Tests conducted by the consumer protection portal mobilsicher.de revealed that numerous apps for reading and writing e-mails read the e-mail data they handle. Some of the apps tested even gain access to the addresses of recipients and senders.
Weak spots in security and privacy
In the test conducted by the consumer protection portal mobilsicher.de, 20 e-mail apps were put under the microscope. According to the portal’s evaluations, many of the apps have weak points in terms of security and user privacy.
Seven mail apps performed particularly poorly in the test. These include the email app mail.ru, MyMail from my.com and another five apps from the manufacturer Craigpark Ltd, which is based in the British Virgin Islands. The five apps have names such as Email for Outlook, Outlook Pro Email and others. All of these apps have been downloaded millions of times from the Google Play Store. In the test, these apps actively read the contents of the emails and also gained access to the addresses of recipients and senders. In some cases, the app developers also had the passwords of the email accounts sent to their server, so the email accounts of those affected can be accessed at any time. Emails could then be read and sent, for example. The e-mail account could also be taken over completely with the password reset function, as this only needs to be triggered via a confirmation e-mail.
Nine apps from well-known manufacturers performed moderately in the test. In the test by mobilsicher.de, these did not read users’ e-mails, but they did include advertising and tracking. User data was also transferred to the app providers and third parties. The apps include, for example, Spark Email, Aqua Mail, Telekom (Telekom Mail), Mailclient from Samsung (Samsung Mail), Blue Mail and others.
Only 3 apps perform in exemplary fashion
The email apps K-9 Mail, Pep Mail and FairEmail performed well in the test. All three apps have a simple and functional design and were developed by volunteers. The development of the apps was financed by donations. In the consumer protection portal's test, the developers of these apps did not receive any information about passwords, senders, recipients or the emails sent. All apps are available in the Play Store and also in the free app store F-Droid. The email app Pep Mail was developed by a foundation and can be downloaded from the Play Store as well as the free app store. All three apps support end-to-end encryption, for example with OpenPGP.