Solely relying on Android's permission-based security model is a mistake and I'll explain why.

1) Anyone serious about security has no choice but to root their device. A few reasons for this: Android does not come with a firewall, so every app can freely access and be accessed by the network. In order to rectify this you need a good whitelist-based, packet-inspecting (stateful) firewall. This requires root. Also, to rein in the out-of-control permission model of Android (the user has no power over what each app has access to; for instance, if you install an email app, it can access your camera, mic, clipboard, etc. if it wants to) one is forced to install the Xposed Framework along with XPrivacy. This also requires root. I could go on and on about why you need root to enhance security. With the device rooted, each app essentially has root access, so it thus has access to the K-9 Mail password storage file in which your passwords are stored in plain text, unencrypted. Of course, after rooting you would install SuperSU to preserve the permission-based security model to the highest degree possible.

2) A good defense is a layered one. By storing your email passwords unencrypted and in plain text on your device, you are removing a crucial layer. For instance, say you were naive enough to think you can have good security without rooting your phone and placed all your trust in Android's Almighty permission-based security model; once that single layer is penetrated, your passwords are compromised. You are incorrect in assuming Android's encryption scheme will help protect your email passwords in K-9 Mail. If you walk around with your phone shut off all day long, then yes, it will. The moment your phone is turned on and you enter the decryption password, from that point forward any app that requests any file from your device will automatically be served it decrypted. This also includes doing a quick data dump via adb through a USB cable (which bypasses Android permissions, by the way).
Open source (as has been proven in this multi-year-long conversation regarding K-9's horrible weakness in storing users' passwords unencrypted, in plain text) is not always a guarantee that the right path is taken. R2Mail2's developer is very approachable, has answered my questions promptly regarding encryption, and has been very forthcoming. When it comes to security, one has to examine the big picture. I agree open source is the preferred way for most things, but if that means storing my passwords unencrypted in plain text, I'm smart enough to uninstall. Not every product we use in life is open source. My vehicle's safety restraint system is closed source, but I trust it to hopefully save my life some day if called upon.

--
You received this message because you are subscribed to the K-9 Mail Users List.
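The post's complaint is that the account password sits on disk in the clear, so anything that can read the app's files (a root-level process, an adb backup of an unlocked phone) gets the credential directly. The alternative it argues for is encrypting the stored credential under a key the app itself cannot read out. The following is an added example written for this thread, not code from K-9 Mail, R2Mail2 or the post's author: it sketches how an Android mail client could wrap an account password with an AES-GCM key that lives in the Android Keystore (hardware-backed on most devices). The class name, the key alias and the 30-second authentication window are assumptions chosen for illustration.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical credential store (example only): the mail account password is
 * only ever written to app storage as AES-GCM ciphertext. The key material never
 * leaves the Android Keystore, so copying the app's files yields no usable secret.
 */
public final class KeystoreCredentialStore {
    private static final String KEYSTORE_PROVIDER = "AndroidKeyStore";
    private static final String KEY_ALIAS = "mail-account-password"; // assumed alias
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;

    /** What actually gets persisted: the random 12-byte GCM nonce plus ciphertext||tag. */
    public static final class Sealed {
        public final byte[] iv;
        public final byte[] ciphertext;
        Sealed(byte[] iv, byte[] ciphertext) { this.iv = iv; this.ciphertext = ciphertext; }
    }

    /** Return the keystore-resident AES key, generating it on first use. */
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE_PROVIDER);
        ks.load(null);
        KeyStore.Entry existing = ks.getEntry(KEY_ALIAS, null);
        if (existing instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) existing).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE_PROVIDER);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // Tie every use of the key to a recent lock-screen unlock. A process that
                // obtains root while the phone sits unlocked cannot keep calling the key
                // indefinitely; it has to wait for (or coerce) another user unlock.
                // Requires a secure lock screen, otherwise key generation throws.
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(30) // assumed window
                .build());
        return kg.generateKey();
    }

    /** Encrypt the password; the keystore chooses a fresh random IV for each call. */
    public static Sealed seal(char[] password) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] plaintext = new byte[encoded.remaining()];
        encoded.get(plaintext);
        try {
            return new Sealed(cipher.getIV(), cipher.doFinal(plaintext));
        } finally {
            Arrays.fill(plaintext, (byte) 0); // do not leave the clear password in heap
        }
    }

    /** Decrypt; throws AEADBadTagException if the stored blob was altered. */
    public static char[] open(Sealed sealed) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(),
                new GCMParameterSpec(GCM_TAG_BITS, sealed.iv));
        byte[] plaintext = cipher.doFinal(sealed.ciphertext);
        try {
            CharBuffer chars = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(plaintext));
            char[] out = new char[chars.remaining()];
            chars.get(out);
            return out; // caller should Arrays.fill(out, '\0') once the IMAP/SMTP login is done
        } finally {
            Arrays.fill(plaintext, (byte) 0);
        }
    }
}
```

Two points worth keeping in mind when reading this against the thread. First, the ciphertext blob is still readable by root or by an adb dump; what changes is that the blob is useless without a key that cannot be exported from the keystore, so the "plain text file" failure the post describes goes away. Second, it is a layer, not a cure: on a rooted and unlocked phone a privileged process can still ask the app (or the keystore, within the authentication window) to decrypt, which is exactly why the post's argument for defence in depth still holds.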
