On 04.04.2014 17:27, water lilies wrote: > Data folder inside com.fsck.K9 folder inside Android folder contains a > folder which contains a complete copy of email attachments I > downloaded and opened. > > Another folder inside the data folder contains SVG images. Inkscape > could not open them up. What are the SVG images of? > > Inside the Data folder contains two SQLite3 database files with .db > extension. Kate text editor opened them. They contained the entire > content of the emails that were pulled from fastmail.fm server. > > This privacy violation is not disclosed in K-9 wiki. Nor is there an > option to disable logging.
This is a (very obvious) implementation detail. For several reasons K-9 Mail is not designed to work without storing messages locally. Some of them are: * not having to download the message list each time you open a folder saves bandwidth and is much faster * K-9 Mail can display messages when you're offline * it's really hard to be able to open arbitrary attachments using third-party apps without storing the attachment on disk > Is my K-9 email client hacked? > > Or do I need to switch email clients to have privacy? K-9 is in > f-droid.org. I expect privacy from an open source application! Good luck finding another open source email client on Android. Well, there is AOSP Email which in this respect works exactly like K-9 Mail. But I bet there's no closed source client that doesn't cache messages locally either. Regarding the common 'only encrypted data is safe' belief; a simple rule is: If you don't have to provide a secret each time you access some data/start an app, your data isn't encrypted safely. Yes, it might be encrypted, but if the app can decrypt it automatically so can an attacker that gains access to the locally stored app/data. Please note that the reverse isn't always true, i.e. even if you have to provide a secret that doesn't mean the data is properly encrypted using that secret. In short: K-9 Mail doesn't attempt to defend against local attackers with full access to the device. In my opinion device security is not the the job of the app, it's that of the OS. So if you want to encrypt your locally stored data, use full device encryption. -- -- You received this message because you are subscribed to the K-9 Mail Users List. To post to this group, send email to [email protected] To unsubscribe, email [email protected] To report an issue with K-9 Mail, visit http://code.google.com/p/k9mail/issues/list For more options, visit this group at http://groups.google.com/group/k-9-mail --- You received this message because you are subscribed to the Google Groups "K-9 Mail" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
