[MlMt] Notes on latest test release and Gmail OAuth application verification

Benny Kjær Nielsen mailinglist at freron.com
Fri May 31 06:16:45 EDT 2019


Hi MailMate users,

a couple of updates on the subjects I wrote about a month ago.

First some very good news: I've finally passed the verification process 
for the Google OAuth API. It has been a bit frustrating and involved 
weird steps including making a YouTube video essentially showing that 
MailMate is an email client. In the end I was again asked to go through 
the security audit, but after yet another appeal it was revealed that 
this was a mistake. This means that MailMate will continue to support 
Gmail -- also after January 2019. Well, at least until the next time 
Google decides to threaten to pull the OAuth plug.

My work on WKWebView (the new message view) continues. It's still not 
ready for testing (because of a lack of essential features like image 
blocking and signing/encryption results), but I've added important major 
features like the “Find” interface to do text searches. A new 
feature is that this now also works for the headers. Scrolling behavior 
has been tricky to implement, but this is almost complete. Next up are 
changes needed for how HTML is created for the message view. The new 
message view allows multiple HTML segments to be created and displayed 
in separate HTML views. This is both more flexible and more robust with 
respect to security when dealing with signed/encrypted content and/or 
when displaying complex and/or multiple messages.

(And the bad news: When I work on major features I tend to fall behind 
on answering emails and updating support tickets.)

-- 
Benny
https://freron.com/become_a_mailmate_patron/

On 30 Apr 2019, at 16:56, Benny Kjær Nielsen wrote:

> Hi MailMate users,
>
> I know I'm behind on answering emails (also on the mailing list), but 
> it doesn't mean I'm not working :)
>
> ## WKWebView
>
> Right now I'd just like to note that I'm busy working on replacing the 
> main message view in MailMate. It currently uses the so-called WebView 
> class provided by Apple, but this was deprecated a long time ago (by 
> Apple) and it should be replaced by a so-called WKWebView. Both 
> classes are used to display HTML (which MailMate also generates to 
> display plain text messages) and if that is all that is needed then 
> it's a simple replacement. But MailMate also has image blocking, 
> context sensitive menus, text search, etc. and all of this has to work 
> in a completely different way. In some cases, it's not even clear that 
> I can provide the same features as before. We'll see about that. 
> WKWebView is 10.10+, but right now it looks like image blocking can 
> only work on 10.13+. I'm not quite sure what to do about that yet...
>
> The latest test release includes the new message view, but it's 
> disabled for now because too many things don't work yet. I'm mainly 
> writing about this since some changes might also affect the old 
> message view in the latest test release.
>
> The good news is that when the replacement is finished then I should, 
> at least in theory, be able to fix various old issues.
>
> ## Google OAuth API Application Verification
>
> MailMate uses the so-called OAuth2 authentication method for Gmail 
> IMAP/SMTP access. This works far better than password-based access 
> which I suspect is eventually going to be dropped completely by 
> Google. I had (and still have) some reservations about OAuth2 support 
> which I outlined in [this blog 
> post](https://blog.freron.com/2015/is-oauth2-support-a-good-thing/). I 
> expressed that I worried that Google would some day use OAuth2 to 
> “hit the kill switch” on MailMate...
>
> ...and recently I was told by Google that I needed to start a 
> verification process for MailMate. I've done that and if I understand 
> correctly I have until the end of 2019 to complete this process.
>
> Now, the problem is that I'm not really sure I can (or is willing to) 
> complete the verification process at all. It *might* include a 
> security audit with a price tag between $15000 and $75000+ (I'm 
> clearly in the wrong business). There seems to be exemptions for 
> desktop email applications and I've asked Google to clarify this, but 
> I also feel that I'm obligated to tell my users that I think it's a 
> potential risk that MailMate cannot support Gmail starting January 
> 1st, 2020. As soon as I fully understand what's going to happen, I'll 
> make sure to clearly state it wherever it's relevant on the homepage 
> and in the documentation.
>
> Here's a [link to the Google 
> FAQ](https://support.google.com/cloud/answer/9110914) on the subject 
> if anyone is interested.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freron.com/pipermail/mailmate/attachments/20190531/50b9663e/attachment.html>


More information about the mailmate mailing list