K-9 Mail (future Thunderbird for Android) adds OAuth 2.0 support
A new update for the open source Android email client K-9 Mail introduces support for OAuth 2.0. The long-requested feature adds authentication support for Google's Gmail, Yahoo Mail, AOL Mail, and personal Microsoft accounts.
K-9 Mail, which will become Thunderbird for Android in the near future, is a popular mobile email client for Android. The app will stick to the original name for now, but will be renamed eventually. New features and improvements will be introduced before that happens to make sure Thunderbird desktop users have a positive user experience.
One of the main issues that users of K-9 Mail ran into was missing OAuth support, as it prevented Gmail from working with the client. Google made OAuth 2 mandatory for Gmail, dropping support for other authentication options.
The new K-9 Mail release for Android addresses the issue. Once updated, K-9 Mail users may once again integrate Gmail with the client to use all of the client's functionality with their Gmail accounts. The other supported services work with OAuth as well now.
K-9 Mail 6.2 is already available on Google Play and the project's GitHub website. Users who have installed the email app via Google Play should receive the update automatically, provided that automatic updates are enabled via Google Play. The K-9 Mail listing on F-Droid has not been updated, but this will happen in the near future.
A pre-release version of K-9 Mail 6.2 was released two days ago. One of its changes "made the transition of existing Gmail accounts to OAuth 2.0 a bit easier" according to the changelog. K-9 Mail users who have configured Gmail to authenticate using other schemes, e.g. POP3, need to switch the scheme to OAuth 2.0.
The latest version of the email application adds an unsubscribe action to the menu when viewing messages that have an unsubscribe header.
The full changelog is available on the project's GitHub website. FairEmail is another popular choice when it comes to free email clients for Android.
Now You: do you use email apps on your mobile devices?
K-9 Version 6.201 uses WEB OAuth2 authentication to authorize Office365 and Google email accounts. This latest version does NOT create a Google Mothership Tracking Account on your phone if you don’t already have one (which nobody should have but most people do).
Not only did they add OAuth 2 support but they are also the ONLY client that supports OAuth 2 for non-device accounts, i.e. you can have as many Gmail accounts as you want set up on K9 without having to add them to your Android device.
I’ve been looking for this feature for a long time and no other client ever supported it (apparently a very expensive google audit is necessary for it). It’s great to have this in K9/Thunderbird (which I’ve been using for years).
I have always loved & respected Martin Brinkmann over the years, but in this case Martin left out a critically important detail which is OAuth2 on K-9 Mail will NOT work UNLESS the user ALSO has a Google Account set up on his Android device (which most have, but MANY do not).
The reason this particular K-9 Mail implementation of OAuth2 REQUIRES that Google Account is obvious ONLY if you know the key detail that Martin surely knows which is there are two ways to authorize with OAuth2 that Google will accept, but K-9 Mail is using only one of those two ways.
What Martin didn’t mention is that Google requires an annual security audit if OAuth2 is done the way Thunderbird on the PC does it (notice that TB does NOT require a Google Account set up on the device!).
That’s because Mozilla pays for the yearly annual audit to Google’s satisfaction but K-9 Mail does NOT (at least not yet).
This makes K-9 Mail still worthless to many of us who do NOT have a Google Account on Android but we can HOPE that Martin will let us know when/if the Thunderbird-supported K-9 Mail of the future will allow OAuth2 authorization the same way that Thunderbird does it on the PC.
It’s working fine with non-device accounts. The ONLY client that I’ve found that does.
It’s implemented via Android’s “Add Account” option and thus I refuse to use it.
Still no gmail on my phone then. Thanks for the heads-up.
This. Why there is not an option to use a browser for sign-on is baffling, but then again it is Google. Kinda defeats the purpose if at the end of the day I have to use a Google account on an Android device to use an email client.
I agree with Yash, where the problem arises for those who do not want to use 2SV/2FA/MSV/MSV (whatever you want to call it, where you need a “second something” which Google is so desperate to get from you) for privacy reasons.
Given privacy is different than security for this purpose, those of us who do NOT want to give Google permanently a “second something” relish that OAuth2 for PC based clients such as Thunderbird utilize “web authorization” of OAuth2. Google REQUIRES an annual security audit for anyone using that type of OAuth2 authorization, which K-9 Mail did not perform (obviously).
The point is that those of us who loved K-9 Mail until May 30th 2022 when Google changed the rules on them can no longer use K-9 Mail if we also don’t have a Google Account set up on our phones (as part of the Android settings in “Accounts”, which we do for privacy reasons).
Unfortunately, we STILL can no longer use K-9 Mail without a “second something”, where that second something is either we have to set up a Google Account on our phone (which we will NEVER do) or we have to give Google a private “second something”, which I admit takes the form of lots of things (tokens, email, phone, etc.) all of which REDUCE our privacy.
Keep in mind if you enhance security the way Google is trying to do here, you REDUCE privacy (which is the reason we want OAuth2 to be authorized in K-9 Mail via the web which we can HOPE will be done when K-9 Mail is fully integrated with Thunderbird given we already KNOW that Mozilla pays for that yearly audit to allow OAuth2 via the web).
Currently I have 2FA enabled (with authentication key and backup codes stored in Bitwarden). To use an email client I’ve created app passwords. I’m no security expert but it is more than sufficient. Of course Google wants to push OAuth down our throat. Hopefully like you said with Thunderbird team along, browser sign-on will be possible. This current implementation is pointless.
Yash and many others have 2FA enabled which means that they don’t need OAuth2 because they’re already handing over to Google critical permanent identifiable portions of their privacy via the 2FA for app passwords.
That critical privacy hole could be an app such as FreeOTP Authenticator, Google Authenticator, Authy, FreeOTP+, etc., or it could be via USB tokens, or Time-based one-time passwords (TOTP), or maybe SMS 2FA, or maybe the phone has a built-in security key, or maybe they own a physical security key, or they obtained a one-time security code from another device, or enabled 8-digit backup codes, or connected via QR codes, or set up the device as a “trusted computer for sign in”, or whatever.
Every one of those is trading privacy for security because they all require 2FA. At least OAuth2 via the web trades LESS privacy for security than what most people give Google for their 2FA second critical piece of data about them.
@Pedro D’Anza
Mate you’re enabling 2FA in a Google account. There isn’t anything remotely close to protect privacy in the first place. 2FA doesn’t reduce privacy unless you’re using phone numbers and Android device for prompts and even then your account hasn’t become more unique.
> The K-9 Mail listing on F-Droid has not been updated, but this will happen in the near future.
I’m using v 6.100 from F-Droid, and it already has OAuth 2.0 for Google, AOL and Yahoo. I know because I could disable 2FA on my Google accounts, needed for app passwords, like three weeks ago. I believe the difference is that 6.2 is a stable release, and I don’t know if F-Droid shows pre-releases by default.
Thanks for your journalism Martin!
It is an inevitable fact that Mozilla will transform the excellent K9 software into a bloated telemetry-collecting platform. So the 6.0 version is a good version to stop updating this application.
And who cares about the inability to use Gmail?
Who cares about Gmail? Maybe the hundreds of millions of Gmail users, both free and paying? I personally use Google Workspace myself.
If you like to share your personal/work info with multiple special agencies, then go ahead and use it.
Doesn’t matter if you like it or not. It’s the most popular email on the planet.
Enjoy your outdated app.
muh muh muh muh telemetry!!!1!!
“Google made OAuth 2 mandatory for Gmail, dropping support for other authentication options.”
This is not true. It is still possible to access Gmail via third-party clients by using app passwords.
Thanks for this post. I’m really happy K9 is getting new life injected into it.
I was really, really surprised to read in the opening of this post that apparently, AOL Mail still does exist! This so surprised me that I immediately ducked it, to verify that indeed, this was no weird foggy-boomer mistake.
I must give it to Ghacks: from time to time, one will learn the most unexpected new (or old) facts here…
My unscientific observation is that many lawyers in the US who got an AOL email address decades ago tend to stay with their choice forever.
“Now You: do you use email apps on your mobile devices?”
I use Gmail on my iPhone SE (3rd gen). The only minor problem is it only shows the last 200000 emails vs the 500000 that are in All Mail.