Is Access to Google Safe?

FlowCrypt is asking me to connect the plugin to my Gmail account. Is it safe? Where can I read more about this?


It’s the same as setting up a new email client on your computer or phone. It will need access to your email to be able to pull the emails to your computer and show them to you. In FlowCrypt’s case, it also encrypts and decrypts them using PGP end-to-end encryption.

There are a few resources that may help. One of them is the “Email Access Token” section of the FlowCrypt Privacy Policy:

An Access Token is required to access the user’s email. The Local App will request this access during the setup process. Tokens are then exclusively stored in the Local App on the user’s Local Machine, with no exceptions. The Access Token is used solely within the Local App for user authentication, sending and receiving of Encrypted Messages, and other related actions that make the Local App work smoothly.

The Privacy Policy just puts into words what the code does. The code is available for review at the FlowCrypt GitHub repository.

Ideally, you want to be using full-disk encryption on your laptop, and locking it when you leave it. Additionally, the moment you suspect your laptop has been stolen or tampered with, you should use another device to log into your Google account, navigate to the Connected Apps section, and revoke access to “FlowCrypt”. That will make these tokens useless.

Finally, you shouldn’t use any browser extension with over-reaching permissions such as “manage other extensions”.