Yeah, on iOS if it has instant notifications, and it's not the built-in Mail app
or a first party app of your service, it has to have phoned home the
credentials. There isn't really any way around it, the only long living
connection they allow is their own notification system. For some reason they
also decided to allow it for Exchange ActiveSync, because enterprise I guess?
They also have some custom stuff that will make instant notifications work in
their standard email client, which also uses their notification system in the
background. It needs a certificate, and by the book you can only get one as a
large service provider with good contacts at apple, or if you have an old
version of OSX server (not sure if that works anymore). Cyrus has it for
example, but also notes Apple has only licensed Yahoo and Fastmail to use it:
https://www.cyrusimap.org/imap/concepts/features/event-notifications.html#imap-features-event-notifications-applepushservice
You can probably tell from my wording how I feel about this. I get the battery
efficiency part. Not the part where ActiveSync has an exception to it, and their
own battery efficient IDLE alternative is not accessible to most. Let alone the
fact that has caused basically all third party emails to just capture your
credentials. I don't blame the apps in this case, I blame Apple. In this case
it's just Microsoft reusing Outlook web, which was designed to only work with
their own backend and not with other IMAP implementations in mind. We can safely
blame the app in this case :)
Louis
Op vrijdag 10 november 2023 om 20:53, schreef Carsten Schiefner via mailop
<mailop@mailop.org>:
> Interesting, Louis - ...
>
> On 10.11.2023 20:30, Louis Laureys via mailop wrote:
> > The fact that it transfers all of your messages is new (to me), the > whole
> transferring of credentials has been the standard for almost all > mobile
> email clients as on ios you can't keep an imap connection open > for instant
> notifications. On android you can, but only after hunting > for all the
> battery saving settings and turning them off for the app. So > your
> credentials will be sent to the server, so it can use the > platforms'
> notification channel instead. I think I've ever seen an app > warn me that
> they will be storing my credentials in their cloud, but > they do.
>
> ... I have not been aware of the fact that *ALL* apps actually might be doing
> this.
>
> It was just recently that I looked for alternative iOS mail apps - and
> "phoning home" credentials got noted only for the Spark app.
>
> Thanks & best,
>
> -C.
>
> > Op vrijdag 10 november 2023 om 16:54, schreef Carsten Schiefner via > mailop
> <mailop@mailop.org [mailop@mailop.org]>:
> > > Folks,
> > > sort of triggered by Benoit's recent and absolutely spot-hitting
> > rant about Microsoft's inability resp. unwillingness to
> > appropriately deal with spam complaints, I thought I should share
> > this article:
> > > Microsoft lays hands on login data: Beware of the new Outlook
> >
> https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html
> [https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html]
> <https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html
> [https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html]>
> > > with you.
> > > Although it is not strictly related to email service providers'
> > operations, I wonder about the unintended resp. unwanted side
> > effects wrt. email operations it could have that you have to
> > involuntarily hand off your credentials to a third party.
> > > So, your account got hacked and you happen to use such an Outlook
> > version: where was the leak? On your end? Or on Microsoft's?
> > > Opinions?
> > > Best,
> > > -C.
> > _______________________________________________
> > mailop mailing list
> > mailop@mailop.org [mailop@mailop.org] <mailto:mailop@mailop.org
> [mailop@mailop.org]>
> > https://list.mailop.org/listinfo/mailop
> [https://list.mailop.org/listinfo/mailop]
> > <https://list.mailop.org/listinfo/mailop
> [https://list.mailop.org/listinfo/mailop]>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org [mailop@mailop.org]
> https://list.mailop.org/listinfo/mailop
> [https://list.mailop.org/listinfo/mailop]
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
