What is email 7

The information portal for safe cell phone use

If you want to receive e-mails directly on your smartphone or tablet, you need an e-mail app. Such an app is preinstalled on almost all devices, for example Gmail from Google or an app from the manufacturer that is simply called "Mail".

However, many users choose a different email app - there is a large selection in the Google Play Store. These apps offer special functions or have a nicer design, for example.

Our test shows that most email apps are not reliable when it comes to security and privacy. Some are downright disastrous.

We can only recommend three of the 20 apps tested. Seven apps, which have been downloaded millions of times from the Google Play Store, gained full access to e-mail content and the addresses of senders and recipients in the test. Some also read out the password of the e-mail inbox. From a privacy perspective, this can only be described as a disaster.

In addition, many mail apps collected data from users for advertising and analysis purposes.

Email Services vs. Email Apps

An email app should not be confused with the service for which you created your email address. If you use GMX or mailbox.org, for example, this means that the company behind it (at GMX, for example, 1 & 1 Mail & Media GmbH) manages your data. Your e-mails and your password are stored on the GMX servers. If you have forgotten your password, you can usually reset it with the help of the service.

In order to do its job, the e-mail service needs to know the addresses of the sender and recipient. Theoretically, it can read the e-mails itself (unless you encrypt the e-mails with an additional end-to-end method, for example with PGP).

If you compare e-mail traffic with analog mail, the e-mail service would be the postal company that knows the address data and could theoretically also open the envelopes and read the contents. So an email service should be trustworthy. There are different providers on the market, some of which have a special focus on privacy.

Meanwhile, an email app should only do one thing: pick up your emails from the service, for example GMX, and display them on your smartphone. If you want, you can also include several addresses in a mail app, for example a private e-mail address and a business one.

The company that develops and operates the e-mail app for smartphones basically does not need access to the mail traffic that is processed via integrated addresses to do its work.

In the analog example, the e-mail app corresponds to a certain extent to the mailbox on your doorstep. The company that manufactured your mailbox will of course not know when and from whom you receive mail. It also does not need your home address.

Test winner: K-9, FairEmail and pEp

Three apps performed perfectly in our test. Like an analog mailbox, they only deliver your mail (and of course also allow you to send e-mails). In the test, their providers received no information about the emails sent, no addresses and no passwords.

K-9 Mail and FairEmail are developed on a voluntary basis and supported by donations. They are kept simple and functional and do not have a special design. pEp Mail is operated by a foundation and has an end-to-end encryption function. You can find the test reports of the three apps here:

 

All three apps have been among our editors' recommendations for data-efficient apps for years.

Loser: Seven apps read along

Unlike an analog mailbox, email apps can easily violate privacy rules. They can be programmed to read out communication data.

Of the 20 tested e-mail apps, seven transmitted the following data to the provider company or a third-party provider: the content of the e-mails, the addresses of the sender and recipient, and the password for the e-mail inbox. The respective recipient company thus has full access to the mailbox that we had integrated into the app.

Note: In our test we used e-mail accounts that do not use the so-called "OAuth" method. If the OAuth procedure is used, no login data will be passed on.

At first glance, there are three different companies behind the encroaching digital mailboxes:

 

However, our research shows that the companies are intertwined. The mail app Mail.ru belongs to the Russian Mail.ru Group, an IT group that operates the Russian Facebook counterpart “VKontakte”, among other things. The myMail app is owned by the Dutch my.com B.V., a wholly-owned subsidiary of the Mail.ru-Group.

Five other mail apps are owned by Craigpark Ltd., based in the British Virgin Islands. We did not find any official information about a connection between this provider and the Mail.ru Group, but in our test we were able to observe that the apps fall back on the server infrastructure of My.com B.V.

Ultimately, the Mail.ru-Group can theoretically access all email communication that users handle with the help of the seven apps. The location of the company's headquarters makes this even more sensitive: in Russia, since 2016, the authorities have been able to request user information from communications companies, largely without a court order.

During the registration process, none of the seven apps informs users that communication data is being read out and passed on. In the five apps of Craigpark Ltd., one looks for a data protection declaration in vain. The Mail.ru app provides one, but only in Russian, even though its German-language page in the Google Play Store is clearly aimed at German users.

My.com B.V. provides a data protection declaration and also mentions the transmission of e-mails to the provider. The reasons given are "legitimate interest and performance of the service". Users cannot object to the practice. It is doubtful whether this is compatible with the European General Data Protection Regulation.

Apart from this group, only one app received the worst rating. The Email - Lightning Fast & Secure Mail app (Edison Software, USA) read the unique router address of the connected WiFi network and sent it to a third-party provider. With this so-called BSSID, the location of the device can be determined without requesting the "Location" permission.

 

Midfield: Telekom, Samsung

Nine apps did not read any e-mail content in the test, but integrated advertising and tracking and transferred user data to the provider and to third parties.

Some apps also sent the user's own email address to the provider. This is not necessary for the function and is also not entirely harmless - you can at least be contacted and often identified via the email address.

 


Conclusion: no compromises with email apps

E-mails are an important and at the same time sensitive form of communication in everyday life. They are not only used for correspondence with authorities, insurance companies and business partners, but also serve as a duplicate key for many online accounts. For example, if you've forgotten your Amazon password, a recovery link will be sent to your email address. You can then log in again and make purchases.

Why the Mail.ru-Group is gaining access to e-mail content remains a matter of speculation. Placing advertising tailored to e-mail content is the most harmless hypothesis.

As with other analyses in our “Apps checked” series, the question remains open as to why the test losers appear so high in the results of the Google Play Store and are sometimes even listed as recommendations.

Selection and test conditions

The study only analyzed apps in which e-mail accounts from services of the user's own choice can be integrated. The apps from GMX or web.de, for example, only work with an e-mail account from the in-house service.

In our test, we used two different test accounts for each app, one from GMX and one from our own mail server. With most apps, we were able to successfully set up both accounts. Some apps only allow one account in the free version or only accept better-known providers such as GMX, in which case only one account was tested.

Apps use special Internet protocols, such as IMAP or SMTP, to pick up e-mails from the service. Communication via these protocols is not visible in our test system. So if an app is only doing its job, our own analysis log remains empty.

On the other hand, data traffic that runs via the HTTP/HTTPS protocol becomes visible there. This protocol is used to transmit content from websites, for example. Actually, an email app shouldn't have to communicate using this protocol at all. Almost all of the apps we tested did anyway.

There can be legitimate reasons for this. For example, some apps send the entered e-mail address to the e-mail service in order to ask for suitable configuration data. However, many apps also integrate tracking and advertising companies that send information to their home servers via the protocol. Most of the apps in the midfield and the test losers did so.
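
The test principle described above, as an added example that is not part of the original article or its test system: planted test values (canaries) are searched for in the HTTP/HTTPS requests recorded from a test device, in plain, URL-encoded, hex and base64 form. All account values, host names and flows are constructed, and the record layout (host, url, body) is an assumption.

```python
import base64
from urllib.parse import quote

# Constructed canaries: values planted in the test account and test network.
CANARIES = {
    "address": "tester@example.org",
    "password": "S3cret-Canary-7f3a",
    "mail_body": "canary-body-91c2e4",
    "bssid": "02:00:5e:10:20:30",
}
# Assumption: hosts of the mail service itself, where a configuration lookup
# with the address is the legitimate case the article mentions.
SERVICE_HOSTS = {"autoconfig.example.org"}

def variants(value):
    """Forms a value may take in a request: plain, URL-encoded, hex, base64."""
    raw = value.encode()
    b64 = {base64.b64encode(raw).decode().rstrip("="),
           base64.urlsafe_b64encode(raw).decode().rstrip("=")}
    return {value, quote(value, safe=""), raw.hex()} | b64

def find_leaks(flows, canaries=CANARIES, service_hosts=SERVICE_HOSTS):
    """Return sorted (host, canary, verdict) for every canary seen in a flow."""
    findings = set()
    for flow in flows:
        haystack = flow["url"] + "\n" + flow["body"]
        for name, value in canaries.items():
            if any(form in haystack for form in variants(value)):
                expected = flow["host"] in service_hosts and name == "address"
                findings.add((flow["host"], name, "expected" if expected else "leak"))
    return sorted(findings)

# Constructed flows, as a TLS-intercepting proxy on the test device might log them.
SAMPLE_FLOWS = [
    {"host": "autoconfig.example.org", "body": "",
     "url": "https://autoconfig.example.org/mail/config-v1.1.xml?emailaddress=tester%40example.org"},
    {"host": "api.appvendor.example", "url": "https://api.appvendor.example/v1/account",
     "body": "login=tester%40example.org&pw=" + base64.b64encode(b"S3cret-Canary-7f3a").decode()},
    {"host": "api.appvendor.example", "url": "https://api.appvendor.example/v1/sync",
     "body": '{"from":"a@example.net","text":"Hello canary-body-91c2e4"}'},
    {"host": "collect.tracker.example", "url": "https://collect.tracker.example/e",
     "body": '{"wifi_bssid":"02:00:5e:10:20:30"}'},
    {"host": "cdn.appvendor.example", "url": "https://cdn.appvendor.example/logo.png", "body": ""},
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_FLOWS):
        print(finding)
```

A value is only found if it was encoded on its own; canaries inside compressed, encrypted or otherwise transformed request bodies are not detected by this check.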
