POP Peeper v5.6.3 is a minor release that re-enables the Oauth2 option for Gmail. A new popup will be displayed when an Oauth2 error occurs during the “reset Oauth2” phase.
POP Peeper v5.6.1 is a minor release for one specific update (full list of changes).
With v5.6 deprecating Gmail/Oauth2, many people had questions why their Gmail accounts were reporting a login error. v5.6.1 adds new information to the error report when a Gmail accounts results in a login error. The error will mention that an app-password is necessary and provide a link for more information.
v5.6.1 also adds the option to create a keyboard shortcut for the “move to folder” action (for IMAP accounts). The keyboard shortcut can be added: main menu: Tools / PPtweaker / Shortcuts / (Main or Message) / Move to folder
POP Peeper v5.6 has several fixes and minor improvements (full list).
v5.6 has changes related to the end of Oauth2 support for Gmail, as previously announced (Important Gmail-Oauth2 news).
Oauth2 for Gmail will continue to work in v5.6 until the deadline, but if you need to add a new Gmail account or reset Oauth2, you will need to switch to an app password (see the previous link regarding Important Gmail Oauth2 news for guidance).
Update: For the latest information and alternatives to using 2FA, refer to this post
As of April 23, 2025, Gmail accounts accessed in POP Peeper will require you to use an app password instead of Oauth2. It is strongly recommended that you switch to app passwords as soon as possible (and before April 23); you can do this with your current version of POP Peeper. If your Google account already has two-factor authentication (2FA) enabled, creating an app password is a very simple process; but otherwise, you will need to setup 2FA which may take an extra 2-15 minutes. Google will make it seem like you must provide your phone number, but this is not mandatory as the guide will explain. The Esumsoft guide for setting up 2FA and app passwords is provided here: https://www.esumsoft.com/pop-peeper/faq/?q=GmailAppPw
Please note: app-passwords and 2FA are not directly related. Enabling 2FA on your account does not mean that you will need to authenticate POP Peeper’s connection to your email. The app-password is a substitute for 2FA.
POP Peeper v5.6 will be released soon which has updates related to these changes (such as removing Oauth2 as an option for Gmail and providing in-app links to help guide you through creating app passwords). POP Peeper v5.6 will be able to use Oauth2 for your existing Gmail accounts and will continue to work until the deadline or if an account requires you to re-authenticate. New accounts added into POP Peeper will require you to use an app password.
To determine if your POP Peeper account is using Oauth2 or a password: – v5.5 or older: edit the account in POP Peeper; the dropdown to the right of your “Login name” will either be “Oauth2” or “Password”. You need to switch to “Password” if it’s currently “Oauth2”. – v5.6 or newer: edit the account in POP Peeper; if you see a disabled control that says “Password” to the right of your “Login name”, this means that Oauth2 is still being used and you need to update your password (if there’s an existing password, it could be your main password which Gmail no longer accepts and so you may still need to create a new app-password and use it to replace your existing password in POP Peeper). The disabled “password” control will be removed after you save a password. The following image shows a case where Oauth2 is still being used because the “Password” dropdown is visible but disabled:
POP Peeper v5.6 – Oauth2 still in usePOP Peeper v5.6 – Password being used (no disabled “password” above “confirm”)
Why is this necessary?
POP Peeper first introduced Oauth2 support in v4.2 (June 20, 2016). Oauth2 is considered more secure for various reasons, such as the email client not needing to store your password. Over the last few years, Google started requiring a CASA review (“Cloud App Security Assessment”) for certain activities that used Oauth2, including access to Gmail. This review was first required for POP Peeper in 2024; it was an extremely stressful and time-consuming process, but POP Peeper passed the assessment and this is why Oauth2 was still available. This was mentioned in the POP Peeper v5.5 released announcement.
The need for the CASA review came around again this year, but this time Google required the use of 3rd party assessors which had fees of over $700 USD; this is a reduced rate from several thousands of dollars because of a partnership with Google. Based on the experience so far, it is reasonable to believe that the reduced rate will only be available for a limited time and will not be offered for future required assessments. The vast majority of people running POP Peeper use it for free and POP Peeper does not bring in enough money to absorb this fee on top of all the other expenditures (such as web hosting and code signing), especially considering that this is just one email service of thousands (albeit, probably the most popular one).
This was not an easy decision to make, but it came down to the resources (time and money) involved with the CASA review, especially with the alternative of using app passwords. Using Oauth2 does not provide any special privileges, it is only used to log into your email account. Google could (and, in my opinion, should) allow email clients to use Oauth2 without requiring the CASA review for this very reason. Considering that there is an alternative method that allows the same level of access to your email which Google claims is less secure, the necessity of the CASA review seems questionable, and that’s especially true for desktop apps like POP Peeper where your data goes directly between your computer and the server.
Recap
This only affects POP Peeper’s capability to login using Oauth2 for Gmail. It does not affect other services that use Oauth2 (Outlook, Yahoo, AOL). You can still use POP Peeper to access Gmail by using an app passwords
As of September 16, 2024, Outlook/Hotmail accounts will require you to use Oauth2, which they refer to as “modern authentication.” This replaces the login method that sends your password and is more secure. It is recommended that you switch to Oauth2 before the deadline so that you don’t have any downtime.
If you receive an email from Outlook that says you’re using “basic authentication”, this means that you need to switch to Oauth2; you shouldn’t receive this email if you’re already using Oauth2.
To verify that you’re using Oauth2 for Outlook in your POP Peeper accounts:
1) Edit the Outlook account in POP Peeper
2) On the right-side of your “Login name” is a dropdown box: – If it currently says “password”, change it to “Oauth2” – If it’s already Oauth2, you can cancel and proceed to step #4 – If you don’t see a dropdown, it’s because only certain types of accounts (Gmail, Yahoo, AOL, Outlook) support Oauth2
3) If you change the dropdown to Oauth2, follow the instructions to grant POP Peeper permission to access your email
4) Repeat if you have other Outlook accounts
Update: POP Peeper v5.5.2 added Outlook Oauth2 support for POP3 and Oauth2 is recommended when creating/editing Outlook accounts.
Important: Because of the security updates (improved encryption), data saved in this version is not backward-compatible with previous versions. What this means is that once you update to v5.5, you should not restore the program files of an older version (e.g. v5.4.6) without also restoring a backup of the data files.
OpenSSL has been updated to v3.0. v1.1 is no longer being updated. OpenSSL v3.0 was chosen because it will be supported until September 2026, whereas support for v3.1/v3.2 ends in 2025.
Sensitive data is now encrypted using a more powerful and standard algorithm. This includes your login information as well as message data.
Norton 360 users have reported some issues with v5.5; specifically with the ‘Data protector’ module in Norton. Norton may prevent the Installer from installing the program and there may be other issues once running (e.g. reporting problems when saving certain file attachments such as .pdf). It is recommended that you add POP Peeper and the installer to the white list / exclusion list in Norton. A report has been submitted to Norton.
Windows XP — it has been reported that OpenSSL v3 no longer works on Windows XP. v3 is required for POP Peeper v5.5+, so it is recommended that you stay on POP Peeper v5.4.6 if you have Windows XP.
Behind-the-scenes changes
Digital signature — since the last release, Esumsoft has obtained a new provider for the code signing/digital signature. This change took significant effort to replace the old procedure and this change may be why Norton360 is reporting potential issues. ie. Norton may think it’s suspicious that the provider has changed. The good news is that Esumsoft has paid for a 10-year subscription, so if that is the problem, it shouldn’t be a problem again anytime soon. I hope that it also shows my commitment to POP Peeper and all other existing and future Esumsoft products.
Google / CASA Tier 2 security assessment — Google now requires a rigorous security review for apps that access your email and login with Oauth2. This review process is why many apps (not just email) have chosen not to use Oauth2 or are using ways to circumvent it. I am pleased to announce that POP Peeper has recently passed the assessment and is verified. This means that POP Peeper is one of the limited, independent email clients that can continue to use OAuth2 when logging into your Gmail accounts.
