Email - which apps keep it private

[Feonor]

I think is a real concern about blue mail (also type mail is the same app)

 

[Hadron]

Blue Mail's privacy policy is quite clear about their use of analytics, which is offputting. The latest Aquamail does include an option to turn off analytics, though it would have been better to add this at the same time that they were added (and better yet not to add them).

I also much prefer a client which is retrieving mail directly from the provider to my phone, rather than storing it in some other company's cloud server, which is what Blue Mail does. That is actually the reason I've never used Blue Mail.

 

[Feonor]

Blue Mail's privacy policy is quite clear about their use of analytics, which is offputting. The latest Aquamail does include an option to turn off analytics, though it would have been better to add this at the same time that they were added (and better yet not to add them).

I also much prefer a client which is retrieving mail directly from the provider to my phone, rather than storing it in some other company's cloud server, which is what Blue Mail does. That is actually the reason I've never used Blue Mail.

Which one is your favorite app now?

 

[Hadron]

I have mainly used Aquamail the last couple of years, but with their purchase by Mobisystems I'm keeping that under review. I have of course got a copy of the last version from before the acquisition, which you can download from their website, so there's always the option of just installing that and not updating again (as I did with QuickPic when it was bought by Cheetah Mobile).

I have used MailDroid Pro as well, so can always switch to that (it seems more tablet-friendly than I remember it being a year or so ago, so I've got it on my tablet in addition to Aquamail at the moment). The venerable K9 is also an option, works fine though a bit aethetically challenged. But I've not made a proper survey recently, so there may be options I'm missing. Aquamail does what I want just fine, just that it's now owned by a company who I don't particularly trust which means I'm unsure where it will go in future.

Of course I've also got ProtonMail for when I want it to be more private

 

[Feonor]

I have mainly used Aquamail the last couple of years, but with their purchase by Mobisystems I'm keeping that under review. I have of course got a copy of the last version from before the acquisition, which you can download from their website, so there's always the option of just installing that and not updating again (as I did with QuickPic when it was bought by Cheetah Mobile).

I have used MailDroid Pro as well, so can always switch to that (it seems more tablet-friendly than I remember it being a year or so ago, so I've got it on my tablet in addition to Aquamail at the moment). The venerable K9 is also an option, works fine though a bit aethetically challenged. But I've not made a proper survey recently, so there may be options I'm missing. Aquamail does what I want just fine, just that it's now owned by a company who I don't particularly trust which means I'm unsure where it will go in future.

I think maildroid also have analytics and I think you can't disable it, as you can do it in aquamail.

K-9 must be the best in privacy now.

Aquamail is the best app but mobisystems...

 

[slappyx]

Just signed up to offer some additional results after my testing, cheers to op for the post was very helpful.

So being forced to upgrade my phone as my now 4 year old phone has had its last drop I'm using the latest version of Cyanogen for my device.

I was initially going to test 3 apps listed in here: K9, Aquamail and boxer (as i've read its now the default for cm firmware); But after seeing the wall of permissions for Aqua and reading @Hadron 's post above about a new takeover, i decided too drop that one;

I set up a new email account on my server specifically for this test so no tarring the results etc and installed and setup k9 and boxer to this account using pop; I used the privacy email tester, mentioned above I believe (or here), and then ran a packet capture app on my device.

So i found that K9 is (generally) privacy safe in terms of opening the email & boxer only red flagged on link prefetch, which then changed when downloading remote content / showing pictures! Both had several red flags from the privacy checker, K9 having the most this time?? (listed below)

In both cases the IP shown was the one for my device meaning remote data doesn't go via any "external company" servers. I cant say the same for fetching of the email as i have been unable to get hold of the email access logs, I will post back if my hosting company gets back to me.

I then ran the packet capture app on my device whilst checking and sending emails. Looking at the logs tells me that K9 only ever connected to my servers IP and nowhere else which is great imo. Unfortunately not for boxer: I had more than one extra IP address in the logs. They resolved to: amazonaws.com, sl-reverse.com & a blank entry;

So far i've decided to stick with K9 & see how the interface goes. Apologies for the length of the post, i didn't have time to write a shorter one.

------------------------
RED FLAGS ON REMOTE CONTENT LOAD

K9:
Object tag - data
CSS background-image
CSS content
Audio tag
Object tag - Flash
Video MP4
Video tag
Video poster
Image Submit Button
Link Prefetch
Image tag
CSS link tag
Iframe tag


BOXER:
CSS content
Image tag
Object tag - data
Image Submit Button
CSS background-image


---EDIT---
I realise K9 has more Red Flags on remote loading but this to me is a secondary issue after the ip issue. I rarely click on show remote content within emails, let alone open spam; So i am the one who controls this privacy whereas i have no control over what is sent to the ips logged in the packets;

 

[El Presidente]

No need to apologise for the long post, the detailed run down is very much appreciated.

 

[Feonor]

Just signed up to offer some additional results after my testing, cheers to op for the post was very helpful.

So being forced to upgrade my phone as my now 4 year old phone has had its last drop I'm using the latest version of Cyanogen for my device.

I was initially going to test 3 apps listed in here: K9, Aquamail and boxer (as i've read its now the default for cm firmware); But after seeing the wall of permissions for Aqua and reading @Hadron 's post above about a new takeover, i decided too drop that one;

I set up a new email account on my server specifically for this test so no tarring the results etc and installed and setup k9 and boxer to this account using pop; I used the privacy email tester, mentioned above I believe (or here), and then ran a packet capture app on my device.

So i found that K9 is (generally) privacy safe in terms of opening the email & boxer only red flagged on link prefetch, which then changed when downloading remote content / showing pictures! Both had several red flags from the privacy checker, K9 having the most this time?? (listed below)

In both cases the IP shown was the one for my device meaning remote data doesn't go via any "external company" servers. I cant say the same for fetching of the email as i have been unable to get hold of the email access logs, I will post back if my hosting company gets back to me.

I then ran the packet capture app on my device whilst checking and sending emails. Looking at the logs tells me that K9 only ever connected to my servers IP and nowhere else which is great imo. Unfortunately not for boxer: I had more than one extra IP address in the logs. They resolved to: amazonaws.com, sl-reverse.com & a blank entry;

So far i've decided to stick with K9 & see how the interface goes. Apologies for the length of the post, i didn't have time to write a shorter one.

------------------------
RED FLAGS ON REMOTE CONTENT LOAD

K9:
Object tag - data
CSS background-image
CSS content
Audio tag
Object tag - Flash
Video MP4
Video tag
Video poster
Image Submit Button
Link Prefetch
Image tag
CSS link tag
Iframe tag


BOXER:
CSS content
Image tag
Object tag - data
Image Submit Button
CSS background-image


---EDIT---
I realise K9 has more Red Flags on remote loading but this to me is a secondary issue after the ip issue. I rarely click on show remote content within emails, let alone open spam; So i am the one who controls this privacy whereas i have no control over what is sent to the ips logged in the packets;

Really interesting, but IMO k-9 is far from aquamail in terms of UI. Privacy in aquamail isn't a concern for now, but we don't know what will happen in the future.

 

[maildroiddev]

I think maildroid also have analytics and I think you can't disable it, as you can do it in aquamail.

K-9 must be the best in privacy now.

Aquamail is the best app but mobisystems...

MailDroid does not have analytics. This is not true. It does have ads

 

[maildroiddev]

Since I was asked in an email about the unroll.me situation and how email apps keep it private, I will point this out. Most top email app lists fail to look at the details on the apps. It also does not consider some of the oldest and most feature rich apps in the Play Store such as K9 and MailDroid. Both these two apps also support PGP (MailDroid supports sMIME as well) to encrypt your emails when sending.

1. BlueMail and TypeMail are the same company and they both make money somehow. They have their own server which your mail passes through. Do they mine data like unroll.me did? The Terms Of Service they have is very unclear. I am not saying they do, but articles like this dated back in 2014 (http://www.sklar.com/2014/10/14/blue-mail/), is it a sister company of https://www.bluemailmedia.com/ which does marketing and promotion? I can not say for sure that any of this is true, do you own investigation. Look at their TOS (https://bluemail.me/tos/) and if it is acceptable, use them, they make a very good app.

2. Outlook is owned by Microsoft, Yahoo Mail by Yahoo, Alto by AOL, Inbox by Google, myMail by Mail.ru. Most of these companies likely don't mine your data, but you may get solicited somehow to join their sites. I think Yahoo shows ads and myMail may also show ads, so this is the revenue model.

3. Newton Mail charges a $50 a year subscription after 14 days. Their revenue model is now clear (it used to be not clear).

4. Proton Mail is a good provider which likely falls in the category of ones that don't sell your data. They have end to end encryption which costs per year.

5. AquaMail was bought by Mobi who is known to have shady practices. Before Mobi bought them, I would have agreed with earlier comments that this was a client that was respected, now I can't say that.

Make sure everyone knows all the details so they can decide on a commercialized mail client vs a mail client like K9 or MailDroid which both have no servers and no tracking (K9 is open source and free and MailDroid is ad based or pay for no ads). They are both well tested and have been on the play store since Android version 1.5

Again, do your own research into this. It could very well be that all these companies have a different revenue model and they are all legit, but you need to look.

 

[spocko]

I just noticed that MailDroid Pro is on currently sale for $4.49 instead of the usual $6.99 on the Play Store in the US.

I have no affiliation with them, just sharing the info. MailDroid does seem to be one of the only full-featured and well-supported email clients that can be trusted to "keep it private".

 

[pacman10]

You write "AquaMail was bought by Mobi who is known to have shady practices.". What exactly are these shady practices ? I'm considering installing Aqua-Mail and need to know what to look out for.

 

[phayes72]

I got this response from Blue Mail...

Our push service and sync require servers, which are hosted securely on Amazon AWS.

Below are our basic principles:

1. Our app does not store any of your emails on its servers. This is different from most cloud solutions, including Microsoft Outlook for mobile, as far as we are aware.

2. Our app connects to your email provider with secured and encrypted protocols and when applicable, both to send and receive emails from the client directly.

3. When using instant push mode for notifications over IMAP and EWS protocols, our servers notify the app about new email, which in turn directly fetches the email from your own provider. This process requires your credentials, which are stored securely on our servers, and are used for this sole purpose only. You can disable push mode (by changing to fetch or manual mode), which does not require your credentials on our servers, and can be taken as an extra security step. Please note that accounts that use OAuth do not require your password, but use a token.

4. For POP3 and ActiveSync (EAS) accounts, there is no token or passwords used at all.

5. For Gmail, Outlook and Yahoo, we have implemented OAuth 2.0, where we at no time, have access to the account password (not even the app on the device). More about OAuth: https://oauth.net/2

We primarily care about the security of our users, and therefore keep updating to the latest secured protocols and methods.

 

[maildroiddev]

You write "AquaMail was bought by Mobi who is known to have shady practices.". What exactly are these shady practices ? I'm considering installing Aqua-Mail and need to know what to look out for.

Considering they just pushed in code to have ads all over aqua mail and did not let people know and did not even tell them about a changed privacy policy...that is a start.

 

[maildroiddev]

I got this response from Blue Mail...

Our push service and sync require servers, which are hosted securely on Amazon AWS.

Below are our basic principles:

1. Our app does not store any of your emails on its servers. This is different from most cloud solutions, including Microsoft Outlook for mobile, as far as we are aware.

2. Our app connects to your email provider with secured and encrypted protocols and when applicable, both to send and receive emails from the client directly.

3. When using instant push mode for notifications over IMAP and EWS protocols, our servers notify the app about new email, which in turn directly fetches the email from your own provider. This process requires your credentials, which are stored securely on our servers, and are used for this sole purpose only. You can disable push mode (by changing to fetch or manual mode), which does not require your credentials on our servers, and can be taken as an extra security step. Please note that accounts that use OAuth do not require your password, but use a token.

4. For POP3 and ActiveSync (EAS) accounts, there is no token or passwords used at all.

5. For Gmail, Outlook and Yahoo, we have implemented OAuth 2.0, where we at no time, have access to the account password (not even the app on the device). More about OAuth: https://oauth.net/2

We primarily care about the security of our users, and therefore keep updating to the latest secured protocols and methods.

So the main question still remains, how do they make money? They have a huge team supporting the app, they need to make money somehow ;-) No one is doing this for free and working there just for the fun of it.

 

[jayanda]

I got here by clicking on the first page of this thread in a web search. I looked at Blue Mail...has anyone noticed that their privacy policy states that they collect information from your browser about which web pages you visit....To improve their service ...Really??? So difficult, I am discovering, to find a truly private and secure mail client for android. Am looking into 'Mail' which used to be called EasilyDo on iphone. Anyone here have anything to say about them?

 

[maildroiddev]

I got here by clicking on the first page of this thread in a web search. I looked at Blue Mail...has anyone noticed that their privacy policy states that they collect information from your browser about which web pages you visit....To improve their service ...Really??? So difficult, I am discovering, to find a truly private and secure mail client for android. Am looking into 'Mail' which used to be called EasilyDo on iphone. Anyone here have anything to say about them?

EasilyDo came out a year or two after MailDroid was released and did not do well. I know they rebranded, but don't know much about their revenue process at this point. Again, a company with developers will need to pay those developers somehow. K9 is open source and free and MailDroid has ads and a pay version...these are the only 2 that don't have servers, don't have a huge development team that needs to be paid a lot and have been around a while with loyal users (and no major advertising).

 

[zuben el genub]

Considering they just pushed in code to have ads all over aqua mail and did not let people know and did not even tell them about a changed privacy policy...that is a start.

No ads so far in the paid version. I bought Aquamail years ago. It doesn't even pick up the spam that comes with GMX mail.

 

[phayes72]

So the main question still remains, how do they make money? They have a huge team supporting the app, they need to make money somehow ;-) No one is doing this for free and working there just for the fun of it.

And who are they? Private WHOIS info, no location or owner information on their website... red flags for me.

 

[StRanger]

So the main question still remains, how do they make money? They have a huge team supporting the app, they need to make money somehow ;-) No one is doing this for free and working there just for the fun of it.

While the question about business model is legitimate in this case, I would argue with the last statement in your post: Some people do it "for the fun of it".
Just one example: https://play.google.com/store/apps/developer?id=SECUSO+Research+Group

As for Blue Mail, there is a phrase in the privacy policy that concerns me as well (and has not been mentioned yet):

"Some of the information Blue Mail uses to communicate with your device – like its IP address – can be used to approximate the device’s location. This information may be used to administer, analyze and improve Blue Mail."​

In view of the other information about what they do, my question is: how exactly are they collecting IP address(es) of my device and how are they using location information? Are they analyzing that for each message, or do they continuously poll my IP?
Or, maybe it is about the access to their website via browser?​

 

[mikedt]

And who are they? Private WHOIS info, no location or owner information on their website... red flags for me.

On their website....1540 Market Street, San Francisco CA 94102

Anyone in SF want to check it out?

 

[StRanger]

On their website....1540 Market Street, San Francisco CA 94102

Anyone in SF want to check it out?

Privacy in Whois is done by many small companies, - this reduces spam: There are web-scrapers who collect e-mail addresses (as well as snail mail and phone numbers) and sell them to spammers. The only reason I am not using private registration for the domains I own is that I am not willing to pay extra fee for that.

As for the street address in question, it is "Anchor", shared office space: https://www.yelp.com/biz/anchor-san-francisco

 

[jayanda]

EasilyDo came out a year or two after MailDroid was released and did not do well. I know they rebranded, but don't know much about their revenue process at this point. Again, a company with developers will need to pay those developers somehow. K9 is open source and free and MailDroid has ads and a pay version...these are the only 2 that don't have servers, don't have a huge development team that needs to be paid a lot and have been around a while with loyal users (and no major advertising).

Thanks for that info. Do either of these clients give the option to access app with a p/w, encrypt mail on the device, and delete emeils from webmail inbox on a mail-by- mail basis?

 

[Hadron]

Thanks for that info. Do either of these clients give the option to access app with a p/w, encrypt mail on the device, and delete emeils from webmail inbox on a mail-by- mail basis?

That sounds exactly like ProtonMail, except that app does those things for a ProtonMail account rather than for any webmail service of your choice.

I know that MailDroid has a password protection option and supports an encryption plugin, but have not used either so can't say more. It certainly allows you to delete mails as requested (long press mail in list to select, then select whichever others you want, then delete) and you can set it to delete from server when you delete from device, so that box is ticked.

I've not used K9 for a few years, so can't answer for that one.

 

[maildroiddev]

That sounds exactly like ProtonMail, except that app does those things for a ProtonMail account rather than for any webmail service of your choice.

I know that MailDroid has a password protection option and supports an encryption plugin, but have not used either so can't say more. It certainly allows you to delete mails as requested (long press mail in list to select, then select whichever others you want, then delete) and you can set it to delete from server when you delete from device, so that box is ticked.

I've not used K9 for a few years, so can't answer for that one.

Yup, as was noted, MailDroid supports basic password and oAuth2, as well as PGP and sMIME.