OK, well, I got a temporary phone because mine was going away for a screen repair. So I had to migrate everything and that included backing up K9 etc onto a temporary phone, then when I restored it and put in all the passwords, I found that K9 didn't tell me some of the passwords were wrong (maybe I mistyped), but simply there were no emails in those accounts. It was a while before I noticed a message in my notifications that there was a certificate error for those accounts whose passwords I had got wrong. Clearly it wasn't a certificate error and when I entered the correct passwords, those notifications cleared and email started flowing again.
Then 6 days later when my repaired phone came back I had to repeat the process. I do IT support for a living, so imagine my pain when customers bring me their mobiles to be transferred and I've got to go through all this palaver with K9 every time. That's where I'm coming from. Having the passwords in the exported backup just makes sense to me. The phone owner takes care of the security of the phone. Job done.

Warmest regards,

Brian

On 13 November 2016 at 13:24, Philip Whitehouse <[email protected]> wrote:

> Export to Dropbox etc I have no problem with.
>
> On the password issue I'm still against it:
>
> Yes, you could check for fingerprints. Of course this area is barely
> standardised. Samsung for instance I believe have their own API. Or at
> least had. And it only exists on newer phones. So even before you start
> you're limiting yourself.
>
> The 20 accounts thing was a serious point. To me exporting settings is
> something a user does maybe once a year to upgrade phones. Entering a
> couple of passwords once a year is not particularly onerous.
>
> I asked you to clarify 'we' because I'm genuinely trying to work out why
> it's worth K-9 developers adding and then maintaining this feature.
>
> Cost of developing it is probably small in comparison to cost of
> maintenance. K-9 has lots of settings, and these settings can interact in
> odd ways. Often it is that interaction that causes issues.
>
> And while I'm not against a configurable app, I'm also opposed to adding
> more dialogues and UX to functionality. That K-9 is not suitable for the
> average user is a problem to me, not a selling point.
>
> So adding a dialog and security check and file encryption then maintaining
> that indefinitely so a user doesn't have to verify they know the password
> to their own email account at most once a year... Yeah I don't see it.
>
> - Philip
>
>
> On November 13, 2016 12:58:43 PM GMT+00:00, finbarr69 <[email protected]>
> wrote:
>>
>> Thanks. What you say all makes sense. However, I would submit that one
>> cannot assume the average user does not have 20+ accounts in K9, unless you
>> have some data to back up that assumption? The average user would be using
>> the stock email app, not the excellent K9 :-)
>>
>> Regarding passwords, all the ones I have to deal with are randomly
>> generated, wildly different from each other, usually at least 16 characters
>> and so not easy to remember. The phone is protected by fingerprint and
>> pin. Would it not be possible to request from the operating system a
>> security check before exporting the file? There is an API hook
>> <https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication>
>> to do this, and other apps can do it. Once authenticated, ask for a
>> password to encrypt the settings. If the user has no lock on the phone and
>> no fingerprint sensor, then K9 could export without the passwords, and give
>> a warning to this effect.
>>
>> Also, if the phone can import settings from cloud storage (eg Dropbox),
>> it should have the ability to export there too. :-)
>>
>> Warmest regards,
>>
>> Brian
>>
>>
>> On 10 November 2016 at 12:25, Philip Whitehouse <[email protected]> wrote:
>>
>>> On 2016-11-10 11:05, finbarr69 wrote:
>>>
>>>> In migrating from one phone to another, we want it to be as easy as
>>>> possible. I used the Helium app to backup all the apps (and their
>>>> data) and restore them, but sadly it didn't backup the K9 data,
>>>> presumably because it stores it in a non-standard way?
>>>
>>> The data is stored in an SQL database, the account settings are stored
>>> in device preferences. It's all pretty standard.
>>>
>>> Storing the settings in account preferences means it is encrypted
>>> (and fairly difficult to get to from another app).
>>>
>>> I would guess Helium doesn't back-up preferences. I would be surprised
>>> if it had access on a non-rooted phone frankly.
>>>
>>>> So, plan B, export then import. Export has its problems because it
>>>> only exports to the local filesystem, not to Dropbox or SD (though,
>>>> Import has the ability to import from Dropbox or SD). Anyway, using
>>>> a file manager app, I managed to find and copy the exported file over
>>>> to Dropbox and import it on the new phone. BUT... I then have to
>>>> re-input all my email passwords. This is very tedious when I've 20
>>>> email accounts in K9 and the passwords are all very obscure and
>>>> different :-)
>>>>
>>>> So, here's my feature request. Please can the account passwords be
>>>> included in the export? Even if we have to encrypt the export with a
>>>> master password, this would really help when migrating phones.
>>>> Please also can we have the option to send the exported file to
>>>> Dropbox (or wherever, same as the import options are?).
>>>
>>> The question here is what is the threat model.
>>>
>>> 1. The file itself could be intercepted.
>>>
>>> This makes the master password idea seem reasonable. Encrypting the file
>>> prevents it being used.
>>>
>>> 2. The act of exporting the settings is the vulnerability.
>>>
>>> If you grab someone's phone, right now there is no way to retrieve the
>>> account password.
>>>
>>> If we add this feature, there will be. Simply export the file with a
>>> master password, then decrypt the file using that password. There is no way
>>> to prevent this.
>>>
>>> You could argue that device security is the responsibility of the phone
>>> password. But equally file security is the responsibility of the user.
>>>
>>> Who is 'we' here? I would suggest having 20 accounts on K-9 is a rare
>>> case. And having a password you can't remember is generally not normal
>>> practice anyway.
>>>
>>> I feel like this is an edge case that doesn't justify the code or the
>>> insecurity.
>>>
>>>> Oh, also an easier way to move the accounts up or down would be
>>>> appreciated. Drag and drop would be ideal. At present one has to
>>>> long hold on an account and press Move Up (or Move down) and then
>>>> repeat it until the desired position is achieved (then repeat for all
>>>> the other accounts).
>>>
>>> I don't have a problem with this - I would guess you'd enable a re-order
>>> mode. I have no idea about how easy it is to implement.
>>>
>>>> I'd be happy to make a donation if it helps.
>>>
>>> Personally not for me - maybe for some of the other developers or
>>> someone else willing to do it contract-style.
>>>
>>>> Thanks!
>>>>
>>>> Brian
>
> Best regards,
>
> Philip Whitehouse

--
You received this message because you are subscribed to the Google Groups "K-9 Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
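
The two threats Philip lists in the quoted 10 November reply, as an added example that is not part of the thread and is not K-9 code: a master-password-encrypted export built with plain JDK crypto (PBKDF2 and AES-GCM). The class name, the salt/IV/ciphertext layout, the iteration count and the settings string are assumptions constructed for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class ExportSketch {  // hypothetical class, not from the K-9 code base
    static final int SALT_LEN = 16, IV_LEN = 12, ITERATIONS = 200_000;  // assumed parameters

    // PBKDF2 turns the master password into a 256-bit key; AES-GCM encrypts and authenticates.
    static Cipher cipher(int mode, char[] password, byte[] salt, byte[] iv) throws Exception {
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, ITERATIONS, 256)).getEncoded();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c;
    }

    // Export file layout (assumed): salt || iv || ciphertext with GCM tag.
    static byte[] encryptExport(byte[] settings, char[] password) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, password, salt, iv).doFinal(settings);
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }

    static byte[] decryptExport(byte[] blob, char[] password) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        int off = SALT_LEN + IV_LEN;
        return cipher(Cipher.DECRYPT_MODE, password, salt, iv).doFinal(blob, off, blob.length - off);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample settings, not a real K-9 export.
        byte[] settings = "<account><password>example</password></account>".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encryptExport(settings, "chosen-at-export".toCharArray());
        // Threat 1: a copy of the file without the master password fails the GCM tag check.
        try { decryptExport(blob, "guess".toCharArray()); }
        catch (AEADBadTagException e) { System.out.println("wrong password: rejected"); }
        // Threat 2: whoever triggers the export chooses the password, so encryption
        // alone does not stop someone holding the unlocked phone.
        byte[] back = decryptExport(blob, "chosen-at-export".toCharArray());
        System.out.println("round trip ok: " + Arrays.equals(settings, back));
    }
}
```

The encryption answers only the intercepted-file case; the second case is governed by whatever check gates the export action itself, which is what the fingerprint or device-lock proposal in the thread is about.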
