FairEmail: Open-source, privacy friendly email app for Android (email.faircode.eu)
https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-co...
"OAuth for Gmail is supported via the quick setup wizard. The Android account manager will be used to fetch and refresh OAuth tokens for selected on-device accounts. OAuth for non on-device accounts is not supported because Google requires a yearly security audit ($15,000 to $75,000) for this. You can read more about this here."
You can see it here too: https://support.google.com/cloud/answer/9110914#zippy=%2Cexc...
I'm not sure how you're using it?
Oh and the developer is very active (several versions a week), very kind and answers very quickly.
One of the best bargains. (I bought the full version)
I noticed this feature in the default macOS mail App too but I'm not quite sure I understand correctly. If you click on the little arrow next to a link, it opens the website in a little window -- from a privacy/security POV, is that really helpful? Wouldn't the sender know you read the E-Mail if my computer sends a request to their server using that URL, no matter if it's for a preview window or my actual browser (except the latter has cookies etc)?
It also warns you prominently if the link's text differs from the target address, and allows you to pick which you actually want to visit (good for newsletters that mangle links for click tracking, but which show the raw link in the text).
Tapping a link will pop this box up, without the site being alerted, giving you the chance to decide whether you want to actually visit it or not.
I was using the Google Play version of K9 so at the moment I am quite happy with the switch. There is only one thing that I did not manage to find in FairEmail which is the ability to read the header of emails. Like the whole information, from SPF, DKIM validation and so on. Does anyone know if it's possible to get this?
For the moment I am planning to stay with FairEmail and maybe one day try the F-Droid version of K9 as I heard it has evolved a lot in the recent times.
But please bear in mind that my way of using email on my phone is very minimal. I usually just need something to read and for most of my productivity tasks I use mutt.
it spoofs and restricts Android API calls made by apps.
Those would be my top 3 personally.
Power usage would be an interesting problem as well, because I'm not sure if keeping a socket open would pin the radio active.
P.s also f-droid here (ps you can donate with crypto if you want)
Am now a happy user of Fastmail with BYOD(omain). =D
> FairEmail will send the Autocrypt header for use by other email clients, but only for signed and encrypted messages because too many email servers have problems with the often long Autocrypt header.
That might be out of date, now that Autocrypt version 1.1 has been published:
> the 1.0 version of the Level 1 spec mandated RSA 3072 keys for ecosystem reasons and only the more recent 1.1 version from February 2019 now mandates that the new default scheme for creating Autocrypt keys is Curve 25519 keys.
https://autocrypt.org/faq.html#why-also-rsa3072-and-not-only...
I mean I know the technical reasons. But it says on the FairEmail page: "FairEmail might be for you if you value your privacy." and also says "works with virtually all email providers, including Gmail, Outlook and Yahoo!"
For me, privacy is more than what's on the client - the server matters too. POP has seemed to work for me for 25+ yrs.
If your server supports IDLE, it will work well. I've got it working with 3 different backend mail servers, and I'm told by friends that it actually receives mail faster than the official Gmail Android app (which had access to Google push servers).
FairEmail will ask you to disable doze for it, but don't be concerned - it's a very power efficient solution and it doesn't impact on battery. It even works out its own back-off timers for keepalives to minimise wakes.
I don't agree with this conjecture, at all. After seeing plenty of projects with hundreds of open issues, I don't create them anymore unless I'm ready to submit a patch, or it's just a quick question. Whereas here in a thread that will be out of sight by tomorrow, it's a no-brainer—two people answered already.
FairEmail makes this decision even easier by 1) promoting its paid version, which I didn't buy and thus am not in a position to demand anything; and 2) not having an issue tracker in the first place.
It also drank my battery juice like an electroholic.
Being the standard way of doing it since the beginning of time is just an argument for why it is a useful source to steal contact information and track users.
Download failed!
The requested file was not found.
https://f-droid.org/repo/eu.faircode.email_1518.apk
How can I download this app? I use K-9 Mail at the moment, but I'd like to try this to see if it's any better.
You can also always download this directly from the browser.
> Foxy Droid (Yet another F-Droid client) - https://f-droid.org/packages/nya.kitsunyan.foxydroid
I believe there are a few other clients too but I just like Foxy so far
But I also use K-9 Mail (beta, from F-Droid). It is easier for me to handle multiple (secondary) accounts with K9 than FE.
it's interesting how secure email has been solved decades ago (how to do it) but making it accessible has been an ongoing struggle. :(
Anyone run across a more tangible solution for the common man?
20 years ago when there was no better solution, PGP was great. But I think it's probably had its time in the spotlight and now the world has moved on, when it comes to using it to secure email.
I think the solution is that if you want to communicate in a secure manner, don't use email.
For me at least, email is moving into the same space as a phone number: something you know you need to reliably have, but you'd throw out in a minute if you could get away with it.
It kinda looks like it is based on FairEmail...? Even parts of the readme have the same language.
edit: it seems it is a fork. This is addressed in the SimpleEmail FAQ: https://framagit.org/dystopia-project/simple-email/blob/mast...
You will never escape having some of your email stored on Gmail servers. Most people you email are using a gmail address, whether direct or via forwarding.
End-to-end encryption is your only true ally. In this regard, email is hopeless. I personally feel that all these privacy mechanisms on top of email are a) hopelessly pointless and b) give people false comfort. They do more harm than good. It would be better if people saw email as a plaintext, insecure protocol and treated it that way at all times. Just imagine whatever you write in an email is the same as a message you send out to the world on Twitter. Doing it this way ensures you never send a message you will regret and will guarantee your protection rather than the security theater of privacy mechanisms layered on top of a fundamentally broken protocol.
Also, I'm not sure most email users know what a "plaintext, insecure protocol" is and what it would imply.
If both your email provider and your client (aka mail reading software) support it, there really is no reason to use POP instead of IMAP.
While I agree that POP still uses the server as a go-between, at least the mail doesn't reside on POP servers forever. Whereas with IMAP, if I have 25+ years of email I'd like to be able to view and archive and search, all of that has to sit at the server rather than at the client.
I already trust my provider to handle my email once; there doesn't seem to be a vastly larger trust requirement on my part for them to handle it multiple times. (And epsilon additional privacy concern.)
I haven't seen any suggestion the radio is being pinned active - it seems to still sleep fine, and I believe an incoming message triggers a downlink page to the phone, which will then wake the radio to deliver the packets.
That's very dependent on the POP server. The protocol only tells the server that it is allowed to delete the message, not that it must.
I'm pretty sure if you use POP on gmail it just does an "archive" on the backend and the mail is still there, for example.
getmail supports deletion as an IMAP client, for example.
Do you mean just straight TLS connection at the start of session?
Few can handle authenticating to the server with a client certificate, but FairEmail seems to support it fine, although I've yet to configure it on my own server as it's likely to break other clients that don't support it.
Just to emphasise, this is probably not something that most people would ever need, but is certainly an important feature to me and something that FairEmail supports and apart from a rare few, nobody else does.
Even Media organisations have ditched it in favour of things like Securedrop (and/or Signal).
I'd argue that Signal is much more widely adopted than PGP ever was.
But the protocol has all the capabilities needed.
Nor is full support of every feature needed by every client.
I think from a crypto strength perspective, it's silly to reinvent the same thing over again.
(The thing being basic PKI of just public/private keys and signed/encrypted messages.)
Its time is done though, for communicating between people. There are many better solutions where you don't need to worry about having the public key of every person you wish to communicate with. You no longer need to unlock your key every time you send a message to "prove" you sent it. The world has moved on to better technical solutions to those problems.
PGP was brilliant for its time. It still is brilliant for a number of use cases (like verifying your Debian .deb file is signed by a legit Debian person).
However, communicating with people is no longer one of them. People HAVE invented/reinvented how to communicate securely. And the world's better for them having done so.
Fair enough, but that strikes me as a very odd risk posture to take. Either your email privacy is valuable to you, in which case I would think you would want to protect it against non-lazy people as well, or it isn't, in which case what difference does it make?
But it's obviously your call.
A hack will barely get them anything, neither a warrant nor a bored employee.
Of course any of those situations could result in an active tap that stores everything. But that is orders of magnitude more effort and still doesn't get any history.
Just minimizing the attack surface.
However, I wasn't able to make FairEmail deliver without a considerable delay either—despite it displaying a notification and being excluded from ‘battery optimization’. But apparently it's just me.
On "pure" Android (thinking Pixel, and the relatively pure Motorola devices, etc.) there's no delays at all - it's really impressive. I'll get the notification on my phone consistently before on my PC.
These limits don't apply to notifications via Google's services (GCM or whatever they're currently called). So if you're using the Gmail app or another app for a specific mail service, sure you will receive push notifications quickly.
It's easy to change an app's background ability in Android. By default apps are forced into the background, but if you change that your k9 email will notify you all day long (it does support IDLE)
As you say, Google is making it a lot harder, but FE with a foreground notification seems to do this fine for me.
The issue is even older than I thought, though I was pretty sure the requirement for a notification specifically appeared around Android 8 or 9.
Also, seeing as K9 doesn't look to be anywhere near frequently updated, I'm not expecting this to change soon.