https://bugs.launchpad.net/dekko/+bug/1439479
https://bugs.launchpad.net/dekko/+bug/1378330

A lot of the major MUAs are hit by this issue. In Dekko this isn't a trivial thing to solve and requires some quite intrusive changes & additions.

This term "less secure app" really bugs me, as what it really means is "this app sends your credentials directly to Gmail". This doesn't mean an app is malicious and full of security holes, but instead they are saying an app doesn't use Google's OAuth through their self-made *non-standard* XOAUTH2[1] SASL mechanism.

Now on the flip side OAuth does solve the problem of not having to give an app your credentials and taking an authorization over an authentication approach, which does remove the need to expose your credentials to a third party app. *But* the fact that at the moment you have to enter your credentials to find out this is a "less secure app" makes this approach useless, and a malicious app could just pop open a browser and access your account.

Any MUA worth its salt would not *require* a password be saved to be able to function and would ask for it only when needed. Also sending credentials over a TLS/SSL connection is secure (which Google requires), but even for services where SSL/TLS isn't enabled there are already non-plaintext authentication mechanisms like CRAM-MD5, GSSAPI, SCRAM-SHA-1, NTLM etc. which will keep credentials secure on non-SSL/TLS connections.

In my opinion no average user is going to understand or even have knowledge of any of this, and the use of the coined phrase "less secure app" is just scaremongering and another Google domination attempt hidden behind a security concern.

Maybe it's Google trying to ensure only *they* can invade your privacy ;-)

Anyway, as a start for this in Dekko we need to implement XOAUTH2, which is a custom implementation of an early version of the sasl-oauth[3] RFC draft. I've done some of the work for IMAP OAuth already but it's not complete.

I would actually be more inclined to support the spec outlined in the sasl-oauth draft[3] for OAUTHBEARER, as that will most likely become official later this year. After a quick read of the draft, it should also work for XOAUTH2. Thunderbird has recently landed a first implementation[2] and is a good read for some more info on the subject.

If anyone fancies helping out with this let me know :-)

Cheers

Dan

[1] https://developers.google.com/gmail/xoauth2_protocol
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=849540
[3] https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-23
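
The two SASL mechanisms Dan contrasts above differ only in the shape of the initial client response: XOAUTH2 sends `user=<addr>^Aauth=Bearer <token>^A^A` base64-encoded, while OAUTHBEARER (the sasl-oauth draft, since published as RFC 7628) prefixes a GS2 header and adds `host=` and `port=` fields that bind the token to the server it is presented to. The following is an added example, not code from Dekko or from the post; it builds both responses, decodes them on a toy server side, and plays out the IMAP AUTHENTICATE success and failure exchanges. The account name, host, tokens, the token table and the JSON failure body are constructed test values; the wire formats follow Google's XOAUTH2 documentation[1] and the sasl-oauth draft[3].

```python
"""XOAUTH2 and OAUTHBEARER initial client responses for IMAP AUTHENTICATE,
with a toy server that decodes and checks them.

Added example, not code from the Dekko project or the mailing-list post.
Wire formats follow Google's XOAUTH2 documentation and
draft-ietf-kitten-sasl-oauth (published as RFC 7628); the user, host,
tokens and the JSON failure body are constructed test values.
"""
import base64
import json

SEP = "\x01"  # both mechanisms delimit key=value fields with ^A (0x01)


def xoauth2_initial_response(user, token):
    """XOAUTH2: 'user=<addr>^Aauth=Bearer <token>^A^A', base64-encoded."""
    raw = f"user={user}{SEP}auth=Bearer {token}{SEP}{SEP}"
    return base64.b64encode(raw.encode()).decode()


def oauthbearer_initial_response(user, host, port, token):
    """OAUTHBEARER: GS2 header 'n,a=<authzid>,' followed by ^A-separated
    host/port/auth fields. host and port let the server check that the
    token was presented to the service it was minted for."""
    raw = (f"n,a={user},{SEP}host={host}{SEP}port={port}{SEP}"
           f"auth=Bearer {token}{SEP}{SEP}")
    return base64.b64encode(raw.encode()).decode()


def parse_initial_response(b64):
    """Server side: decode either mechanism into a dict with keys
    mech, user, token and (OAUTHBEARER only) host, port."""
    raw = base64.b64decode(b64).decode()
    if not raw.endswith(SEP + SEP):
        raise ValueError("initial response must end with ^A^A")
    body = raw[:-2]
    fields = {}
    if body.startswith("n,"):
        fields["mech"] = "OAUTHBEARER"
        gs2, _, body = body.partition(SEP)
        for part in gs2.split(","):  # 'n', 'a=<authzid>', ''
            if part.startswith("a="):
                fields["user"] = part[2:]
    else:
        fields["mech"] = "XOAUTH2"
    for kv in body.split(SEP):
        key, _, value = kv.partition("=")
        if key == "auth":
            scheme, _, token = value.partition(" ")
            if scheme.lower() != "bearer" or not token:
                raise ValueError("only 'auth=Bearer <token>' is supported")
            fields["token"] = token
        elif key in ("user", "host", "port"):
            fields[key] = value
    if "user" not in fields or "token" not in fields:
        raise ValueError("missing user or token")
    return fields


# Constructed server state: access token -> account it was issued for.
VALID_TOKENS = {"ya29.constructed-access-token": "alice@example.com"}
SERVER_HOST, SERVER_PORT = "imap.example.com", "993"


def imap_authenticate(tag, mech, b64):
    """Simulate one IMAP AUTHENTICATE command. Returns the lines that would
    cross the wire, client lines prefixed 'C:' and server lines 'S:'."""
    lines = [f"C: {tag} AUTHENTICATE {mech} {b64}"]
    try:
        f = parse_initial_response(b64)
        ok = (f["mech"] == mech
              and VALID_TOKENS.get(f["token"]) == f["user"]
              and (mech != "OAUTHBEARER"
                   or (f.get("host") == SERVER_HOST
                       and f.get("port") == SERVER_PORT)))
    except ValueError:
        ok = False
    if ok:
        lines.append(f"S: {tag} OK AUTHENTICATE completed")
        return lines
    # On failure both mechanisms send a base64 JSON status in a server
    # continuation; the client answers with an empty line (XOAUTH2) or a
    # lone ^A (OAUTHBEARER), and the server then fails the command.
    status = {"status": "401", "schemes": "bearer",
              "scope": "https://mail.example.com/"}
    lines.append("S: + " + base64.b64encode(json.dumps(status).encode()).decode())
    lines.append("C: " + ("" if mech == "XOAUTH2" else SEP))
    lines.append(f"S: {tag} NO AUTHENTICATE failed")
    return lines


if __name__ == "__main__":
    good = xoauth2_initial_response("alice@example.com",
                                    "ya29.constructed-access-token")
    print("\n".join(imap_authenticate("A01", "XOAUTH2", good)))
    stale = oauthbearer_initial_response("alice@example.com",
                                         "imap.example.com", 993, "ya29.revoked")
    print("\n".join(imap_authenticate("A02", "OAUTHBEARER", stale)))
```

The server here only checks the token against a local table; a real server validates the bearer token with the authorization server (or verifies a signed token) and, for OAUTHBEARER, should reject a token whose `host`/`port` do not match its own, which is the property XOAUTH2 lacks. The GS2 header parser assumes the authzid contains no comma; the draft requires commas and `=` in the authzid to be escaped as `=2C` and `=3D`, which this toy does not handle.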