I have an enterprise account and they added this button today. Guess what used to be there? The profile image where you could so conveniently swipe up or down to switch between gmail accounts. This is the kind of UI garbage that makes you want to move your entire company to another service just because you can.
I used to use FairEmail, and IMO it’s one of the best email clients available on any platform, but it started acting weird as my account got larger. Taking forever to sync, not sending emails (just keeping them in the outbox), etc. I switched to K9 Mail, which has now become Thunderbird for Android.
On one hand, I think audits are a reasonable idea. Some of the most sensitive data is in people’s emails, and most accounts can have their passwords reset via email. You really wouldn’t want malicious code touching that stuff. On the other hand, that’s definitely a large expense for an open source project :/
I’m glad some providers are moving towards OAuth or OIDC for logging in to email. Regular auth is very outdated and doesn’t support two-factor auth. It’ll just take a while to get there.
For FOSS projects, Google itself could sponsor the certification, if they really cared about security and not just closing the garden. The code is public and they could definitely write automated tests to check all they need to check, and at every single commit, and not just yearly, done in secret by some auditor.
For Google Drive integration, I saw that most devs are just removing support for it because it doesn’t make sense to pay $500 yearly to support it when there are a million better alternatives.
The other thing they’d need to verify is that the app that’s uploaded to the Play Store or whatever other platform it’s on matches the code, which can be hard to deal with if the build isn’t reproducible (that is, if every build produces a binary that differs in some way, like if there’s a timestamp embedded in it). This is one reason I like F-Droid - F-Droid builds and packages the apps on their end, so you can guarantee that the compiled app matches the source code.
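An added illustration of the reproducibility point above (not from the thread or from F-Droid): an APK is a zip archive, so the example packs constructed sample files, shows that two builds stamped with different times hash differently, attributes the mismatch to the timestamps, and then rebuilds from source with a pinned epoch to check a shipped package, the way an independent builder would.

```python
import hashlib
import io
import time
import zipfile

# Constructed stand-in for an app's compiled contents (an APK is just a zip archive).
SOURCE_FILES = {
    "classes.dex": b"dex\n035\x00constructed sample bytecode",
    "res/values/strings.xml": b'<resources><string name="app">demo</string></resources>\n',
}
ZIP_MIN_EPOCH = 315532800  # 1980-01-01, the earliest timestamp the zip format can store


def build_package(source_files, build_time):
    """Pack files into a zip, stamping every entry with build_time (seconds since the epoch).
    A build that stamps wall-clock time here is exactly what makes two honest builds differ."""
    stamp = time.gmtime(max(build_time, ZIP_MIN_EPOCH))[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(source_files):  # fixed entry order: another common source of drift
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, source_files[name])
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def differing_entries(pkg_a, pkg_b):
    """Attribute a mismatch: for each entry, say whether its content or only its timestamp differs."""
    za, zb = zipfile.ZipFile(io.BytesIO(pkg_a)), zipfile.ZipFile(io.BytesIO(pkg_b))
    diffs = {}
    for name in sorted(set(za.namelist()) | set(zb.namelist())):
        if name not in za.namelist() or name not in zb.namelist():
            diffs[name] = "missing on one side"
            continue
        ia, ib = za.getinfo(name), zb.getinfo(name)
        if ia.CRC != ib.CRC:
            diffs[name] = "content differs"
        elif ia.date_time != ib.date_time:
            diffs[name] = "timestamp differs"
    return diffs


def verify_published_package(published, source_files, pinned_epoch):
    """Independent-builder check: rebuild from source with the agreed, pinned build time
    (the SOURCE_DATE_EPOCH convention) and compare hashes with the package that was shipped."""
    return sha256(build_package(source_files, pinned_epoch)) == sha256(published)
```

Real build pipelines have more sources of drift than timestamps (entry order, signing, compiler output), but the verification step is the same: rebuild from the same source under pinned inputs and compare.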
I’ve worked on both sides of this (a big tech company providing an API to access data, and a smaller company or open source project utilizing said API) so I understand both arguments.
In addition to cost, there’s also complexity, as often the big tech company’s compliance issues/requirements become the small developer’s compliance requirements too. For example, there can be issues with storing data from European users outside of the EU, you may need a terms of service or privacy policy that explains what you do with the data, you may need to handle erasing the data if the user deletes their Google account, etc. Other companies like Facebook have similar concerns, and the Facebook Graph API is relatively restrictive as a result (to prevent third party apps from abusing data, like what happened with Cambridge Analytica).
All of that adds a lot of overhead for people that are just creating small apps and want easy integrations.