Password and Account Security When Using Third Party Email and Calendar Apps

Apr 13, 2017
10
0
510
Hi All,

I've always wondered... if you use a 3rd party email program, like Mozilla Thunderbird, or the Mail app in iOS, and you type in to it your Gmail account and password, doesn't that basically give that company total access to your email account? Couldn't Apple or Mozilla then technically read all your emails and stuff like that?

Same question for 3rd party calendar apps. Anything that syncs with your Gmail account and calendar.

I know many people do this, and it appears safe, but it always felt not safe somehow.

Any insights will be appreciated!
Thanks
 
Solution
Unfortunately, not really. You're always going to be trusting them at least a little - even if they couldn't send your password, they could still send everything in your inbox, or send an email you didn't tell them to...

OAuth2 tries to reduce the danger a little - the app directs you to an e.g. Google webpage, you enter your password there, then google sends a token back to the app. But the page can still be forged, and the app can usually still do a lot with the token.

There is also the possibility of e.g. iOS capturing everything you enter with the keyboard (including passwords), and sending it back to apple.


No.
The conversation exists between the mail client on your PC and gmail. Mozilla does not enter into it.
And this is HTTPS. Encrypted.
 


Thank you. How about non open-source ones? Like what about Apple on the iPhone? Or other 3rd party apps that ask for your Gmail login? I know you can't vouch for all their security systems, but is it possible that these would send your user name and password back to the parent company? And they could then log into your account and gather data or read your emails?

 
Unfortunately, not really. You're always going to be trusting them at least a little - even if they couldn't send your password, they could still send everything in your inbox, or send an email you didn't tell them to...

OAuth2 tries to reduce the danger a little - the app directs you to an e.g. Google webpage, you enter your password there, then google sends a token back to the app. But the page can still be forged, and the app can usually still do a lot with the token.

There is also the possibility of e.g. iOS capturing everything you enter with the keyboard (including passwords), and sending it back to apple.
 
Solution