<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8">
</head>
<body>
<div><div class="plaintext"><p dir="auto">On 5 Sep 2020, at 8:38, Bryce Wray wrote:</p>
<blockquote><p dir="auto">On 5 Sep 2020, at 5:28, Charlie Garrison wrote:<br>
</p>
<blockquote><p dir="auto">Fair warning to all who are looking at new mail programs - read __very carefully__ the privacy policy for Spark. Unless they have changed, using their program means giving __their servers__ access to all your email. If you don't mind handing over all your email, the Spark UI isn't too bad. I use email mostly for business and giving Spark access to all of it was complete non-starter. (Which I discovered the hard way, and then had a fun couple of days working out how bad the damage was. 😞)<br>
<br>
I have complete trust in MailMate though, and it would be nice to have an iOS alternative that is as nice to use. I chose Edison Mail (Email) - it's no MailMate, but good enough to replace Apple Mail on my phone and tablet.<br>
<br>
-cng</p>
</blockquote><p dir="auto">Just so you know, the folks behind Edison Mail (which, admittedly, is a nice-to-use app) have had their shares of privacy issues, too:<br>
<br>
<a href="https://www.macrumors.com/2020/05/16/edison-mail-sync-bug/">https://www.macrumors.com/2020/05/16/edison-mail-sync-bug/</a><br>
<br>
<a href="https://www.vice.com/en_ca/article/pkekmb/free-email-apps-spying-on-you-edison-slice-cleanfox">https://www.vice.com/en_ca/article/pkekmb/free-email-apps-spying-on-you-edison-slice-cleanfox</a><br>
</p>
</blockquote><p dir="auto">If I understand this correctly, Spark's architecture requires them to<br>
have access to your email passwords. To me, that's a complete<br>
non-starter; your email password is the most important one you<br>
have, since it can be used to reset all of your other passwords.</p>
<p dir="auto">Edison, though, appears to have a badly broken credential-sync<br>
feature. In particular, although they (I hope!) use encryption for<br>
transport of your credentials, the passwords themselves are not<br>
encrypted only to you. That speaks poorly of their competence in<br>
security, since (even apart from that bug) if they were hacked<br>
everyone's plaintext passwords would be captured. Your passwords<br>
should be encrypted on your device—preferably with a random<br>
key—and they should see only ciphertext. Apple got this right, but<br>
it's actually a very hard problem to solve properly.</p>
<p dir="auto"> --Steve Bellovin, <a href="https://www.cs.columbia.edu/~smb">https://www.cs.columbia.edu/~smb</a></p>
</div>
</div>
</body>
</html>