Android mail apps send your passwords to the manufacturer

German security researcher Mike Kuketz has tested mail apps for Android. He found out that the apps Blue Mail and Type-App send the user's login data including the email passwords to the manufacturer's sites.

Although both apps are said to have different developers, Kuketz found that the POST requests in both apps are nearly identical. This suggests that the same people are behind both apps.

Bottom line: If you were or still are using one of those apps you should assume that your accounts are compromised. Consequently, you should alter your mail passwords as soon as possible!

Kuketz recommends trustworthy open-source mail apps like K-9.

 

It's always been like this or only from a certain version on?

 

I don't know. Kuketz is right now testing various mail apps for Android, and, at least, the current versions are affected.

According to a new blog post several other apps show the same behaviour!

 

According to privacy-handbuch.de the MS Outlook App for iOS and Android is also affected.

 

With all those apps it should be possible to pinpoint those responsible

 

This has always been a concern for me, when it comes to third party email apps for both PC and smartphones.

 

The dev for both apps is a russian guy in Brooklyn, NY. He's shady as ****, has been for years.

 

If you want good email apps for Android:

Maildroid, K9, Nine, Outlook, GMail. That's just about it. I've been using Edison. It's OK... still looking into the security, don't trust it yet.

 

I'm only familiar witk K-9 and agree that it's a good solution. Regarding Outlook - see post #4 above.

 

check out Aquamail. Really good, open source and very privacy friendly.

http://www.aqua-mail.com/?page_id=227

 

Agreed, I had used it, too. But I don't think it is open source ...

 

K9 is excellent.

 

It's too bad K9 dropped support for ActiveSync. You can use AOSP email app which was included in older devices for ActiveSync tho.

 

@Brummelchen @Sampei Nihira
well, i'd like to hear your opinion on this.

 

Today with Play Protect it is more difficult to disregard privacy/security than in the past.
I only have 2 permissions in Blue Mail,basically the ones that almost all my apps have.
Even Avast AV has never flagged anything.

 

I see no mention of Outlook after clicking that link?

 

well, i don't know about you, but in my book, once shady, always shady.

 

Click Datensammler (Apps)

 

thanks for the info, rp.

excerpt from the linked article (translated via google translate):

https://www.privacy-handbuch.de/handbuch_70f.htm

 

Presumably, ProtonMail is safe to use?

JPC

 

Yup. Tutanota and Fairemail is what I'm using. I fail to see why anyone would ever use anything but Fairemail for IMAP.

 

Does ProtonMail app support IMAP/other e-mail providers?

 

no, it doesn't, due to lack of etee.

 

So, technically, the ProtonMail app can only send Proton e-mail password to ProtonMail, right? I don't think that is the issue.
OP post is about sending password from e-mail provider X to e-mail client provider Y.

 

yes, "technically" speaking, that is correct.