1. Download our Official Android App: Forums for Android!

General Email - which apps keep it private

Discussion in 'Android Apps & Games' started by Crashdamage, Aug 10, 2015.

  1. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    Sharing your information and keeping private information or downloading your emails on a company's servers bothers a lot of users and rightfully so. Out of curiosity, privacy statements and other information was checked for some of the most popular email clients to see how they treat security and privacy and if they download your email to their servers rather than giving direct access from your device to your email server.

    Below is a list of the results. It's not complete but it does include many of the most popular email clients. Hopefully this will be of some use to those who are concerned about how their email is routed and what is happening to their information.

    The more stars a client is assigned, the more strikes against it. So one star is good, six stars is bad. The information in this report is a combination of information from the email client's websites, their privacy statements, and product reviews from various sources. Rankings may be, admittedly and necessarily, somewhat subjective but that was a minor factor. A sincere effort has been made to stick to the facts and just the facts and that is the real basis for the rankings.

    Additions and corrections to the list are always welcome, of course. Please contribute any information to help make this complete and accurate.

    Unfortunately, the results were very disappointing. Most of the clients failed to meet the very basic privacy requirements as defined for the purposes of this list. Which are simply:

    1. A client is considered insecure if it does keep information about you on their servers and/or may share it for various purposes.
    2. A client is considered insecure if email is downloaded to their servers.
    3. A client is considered secure if it does not keep your email or information about you on their servers and/or share it.

    Email Security Test: In addition to the findings of this survey, run a security test of your email client. Email Privacy Tester is a free and effective way to test your email client for privacy leaks and security bugs:

    https://emailprivacytester.com/

    To be clear, no effort was made to install and test the email clients listed on the test site. Rankings below are based on other information. Remember, I do not install and test the email clients listed. I HIGHLY recommend installing any client you are considering and testing it at the above site.

    THE RESULTS

    Insecure email clients:
    Boxer**
    Inbox**
    Gmail**
    MailWise**
    CloudMagic*****
    TypeMail******
    MyMail******
    Microsoft Outlook******
    BlueMail******
    Mailbox*****
    Alto******
    Solmail**
    Yahoo Mail**

    Secure email clients:
    AquaMail*
    K-9*,
    Nine*
    Maildroid***
    K-@ Mail*

    Status unknown:
    Touchdown****

    * Has privacy statement, does not store or share information.
    ** Has privacy statement, does store and share information.
    *** No privacy statement or could not find. Developer says no information is kept or shared.
    **** No privacy statement or could not find.
    ***** Has privacy statement, does not share information. Does download email to their servers.
    ****** Has privacy statement, does share information. Does download email to their servers.

    NOTE: Not all sites ranked '**' store passwords. Some do. However, if assigned a 2 star rank they admit they may share information for ads or other purposes. Read the privacy statements for details.

    NOTE: Clients ranked '*****' (5 stars) or '******' (6 stars) download your email to a server for distribution, rather than the email client accessing and downloading your email directly to you from the mailserver. The email client server may be operated by another party under contract to the email client company. For example, TypeMail uses Amazon Web Services servers.
    Any client that downloads your email to a server must be considered very questionable!

    NOTE: The AquaMail privacy policy statement linked below is not the usual boring legalese. Written in plain language, it's actually informative and interesting, and is the only one to mention any security testing.
    AquaMail Privacy Policy
    This is how it should be done! A must read!
    http://www.aqua-mail.com/?page_id=1878

    Privacy statemeñt links'

    K-9' https://github.com/site/privacy:
    TypeMail' https://github.com/site/privacy: http://www.typeapp.com/privacy/
    MyMail: http://legal.my.com/us/mail/privacy/
    CloudMagic: https://cloudmagic.com/k/privacypolicy
    Mailwise: http://mail-wise.com/privacy/
    Outlook: https://www.acompli.com/privacy-policy/
    Gmail: http://www.google.com/policies/privacy/ (generic Google)
    Inbox: http://www.google.com/policies/privacy/ (generic Google)
    Nine: No formal privacy statement, but this was taken from Play store description: "** Note: Nine is not cloud based. It stores your accounts’ passwords only on the actual device. It connects only to the actual mail servers. It stores your messages only on the device."
    Mailbox (by Dropbox): https://www.dropbox.com/privacy?mobile=1
    Note: Mailbox is shutting down operations on Feb 26, 2016.
    Boxer: http://www.getboxer.com/privacy/
    BlueMail: https://bluemail.me/privacy/
    Maildroid: None found. Nice new website here: http://flipdogsolutions.com/
    Alto: http://privacy.aol.com/privacy-policy
    Solmail: http://mail.sol.daum.net/mail?lang=en
    Yahoo Mail: https://policies.yahoo.com/us/en/yahoo/privacy/topics/mobile/index.htm
    K-@ Mail: https://github.com/site/privacy
     

    Advertisement

    #1 Crashdamage, Aug 10, 2015
    Last edited: Mar 2, 2016
  2. JoeHill

    JoeHill Lurker
    Rank:
    None
    Points:
    16
    Posts:
    4
    Joined:
    Mar 19, 2011

    Mar 19, 2011
    4
    1
    16
    Could you post links to these privacy statements? I can't find the one for K-9, for instance. As far as I know, K-9 is an open-source project currently hosted on github and I'm not sure what you mean by "their server". Is a user expected to register and set up an account with K-9 in order to use the mail client? Or do you mean that K-9 transfers emails from, e.g., your IMAP server to a K-9 host before transferring them to your Android device?
     
  3. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    Here is K-9:

    **Sorry, my mistake, should have been listed as unable to find. Corrected the original post.

    The rest are easy to find. There's either a link in the Play store description or you can find it on their website.

    By 'their server' I simply meant whatever server is used to stash collected information.

    From the information provided, it seems likely that collecting some email or parts of email is happening. That doesn't mean all email goes through their servers. There's different ways of skimming information.
     
    #3 Crashdamage, Aug 10, 2015
    Last edited: Aug 10, 2015
  4. JoeHill

    JoeHill Lurker
    Rank:
    None
    Points:
    16
    Posts:
    4
    Joined:
    Mar 19, 2011

    Mar 19, 2011
    4
    1
    16
    It doesn't look to me like the URL you gave has anything to do with the K-9 mail client.

    http://www1.k9webprotection.com says "K9 Web Protection is a free Internet filter and parental control software for your home Windows or Mac computer." That seems to be something completely unrelated to the K-9 mail client for Android, with the only connection being the similar (but not identical) name.

    I tried K-9 with an IMAP server I control. As far as I can tell from the logs, the only relevant connection is from the IP address associated with the Android device I was using. I have not, however, done a code review on the K-9 email app and I can't say that it isn't doing something nefarious once the emails are downloaded to the Android device. But I certainly couldn't find any information on the K-9 project website or wiki indicating that they collect information and store it on "their server". Of course, whether an email client is "insecure" or "secure" has to do with a lot of other factors besides whether the producer stores information about users.

    I haven't checked anything on the other mail apps.
     
    Crashdamage likes this.
  5. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    Fixed my mistake on K-9. Apologies. I knew I put that "*** No privacy statement or could not find." condition in there for a reason...it was for K-9.

    Don't crucify me if I made other mistakes, possible I did It's just something I put together because out of curiosity I was looking up privacy statements and I thought somone else might want to know what I found. Jeez, I did the whole thing messin' around on a tablet. If I goofed somewhere just let me know and I'll fix it quick.
     
  6. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    EDIT: Links to Privacy Statements have been moved to the first post in this thread to consolidate all the information in one place.
     
    #6 Crashdamage, Aug 10, 2015
    Last edited: Sep 28, 2015
    AZgl1500, codesplice and Hadron like this.
  7. El Presidente

    El Presidente Beware The Milky Pirate!
    Moderator
    Rank:
     #5
    Points:
    3,118
    Posts:
    32,120
    Joined:
    Jan 3, 2011

    Jan 3, 2011
    32,120
    24,096
    3,118
    Scotland
    Ditched Cloudmagic and went with Aqua based on your findings, thanks!
     
    Crashdamage likes this.
  8. Fakharuddin Manik

    Rank:
    None
    Points:
    16
    Posts:
    5
    Joined:
    Apr 10, 2015

    Apr 10, 2015
    5
    1
    16
    Male
    Blogger
    Dhaka
    Currently I'm using MyMail email clients, but how can I confirmed that this is insecure for me?
     
  9. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    Whether or not it is "secure" is kinda left up to you, what you consider secure.

    I'm just putting out some information for people to take into account when choosing an email client. Privacy statements are one of the most boring things known to exist. I'm trying to lighten the load a bit.

    It's really pretty simple...

    1. If no information is stored on 3rd party servers, no information is distributed or sold without knowledge or permission, then common sense tells me that should be considered to be secure.

    2. But if information is stored on 3rd party servers, if information is distributed or sold either with, or especially without knowledge or permission, then common sense tells me that should be considered to be insecure.

    3. No privacy statement or definitive information could be found regarding storage or distribution of information.

    So I used the KISS rule and just made three classifications and some notes.

    Let me be clear - I'm not saying that if your email client is on the Insecure list that your email is in danger of theft or will actually be read by unknown people or organizations. But the privacy statements for those on the Insecure list leave open the possibility that your information could end up in places you would not want and are troubling.

    As for me, I take security seriously but I'm not extremely worried about it. No tinfoil hat on me. I mean, I use Google services a lot, including Gmail addresses, syncing contacts, Google Voice, Google Drive, etc. But given a choice between an email client that does nothing with my information and one that does almost anything they want with it, well, that's an obvious choice. That's why I wrote this up.

    But back to Mr. Manik's question...Read the privacy statement for MyMail. IMHO it has some bad language in it, but it's your decision whether or not to keep using MyMail.
     
    #9 Crashdamage, Aug 11, 2015
    Last edited: Aug 11, 2015
    El Presidente likes this.
  10. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    Just a quick update...Added a few more clients and did some editing of previous posts for clarity.

    Also just wanted to stress again how impressed I was by the AquaMail statement. Written in plain English instead of legal-speak, it not only makes it clear that no information is stored or shared. It actually is informative. Take a few minutes to read it and you can learn something useful.

    And AquaMail is the only client that mentioned testing, claiming to have passed emailprivacytester.com unconditionally. (The statement has a typo in the website, emailprivacytester.com is correct). I ran the test a couple of times and AquaMail did pass 100%.

    I have not tested other email clients. Maybe I'll do a little project on that next, if there's some interest in it.

    Read the statement. It's an easy read and worthwhile.
     
    #10 Crashdamage, Aug 11, 2015
    Last edited: Aug 11, 2015
    AZgl1500 and Hadron like this.
  11. electricpete

    electricpete Android Expert
    Rank:
     #62
    Points:
    393
    Posts:
    2,073
    Joined:
    Jan 7, 2012

    Jan 7, 2012
    2,073
    1,029
    393
    Male
    Electrical Engineer
    It's a good post. I'm in emphatic agreement on importance of email security since email is part of the process of establishing identify, involved in verification of password changes, notification of suspicious activity etc.
    To summarize, your view is the obvious choice is NOT gmail.

    I'm of the opposite opinion. Personally I don't mind targeted ads (I actually prefer them to random irrelevant ads) and I don't mind seeing reminders of tracked packages, flights etc stuffed mysteriously into my personal Google Now widget which is not visible to anyone else on the planet (they are occasionally quite handy). If I don't want those things, I'm pretty sure I could opt out of them in gmail/google settings. I'm also pretty sure a company valued in hundreds of Billions that relies so heavily on user trust/confidence has got a lot more to lose than to gain by abusing my personal info in some way that would harm me, or selling it to someone. So I trust their integrity. I also trust their competence to protect my private info from malicious intercept by 3rd parties. So I'm curious what it is that bothers you about gmail.. just the principle of the thing?

    I realize there are plenty that feel the same way (I think) you do. My perception is their reaction is based primarily on the shock of seeing that Google doesn't try to hide at all that that info is being harvested from email (for benign purposes like targeted ads and google now).

    Other email domains surely do the same. They are just not so in-your-face about it, so you probably won't even know it unless you study the privacy agreements.

    Example MS summary with embedded supporting links:
    http://www.rockpapershotgun.com/2015/07/30/windows-10-privacy-settings/
    Sorry if this is too far a diversion from the main thread. Let me know if it is and I'll take it up some other place or time.
     
    #11 electricpete, Aug 11, 2015
    Last edited: Aug 11, 2015
  12. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    ??? Not sure what gave you the notion I have a thing about Gmail. Not at all. I use Gmail a lot. I don't use the Gmail app because I don't like it much. But I have no problem with Gmail itself.

    I have gone into Google Dashboard and opted out of pretty much everything. I don't tweet. I don't Facebook. I try to stay away from that stuff. I do agree that Google is reasonably upfront and honest about how they make their money.

    Now, I have no illusions about Gmail being truly private. Or ANY electronic communications being truly private. Someone somewhere is monitoring everything. Or you should assume they are. You're a fool to think not.

    And I agree that because email is used for more critical communication than tweets or Facebook Messenger, we need to pay attention to keeping email relatively secure.

    But that's not what my little survey is about. It's simply about whether or not your email client is storing passwords and/or sharing or selling your information to advertisers or other entities you may not want to share it with.

    And that's really all I tried to do.

    Unfortunately, ya gotta find and look through privacy statements to find out. My life is boring enough that, God forbid, I found myself actually looking at privacy statements. Since nobody else was ever gonna do it, and to keep the time I already had spent at it from being a complete waste, I decided to share my misery and write it up in a post.
     
    #12 Crashdamage, Aug 11, 2015
    Last edited: Aug 11, 2015
  13. electricpete

    electricpete Android Expert
    Rank:
     #62
    Points:
    393
    Posts:
    2,073
    Joined:
    Jan 7, 2012

    Jan 7, 2012
    2,073
    1,029
    393
    Male
    Electrical Engineer
    The sentences I quoted led me in that direction. The "but" seemed to imply a problem with the subject of the previous sentence (about google). The punchline to the "but" seemed to be an email client that does anything they want with your information.

    I guess I read too much into your choice of coordinating conjunction ;-)

    Never mind.
     
    Crashdamage likes this.
  14. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    No problem. We agree to agree. We can get together sometime for milk and cupcakes and sing in perfect harmony.

    Or maybe not...
     
    Slidejoy and electricpete like this.
  15. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    Mods...anyone think this might be worthy of a sticky?
     
  16. Unforgiven

    Unforgiven OK Google
    Moderator
    Rank:
     #1
    Points:
    4,238
    Posts:
    36,321
    Joined:
    Jun 23, 2010

    Jun 23, 2010
    36,321
    42,477
    4,238
    Male
    Douglas, MA
    It's already been highlighted on the AF G+ feed.:)
     
    Crashdamage likes this.
  17. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    I didn't know there was such a thing. Where do I find it?
     
  18. Unforgiven

    Unforgiven OK Google
    Moderator
    Rank:
     #1
    Points:
    4,238
    Posts:
    36,321
    Joined:
    Jun 23, 2010

    Jun 23, 2010
    36,321
    42,477
    4,238
    Male
    Douglas, MA
    Feonor and electricpete like this.
  19. codesplice

    codesplice Elite Recognized Moderator
    Moderator
    Rank:
     #14
    Points:
    1,563
    Posts:
    8,804
    Joined:
    Oct 29, 2013

    Oct 29, 2013
    8,804
    10,192
    1,563
    Male
    SysAdmin
    Huntsville, AL
    https://plus.google.com/+Androidforums/posts

    Pro-tip: Feel free to Report any posts that you think should be highlighted on the social site. :thumbsupdroid:
     
    Unforgiven and Crashdamage like this.
  20. codesplice

    codesplice Elite Recognized Moderator
    Moderator
    Rank:
     #14
    Points:
    1,563
    Posts:
    8,804
    Joined:
    Oct 29, 2013

    Oct 29, 2013
    8,804
    10,192
    1,563
    Male
    SysAdmin
    Huntsville, AL
    Back on topic, though, since Google uses a blanket Privacy Policy for most (if not all) of their services and apps, it can be kind of tricky to separate whether the client or the service is responsible for taking a peek at your info (for benign purposes like relevant ads or Google Now integration).

    I'd wager that it's done on the server (service) side - which means that Google is looking at your data regardless of what email client you use to access it.
     
    electricpete likes this.
  21. Hadron

    Hadron  
    VIP Member
    Rank:
     #7
    Points:
    2,218
    Posts:
    22,844
    Joined:
    Aug 9, 2010

    Aug 9, 2010
    22,844
    16,270
    2,218
    Spacecorp Test Pilot
    Dimension Jumping
    Oh aye, I'm sure that Google look at GMail content regardless. I see the question as whether other parties, such as the people providing the email app, are potentially doing so as well (or providing another place where your information could leak from even if they are not abusing it).
     
    codesplice likes this.
  22. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    What you're saying is, encryption aside, there's 2 parts that determine the relative security of our email:

    1. The email service provider.
    Well, they're gonna do what they do, as will any 3-letter agencies along the way between sender and recipient. IMHO only a fool would assume that ANY electronic communication goes through without someone peeking at it.

    I did not try to determine what service providers or 3-letter agencies are doing. And they haven't called lately to let me know.

    2. The email client.
    Obviously, the email client cannot be held responsible for what the sender's email service provider, or the recipient's service provider, may be doing regarding peeking at email. What we can and should hold email clients responsible for is what *they* do with regards to storing passwords, data mining and data sharing.

    Does an email client route email through company servers for info skimming? Or does the email client look for certain information and send it back to company servers?
    They're not telling.

    Is such data and/or passwords stored by the client company? Do they sell or otherwise share saved info?
    Sometimes they're telling.

    I did try and give very basic answers to some of these questions. VERY basic. More exact, and therefore more meaningful answers would need a lot more research. And cooperation from those involved, which might not be easy to get.
     
    #22 Crashdamage, Aug 12, 2015
    Last edited: Aug 12, 2015
    codesplice likes this.
  23. StRanger

    StRanger Lurker
    Rank:
    None
    Points:
    6
    Posts:
    9
    Joined:
    Aug 26, 2015

    Aug 26, 2015
    9
    6
    6
    This is a useful compilation!

    For completeness: In Google Play, this website is referenced for MailDroid: http://flipdogsolutions.com/
    (The earliest dates of the posts in the forum there are from mid-August of 2015. It looks like this website is very fresh, 1-2 weeks old.)
     
    Crashdamage and El Presidente like this.
  24. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    Thanks StRanger. Rating for Maildroid updated and did some more editing to the original post, again to add some clarity.

    The Maildroid website is definitely new. I still couldn't find a privacy statement on it though.
     
    #24 Crashdamage, Aug 27, 2015
    Last edited: Aug 27, 2015
  25. Crashdamage

    Crashdamage Android Expert
    Thread Starter
    Rank:
    None
    Points:
    643
    Posts:
    4,446
    Joined:
    Feb 25, 2011

    Feb 25, 2011
    4,446
    2,753
    643
    Mostly retired
    Kansas City, Mo.
    Some changes: I did some more editing for clarity of the criteria for secure/insecure. It's the 3 points above the list itself.

    Also, I had a complaint about the rating for CloudMagic, saying it should be moved to Secure because their privacy statement clearly says that information is not shared and everything is encrypted.

    I re-read the privacy statement for CloudMagic and decided I had kept things too simple. Plus, CloudMagic is kind of a special case. It required adding another definition. Check the new 5 star rating definition.

    IMHO an email client that downloads your email, creates an account, collects "certain data" and "store your data: emails" and "surfaces contextual Cards that help you get your work done. CloudMagic pulls the data from respective tools." (what 'tools'?) simply cannot be considered to be a secure email client, regardless of their use of encryption, etc.

    Therefore, CloudMagic remains on the insecure list.
     

Share This Page

Loading...