Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
Right.. the permission that shows up when I access account manager isn't as clear as the permissions when you first download the app. It strikes me funny that the ability to access the account manager is a manifest permission, but then you need to bother the user at runtime for yet another permission. Why not just make it part of the app installation permissions from the start.. although I suppose the answer for that is that most users won't know what it means at that time, so I am OK with that I suppose. I just wish there was a way to customize the permission popup that occurs so we could make it more app specific user friendly. It seems the only thing I can do is provide info in my description and hope users read it so they understand why my app is asking for that permission and what benefit they get from allowing my app to use it on their behalf. On Tue, Jan 15, 2013 at 9:39 PM, Kristopher Micinski krismicin...@gmail.com wrote: I don't see why this would necessarily be a bad thing: it's just part of the security policy of the app. Of course, there's not really a let an app send email as me permission, but you could imagine making this as an app's configuration. (Of course, there is a permission that allows you access to accounts, but it doesn't convey the same idea..) Kris On Sun, Jan 6, 2013 at 12:01 PM, Lew lewbl...@gmail.com wrote: Nikolay Elenkov wrote: Kevin Duffey wrote: This article seems to indicate an XOAUTH2 with email.. going to give it a shot.. but still can't find anything indicating that this is allowed or supported. It would be good to find out if we can use the email service without user intervention (except for the initial pop-up in the app that asks for user permissions), or if google does not want apps to send out emails on behalf of users using their gmail accounts even IF the app describes it and the user accepts. OAuth 2.0 is certainly not deprecated. You already have the link in the SO answer, but here it is again: https://developers.google.com/google-apps/gmail/oauth_overview Whether or not it is OK to use this in an app is another matter. You should make it clear to users that you want to send email from their account and give them an option to opt out. To make sure the whole thing is legal, etc. hire a lawyer to draft your terms of use/privacy policy, etc. Also make sure users actually accept it before using the app. Disclaimer: IANAL, so take this with a grain of salt. And tell us the name of the app so I can be sure *NEVER* to use it. -- Lew -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
On Thu, Jan 17, 2013 at 12:56 PM, Kevin Duffey andjar...@gmail.com wrote: ... It strikes me funny that the ability to access the account manager is a manifest permission, but then you need to bother the user at runtime for yet another permission. Why not just make it part of the app installation permissions from the start.. Because there are an infinite number of tokens possible and permissions are granted per-token. You can grant an app access to your Google Reader feed, but not to your GMail inbox, etc. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
Yes..true.. and there isn't a way for the manifest to know what your code tries to access at runtime either. My primary issue is the current pop-up at runtime isn't very friendly. I will provide a video of using my app and explain why that pop-up occurs.. but still would be nice if we could customize it. I haven't looked to see if we can so if there is a way, great. On Wed, Jan 16, 2013 at 8:04 PM, Nikolay Elenkov nikolay.elen...@gmail.comwrote: On Thu, Jan 17, 2013 at 12:56 PM, Kevin Duffey andjar...@gmail.com wrote: ... It strikes me funny that the ability to access the account manager is a manifest permission, but then you need to bother the user at runtime for yet another permission. Why not just make it part of the app installation permissions from the start.. Because there are an infinite number of tokens possible and permissions are granted per-token. You can grant an app access to your Google Reader feed, but not to your GMail inbox, etc. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
On Thu, Jan 17, 2013 at 2:48 PM, Kevin Duffey andjar...@gmail.com wrote: Yes..true.. and there isn't a way for the manifest to know what your code tries to access at runtime either. My primary issue is the current pop-up at runtime isn't very friendly. I will provide a video of using my app and explain why that pop-up occurs.. but still would be nice if we could customize it. I haven't looked to see if we can so if there is a way, great. You can't customize it. You can use Google Play Services to get a token which offers a somewhat more user friendly dialog though. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
I don't see why this would necessarily be a bad thing: it's just part of the security policy of the app. Of course, there's not really a let an app send email as me permission, but you could imagine making this as an app's configuration. (Of course, there is a permission that allows you access to accounts, but it doesn't convey the same idea..) Kris On Sun, Jan 6, 2013 at 12:01 PM, Lew lewbl...@gmail.com wrote: Nikolay Elenkov wrote: Kevin Duffey wrote: This article seems to indicate an XOAUTH2 with email.. going to give it a shot.. but still can't find anything indicating that this is allowed or supported. It would be good to find out if we can use the email service without user intervention (except for the initial pop-up in the app that asks for user permissions), or if google does not want apps to send out emails on behalf of users using their gmail accounts even IF the app describes it and the user accepts. OAuth 2.0 is certainly not deprecated. You already have the link in the SO answer, but here it is again: https://developers.google.com/google-apps/gmail/oauth_overview Whether or not it is OK to use this in an app is another matter. You should make it clear to users that you want to send email from their account and give them an option to opt out. To make sure the whole thing is legal, etc. hire a lawyer to draft your terms of use/privacy policy, etc. Also make sure users actually accept it before using the app. Disclaimer: IANAL, so take this with a grain of salt. And tell us the name of the app so I can be sure *NEVER* to use it. -- Lew -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
This article seems to indicate an XOAUTH2 with email.. going to give it a shot.. but still can't find anything indicating that this is allowed or supported. It would be good to find out if we can use the email service without user intervention (except for the initial pop-up in the app that asks for user permissions), or if google does not want apps to send out emails on behalf of users using their gmail accounts even IF the app describes it and the user accepts. http://stackoverflow.com/questions/12503303/javamail-api-in-android-using-xoauth On Sat, Jan 5, 2013 at 11:59 PM, Kevin Duffey andjar...@gmail.com wrote: I found some info on that, but from what I have read, it is deprecated.. still available but no longer supported. I don't want to release an app on a deprecated way of doing so. If you have a link to a valid way of doing this that is still supported, I'd appreciate that, but thus far it appears google does not allow the auth token to be used to send emails on behalf of the user's device. On Sat, Jan 5, 2013 at 10:11 PM, Nikolay Elenkov nikolay.elen...@gmail.com wrote: On Jan 6, 2013 12:43 PM, Kevin Duffey andjar...@gmail.com wrote: Hi all, I've been doing quite a bit of googling on this topic and so far despite several examples that seem to fit the bill, nothing quite takes me to an understanding of whether or not I can obtain a device owner's permission to send email out on their behalf. I am testing examples of AccountManager#getAuthToken, but I am not sure if it's possible, even with a pop-up dialog asking the user (in my app) for their permission to do so.. whether or not I can obtain a token that can then be used with gmail api's to send out email with. Yes. You can obtain an OAuth token which lets you authenticate to gmail's SMTP sever and send email with the user's account. Check Google's documentation for the exact protocol. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
On Sun, Jan 6, 2013 at 5:34 PM, Kevin Duffey andjar...@gmail.com wrote: This article seems to indicate an XOAUTH2 with email.. going to give it a shot.. but still can't find anything indicating that this is allowed or supported. It would be good to find out if we can use the email service without user intervention (except for the initial pop-up in the app that asks for user permissions), or if google does not want apps to send out emails on behalf of users using their gmail accounts even IF the app describes it and the user accepts. OAuth 2.0 is certainly not deprecated. You already have the link in the SO answer, but here it is again: https://developers.google.com/google-apps/gmail/oauth_overview Whether or not it is OK to use this in an app is another matter. You should make it clear to users that you want to send email from their account and give them an option to opt out. To make sure the whole thing is legal, etc. hire a lawyer to draft your terms of use/privacy policy, etc. Also make sure users actually accept it before using the app. Disclaimer: IANAL, so take this with a grain of salt. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
Nikolay Elenkov wrote: Kevin Duffey wrote: This article seems to indicate an XOAUTH2 with email.. going to give it a shot.. but still can't find anything indicating that this is allowed or supported. It would be good to find out if we can use the email service without user intervention (except for the initial pop-up in the app that asks for user permissions), or if google does not want apps to send out emails on behalf of users using their gmail accounts even IF the app describes it and the user accepts. OAuth 2.0 is certainly not deprecated. You already have the link in the SO answer, but here it is again: https://developers.google.com/google-apps/gmail/oauth_overview Whether or not it is OK to use this in an app is another matter. You should make it clear to users that you want to send email from their account and give them an option to opt out. To make sure the whole thing is legal, etc. hire a lawyer to draft your terms of use/privacy policy, etc. Also make sure users actually accept it before using the app. Disclaimer: IANAL, so take this with a grain of salt. And tell us the name of the app so I can be sure *NEVER* to use it. -- Lew -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
Dang.. hire a lawyer.. getting more expensive to publish an app every day! What's that cost.. a few grand at least? lol. Nikolay.. not sure why you made that comment? While I can understand that authorizing an app to use some of your information is not for everyone.. I believe part of why AccountManager is part of the Android APIs is to ensure that a person's info is secure and an app can only access tokens of some sort that could not be abused by an app... furthermore.. an app, I would assume, would gain a bad following and not do well at all if it were misusing the tokens. In my case, I am learning Android and since there are 700,000+ apps out there.. there really isn't much not thought of these days... so while learning I am just trying to think of things that would make my life easier. One of them is.. not having to manually type in email addresses using the external email intent when sending out emails. I hate an app that takes me away from it to use other apps features, like cameras, emails, sms, etc. If one app can, with some permissions, save me time and be of use, then I am fine with allowing it to do so. I would ALSO depend on the description being clear (and/or a video, pics, separate web site, etc) and explaining WHY permissions would be required. I think as I've read on some blogs on polishing apps.. an app that just pops up permission requests with no clear reason as to why it's needed.. I would not trust it either. In my case, I would/will explain all the reasons for what permissions a user might need to auth in the app itself, and would provide a video and web site to provide more info, plus email to support any questions. As for not being able to use it.. it's part of the google API on their site so I would assume it should be OK. On Sun, Jan 6, 2013 at 10:01 AM, Lew lewbl...@gmail.com wrote: Nikolay Elenkov wrote: Kevin Duffey wrote: This article seems to indicate an XOAUTH2 with email.. going to give it a shot.. but still can't find anything indicating that this is allowed or supported. It would be good to find out if we can use the email service without user intervention (except for the initial pop-up in the app that asks for user permissions), or if google does not want apps to send out emails on behalf of users using their gmail accounts even IF the app describes it and the user accepts. OAuth 2.0 is certainly not deprecated. You already have the link in the SO answer, but here it is again: https://developers.google.com/**google-apps/gmail/oauth_**overviewhttps://developers.google.com/google-apps/gmail/oauth_overview Whether or not it is OK to use this in an app is another matter. You should make it clear to users that you want to send email from their account and give them an option to opt out. To make sure the whole thing is legal, etc. hire a lawyer to draft your terms of use/privacy policy, etc. Also make sure users actually accept it before using the app. Disclaimer: IANAL, so take this with a grain of salt. And tell us the name of the app so I can be sure *NEVER* to use it. -- Lew -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
On Mon, Jan 7, 2013 at 7:24 AM, Kevin Duffey andjar...@gmail.com wrote: Nikolay.. not sure why you made that comment? Because you said you are worried whether this is allowed. While I can understand that authorizing an app to use some of your information is not for everyone.. I believe part of why AccountManager is part of the Android APIs is to ensure that a person's info is secure and an app can only access tokens of some sort that could not be abused by an app... APIs for sending SMS and reading your contacts are also part of the API, but that doesn't mean it's OK to send messages to premium numbers or spy on your users. If you can read and send email with someone's account you can reset their password(s) for other sites and gain access to what not, that's why it's somewhat sensitive. The platform will try to make sure the user knows what's happening, but can't really prevent abuse by a potentially malicious app in every possible case (not saying your app is malicious). It's your app, so you can't really say 'Android allows (whatever) so it's not my fault'. Whether or not you need a full-blown privacy policy/EULA/other scary legal document or just a simple confirmation dialog is for you to decide. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
Not sure I agree with your sentiment with regard to how you are saying it. Millions upon millions have trusted facebook with login.. and google with checkout and paypal, etc. Not sure why they wouldn't trust their own device's capabilities to prevent apps from using their username/password.. it's not asking for that.. and maybe I don't understand OAuth very well..but I thought one of it's purposes was to provide tokens that are limited in time and/or use, and/or at least protect end users by not providing full access to all their information. Furthermore, from what I can tell, the token I get to access mail only allows me to access mail, not other accounts. I am new to this so maybe it does allow for more.. but then like I said, if an app abuses it, I would hope the voting system, and if need be google removing it stop it short of being too destructive. I do agree though that users should be cautious, and that is why at least for me, providing information that explains why the permissions are needed at least allows end users to decide if they want to make use of the feature of my app. In my case, it's one of several things my app will do, and end users can choose to authorize my app to use their token, or end up using the external email client. The latter case will be more cumbersome because of all the typing/touching involved to find email addresses (or enter them completely), but it would be an option if they do not trust my app to send out emails on their behalf. On Sun, Jan 6, 2013 at 5:40 PM, Nikolay Elenkov nikolay.elen...@gmail.comwrote: On Mon, Jan 7, 2013 at 7:24 AM, Kevin Duffey andjar...@gmail.com wrote: Nikolay.. not sure why you made that comment? Because you said you are worried whether this is allowed. While I can understand that authorizing an app to use some of your information is not for everyone.. I believe part of why AccountManager is part of the Android APIs is to ensure that a person's info is secure and an app can only access tokens of some sort that could not be abused by an app... APIs for sending SMS and reading your contacts are also part of the API, but that doesn't mean it's OK to send messages to premium numbers or spy on your users. If you can read and send email with someone's account you can reset their password(s) for other sites and gain access to what not, that's why it's somewhat sensitive. The platform will try to make sure the user knows what's happening, but can't really prevent abuse by a potentially malicious app in every possible case (not saying your app is malicious). It's your app, so you can't really say 'Android allows (whatever) so it's not my fault'. Whether or not you need a full-blown privacy policy/EULA/other scary legal document or just a simple confirmation dialog is for you to decide. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
Hi all, I've been doing quite a bit of googling on this topic and so far despite several examples that seem to fit the bill, nothing quite takes me to an understanding of whether or not I can obtain a device owner's permission to send email out on their behalf. I am testing examples of AccountManager#getAuthToken, but I am not sure if it's possible, even with a pop-up dialog asking the user (in my app) for their permission to do so.. whether or not I can obtain a token that can then be used with gmail api's to send out email with. I know there is the GMailSender example that uses username/password, but naturally that's not going to fly with end users.. at least most of them would not allow my app to store their username/password for gmail. Given that as far as I know just about everyone with an android device sets up a google account and thus can use gmail (even if they dont).. I was hoping there is a way I can ask the user for permission to use their account info to send out emails from their device as if they had manually sent the email. The purpose is not to send out spam emails or bad emails.. my app would send out emails exactly the way a user would without my app.. only my purpose is to save them time. In other words, the end user, reading my app description, will understand that my app is intended to save them time and would use it for that reason, so typically they would allow my app on their behalf to send gmail emails out for them to save them time. So.. is that possible? Is there a google api that takes an auth token, instead of user/password to send emails out with? I liken this to a site asking a user to use Facebook to login.. if a user accepts, that site has a token for some amount of time they can use to log in the user via facebook login. I'd like to do the same thing in my app.. only with various apis, google mail being one of them. Thank you. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
On Jan 6, 2013 12:43 PM, Kevin Duffey andjar...@gmail.com wrote: Hi all, I've been doing quite a bit of googling on this topic and so far despite several examples that seem to fit the bill, nothing quite takes me to an understanding of whether or not I can obtain a device owner's permission to send email out on their behalf. I am testing examples of AccountManager#getAuthToken, but I am not sure if it's possible, even with a pop-up dialog asking the user (in my app) for their permission to do so.. whether or not I can obtain a token that can then be used with gmail api's to send out email with. Yes. You can obtain an OAuth token which lets you authenticate to gmail's SMTP sever and send email with the user's account. Check Google's documentation for the exact protocol. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Is it possible to obtain credentials to send emails via gmail on behalf of a user?
I found some info on that, but from what I have read, it is deprecated.. still available but no longer supported. I don't want to release an app on a deprecated way of doing so. If you have a link to a valid way of doing this that is still supported, I'd appreciate that, but thus far it appears google does not allow the auth token to be used to send emails on behalf of the user's device. On Sat, Jan 5, 2013 at 10:11 PM, Nikolay Elenkov nikolay.elen...@gmail.comwrote: On Jan 6, 2013 12:43 PM, Kevin Duffey andjar...@gmail.com wrote: Hi all, I've been doing quite a bit of googling on this topic and so far despite several examples that seem to fit the bill, nothing quite takes me to an understanding of whether or not I can obtain a device owner's permission to send email out on their behalf. I am testing examples of AccountManager#getAuthToken, but I am not sure if it's possible, even with a pop-up dialog asking the user (in my app) for their permission to do so.. whether or not I can obtain a token that can then be used with gmail api's to send out email with. Yes. You can obtain an OAuth token which lets you authenticate to gmail's SMTP sever and send email with the user's account. Check Google's documentation for the exact protocol. -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
