Beyond the Benefits: The Real Risks of "Sign up with Google"

June 9, 2026 · Written by Raghu Kumar

In a previous post, I talked about how every email cleaning app out there asks for full Gmail permissions. This is done through a process called OAuth - a system that lets apps access your account without needing your password, by issuing them a special access token instead. The trade-off is simple on the surface: you hand over access to your inbox, and the app helps you clean it up.

But it's worth slowing down on that trade-off, because what you're actually agreeing to is more significant than the consent screen suggests.


The trade-off is bigger than it appears

When an email cleaning app asks for "Read, compose, send and delete all your email", take a pause.

Think about what lives in your inbox: receipts and financial statements, medical correspondence, your work-related emails, years of personal conversations, and so on. An app that promises to unsubscribe you from newsletters technically has access to all of it. That's the trade-off we are talking about.


That access doesn't disappear when you stop using the app

Here's what most people don't realise: an OAuth grant doesn't expire just because you've forgotten about the app. Once granted, the access persists for a long time (many months to years) until you go out of your way to revoke it. The email cleaner you tried for a week a few months back and never opened again? It almost certainly still has full access to your inbox today.

Over time, these connections quietly accumulate. Permissions get forgotten. And apps you once trusted - or apps whose servers have since been acquired, compromised, or sold - still hold the keys.


A compromised app means your data is compromised too

You don't have to make a mistake for this to go sideways. Even if an app was legitimate when you connected it, that can change. If an app's servers are breached, attackers can access the OAuth tokens that app collected - which means your data is exposed through no fault of your own. The app was the weak link, not you.

This is the part the clean consent screen doesn't mention: you're not just trusting the app, you're trusting everyone who will ever have access to that app's infrastructure.


The "just click Allow" problem

Consent screens are designed to minimise friction, not maximise understanding. Most people click through them without reading the details - and honestly, that's partly by design. Some apps ask for broad permissions even when they don't need them. Users approve because it's too much work to verify why an app is asking for certain permissions.
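The two problems described above, grants that quietly outlive their use and scopes far broader than the app needs, are exactly what a periodic audit of your connected apps should catch. The following is an added example, not code from the original post or from Clear Mail: a small audit over constructed grant records (the record format is invented for illustration; the scope strings are Google's published Gmail scope identifiers) that flags stale and over-broad grants for review.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Google's published Gmail scope strings (real identifiers). The grant records
# further down are constructed for this example, not exported from any account.
FULL_MAIL_SCOPE = "https://mail.google.com/"          # "Read, compose, send and delete all your email"
BROAD_SCOPES = {FULL_MAIL_SCOPE, "https://www.googleapis.com/auth/gmail.modify"}

@dataclass(frozen=True)
class Grant:
    app: str
    scopes: FrozenSet[str]
    granted: date
    last_used: Optional[date]  # None: the app never used the token after consent

def audit_grants(grants, today, stale_after_days=90):
    """Return {app: [findings]} for grants a user should review or revoke.

    Two checks mirror the post: a grant stays valid until explicitly revoked, so
    anything unused for stale_after_days is a standing liability; and a scope that
    reads, sends and deletes all mail is broad no matter what the app advertises.
    """
    findings = {}
    for g in grants:
        issues = []
        idle = (today - (g.last_used or g.granted)).days
        if idle >= stale_after_days:
            issues.append(f"stale: unused for {idle} days, still valid until revoked")
        broad = g.scopes & BROAD_SCOPES
        if broad:
            issues.append("broad: " + ", ".join(sorted(broad)))
        if issues:
            findings[g.app] = issues
    return findings

# Constructed sample data: one forgotten cleaner, one narrow app, one broad-but-active app.
AUDIT_DATE = date(2026, 6, 9)
SAMPLE_GRANTS = [
    Grant("InboxTidy (tried once)", frozenset({FULL_MAIL_SCOPE}), date(2025, 11, 2), date(2025, 11, 9)),
    Grant("CalendarSync", frozenset({"https://www.googleapis.com/auth/calendar.readonly"}), date(2026, 5, 1), date(2026, 6, 8)),
    Grant("DraftHelper", frozenset({"https://www.googleapis.com/auth/gmail.modify"}), date(2026, 4, 20), date(2026, 6, 1)),
]

def run_sample():
    return audit_grants(SAMPLE_GRANTS, AUDIT_DATE)

if __name__ == "__main__":
    for app, issues in run_sample().items():
        print(app)
        for issue in issues:
            print("  -", issue)
```

The same checks apply to the list Google shows under "Third-party apps with account access"; the point is that nothing in the audit removes access, so revocation remains a deliberate step the user has to take.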


There's a better way - and it doesn't need any access at all

This is exactly the problem I set out to solve with Clear Mail.

Clear Mail works very differently. There's no OAuth flow, no "Sign up with Google" button, no syncing your inbox to a third-party server. Everything happens locally, on your device. Your emails never leave your machine.

The way it works is simple: Clear Mail lets you sort your inbox by sender, so you can instantly see who's been filling your inbox and bulk-delete by sender in a few clicks. Since no OAuth connection is required, there are no OAuth tokens sitting on someone else's server, waiting to become a liability.

For a quick walkthrough, check out our Getting Started Guide. And if you're ready to dive in:

👉 Go here to install.
