Google is working with the likes of Mozilla and Yahoo to standardize the feature

Mar 31, 2010 10:07 GMT

Google has just announced a great new feature in Gmail, which enables third-party apps to access your email securely using the OAuth authorization protocol. Developers can now gain access to your Gmail account without being forced to ask for your password. This creates a much safer and friendlier environment for developers and users alike and could mean that you'll be seeing a lot more apps building additional functionality on top of your email service. In fact, it's happening right now, as a couple of companies have already announced support for the new feature.

"In addition to making it easier for users to export their data, we also enable them to authorize third party (non-Google developed) applications and websites to access their data at Google," Eric Sachs, senior product manager at Google, said.

"While it is possible for a user to authorize this access by disclosing their Google Account password to the third party app, it is more secure for the app developer to use the industry standard protocol called OAuth which enables the user to give their consent for specific access without sharing their password. Most Google APIs support this OAuth standard, and starting today it is also available for the IMAP/SMTP feature of Gmail," he announced.

Gmail has been offering support for IMAP/SMTP since 2007. With IMAP, desktop email clients or any other third-party app can access all the basic Gmail features like messages or contacts, can send or receive emails, and can also keep in sync with the email server, for example when marking a message as 'read.' However, to access Gmail through IMAP, users have to provide the apps with their Google-account credentials, including their password. This creates a big security issue: it's enough for one app to fail for your account to be compromised.

With OAuth, which is the emerging web standard for authorizing data access for third parties, users won't have to disclose their passwords. When an application needs to access their Gmail account, they can grant it access to the data in a secure and manageable way. This access can be revoked at any time, and the password is known only to Google. One company, Syphir, is already using the OAuth for Gmail feature in its SmartPush app for the iPhone. Web backup service Backupify is also expected to announce support very soon. Google says it is now working with other major web players, like Yahoo and Mozilla, to create a standard way of combining OAuth with IMAP/SMTP, which could then be implemented by any email provider.