Less Secure Apps:Google considers apps that directly use your account email address and password less secure. Many older apps request your login details in order to access Google's services on your behalf. This is not ideal from a security perspective for several reasons:
- You must trust that app to not be dishonest.
- You are also trusting these apps to adequately protect the password information from being compromised by 3rd parties. For example, storing the password un-encrypted in the registry or a file on your hard drive would leave it open to easily being compromised should someone or some malicious software gain access to your computer.
- Finally, you are also giving that app access to all of your Google account's features, including e-mail, contacts, calendar, drive, etc. If that app only needs to access your contacts, giving it permission to access all your other services opens up permissions more than necessary.
More Secure Apps:Google supports an improved method to give apps access to your Google services with a protocol called OAuth2. Using this authentication method allows apps to access only the Google services within your account that they need. OAuth2 also eliminates the need for the user to provide the app with an account password. Instead you get an access code, specific to that app, your account, and needed permissions. The details of how you obtain this access code vary depending on the platform of the app. The basic idea is that the app directs you to a Google website where you log into your Google account and view the permission request from this app. The permission request lists all the specific services this app will be able to access. If you approve, you will be given an access code to enter into the app. (Some apps can accept this access code automatically, behind the scenes, once you approve the request.)
OAuth2 eliminates the need for users to enter their Google account password. It also solves the issue of only providing permissions to the necessary services, instead of your whole account. Also, the access code can only be used by the requesting app. To use the access code the app must also provide a clientID and client secret, which are registered with Google by the app developer. Therefore, even if the access code were compromised the malicious party couldn't use it unless it knew the clientID and client secret. If the malicious party had the access code, clientID, and client secret it could use this, but then it would at least be restricted to the services approved. Access codes can also be easily revoked when desired.