Why Google is deleting some apps

Google is planning to block access to the Gmail account for some apps that don't use the OAuth protocol: here's what they are

New things are coming, in 2020, for business users of Google's G Suite and, in particular, for those who access their Gmail inbox through a third-party client. That's a big chunk of users, since email clients are still very common in the business world.

Google, however, has announced that starting June 15, 2020, it will begin restricting access to its suite by "less secure apps" (LSAs). By February 15, 2021 these apps will be completely blocked. It should be noted that among these apps there are also some old versions of Microsoft Outlook, still used by millions of users worldwide. Google's choice is a security measure: the less secure apps are those that do not use the OAuth protocol for user authentication, but use only the username and password, and are more easily subject to phishing attacks.

What is OAuth

The OAuth protocol is an open standard and not proprietary to Google. In fact, Amazon, Twitter, Facebook and Microsoft itself use it in their latest apps. OAuth integrates account protection measures, while maintaining a good flexibility and convenience of use and implementation. For example, through OAuth a third-party app can access the user's data, but without having access to the user's credentials. In other words: an email client can let us read and write messages, but without knowing our username and password, which remain in the hands of OAuth.

The problem is phishing

If Google pushes for the massive implementation of OAuth it is to protect G Suite users from phishing attacks, made easier by simple authentication with user and password. The new restrictions will apply to accessing Gmail as well as Calendar, Docs and other Google services. Until February 15, 2021, users who have connected to G Suite apps that don't use OAuth will be able to continue using them, if they haven't already been disabled by Google in the meantime.

Is OAuth secure?

It should also be said, however, that in the past the OAuth protocol hasn't proven to be perfect. In 2017, for example, it failed to block a malware attack on Gmail users: an infected app used precisely OAuth to gain access to some Gmail accounts. If users granted access, the app started sending phishing messages disguised as a normal email message containing a fake attachment in Google Docs format with a malicious link inside. After that episode Google decided to continue using OAuth as an authentication system, but strengthened a lot the security measures related to its management.