Gmail Gone, and the Risk of Undocumented APIs

The latest version of the Gmail application for Android 2.3.5 apparently has android:protectionLevel="signature" on its content provider, meaning that third-party applications will no longer be able to read messages straight from the on-device Gmail app.

This will undoubtedly cause much wailing and gnashing of teeth, some of which has already started.

OTOH, you’ve been warned for some time that relying upon undocumented APIs is risky behavior. Whether it’s a simple authority change (as happened to the Calendar content provider in the 2.x timeframe) or locking it down entirely as occurred here, these are all well within Google’s rights. Google has been telling you repeatedly, through blog posts and Google Groups and StackOverflow that undocumented APIs are unreliable. I’ve emphasized this countless times in StackOverflow answers and comments, to the point where I’ve considered programming a keyboard macro just to save me some typing time.

If you find yourself hard-wiring in com.google or com.android or content:// somewhere, make sure that what you’re using is documented and supported via the Android SDK. Just because it is reachable by various means does not indicate that it is safe and stable for use.

Now, if you want to debate whether Google should have a documented and supported Gmail API, that’s certainly a worthwhile discussion to have. I’m personally skeptical on the Gmail front, but I’d argue there should be standard and supported providers for stuff unique to the device, like SMS, that cannot be accessed by other APIs (e.g., getting to the user’s Google Calendar by the Google Calendar GData API).