|Recent Android app update prevents third-party apps from using com.google.android.gm.permission.READ_GMAIL. Why?||kebab3000||7/29/11 12:27 AM|
Explain your issue in full detail here:
After installing the update from 29th July 2011. My apps are no longer granted the com.google.android.gm.permission.READ_GMAIL permission. LedMeKnow also has a similar problem. Why can we no longer use this?
Please Also Include:
Operating system (e.g. WinXP): Android 2.3.3
Program and version you use to access Gmail (e.g. Internet Explorer 7 or Outlook 2003): Android Gmail 2.3.5
Your antivirus software (e.g. Norton 2007): N/A
Any extensions, toolbars or plug-ins: N/A
LedMeKnow, Gmail Label Speaker and ADWNotifier are affected
LauncherPro GMail widget also affected
|Re: Recent Android app update prevents third-party apps from using com.google.android.gm.permission.READ_GMAIL. Why?||Joël Bourquard||7/29/11 4:27 AM|
Yes, I can confirm this problem. Very annoying! My own test project doesn't work anymore, and the "Gmail unread count" app from the Market doesn't work anymore either.
I have also posted about this on Google+. It's back to GMail 188.8.131.52 for me, until this is fixed. Google, please fix this!
|Re: Recent Android app update prevents third-party apps from using com.google.android.gm.permission.READ_GMAIL. Why?||ratson||7/29/11 7:44 AM|
basically this was a great feature we miss....
|Re: Recent Android app update prevents third-party apps from using com.google.android.gm.permission.READ_GMAIL. Why?||codedroid||7/29/11 2:59 PM|
This affected all apps that requested the permission, including my own open sourced "Gmail Notifier". On July 8th, Tim Bray sent out the following email to all developers of apps that would be affected. In a nutshell they are saying that the permission system in Android "does not meet modern security standards". Before the change the user had to grant the permission. If not granted, Gmail data was unaccessible and safe. After the change, the permission has "signature" protection so the users' doesn't matter (thus my conclusion about the permission system). As can be seen below Google is aware of all this so I don't expect them to change stuff back in the near future unfortunately.
Tim Bray twb...@google.com to <me>
Dear Android Developer
In the near future, we are going to make a change which may affect your apps. Historically, the Gmail app has exposed an undocumented Content Provider, protected by a non-public Permission value, that allows apps granted permission by the user to read users' email and also execute live queries. We have determined, as part of our continuous effort to improve the level of security of Gmail, that this API does not meet modern security standards. Therefore, we will be disabling it in the next update to Gmail on Android devices running Froyo and later releases.
We have tested the change against a number of apps in market, including yours, and there were very few crashes. Most developers have been intelligent about dealing with Security Exceptions. So we expect the visible impact of this change to be low. We encourage you to update your app to handle the change as gracefully as possible, and then test your app against Gmail 2.3.5 as soon as it is available in Android Market.
We regret any extra trouble and effort this change may cause you. Having said that, these APIs were undocumented and never part of the official SDK; thus there has never been a commitment from us to maintain them.
Thanks for your attention.
- Tim Bray, on behalf of Android Developer Relations
|kebab3000||7/30/11 4:15 AM|
Jonas... thanks for clearing that up. It would have been nice if Tim Bray contacted everyone. He certainly didn't contact me, and judging by the fact ADWNotifier and LedMeKnow just stopped working makes me think he didn't contact them either.
That aside, I think this was a poor decision to block it without providing more secure alternative. If there was some immediate vulnerability, then blocking it immediately would be fair enough. However, it was 21 days between the warning and the actual update being put on the market, so there wasn't much urgency.
Android allows apps to sign into a Google account. e.g. when Astrid wants to sync with my Google Calendar tasks, it asked me for my permission the first time. GMail should provide a similar way of allowing third party apps to access it.
Maybe a better Android-wide alternative is to change the fact that you can just hit 'accept' for the permissions, and instead force people to accept each individual permission. Sure, some less tech-savvy people won't understand why they have to do it, but it's better than them blindly accepting everything. The way permissions work in Android is nicely done, however what I've mentioned above is a weakness.
Whoever at Google is reading this thread: please comment, and bring this up in your next scrum, development meeting, prioritisation meeting or whatever kind of meetings you have to discuss bugs and new app developments. Ta.
|Lucian PHX||7/30/11 7:21 PM|
You know, it's a very thin line between ignorance and pointing fingers and having google team and devs shifting the blame looks a lot like amateurs and google should k.ow better. They should be a lot more on top of things and communicate with devs so the final product wont be subpar and affect the customers, which ultimately would blame google, as I do, because it's their name and product people are using. So, the way I see it, google says:"I don't care about customer, whatever..if something stops working, let'em choke on it"...way to go google!
This is way Apple tests the products on their App Store and communicates better with devs so people wont have apps that aren't working after an "update"
|p0w4p0ty||7/31/11 7:54 AM|
I was looking for the 'new way' to access gmail unread mails and got here... Very bad news!
I understand that publishing a content provider to read user's mails it's probably a bad idea but just for getting accounts, labels and unread mails per label is that risky?
There will be no option to build an app arround gmail but using the regular gmail API (I guess...) so you will have 2 services running on your phone to gather the same information. Hopefully google will change its mind...
|jtbrown3||7/31/11 4:07 PM|
My favorite Android app "Gmail Label Notifier" is now broken because Google has apparently now BLOCKED access to the Gmail database with it's latest update (v2.3.5) - see this link here for more info: http://www.senab.co.uk/2011/07/29/android-gmail-app-block-3rd-party-tools/
PLEASE REMAIN OPEN GOOGLE (hundreds of Programs, Widgets, and utilities have been affected by this!!)
|andrewpmoore||7/31/11 11:52 PM|
I agree. A really bad approach to blocking it. My app (Light Flow) also broke and there was no communication out beforehand, so I woke to about 50 e-mail from people saying my app didn't work and all my new ratings for the app were 1 star.
It's nice to know they got in touch with some developers! Lucky them, it turned my weekend into one I totally wasn't expecting.
There must be some better approach, even if users have to acknowledge the security issues as in the same way they have to when using a custom keyboard or an app that uses the accessibility service. They come up saying that the app could be capturing you credit card details etc. At least then it's the users choice as to whether to trust the app instead of blindly blocking it all of a sudden.
|andrewpmoore||7/31/11 11:59 PM|
Also, one thing that doesn't really stack up with that. There's a public content provider for SMS data as it's not a google app, it's and android app.
Are they saying that is also not secure enough? Why haven't they done anything about that? It's quite easy to get peoples phone numbers and text details from that database.
|p0w4p0ty||8/1/11 6:16 AM|
I'm absolutely agree with you andrewpmoore. Android should have a mail content provider just like SMSs does and mail clients should use that content provider in order to allow third party apps use it extending its functionalities... If you are free enought to allow one app to read your SMSs you should be free enought to allow an app to get info about your mail too.
Maybe those permissions should be more specifics like allow get labels, allow read mail body, allow get unread number of mails, etc... I know that gmail is not part of android but probably it should be :P
|nickstumpos||8/2/11 1:04 AM|
My app gmailwidget+ is also now broken. This design is very poor Google.
|Joël Bourquard||8/2/11 4:19 AM|
Although I don't personally rely on this functionality, I have to agree with fellow developers here. I don't understand how this quote from Tim Bray (at Google) could be true for any developers affected by this change:
"(...) we expect the visible impact of this change to be low. We encourage you to update your app to handle the change as gracefully as possible, and then test your app against Gmail 2.3.5 as soon as it is available in Android Market."
How could the "visible impact" of this change possibly be "low", if at least 15 well-known apps on the Market rely on it, and they are now broken without any possible solution except using root privileges? From a developer's *and* user's point of view, this change is just a regression which suppresses genuinely useful functionality.
Now of course, the API was never documented so Google could change it or scrap it any time - yes - but why is there no alternative to it? As others have already mentioned, it's just plain stupid to require root privileges or to increase data traffic (ie: poll Google's servers) to obtain information that is already on the phone.
Google, please consider enabling this API for 3rd party apps again. The permissions system does work, and you can rely on it!
|Joël Bourquard||8/2/11 4:22 AM|
Oh, and suppressing API's will not solve the problem of users not looking at permissions when they install stuff. There must be a better way to fight rogue apps that read your e-mail, I'm sure.
|Enrique Suárez||8/3/11 3:43 AM|
I have uninstalled 2.3.5 version
|danieln||8/3/11 11:23 AM|
"Gmail Notifier" was one of my favorite apps in the Android market. The ability to customize the functionality of my android phone, including whether or not an irritating LED blinks every time I receive an email unless I disable notifications altogether, is probably the reason I prefer my Android phone to the iPhone.
If Gmail has the prerogative to remove this popular functionality, I hope they also have the sense to improve their own app to allow us to further customize notifications.
jonasl1983 , thanks for your awesome app.
|Bluepork||8/8/11 5:54 AM|
I am not a developer, nor do I work for the Goog. I'm just a user of widgets. The unread Gmail counter widget suddenly stopped working, then I started getting loads of bugs being thrown up. Being the geek that I am, a trail of websearches led here.
I have to say that from the user end of things, this isn't great.
I'm actually quite surprised that Google themselves haven't provided a gmail widget of their own, as it's such a useful feature of an email system.
I'm posting here in the hope that the more people kick up a fuss, the more likely it is that Google may do something about it!
|RachelColoredGlasses||8/8/11 7:36 AM|
I don't have anything original to contribute, but as I can find no other forum I think Google is likely to attend, let me add my voice to the complaints against their ostensible attempt to fix a non-issue by punishing their customers.
|durgis||8/9/11 8:31 AM|
@RachelColoredGlasses I agree completely.
This new security feature seems ill conceived, and poorly communicated to the developers. I believe that replacing the API with a documented email provider system and deprecating the old API would have been a better choice than simply removing it. Then at least the developers would have been able to respond to the update.
Thanks again for adding the final nail to the coffin of my favorite home screen replacement. Thanks a ton for killing off needed Apps and Widgets without any recourse.
|Liface||8/10/11 8:23 AM|
Please open your API, Google! Labelert depends on it: https://market.android.com/details?id=com.labelert
|REDMAPLELEAF||8/22/11 5:57 AM|
Guys, I began to sense that Google is beginning to think that they rule the world now and we all have to live on their terms no matter how inconvenient it becomes. This is exactly the same attitude that the blackberry folks shown me a couple of years ago. I was asking for a database to be supported on their smart phone and they turned around and asked me: 'why would a phone need a database?'. They didn't know that it was extremely difficult for their developers to have to use a flat file system in place of the database for software development. But they didn't care - the world was revolving around them at that time. Now let see how long the world will be with Google if they keep doing this to us.
|blackmoon01||8/24/11 9:02 AM|
The fact that so many apps are written and have now been shut down because of this decision should show you a HUGE hole in the system. You did well having an integrated database engine, Contacts provider, etc. but why is there no email provider with fine grained permissions so that we can make Android the BEST mobile OS in the world? I have an app that was killed with this change only because there is no other way to get the attached file's filename. Seriously Google, why should I even need to read their email in order to retrieve metadata like that? I guess the question is moot now.
|gnugu||8/24/11 9:05 AM|
I have an app that actually needs to read the email.
For those devs out there who just need to know if there is new message and how many, there is still a way to do it! I can provide a sort of code if anybody interested (haven't tested myself since I NEED to read the mail).
|bartm915a1||9/1/11 11:38 AM|
I have recently had an app I use all the time start shutting down since getting my new Droid 3 installed with Gmail 2.3.5. I am really disappointed that Google has decided to turn off this integration cold, instead of providing an alternative. I would have preferred Google allowed the users, me, to approve third party access to the database instead of the all-or-nothing approach without providing an alternative. I have tried to uninstall Gmail 2.3.5 and use Gmail 184.108.40.206 but my app still is shutting down. I am guessing Google's "fix-update" does not uninstall this way?
|gnugu||9/1/11 11:45 AM|
If you downgrade GMail, you need to uninstall that third party app and install it again when older version of Gmail is in place.
That should make it work.
|gnugu||9/1/11 11:55 AM|
Here are the steps to downgrade http://koxx3.wordpress.com/my-gmail-database-is-locked-how-can-i-unlock-it/
|Paristo||9/8/11 2:46 AM|
I can very well understand the change of API to not allow application have full access to user emails.
BUT. What seems to be why people are upset, is that notifications does not work.
Really Google? Did GMail app allow before this change to any application what just needed notification of new/unreaded/unseen email to have full access to emails (topics, sender, addresses, mail content etc)?
What Google really should do, is to tie up the Android security. I have always had worries when application asks permission to contact list. I wish Google would give user a permit to allow/deny specific functions of the application.
Few things for starter.
1. By permission, any application should be possible to get information how many new emails are there. Nothing else than just the number. This would give user a change to use notifications "Hey, you have five unread emails".
2. Same thing for SMS/MMS that you do not know from who, but at least you get the number how many is there. Giving a sender name is just extra permission what should be allowed by user only.
3. Internet permission. Google really should build own ad service and trought that all ads would be delivered. That way it should be asked from the user does the application have permit to use Ads. By that, user knows that application causes small amount of data traffic, but can be sure it does not use internet connection to example copy the whole addressbook and send it over.Then if application would ask permit to Ads and full Internet and contacts, person could be very very very caution that there is something bad.