Export to Dropbox etc I have no problem with. On the password issue I'm still against it:
Yes, you could check for fingerprints. Of course this area is barely standardised. Samsung for instance I believe have their own API. Or at least had. And it only exists on newer phones. So even before you start you're limiting yourself. The 20 accounts thing was a serious point. To me exporting settings is something a user does maybe once a year to upgrade phones. Entering a couple of passwords once a year is not particularly onerous. I asked you to clarify 'we' because I'm genuinely trying to work out why it's worth K-9 developers adding and then maintaining this feature. Cost of developing it is probably small in comparison to cost of maintenance. K-9 has lots of settings, and these settings can interact in odd ways. Often it is that interaction that causes issues. And while I'm not against a configurable app, I'm also opposed to adding more dialogues and UX to functionality. That K-9 is not suitable for the average user is a problem to me, not a selling point. So adding a dialog and security check and file encryption then maintaining that indefinitely so a user doesn't have to verify they know the password to their own email account at most once a year... Yeah I don't see it. - Philip On November 13, 2016 12:58:43 PM GMT+00:00, finbarr69 <[email protected]> wrote: >Thanks. What you say all makes sense. However, I would submit that one >cannot assume the average user does not have 20+ accounts in K9, unless >you >have some data to back up that assumption? The average user would be >using >the stock email app, not the excellent K9 :-) > >Regarding passwords , all the ones I have to deal with are randomly >generated, wildly different from each other, usually at least 16 >characters >and so not easy to remember. The phone is protected by fingerprint and >pin. Would it not be possible to request from the operating system a >security check before exporting the file? There is an API hook ><https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication> >to do this, and other apps can do it. Once authenticated, ask for a >password to encrypt the settings. If the user has no lock on the phone >and >no fingerprint sensor, then K9 could export without the passwords, and >give >a warning to this effect. > >Also, if the phone can import settings from cloud storage (eg Dropbox), >it >should have the ability to export there too. :-) > >Warmest regards, > >Brian > > >On 10 November 2016 at 12:25, Philip Whitehouse <[email protected]> >wrote: > >> On 2016-11-10 11:05, finbarr69 wrote: >> >>> In migrating from one phone to another, we want it to be as easy as >>> possible. I used the Helium app to backup all the apps (and their >>> data) and restore them, but sadly it didn't backup the K9 data, >>> presumably because it stores it in a non-standard way? >>> >> >> The data is stored in an SQL database, the account settings are >stored in >> device preferences. It's all pretty standard. >> >> Storing the settings in account preferences means it is is encrypted >(and >> fairly difficult to get to from another app). >> >> I would guess Helium doesn't back-up preferences. I would be >surprised if >> it had access on a non-rooted phone frankly. >> >> >>> So, plan B, export then import. Export has its problems because it >>> only exports to the local filesystem, not to Dropbox or SD (though, >>> Import has the ability to import from Dropbox or SD). Anyway, using >>> a file manager app, I managed to find and copy the exported file >over >>> to Dropbox and import it on the new phone. BUT... I then have to >>> re-input all my email passwords. This is very tedious when I've 20 >>> email accounts in K9 and the passwords are all very obscure and >>> different :-) >>> >>> So, here's my feature request. Please can the account passwords be >>> included in the export? Even if we have to encrypt the export with >a >>> master password, this would really help when migrating phones. >>> Please also can we have the option to send the exported file to >>> Dropbox (or wherever, same as the import options are?). >>> >>> >> The question here is what is the threat model. >> >> 1. The file itself could be intercepted. >> >> This makes the master password idea seem reasonable. Encrypting the >file >> prevents it being used. >> >> 2. The act of exporting the settings is the vulnerability. >> >> If you grab someone's phone, right now there is no way to retrieve >the >> account password. >> >> If we add this feature, there will be. Simply export the file with a >> master password, then decrypt the file using that password. There is >no way >> to prevent this. >> >> You could argue that device security is the responsibility of the >phone >> password. But equally file security is the responsibility of the >user. >> >> Who is 'we' here? I would suggest having 20 accounts on K-9 is a rare >> case. And having a password you can't remember is generally not >normal >> practice anyway. >> >> I feel like this is an edge case that doesn't justify the code or the >> insecurity. >> >> >> Oh, also an easier way to move the accounts up or down would be >>> appreciated. Drag and drop would be ideal. At present one has to >>> long hold on an account and press Move Up (or Move down) and then >>> repeat it until the desired position is achieved (then repeat for >all >>> the other accounts). >>> >> >> I don't have a problem with this - I would guess you'd enable a >re-order >> mode. I have no idea about how easy it is to implement. >> >> >>> I'd be happy to make a donation if it helps. >>> >> >> Personally not for me - maybe for some of the other developers or >someone >> else willing to do it contract-style. >> >> >>> Thanks! >>> >>> Brian >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "K-9 Mail" group. >>> To unsubscribe from this group and stop receiving emails from it, >>> send an email to [email protected]. >>> For more options, visit https://groups.google.com/d/optout [1]. >>> >>> >>> Links: >>> ------ >>> [1] https://groups.google.com/d/optout >>> >> >> -- >> You received this message because you are subscribed to a topic in >the >> Google Groups "K-9 Mail" group. >> To unsubscribe from this topic, visit https://groups.google.com/d/to >> pic/k-9-mail/L8k4qdMZ-vk/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> [email protected]. >> For more options, visit https://groups.google.com/d/optout. >> > >-- >You received this message because you are subscribed to the Google >Groups "K-9 Mail" group. >To unsubscribe from this group and stop receiving emails from it, send >an email to [email protected]. >For more options, visit https://groups.google.com/d/optout. Best regards, Philip Whitehouse -- You received this message because you are subscribed to the Google Groups "K-9 Mail" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
