Should You Allow “Less Secure Apps” to Access Your Gmail?

Gmail is an extremely widely used email platform and as such has a ton of malicious actors out there. People are constantly trying to find exploits, to hack the system, to gain access to Gmail data for millions of people.

Google, to their credit, does a lot of work both up-front and behind the scenes to make it a safer platform to use. Everything in their spam filters, their attachment scanning, and their email warnings is part of their user protection system. They’ve even turned their machine learning systems towards the problem, to intelligently identify almost unnoticeable signs that an email may be fake.

No system will ever be perfect and nothing can protect a user from themselves, but what Google can do is protect users from as many incidental threats as possible.

One such means of protection is the “less secure apps” setting in Gmail. So what is this setting, and is it safe to allow?

All About Less Secure Apps

First of all, where do you find this setting, if you want to enable or disable it? It’s not difficult to find.

• Log into your Gmail account.
• Click on your profile image in the upper right corner.
• Click on “Google Account”
• In the left sidebar, click Security.
• Scroll down to the Less Secure App Access box.

Here you can turn on or off access for less secure apps.

So what does this setting do? Well, as it says on the tin, it either allows or disallows apps Google deems “less secure”. If it’s enabled, those apps can access your Google/Gmail account. If it’s disabled, which Google recommends and which is usually the default, those apps will not be able to access your account.

Apps that are less secure may not have proper security on their own authentication, or may have known security issues, or may have been compromised in the past. They may also want to access certain parts of the Gmail or Google APIs that are sensitive, like authentication or payments. The primary reasons an app may be considered less secure are:

• The app does not specify what permissions or access it is requesting and simply asks you to grant them.
• The app requests permission to access more of your account than is necessary for its purposes. For example, a game requesting access to your calendar app.
• The app requires you to give your password to their system to access your Google account, rather than using the standard Google oAuth system.
• The app makes it difficult to disconnect your Google account from its system.

There are generally four reasons why an app might be considered less secure.

1. The app was created by a novice developer. New developers don’t tend to think in terms of scope, they just request all permissions and build their apps from there. If they never prune down permissions later, the app will be deemed less secure.
2. The app requests permissions it doesn’t need, but that the developer thinks it might need in the future. Some developers try to plan ahead and request permission for features they don’t yet use. Until they expand those features, the app will likely be considered less secure.
3. The app is an advanced tool that needs access to sensitive systems, but is otherwise trustworthy. Many great tools and Gmail expansions are considered less secure because of the features they manage, but are trustworthy themselves.
4. The app is malicious. There will always be bad actors out there. Sometimes the app developer is a Trojan horse, waiting until they have a sufficient user base to cut and run. Sometimes they just harvest information in the background and sell it. You never know for sure.

One thing to note here is that the “less secure apps” setting is a Google account setting, not just a Gmail setting. It applies to Gmail apps, as well as games for your mobile device using Google Play, and other app sources that request access to Google services, like Calendar or Drive.

You can read more details straight from Google in this help center article.

Digging Deeper

This section is a bit more technical. If you don’t care about what, specifically, Google permissions are and how they’re divided, you can go ahead and skip to the next section. I find it fascinating, so I’m covering it.

Google divides up app permissions into different chunks. If you’ve ever, say, downloaded a new phone app from Google Play, you’ve likely encountered the app asking for permissions related to your phone and your Google account. It might ask for the ability to:

• See basic profile information. This is a very basic level of access where the app can request information about you from your profile. This is basically just your name, email address, and profile picture, which it can then use to auto-fill fields in the app. This is automatically granted when you allow an app to use your system.
• See some information in your Google account. This setting allows the app to request access to additional information from your account, such as YouTube playlists, contacts, and photos. For a mobile game, this isn’t something you want to allow. For a YouTube app, a photo app, or a contacts app? Sure.
• Edit, upload, or create content. This allows the app to do things like upload content to a linked YouTube channel, upload photos to your photo stream, or add new events to your Google calendar. This is common among Gmail apps that manage appointments, for example.
• Full access. Full account access allows an app to do anything you can do. Some high-end profile management suites require this, but if a mobile game or a one-note Gmail plugin is asking for this kind of permission, it’s probably a bad idea to grant it. The only thing this access doesn’t allow is system-level tasks like changing passwords, deleting your account, or using Google Pay.

All manner of “apps” can be considered less secure and can be given various levels of access to Google accounts and Gmail in particular. This includes actual phone apps, web-based apps, websites, and plugins. Anything that wants to access a feature of Gmail to allow the app to change it will need access of some form or another.

Should You Enable Access by Less Secure Apps?

So here’s the real question: should you allow less secure apps to connect to your Gmail account?

I’m going to be unhelpful here and tell you the answer is “yes and no.”

What should you consider before you enable less secure app access? Answer these questions:

1. How secure is the app, site, or plugin that is using this access? If you’re giving your own company access, do you trust your company with that access? If you’re giving a third party access, do you trust their security? After major breaches like Equifax’s reveal that even major corporations make beginner-level security mistakes, it’s a good idea to distrust pretty much everything you can’t control. Remember that if their servers are compromised and hackers gain access to their data, they can use that data to compromise whatever information you’ve given them through Google permissions.
2. How does the app use the access it asks for? If the app is, say, a productivity app that converts emails into tasks on your calendar, sure, it needs access to your calendar and the associated permissions. On the other hand, if it’s something like a Gmail signature storage plugin, it probably doesn’t need access to anything other than the ability to copy and paste, which don’t require Google permissions.
3. How much control do you have over the data the app collects and harvests? Can you approach the company and request a copy of the data they’ve harvested, or can you ask them to delete data you don’t want them to have, and will they honor the request?
4. Is the site or app up-front about when they change their policies or terms? If they change their privacy policy to allow them to harvest more of your data, will they tell you, or do you just have to read the privacy policy every few months to make sure it hasn’t changed?

All of this will help you determine whether or not an app is actually deserving of access, or whether you should look for a more secure alternative.

No, you should not allow access by less secure apps. This is the primary answer. This is why Google’s system defaults to disallowing such access, and it’s why, if you don’t use any of your less secure apps for several months, Google will automatically change the setting to disallow access again, forcing you to re-enable it if you want to use one of those apps again.

The primary driving factor for whether or not an app is considered less secure is if it uses oAuth 2.0. If it uses an older or less secure version of the login protocol, Google will consider it less secure. Updating the login protocol is enough to get an app to be secure again.

Many less secure apps have alternatives that are fully secure. For example, Outlook for Windows is less secure, but the web-based Outlook is secure. Apple Mail with POP3 is less secure, but configuring it to use Google oAuth is more secure. Thunderbird is less secure, but using Thunderbird IMAP is more secure.

Yes, you should allow access by less secure apps if and only if you need to use a less secure app and cannot upgrade to a more secure version of the app.

For example, I know that a lot of businesses use old legacy tools with institutional knowledge but no working developers. How many times have you encountered a horror story about having to, say, install a specific old version of Java to get an app to work, or installing a specific old version of Outlook to get certain proprietary software to work with it?

If it is critical to your business infrastructure and workflow, then fine, enable access from less secure apps. However, it is strongly recommended that you either switch to a more secure version as soon as possible, or that you get a developer to upgrade your in-house app to make it more secure so you can use it without having to tweak this setting.

By the way, if you’re an IT specialist for your company or if you’re the head of information security, you may want more overall control over your enterprise G Suite security. You can get domain-level access and monitoring through G Suite with the tools they provide. I haven’t dug deep into it – I don’t manage a corporate office information security division – but you can read about it here. In addition to having selective or overall control over who can allow access, you can also use account activity reporting to monitor who has less secure access enabled, and what they’ve been doing with it.

Since less secure access can be a security liability, it’s a good idea to keep an eye on who is using it and for what purpose, so you can make sure they aren’t installing apps they shouldn’t.

So, there you have it. In general, I recommend staying away from less secure apps as much as possible, limiting permission to your information, and keeping yourself safe. Once the cat is out of the bag, there’s no putting it back.