Support » Plugin: WP Issues CRM » Gmail identifies this as a ‘less secure app’

  • Resolved enquirer32


    In attempting to use this and collect emails from gmail (through ssl etc) Google still identifies this as a ‘less secure’ app and suggests blocking it. Why is this and are you working on a fix?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Will Brownsberger


    Thanks for writing.

    I don’t think that is a comment on the app, but on how it is logging in to google.

    Google also offers a new very complex login interface for its apps, know as OAuth 2.0. This protocol is desirable and basically a replacement for traditional password access.

    I don’t support Oauth 2.0 at this time. It is a bear to set up on the google side (for you, the user — each account has to go through the process ) and unless you are using a lot of apps from google, it may not be worthwhile. I don’t think many users would be ready to go through that. But let me know how you feel about it after reading this page.

    Are you using two factor identification for your google account? I use two factor identification for my regular google login. Then, to set up WP Issues CRM, I use an app specific password. That is one much easier way to improve security.

    I am near the end of preparing a major upgrade of this app which will include big user interface improvements in the email functionality. It will be more intuitive — more like a typical inbox.

    This is a good time to request enhancements in the email functionality, so please do follow up with more questions and comments and let me know if you really want Oauth — I might be able to work it in.

    Plugin Author Will Brownsberger


    I’ve further researched this issue. See my further comment under the title “Gmail and WP Issues CRM” in this forum.

    WP Issues CRM is really not an “app” in the same way that other apps might be “less secure” — each WP Issues CRM user is creating their own app; there is no central place where passwords might be compromised.

    Plugin Author Will Brownsberger


    Bottom line of this piece is: If you are using gmail, you should be using two-factor identification security anyway and WP Issues CRM works with an app specific password.

    WP Issues CRM supports both reading and sending of email through industry standard SSL/TLS encrypted connections. For incoming email, it uses the standard PHP extension that implements the industry standard Internet Message Access Protocol. For sending email, it support several different protocols, most importantly, SMTP which allows you to connect with essentially any outgoing mail server.

    Gmail supports access for both sending and receiving using IMAP and SMTP over SSL. Google has also been part of an industry effort to develop a new login (“authentication”) approach for initiating IMAP and SMTP connections over SSL. That approach is known as Oauth. WP Issues CRM does not, at this time, support Oauth.

    The central idea of Oauth is to allow apps to access to user-specific data (e.g. email messages ) that reside at Google without actually sharing Google login passwords with the apps. Instead, the app developer manually registers with Google and when users want to grant the app access to Google data, they do so directly from their Google account and Google then sends a unique access token to the app.

    This approach is most important in the case of centralized apps like say your favorite sports activity logging application which you might want to give access to your Google (or Facebook) account to gather some personal data. Without Oauth, your sports app would have to know your Google account password and everyone else’s Google account password. So would every app that wanted to get Google information about you. The result would be multiple copies of login information for Google users residing on lots of servers and Google would be much less secure.

    Oauth is not so relevant in the case of a WordPress plugin like WP Issues CRM. WP Issues CRM does not store information in any central place. You get your own copy of WP Issues CRM and it does not “phone home” to send data about you in any way. It is not like an app that runs on your phone and interfaces with a central server that supports other users. Your copy of WP Issues CRM only supports you.

    WP Issues CRM does store the passwords that you supply for logging in to email and if your WordPress server was hacked, they could be exposed. But at that point, the app specific credentials that you get through the Oauth process would also be exposed. So, although the marginal security advantage offered by Oauth is not zero for a WordPress plugin like WP Issues CRM, it is much less than in it is for an app that is served centrally.

    The best alternative to Oauth to protect your password is to use two-factor identification. That way if someone ever does steal your password, they will have a hard time logging into your account. Once you set up two factor security on your account, you can also get an application specific password that allows WP Issues CRM to login.

    So, for now, if you wish to use WP Issues CRM to access a gmail account, you should be using two-factor identification to protect your password, but cannot use Oauth.

    We’ve researched what would be entailed to add Oauth support to WP Issues CRM — overall, it would force big changes. On the outgoing side, it is not hard. It is easy enough, using standard libraries that could be packaged with the plugin, to access Google to obtain Oauth credentials. It is also straightforward to use those credentials for outgoing email. The standard PHPMailer, which is packaged with WordPress and which WP Issues CRM uses for SMTP outgoing mail, does support Oauth. However, the IMAP functions in PHP, which we use for reading email do not support Oauth, so we would have to switch to using a completely different library of IMAP functions. The only candidate we know about, the Zend framework does not support all actions that WP Issues CRM currently takes through IMAP (e.g., folder creation). Additionally, it does not appear to support message access by UID.

    An interesting alternative would be to depart completely from the IMAP/SMTP framework and use the direct GMail API but Google does not seem to recommend this for heavier read/send activities.

    One additional reason that adding Oauth for WP Issues CRM does not make sense is the burden involved for users. Since there is no central app, each copy of WP Issues CRM is its own app from the standpoint of Oauth. Each person who installed WP Issues CRM would have to master the Google credentialing process to create their app credentials. Google has made the process clearer, but it is still involves many steps in an environment that is unfamiliar to most users.

    Given the availability of two factor identification as a password protection approach, it doesn’t seem like the benefit remotely approaches the cost and uncertainty involved in getting away from the PHP IMAP functions. That is especially the case since Oauth is not truly a standard, it is really an approach and the development involved for Google Oauth would not necessarily improve the interface with any other email provider. The main reason for us to do it would be to avoid having Google call us a “less-secure” app, but that labeling advantage does not seem like enough reason to invest in it.

    But let us know if we are wrong — we’d be very interested to hear if you feel Oauth support would be valuable for you and why.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Gmail identifies this as a ‘less secure app’’ is closed to new replies.