The secure email apps I use

What is a secure email client? Which app to use on Android to read and write emails? How to balance convenience VS security? I have 4 main email addresses and I am paying for some of my email servers. I am owning domains. To stay in control on my email, I am now using a set of 3 systems.

I like to be independent and free. For my email, this means that I take care about email servers and email addresses I use. I own my domain and that I can run any email server I like for my domain. Nobody can take away my email address. I am free to write whatever I want and I am free to switch email providers. I do not use yahoo, gmail,  gmx, or outlook.com, where you are chained to a provider. I do use google hosting for my gnowsis.com domain, domainfactory for leobard.net, world4you for burners.at and google provides email service to Burningman.org, where I also have an address. I am working from multiple devices, so I leave all email on the servers in IMAP folders.

Besides servers and domains, what is a secure system for me?

  • reasonably secure email server software and provider (I trust google, world4you, and domainfactory)
  • reasonably secure transport protocol (ssl/tls)
  • reasonably secure email client (trustable provider like Microsoft or Mozilla)
  • possibility to encrypt mails with pgp/gpg (I still wait for the day to receive an encrypted email, but, you know, crypto is cool in itself)

Since today, my email clients are:

  • Thunderbird for the desktop – the de facto open source standard for desktop email. They stopped adding new features, formatting is weird. It has  PGP and is pretty secure, and there is a google addressbook sync. I am happy.
  • K-9 Mail for Android – this is an interesting one. I was googling for some time to look for sensible email clients for android, and the ONLY one I found suitable is K-9.
  • A shiny new Leo Sauermann PGP/GPG key which you lovelies can use to encrypt emails going out to me. You find it on the good ol MIT key server, or linked from my foaf file. Just search for my email addresses there.

The interesting catch today was K-9. I was really digging into the google play android app store to find something.

The following insecure apps were on my shortlist, but they are insecure and I now shunn them:

Why are they insecure in my eyes?

Good:

What I expect: my email client connects to my IMAP email server using a secure connection and authenticates using my secure password and reads my emails. No one else has my password. No one in the middle. No one else reads my emails, deletes them, or changes them. This is how Thunderbird and K-9 Mail work. To somehow visualize it:

Thunderbird –internet–> my IMAP server

Bad:

What I do not expect: my email client asks me for my password and server, then transmits this sensitive data to an “email service” owned by the company providing the email client, the “email service” connects to my IMAP email server and reads my email, and my email client connects to the “email service” instead of connecting to my own IMAP servers.

BlueMail –internet–> the BlueMail Server –internet–> my IMAP server

In this setup, Blue Mail has all my emails going through their server.  Why do they do this? To send my cell phone “push” messages when a new email comes through. IMAP does not support push, and since Blackberry, Push is cool, so to push, you need a server-in-the-middle.

Why is it Bad?

  1. NSA could read my emails by sitting at BlueMail. This is most unlikely and stupid and wishful thinking of hackers, but you know, it deserves to be on the list, because it sounds cool.
  2. Corrupt BlueMail employee could go to PayPal, click “reset password”, capture the password reset email going through BlueMail server, click my reset password link, take over my PayPal account, and empty my Bank Account.

I do not care about the NSA reading my email, I am not a threat to anyone. But it is reasonable guard myself against corrupt employees of man-in-the-middle companies. You know, I love my bank account.

There is another thing about BlueMail: its free.

And that makes me suspicious.

How do they make money?

Disclaimer: I used Bluemail the last year because I think its the best GUI for reading email on Android. But after re-reading their TOS, it hit me – I should not risk someone emptying my bank account just because I like a shiny gui. So today I exchanged BlueMail for K-9. At least the business model of K-9 is clear: its free open source software. You donate when you use it.

Disclaimer: I may not know everything about email, so this article may be completly wrong. But other people wrote the same stuff using the words “security desaster”, so I guess I am on track: https://mobilsicher.de/aktuelles/sicherheits-desaster-mail-apps-uebertragen-passwoerter