Email - which apps keep it private

[Crashdamage]

Sharing your information and keeping private information or downloading your emails on a company's servers bothers a lot of users and rightfully so. Out of curiosity, privacy statements and other information was checked for some of the most popular email clients to see how they treat security and privacy and if they download your email to their servers rather than giving direct access from your device to your email server.

Below is a list of the results. It's not complete but it does include many of the most popular email clients. Hopefully this will be of some use to those who are concerned about how their email is routed and what is happening to their information.

The more stars a client is assigned, the more strikes against it. So one star is good, six stars is bad. The information in this report is a combination of information from the email client's websites, their privacy statements, and product reviews from various sources. Rankings may be, admittedly and necessarily, somewhat subjective but that was a minor factor. A sincere effort has been made to stick to the facts and just the facts and that is the real basis for the rankings.

Additions and corrections to the list are always welcome, of course. Please contribute any information to help make this complete and accurate.

Unfortunately, the results were very disappointing. Most of the clients failed to meet the very basic privacy requirements as defined for the purposes of this list. Which are simply:

1. A client is considered insecure if it does keep information about you on their servers and/or may share it for various purposes.
2. A client is considered insecure if email is downloaded to their servers.
3. A client is considered secure if it does not keep your email or information about you on their servers and/or share it.

Email Security Test: In addition to the findings of this survey, run a security test of your email client. Email Privacy Tester is a free and effective way to test your email client for privacy leaks and security bugs:

https://emailprivacytester.com/

To be clear, no effort was made to install and test the email clients listed on the test site. Rankings below are based on other information. Remember, I do not install and test the email clients listed. I HIGHLY recommend installing any client you are considering and testing it at the above site.

THE RESULTS

Insecure email clients:
Boxer**
Inbox**
Gmail**
MailWise**
CloudMagic*****
TypeMail******
MyMail******
Microsoft Outlook******
BlueMail******
Mailbox*****
Alto******
Solmail**
Yahoo Mail**

Secure email clients:
AquaMail*
K-9*,
Nine*
Maildroid***
K-@ Mail*

Status unknown:
Touchdown****

* Has privacy statement, does not store or share information.
** Has privacy statement, does store and share information.
*** No privacy statement or could not find. Developer says no information is kept or shared.
**** No privacy statement or could not find.
***** Has privacy statement, does not share information. Does download email to their servers.
****** Has privacy statement, does share information. Does download email to their servers.

NOTE: Not all sites ranked '**' store passwords. Some do. However, if assigned a 2 star rank they admit they may share information for ads or other purposes. Read the privacy statements for details.

NOTE: Clients ranked '*****' (5 stars) or '******' (6 stars) download your email to a server for distribution, rather than the email client accessing and downloading your email directly to you from the mailserver. The email client server may be operated by another party under contract to the email client company. For example, TypeMail uses Amazon Web Services servers.
Any client that downloads your email to a server must be considered very questionable!

NOTE: The AquaMail privacy policy statement linked below is not the usual boring legalese. Written in plain language, it's actually informative and interesting, and is the only one to mention any security testing.
AquaMail Privacy Policy
This is how it should be done! A must read!
http://www.aqua-mail.com/?page_id=1878

Privacy statemeñt links'

K-9' https://github.com/site/privacy:
TypeMail' https://github.com/site/privacy: http://www.typeapp.com/privacy/
MyMail: http://legal.my.com/us/mail/privacy/
CloudMagic: https://cloudmagic.com/k/privacypolicy
Mailwise: http://mail-wise.com/privacy/
Outlook: https://www.acompli.com/privacy-policy/
Gmail: http://www.google.com/policies/privacy/ (generic Google)
Inbox: http://www.google.com/policies/privacy/ (generic Google)
Nine: No formal privacy statement, but this was taken from Play store description: "** Note: Nine is not cloud based. It stores your accounts’ passwords only on the actual device. It connects only to the actual mail servers. It stores your messages only on the device."
Mailbox (by Dropbox): https://www.dropbox.com/privacy?mobile=1
Note: Mailbox is shutting down operations on Feb 26, 2016.
Boxer: http://www.getboxer.com/privacy/
BlueMail: https://bluemail.me/privacy/
Maildroid: None found. Nice new website here: http://flipdogsolutions.com/
Alto: http://privacy.aol.com/privacy-policy
Solmail: http://mail.sol.daum.net/mail?lang=en
Yahoo Mail: https://policies.yahoo.com/us/en/yahoo/privacy/topics/mobile/index.htm
K-@ Mail: https://github.com/site/privacy

 

[JoeHill]

Could you post links to these privacy statements? I can't find the one for K-9, for instance. As far as I know, K-9 is an open-source project currently hosted on github and I'm not sure what you mean by "their server". Is a user expected to register and set up an account with K-9 in order to use the mail client? Or do you mean that K-9 transfers emails from, e.g., your IMAP server to a K-9 host before transferring them to your Android device?

 

[Crashdamage]

Here is K-9:

**Sorry, my mistake, should have been listed as unable to find. Corrected the original post.

The rest are easy to find. There's either a link in the Play store description or you can find it on their website.

By 'their server' I simply meant whatever server is used to stash collected information.

From the information provided, it seems likely that collecting some email or parts of email is happening. That doesn't mean all email goes through their servers. There's different ways of skimming information.

 

[JoeHill]

It doesn't look to me like the URL you gave has anything to do with the K-9 mail client.

http://www1.k9webprotection.com says "K9 Web Protection is a free Internet filter and parental control software for your home Windows or Mac computer." That seems to be something completely unrelated to the K-9 mail client for Android, with the only connection being the similar (but not identical) name.

I tried K-9 with an IMAP server I control. As far as I can tell from the logs, the only relevant connection is from the IP address associated with the Android device I was using. I have not, however, done a code review on the K-9 email app and I can't say that it isn't doing something nefarious once the emails are downloaded to the Android device. But I certainly couldn't find any information on the K-9 project website or wiki indicating that they collect information and store it on "their server". Of course, whether an email client is "insecure" or "secure" has to do with a lot of other factors besides whether the producer stores information about users.

I haven't checked anything on the other mail apps.

 

[Crashdamage]

Fixed my mistake on K-9. Apologies. I knew I put that "*** No privacy statement or could not find." condition in there for a reason...it was for K-9.

Don't crucify me if I made other mistakes, possible I did It's just something I put together because out of curiosity I was looking up privacy statements and I thought somone else might want to know what I found. Jeez, I did the whole thing messin' around on a tablet. If I goofed somewhere just let me know and I'll fix it quick.

 

[Crashdamage]

EDIT: Links to Privacy Statements have been moved to the first post in this thread to consolidate all the information in one place.

 

[El Presidente]

Ditched Cloudmagic and went with Aqua based on your findings, thanks!

 

[Fakharuddin Manik]

Currently I'm using MyMail email clients, but how can I confirmed that this is insecure for me?

 

[Crashdamage]

Currently I'm using MyMail email clients, but how can I confirmed that this is insecure for me?

Whether or not it is "secure" is kinda left up to you, what you consider secure.

I'm just putting out some information for people to take into account when choosing an email client. Privacy statements are one of the most boring things known to exist. I'm trying to lighten the load a bit.

It's really pretty simple...

1. If no information is stored on 3rd party servers, no information is distributed or sold without knowledge or permission, then common sense tells me that should be considered to be secure.

2. But if information is stored on 3rd party servers, if information is distributed or sold either with, or especially without knowledge or permission, then common sense tells me that should be considered to be insecure.

3. No privacy statement or definitive information could be found regarding storage or distribution of information.

So I used the KISS rule and just made three classifications and some notes.

Let me be clear - I'm not saying that if your email client is on the Insecure list that your email is in danger of theft or will actually be read by unknown people or organizations. But the privacy statements for those on the Insecure list leave open the possibility that your information could end up in places you would not want and are troubling.

As for me, I take security seriously but I'm not extremely worried about it. No tinfoil hat on me. I mean, I use Google services a lot, including Gmail addresses, syncing contacts, Google Voice, Google Drive, etc. But given a choice between an email client that does nothing with my information and one that does almost anything they want with it, well, that's an obvious choice. That's why I wrote this up.

But back to Mr. Manik's question...Read the privacy statement for MyMail. IMHO it has some bad language in it, but it's your decision whether or not to keep using MyMail.

 

[Crashdamage]

Just a quick update...Added a few more clients and did some editing of previous posts for clarity.

Also just wanted to stress again how impressed I was by the AquaMail statement. Written in plain English instead of legal-speak, it not only makes it clear that no information is stored or shared. It actually is informative. Take a few minutes to read it and you can learn something useful.

And AquaMail is the only client that mentioned testing, claiming to have passed emailprivacytester.com unconditionally. (The statement has a typo in the website, emailprivacytester.com is correct). I ran the test a couple of times and AquaMail did pass 100%.

I have not tested other email clients. Maybe I'll do a little project on that next, if there's some interest in it.

Read the statement. It's an easy read and worthwhile.

 

[electricpete]

It's a good post. I'm in emphatic agreement on importance of email security since email is part of the process of establishing identify, involved in verification of password changes, notification of suspicious activity etc.

I use Google services a lot, including Gmail addresses, syncing contacts, Google Voice, Google Drive, etc. But given a choice between an email client that does nothing with my information and one that does almost anything they want with it, well, that's an obvious choice

To summarize, your view is the obvious choice is NOT gmail.

I'm of the opposite opinion. Personally I don't mind targeted ads (I actually prefer them to random irrelevant ads) and I don't mind seeing reminders of tracked packages, flights etc stuffed mysteriously into my personal Google Now widget which is not visible to anyone else on the planet (they are occasionally quite handy). If I don't want those things, I'm pretty sure I could opt out of them in gmail/google settings. I'm also pretty sure a company valued in hundreds of Billions that relies so heavily on user trust/confidence has got a lot more to lose than to gain by abusing my personal info in some way that would harm me, or selling it to someone. So I trust their integrity. I also trust their competence to protect my private info from malicious intercept by 3rd parties. So I'm curious what it is that bothers you about gmail.. just the principle of the thing?

I realize there are plenty that feel the same way (I think) you do. My perception is their reaction is based primarily on the shock of seeing that Google doesn't try to hide at all that that info is being harvested from email (for benign purposes like targeted ads and google now).

Other email domains surely do the same. They are just not so in-your-face about it, so you probably won't even know it unless you study the privacy agreements.

Example MS summary with embedded supporting links:
http://www.rockpapershotgun.com/2015/07/30/windows-10-privacy-settings/

the long and short of it is the operating system assigns you a unique advertising ID, which is is tied to the email address you’ve associated with Windows and fed data from a great many facets of your computer usage. Including the contents of messages and calendars, apps and networks, some purchases and whatever you upload to Microsoft’s unreliable OneDrive cloud storage. Using the Cortana search assistant makes the harvest even more aggressive, and of course the OS claims it’s all in the name of a better, more accurate online experience for you.

Sorry if this is too far a diversion from the main thread. Let me know if it is and I'll take it up some other place or time.

 

[Crashdamage]

??? Not sure what gave you the notion I have a thing about Gmail. Not at all. I use Gmail a lot. I don't use the Gmail app because I don't like it much. But I have no problem with Gmail itself.

I have gone into Google Dashboard and opted out of pretty much everything. I don't tweet. I don't Facebook. I try to stay away from that stuff. I do agree that Google is reasonably upfront and honest about how they make their money.

Now, I have no illusions about Gmail being truly private. Or ANY electronic communications being truly private. Someone somewhere is monitoring everything. Or you should assume they are. You're a fool to think not.

And I agree that because email is used for more critical communication than tweets or Facebook Messenger, we need to pay attention to keeping email relatively secure.

But that's not what my little survey is about. It's simply about whether or not your email client is storing passwords and/or sharing or selling your information to advertisers or other entities you may not want to share it with.

And that's really all I tried to do.

Unfortunately, ya gotta find and look through privacy statements to find out. My life is boring enough that, God forbid, I found myself actually looking at privacy statements. Since nobody else was ever gonna do it, and to keep the time I already had spent at it from being a complete waste, I decided to share my misery and write it up in a post.

 

[electricpete]

The sentences I quoted led me in that direction. The "but" seemed to imply a problem with the subject of the previous sentence (about google). The punchline to the "but" seemed to be an email client that does anything they want with your information.

I guess I read too much into your choice of coordinating conjunction ;-)

Never mind.

 

[Crashdamage]

No problem. We agree to agree. We can get together sometime for milk and cupcakes and sing in perfect harmony.

Or maybe not...

 

[Crashdamage]

Mods...anyone think this might be worthy of a sticky?

 

[Unforgiven]

It's already been highlighted on the AF G+ feed.

 

[Crashdamage]

It's already been highlighted on the AF G+ feed.

I didn't know there was such a thing. Where do I find it?

 

[Unforgiven]

I didn't know there was such a thing. Where do I find it?

https://plus.google.com/u/0/+Androidforums/posts

 

[codesplice]

I didn't know there was such a thing. Where do I find it?

https://plus.google.com/+Androidforums/posts

Pro-tip: Feel free to Report any posts that you think should be highlighted on the social site.

 

[codesplice]

Back on topic, though, since Google uses a blanket Privacy Policy for most (if not all) of their services and apps, it can be kind of tricky to separate whether the client or the service is responsible for taking a peek at your info (for benign purposes like relevant ads or Google Now integration).

I'd wager that it's done on the server (service) side - which means that Google is looking at your data regardless of what email client you use to access it.

 

[Hadron]

Oh aye, I'm sure that Google look at GMail content regardless. I see the question as whether other parties, such as the people providing the email app, are potentially doing so as well (or providing another place where your information could leak from even if they are not abusing it).

 

[Crashdamage]

...it can be kind of tricky to separate whether the client or the service is responsible for taking a peek at your info (for benign purposes like relevant ads or Google Now integration...I'd wager that it's done on the server (service) side - which means that Google is looking at your data regardless of what email client you use to access it.

What you're saying is, encryption aside, there's 2 parts that determine the relative security of our email:

1. The email service provider.
Well, they're gonna do what they do, as will any 3-letter agencies along the way between sender and recipient. IMHO only a fool would assume that ANY electronic communication goes through without someone peeking at it.

I did not try to determine what service providers or 3-letter agencies are doing. And they haven't called lately to let me know.

2. The email client.
Obviously, the email client cannot be held responsible for what the sender's email service provider, or the recipient's service provider, may be doing regarding peeking at email. What we can and should hold email clients responsible for is what *they* do with regards to storing passwords, data mining and data sharing.

Does an email client route email through company servers for info skimming? Or does the email client look for certain information and send it back to company servers?
They're not telling.

Is such data and/or passwords stored by the client company? Do they sell or otherwise share saved info?
Sometimes they're telling.

I did try and give very basic answers to some of these questions. VERY basic. More exact, and therefore more meaningful answers would need a lot more research. And cooperation from those involved, which might not be easy to get.

 

[StRanger]

...
Maildroid****
...
**** No website, developer says no info kept or shared.

This is a useful compilation!

For completeness: In Google Play, this website is referenced for MailDroid: http://flipdogsolutions.com/
(The earliest dates of the posts in the forum there are from mid-August of 2015. It looks like this website is very fresh, 1-2 weeks old.)

 

[Crashdamage]

Thanks StRanger. Rating for Maildroid updated and did some more editing to the original post, again to add some clarity.

The Maildroid website is definitely new. I still couldn't find a privacy statement on it though.

 

[Crashdamage]

Some changes: I did some more editing for clarity of the criteria for secure/insecure. It's the 3 points above the list itself.

Also, I had a complaint about the rating for CloudMagic, saying it should be moved to Secure because their privacy statement clearly says that information is not shared and everything is encrypted.

I re-read the privacy statement for CloudMagic and decided I had kept things too simple. Plus, CloudMagic is kind of a special case. It required adding another definition. Check the new 5 star rating definition.

IMHO an email client that downloads your email, creates an account, collects "certain data" and "store your data: emails" and "surfaces contextual Cards that help you get your work done. CloudMagic pulls the data from respective tools." (what 'tools'?) simply cannot be considered to be a secure email client, regardless of their use of encryption, etc.

Therefore, CloudMagic remains on the insecure list.