[MlMt] OT: iOS mail client

Steven M. Bellovin smb at cs.columbia.edu
Sat Sep 5 10:13:36 EDT 2020


On 5 Sep 2020, at 8:38, Bryce Wray wrote:

> On 5 Sep 2020, at 5:28, Charlie Garrison wrote:
>
>> Fair warning to all who are looking at new mail programs - read 
>> __very carefully__ the privacy policy for Spark. Unless they have 
>> changed, using their program means giving __their servers__ access to 
>> all your email. If you don't mind handing over all your email, the 
>> Spark UI isn't too bad. I use email mostly for business and giving 
>> Spark access to all of it was a complete non-starter. (Which I 
>> discovered the hard way, and then had a fun couple of days working 
>> out how bad the damage was. 😞)
>>
>> I have complete trust in MailMate though, and it would be nice to 
>> have an iOS alternative that is as nice to use. I chose Edison Mail 
>> (Email) - it's no MailMate, but good enough to replace Apple Mail on 
>> my phone and tablet.
>>
>> -cng
>
> Just so you know, the folks behind Edison Mail (which, admittedly, is 
> a nice-to-use app) have had their share of privacy issues, too:
>
> https://www.macrumors.com/2020/05/16/edison-mail-sync-bug/
>
> https://www.vice.com/en_ca/article/pkekmb/free-email-apps-spying-on-you-edison-slice-cleanfox
>
If I understand this correctly, Spark's architecture requires them to
have access to your email passwords. To me, that's a complete
non-starter; your email password is the most important one you
have, since it can be used to reset all of your other passwords.

Edison, though, appears to have a badly broken credential-sync
feature. In particular, although they (I hope!) use encryption for
transport of your credentials, the passwords themselves are not
encrypted only to you. That speaks poorly of their competence in
security, since (even apart from that bug) if they were hacked
everyone's plaintext passwords would be captured. Your passwords
should be encrypted on your device—preferably with a random
key—and they should see only ciphertext. Apple got this right, but
it's actually a very hard problem to solve properly.

         --Steve Bellovin, https://www.cs.columbia.edu/~smb