[MlMt] Notes on latest test release and Gmail OAuth application verification
Benny Kjær Nielsen
mailinglist at freron.com
Thu May 2 06:16:43 EDT 2019
On 1 May 2019, at 0:42, Annamarie Pluhar wrote:
> As a non-geek (and a grateful MM user!) what I think I’m
> understanding is that google might require some type of pricey audit
> that Benny can’t afford out of his own pocket. Is that right?
Well, this is still not quite clear to me. I'm mainly writing about it
on the mailing list as a very early warning of a possible future problem
if I cannot complete the verification process. It might be premature and
there might not be a problem at all, but I have to somehow complete the
verification process.
> If that’s true perhaps all of us users could contribute to a
> crowd-sourced fund to pay for same. ??
It's possible that MailMate cannot survive without Gmail users, but
crowd funding an audit is not the solution. The higher end of an audit
($75000) is far more than I currently make in a year and I assume
security audits would be needed again for future releases of MailMate.
And in theory, other companies might follow the example of Google and
then an audit might be needed for Apple, Microsoft, Yahoo, etc.
(Currently, OAuth2 is only used for Outlook and Gmail.)
For now, I'm assuming the problem will go away when I figure out how to
complete the verification process without an audit.
> Before we jump to that - does someone understand why Google might want
> this audit? I don’t know how many users there are but perhaps google
> could not require the audit? What does it do?
I think it's all about protecting user data. A security assessment would
likely focus on any data stored/cached on remote servers. MailMate is a
Desktop email application which only uses a local cache, but one could
argue that moving emails to a different account (or even forwarding
emails) gives MailMate “the ability to send Google user data from a
Restricted Scope to remote servers” and then MailMate is a candidate
for a “security assessment”. But I *think* this only makes sense if
MailMate (Freron Software) stored anything on its own servers which I
naturally do not do.
Part of the problem is perhaps that the OAuth authentication flow is
“too easy”, that is, evil (web)apps can easily ask for user
permission to, e.g., access emails and if the user clicks Ok then that
application can “quietly” fetch everything. Given that the user
explicitly fetches MailMate to handle email then that doesn't really
apply in my case.
I don't really think that MailMate is the target of what Google is
trying to stop, but that doesn't solve the problem of me being stuck in
the verification process.
The best protection provided is that Apple ensures that only releases
created by me (with my secret developer certificate) will run on macOS
without warnings. Something similar does not exist for OAuth. Anyone can
create an application with a different developer certificate and then
(mis-)use my verified Google OAuth registration -- including if I had to
go through a security assessment to get it.
I'm just thinking out loud here. Given that MailMate is a single-person
business, consider the above what I would be discussing with colleagues
at the coffee machine in the company office :-)
--
Benny
https://freron.com/become_a_mailmate_patron/