FairEmail: Open-source, privacy friendly email app for Android (faircode.eu)
234 points by mpsq on March 8, 2021 | 117 comments



I was curious to see if FairEmail could work with OAuth without Google Play (I have a school Google account that does not allow me to log in without OAuth):

https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-co...

"OAuth for Gmail is supported via the quick setup wizard. The Android account manager will be used to fetch and refresh OAuth tokens for selected on-device accounts. OAuth for non on-device accounts is not supported because Google requires a yearly security audit ($15,000 to $75,000) for this. You can read more about this here."

You can see it here too: https://support.google.com/cloud/answer/9110914#zippy=%2Cexc...


Yes, I switched to it from K-9 for the work O365 we now have to use, sigh. (There is a large XOAUTH patch for K-9, but it hasn't been incorporated as far as I know.) Not having that in the F-Droid version is a pain, but it does phone home to alert you about updates, one hopes without trafficking in that traffic.


Using both this and k9 without Google play or any Google. They work great. But both of them no longer allow storing your mail and/or attachments on 'external' or SD card. That is frustrating. This anti-feature just started in the last few months.


Could be a new API that needs to be supported. I just downloaded another app (NewPipe) that let me specifically choose some new API that made its external storage permissions work.


I use k9 right now for my Fastmail account, and that works fine. I just can't use my school account that is gmail.

I'm not sure how you're using it?


No thanks for me, my gmail account will always remain disconnected from anything else. Better have alternative google accounts for logins, android apps etc which are not tied to primary especially on the phone.


I have been using this email app for months, with 4 different email providers. It works like a charm, it's snappy, and privacy-oriented (preview links before opening them, block pixel tracking, and a lot of other clever features.)

Oh and the developer is very active (several versions a week), very kind and answers very quickly.

One of the best bargains. (I bought the full version)


The developer is so active that it is actually annoying for me. I get a notification to update my client almost every time I open the app.


> preview links before opening them

I noticed this feature in the default macOS mail App too but I'm not quite sure I understand correctly. If you click on the little arrow next to a link, it opens the website in a little window -- from a privacy/security POV, is that really helpful? Wouldn't the sender know you read the E-Mail if my computer sends a request to their server using that URL, no matter if it's for a preview window or my actual browser (except the latter has cookies etc)


In FairEmail, the "preview" is to show you exactly what URL is about to be opened, and give you the chance to force it to HTTPS, or remove known tracking parameters from it.

It also warns you prominently if the link's text differs from the target address, and allows you to pick which you actually want to visit (good for newsletters that mangle links for click tracking, but which show the raw link in the text).

Tapping a link will pop this box up, without the site being alerted, giving you the chance to decide whether you want to actually visit it or not.
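
Added example, not part of the comment above and not FairEmail's code: the checks described there (show the real target, offer HTTPS, strip known tracking parameters, flag link text that names a different host), run offline over a constructed HTML snippet. The parameter list, function names and sample hosts are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of widely used tracking parameters (not FairEmail's own list).
TRACKING_PARAMS = {"fbclid", "gclid", "mc_eid", "msclkid"}
TRACKING_PREFIXES = ("utm_",)

# Link text that itself looks like a URL or host name, e.g. "shop.example.com/sale".
HOST_IN_TEXT = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample: a newsletter body with a click-tracking redirect.
SAMPLE_HTML = """
<p>Sale: <a href="http://click.tracker.example/r?u=abc&amp;utm_source=news&amp;utm_campaign=spring&amp;id=42">https://shop.example.com/sale</a></p>
<p><a href="https://shop.example.com/account?fbclid=XYZ">Manage your account</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def is_tracking(name):
    name = name.lower()
    return name in TRACKING_PARAMS or name.startswith(TRACKING_PREFIXES)


def review_link(text, href):
    """Inspect one link without fetching it; nothing here touches the network."""
    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # mailto:, tel:, javascript: and relative links are shown as-is, never rewritten.
        return {"text": text, "target": href, "suggested": None,
                "upgraded": False, "removed": [], "mismatch": False}

    # Split the query into parameters to keep and tracking parameters to drop.
    kept, removed = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        (removed if is_tracking(key) else kept).append((key, value))

    # Flag text that displays one host while the href points at another.
    # Strict comparison: "www.example.com" vs "example.com" is also flagged.
    shown = HOST_IN_TEXT.match(text)
    target_host = (parts.hostname or "").lower()
    mismatch = bool(shown) and shown.group(1).lower() != target_host

    suggested = urlunsplit(("https", parts.netloc, parts.path,
                            urlencode(kept), parts.fragment))
    return {"text": text, "target": href, "suggested": suggested,
            "upgraded": scheme == "http",
            "removed": [key for key, _ in removed],
            "mismatch": mismatch}


def review_html(html):
    """Review every anchor in an HTML message body."""
    collector = AnchorCollector()
    collector.feed(html)
    return [review_link(text, href) for text, href in collector.links]


if __name__ == "__main__":
    for result in review_html(SAMPLE_HTML):
        print(result["text"])
        print("  target:   ", result["target"])
        print("  suggested:", result["suggested"])
        if result["mismatch"]:
            print("  WARNING: link text names a different host than the target")
        if result["removed"]:
            print("  removed:  ", ", ".join(result["removed"]))
```

Stripping parameters from a redirector URL like the first sample link does not remove the redirect itself; the mismatch flag is what tells the reader the displayed address and the real target differ.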


You've typed exactly what I was going to type, except I only use it for 3 providers.


Just switched from K9-mail to FairEmail.

I was using the Google Play version of K9 so at the moment I am quite happy with the switch. There is only one thing that I did not manage to find in FairEmail which is the ability to read the header of emails. Like the whole information, from SPF, DKIM validation and so on. Does anyone know if it's possible to get this?

For the moment I am planning to stay with FairEmail and maybe one day try the F-Droid version of K9 as I heard it has evolved a lot in the recent times.


You can view email headers in FairEmail by opening an email, then using the "..." menu above the message text, and selecting "show headers".


I'm using the FDroid version of K9. What do you like from FairEmail over K9?


One great feature is that when you add images in FairEmail, it removes metadata, renames the file and other privacy-preserving data.


Unless that is optional, it's a bug, not a feature. Attachments should never be manipulated unless asked.


It prompts you every time and can be configured to have a default option.


I've been on the Google Play version of K9 for years and I must say that it was perfectly fine. I changed to FairEmail as I thought having a very old version of an email client might not be ideal from a security perspective. At the moment the biggest change from my workflow is the UI, which looks better than the old K9. Now I am not switching to K9 F-Droid version just because I am lazy to configure everything again another time.

But please bear in mind that my way of using email on my phone is very minimal. I usually just need something to read and for most of my productivity tasks I use mutt.


We had a HN thread a few weeks back on the K-9 Donations blog, basically the K-9 Play version is still the old client UI (but the betas are not 100% feature complete); you can opt-in to the K-9 beta on Play or F-Droid and get the new UI experience if some features like IMAP IDLE are not that important to you. (side comment, the new K-9 betas allow export/import of settings but not sure about the older version you're currently using)


The old ones have export/import as well.


K9 has an export settings feature.


I realise that this is not a common use case, but FairEmail is the only e-mail client I could find that supports TLS client authentication.


Does K9 not do this? I am certain it works with STARTTLS, it’s what I’m currently using.

Do you mean just straight TLS connection at the start of session?


I assume they're referring to TLS client certificate authentication support. As you say, most email clients can handle TLS.

Few can handle authenticating to the server with a client certificate, but FairEmail seems to support it fine, although I've yet to configure it on my own server as it's likely to break other clients that don't support it.


If it (K9) does, I certainly did not find a way to do it. Yet, it does not mean just straight TLS connection at the start of the session. Rather, it means that when the client (FairEmail, in this case) performs the handshake, it also sends its own certificate that the server can verify prior to finishing the handshake, therefore adding an extra layer of security.

Just to emphasise, this is probably not something that most people would ever need, but is certainly an important feature to me and something that FairEmail supports and apart from a rare few, nobody else does.


Same here. I switched from k9 to bluemail to fairmail. Bluemail was good but a proprietary solution. Fairmail is almost as good as bluemail. Though I'm still looking for 'share' email with a to-do list app. Fairmail and Joplin work but Joplin is not my preferred to-do app.


When viewing a message, you can tap on the '...' below the address information and near the bottom of the menu will be a show headers option as well as an option to show the raw message.


FYI this is by the same developer who authored the popular NetGuard (https://github.com/M66B/NetGuard) for Android.


... and M66B developed XPrivacyLua: https://github.com/M66B/XPrivacyLua

it spoofs and restricts Android API calls made by apps.


I'm using F-droid K-9 and am happy with it. What would be the point of switching? If the new thing is flat-out better then it might be worth considering, but I haven't seen any explanation of this.


IMAP IDLE push support for any server that supports it, good configurability in settings for a wide range of advanced power user features, and good private-by-default settings (avoiding and blocking tracking pixels/images in emails, and stripping known tracking parameters from links you click, etc.)

Those would be my top 3 personally.


IDLE is especially difficult on recent Android versions without a hosted service piping through FCM. You may be able to get away with a foreground service that displays a permanent notification, but I believe Android 11 or 12 limits even those services so you cannot have a persistent process keeping a socket open.

Power usage would be an interesting problem as well, because I'm not sure if keeping a socket open would pin the radio active.


I haven't had any issues on Android 11 with FairEmail using a foreground service. I believe that the changes coming in 12 are able to be worked around though, and at minimum a version distributed outside of the Play Store won't be affected. There's some get-outs to Google's changes at least as they stand right now, but who knows if that will remain the case in subsequent versions.

I haven't seen any suggestion the radio is being pinned active - it seems to still sleep fine, and I believe an incoming message triggers a downlink page to the phone, which will then wake the radio to deliver the packets.


Doesn't k9 already support IDLE? I kinda remember researching about this years ago, unfortunately, IDLE on its own is no equivalent to native push notifications that use google services. Either way, it was just a hobby research and I might be wrong.


Last time I looked into this, K9 didn't work in background continuously (since Android requires displaying a notification for that, and K9 never implemented it). And nothing seems to be happening in this regard.

However, I wasn't able to make FairMail deliver without a considerable delay either—despite it displaying a notification and being excluded from ‘battery optimization’. But apparently it's just me.


Out of interest, do you use a phone with a custom OEM firmware that has battery-saving features? I've seen issues with FairEmail (and other well-behaved foreground-service using apps) on some OEMs' firmwares. Heck, sometimes even big-name OEMs like Samsung cause issues.

On "pure" Android (thinking Pixel, and the relatively pure Motorola devices, etc.) there's no delays at all - it's really impressive. I'll get the notification on my phone consistently before on my PC.


It's a Pixel. Starting with 9 or 10, Android limits apps' background activity unless they show a notification (and probably has limits for those too when the screen is off). Plenty of apps had to deal with this, I have four of these notifications.

These limits don't apply to notifications via Google's services (GCM or whatever they're currently called). So if you're using the Gmail app or another app for a specific mail service, sure you will receive push notifications quickly.


Interesting - I've not been able to reproduce this on a Pixel 3a or 4a 5G. FairEmail, with foreground notification, doesn't have any issues delivering notifications.

As you say, Google is making it a lot harder, but FE with a foreground notification seems to do this fine for me.


EDIT: See comment below this - it appears I might be talking out my bottom.

It's easy to change an app's background ability in Android. By default apps are forced into the background, but if you change that your k9 email will notify you all day long (it does support IDLE)


There's an issue on their tracker that discusses implementing the notification, and docs that say that without it K9 can only check mail every 15 minutes or so, even if excluded from battery optimization. So I don't know what support for IDLE and ‘background ability’ you're talking about. Before Android 9 or so, sure—it could just run in the background and connect to the servers whenever it wanted.


Interesting - I can't say I've encountered this but I'm going to check the bug tracker now. Thank you - I have updated my parent comment.


Here it is: https://github.com/k9mail/k-9/issues/857

The issue is even older than I thought, though I was pretty sure the requirement for a notification specifically appeared around Android 8 or 9.

Also, seeing as K9 doesn't look to be anywhere near frequently updated, I'm not expecting this to change soon.


I love fairmail. Can't remember what the problem was with k9. But fair mail can't do everything. And it's slick and modern. Privacy first. Removes tracking images. And also identifiers in images you send out. It's really really good

P.s also f-droid here (ps you can donate with crypto if you want)


Can't remember specifics but I couldn't recover email from K9 after my provider pulled the plug and the only copy I had was on device.

Am now a happy user of Fastmail with BYOD(omain). =D


Comparing K-9 to FairEmail is like comparing Outlook Express (from Windows 95 fame) to Mozilla Thunderbird


I don't understand the comparison? Outlook and Thunderbird were pretty similar iirc. K9 does give me notifications when new email arrives. It's possible that it's every 15 minutes rather than instant: it hasn't been an issue for me so far. I know that Linphone is able to receive phone calls which is presumably by listening on a socket or getting activated by some inetd-type thing in Android. Maybe K9 could do similar.


Give me a modernized Outlook Express over Thunderbird any day.


It's interesting that the FAQ says:

> FairEmail will send the Autocrypt header for use by other email clients, but only for signed and encrypted messages because too many email servers have problems with the often long Autocrypt header.

That might be out of date, now that Autocrypt version 1.1 has been published:

> the 1.0 version of the Level 1 spec mandated RSA 3072 keys for ecosystem reasons and only the more recent 1.1 version from February 2019 now mandates that the new default scheme for creating Autocrypt keys is Curve 25519 keys.

https://autocrypt.org/faq.html#why-also-rsa3072-and-not-only...


Good it's open source and all that, but it's very hard to use and parse what's on the screen.


Indeed, this is the only pain point I have with FairEmail. I would love it if a skilled designer overhauled the interface.


Yeah, I had to tweak a lot of settings to make it more readable. I still don't have everything perfectly the way I would like. But it is highly configurable.


I agree, which is why I stuck with the default email app that comes with LineageOS for now.


It looks great, I want to give it a try over K-9 Mail. Your f-droid apk link looks broken however:

https://hostux.pics/image/screenshot-20210308-194330.ulO


Am I a weirdo for using POP mail on an Android? I don't trust any third party with storing my email. Is there a reason why I should move to IMAP?

I mean I know the technical reasons. But it says on the FairEmail page: "FairEmail might be for you if you value your privacy." and also says "works with virtually all email providers, including Gmail, Outlook and Yahoo!"

For me, privacy is more than what's on the client - the server matters too. POP has seemed to work for me for 25+ yrs.


If you don't trust Google to store your email, I have bad news for you.

You will never escape having some of your email stored on Gmail servers. Most people you email are using a gmail address, whether direct or via forwarding.

End-to-end encryption is your only true ally. In this regard, email is hopeless. I personally feel that all these privacy mechanisms on top of email are a) hopelessly pointless and b) give people false comfort. They do more harm than good. It would be better if people saw email as a plaintext, insecure protocol and treated it that way at all times. Just imagine whatever you write in an email is the same as a message you send out to the world on Twitter. Doing it this way ensures you never send a message you will regret and will guarantee your protection rather than the security theater of privacy mechanisms layered on top of a fundamentally broken protocol.


There is nothing particularly insecure about encrypted email these days. The network stuff is all TLS protected. Pretty much the same as encrypted XMPP. There is nothing broken about SMTP.


You're absolutely right but unfortunately, my biggest use-case for email is still sending my own personal data to businesses I (more or less) have to interact with that don't offer an alternative.

Also, I'm not sure most email users know what a "plaintext, insecure protocol" is and what it would imply.


IMAP is not an email provider, it's just another protocol for reading your mail. It is the successor of POP3, having several key improvements. Somewhat like HTTP2 is to HTTP.

If both your email provider and your client (aka mail reading software) support it, there really is no reason to use POP instead of IMAP.


Yes, I'm aware of IMAP as a protocol. My point has to do with the location and trust. I need to be able to trust the server as a point of mail storage.

While I agree that POP still uses the server as a go-between, at least the mail doesn't reside on POP servers forever. Whereas with IMAP, if I have 25+ years of email I'd like to be able to view and archive and search, all of that has to sit at the server rather than at the client.


> at least the mail doesn't reside on POP servers forever.

That's very dependent on the POP server. The protocol only tells the server that it is allowed to delete the message, not that it must.

I'm pretty sure if you use POP on gmail it just does an "archive" on the backend and the mail is still there, for example.


I'm not at all educated on POP/IMAP but I always thought the deletion thing with POP was just by convention and there's nothing in IMAP preventing you from doing the same there.

getmail supports deletion as an IMAP client, for example.


The convenience of having the same view (via IMAP) of my email from multiple devices is worthwhile for me. It also makes supporting my parents from hundreds of miles away much easier when they are on IMAP vs when I had them on POP3 before. "Mom, your email is also on your phone, your laptop, your desktop, and on Dad's computer. It's all the same."

I already trust my provider to handle my email once; there doesn't seem to be a vastly larger trust requirement on my part for them to handle it multiple times. (And epsilon additional privacy concern.)


If you don't trust your provider then POP won't help you because you can't trust them not to keep copies. The only solution is to run your own SMTP server, at which point you might as well use IMAP.


I'm in control of my server (host) which is a shared-hosting account. While it is possible for them to store copies of the email, it is much more cumbersome for them to do that than if I just had my entire IMAP store residing on their server. For POP copies to work, they would have to purposefully copy and store all the email, whereas with IMAP they would just need to query the data store.


Ah, so you do trust them. You trust that they are too lazy to take the initiative to keep a copy, but merely untrustworthy enough that they might sneak a peek if they can do so without having to put forth even the minor effort of making backups of the spool directories.

Fair enough, but that strikes me as a very odd risk posture to take. Either your email privacy is valuable to you, in which case I would think you would want to protect it against non-lazy people as well, or it isn't, in which case what difference does it make?

But it's obviously your call.


There are tons of situations where not having everything on the server is beneficial.

A hack will barely get them anything, neither a warrant or a bored employee.

Of course any of those situations could result in an active tap that stores everything. But that is orders of magnitude more effort and still doesn't get any history.

Just minimizing the attack surface.


This is my sentiment exactly. Why should I store decades of email history with an untrusted third party?


FairEmail does support POP3 accounts.


I've been using FreeMail for a while now and I can only say that it's a fantastic app. The setup and settings are a bit unintuitive but despite that it's great


K-9 Mail had some difficulty getting IMAP IDLE to work with Android's Doze. Does FairEmail fare better?


Yes, this is probably the biggest feature of FairEmail.

If your server supports IDLE, it will work well. I've got it working with 3 different backend mail servers, and I'm told by friends that it actually receives mail faster than the official Gmail Android app (which had access to Google push servers).

FairEmail will ask you to disable doze for it, but don't be concerned - it's a very power efficient solution and it doesn't impact on battery. It even works out its own back-off timers for keepalives to minimise wakes.


Am I the only one who can't make FairMail deliver mail faster than 15-20 minutes? The notification is on, the battery optimization for the app is off, still nothing. K9 actually receives the message earlier, despite not having a persistent notification.


Have you opened an issue for that behavior? I haven't looked at the repo's issue reporting policy, but my experience says that telling HN isn't nearly as effective as telling the issue tracker. I would be especially interested in knowing if that happens in a DeGoogled setup, versus on "normal" Android


> isn't nearly as effective as telling the issue tracker

I don't agree with this conjecture, at all. After seeing plenty of projects with hundreds of open issues, I don't create them anymore unless I'm ready to submit a patch, or it's just a quick question. Whereas here in a thread that will be out of sight by tomorrow, it's a no-brainer—two people answered already.

FairEmail makes this decision even easier by 1) promoting its paid version, which I didn't buy and thus am not in a position to demand anything; and 2) not having an issue tracker in the first place.


This sounds like you are having an issue with the notifications. Does your server support IMAP IDLE? I'm wondering whether K9 is polling for email, and the server isn't supporting push messages via IDLE.


I was having the same issue when I last used it.


Same.

It also drank my battery juice like an electroholic.


Can somebody with access to an Android phone test out this client with https://www.emailprivacytester.com and report back please.


The only test turning red for me was the "DNS Prefetch - Anchor" one.


I was wondering it seems like when you get a mail app, Android ends up storing that mail address as an account in the account section of the parameters. Is there a way to avoid this ?


Just checked on mine and no FairEmail email account is listed in the accounts list in Android - it's all handled in-app.


Beautiful. Thank you.


This is the user interface to the AccountManager API, which is one of the standard mechanisms to manage auth tokens and background sync. IIRC it's been around since Android 1.0 and it's probably not a useful vector for third-party tracking.


Why not?

Being the standard way of doing it since beginning of time is just an argument for why it is a useful source to steal contact information and track users.


Do IMAP clients handle Gmail labels well? Last time I tried to use an IMAP client it treated all the labels as separate folders.


I think this is down to the way Google implemented labels. I looked into this when I moved all my email off Google's servers and noticed they just list them as folders on IMAP, so a client would have to implement a special google-specific way of dealing with them. There are other ways to implement labels in IMAP (I've forgotten the exact details but I did it successfully while interacting with the IMAP server using `openssl s_client`).


I may be wrong but my understanding is that this is just a limitation of Gmail's IMAP implementation. Every IMAP client I've tried so far displays tags as separate folders.


If you mean the [IMAP]/Read kind of labels then yeah it handles those properly.


This is amazing, happy to support! I have a question: when developing an app with strong privacy guarantees, how do you handle analytics and crash reporting? E.g what if some group of users gets some weird error in a use case, or what if the app crashes? How do you figure and fix such issues? Many thanks for the app!


Is anyone else getting this error on F-Droid?

    Download failed!
    The requested file was not found.
    https://f-droid.org/repo/eu.faircode.email_1518.apk

How can I download this app? I use K-9 Mail at the moment, but I'd like to try this to see if it's any better.


Sometimes, the FDroid client errors out. Some steps I generally found helpful to fix this issue were:
- Refresh the repos (pull down to refresh)
- Reduce the caching threshold (Settings => Other (Bottom of the screen) => Keep Cached Apps)
- Wait for a bit then try again

You can also always download this directly from the browser.


I got so fed up with the F-Droid client that I moved to Foxy Droid, which I ironically installed via F-Droid:

> Foxy Droid (Yet another F-Droid client) - https://f-droid.org/packages/nya.kitsunyan.foxydroid

I believe there are a few other clients too but I just like Foxy so far


I cleared F-Droid's cache and data. After an hour, I still can't download it :(


I fixed this by disabling all mirrors except f-droid.org for the official F-Droid repo. (Settings > Repositories > F-Droid > Official mirrors)


Same error, for several different apps, since yesterday.


I've been using FairEmail for some time (premium version, F-Droid) and it is great. I have my main IMAP account there

But I also use K-9 Mail (beta, from F-Droid). It is easier for me to handle multiple (secondary) accounts with K9, than FE


it looks like a cool project though what I'd love to see is some solution that makes PGP/Secure Email more accessible to the common person. I know hushmail, tutanota, and protonmail are all around, but still only works if everyone is on the same service.

it's interesting how secure email has been solved decades ago (how to do it) but making it accessible has been an ongoing struggle. :(

Anyone ran across a more tangible solution for the common man?


Why use PGP when there are such better alternatives these days? Signal springs to mind immediately. PGP is clunky in every way. I know I can readily communicate with almost every one of my workmates securely using Signal or WhatsApp. None of them would have anything other than a passing idea of what PGP was, or how to use it.

20 years ago when there was no better solution, PGP was great. But I think it's probably had its time in the spotlight and now the world has moved on, when it comes to using it to secure email.

I think the solution is that if you want to communicate in a secure manner, don't use email.


PGP has support for every language, client, and platform one may be using. It's time tested and the most widely adopted standard. It supports plaintext. Signal has support for... Signal.


None of those points detract from the fact PGP is a complex nightmare to use. There's a reason millions of people have Signal/WhatsApp installed and not PGP.

Even Media organisations have ditched it in favour of things like Securedrop (and/or Signal).

I'd argue that Signal is much more widely adopted than PGP ever was.


I agree that a good interface is missing...

But the protocol has all the capabilities needed.

Nor is full support of every feature needed by every client.

I think from a crypto strength perspective, it's silly to reinvent the same thing over again.

(The thing being basic PKI of just public/private keys and signed/encrypted messages.)


PGP is the giant, the shoulders of which many modern crypto apps/protocols stand on. PGP was the implementation that brought proper, trustable crypto to the masses. It was a great solution, filling a void where there was no good solution before it.

Its time is done though, for communicating between people. There are many better solutions where you don't need to worry about having the public key of every person you wish to communicate with. You no longer need to unlock your key every time you send a message to "prove" you sent it. The world has moved on to better technical solutions to those problems.

PGP was brilliant for its time. It still is brilliant for a number of use cases (like verifying your Debian .deb file is signed by a legit Debian person)

However, communicating with people is no longer one of them. People HAVE invented/reinvented how to communicate securely. And the world's better for them having done so.


Is that why most serious tech people I've seen list their PGP key on their site?


Signal is an instant messenger. So kind of apples to oranges. Email is inherently more secure as it is asynchronous and can be done offline in a secure environment.

* https://articles.59.ca/doku.php?id=em:emailvsim


I've been loving FairEmail for the last 6 months


While I applaud any effort to make email more usable and secure, I can't escape the feeling that email is quickly becoming the new snail mail. It seems most people only use it for very "official" communication, or communication with more or less autonomous services, while using other channels for almost everything else.

For me at least, email is moving into the same space as a phone number: something you know you need to reliably have, but you'd throw out in a minute if you could get away with it.


I've been using SimpleMail. Seems to have all the same features as FairEmail but without banners and paid Pro-version.


Do you mean SimpleEmail? https://framagit.org/dystopia-project/simple-email

It kinda looks like it is based on FairEmail...? Even parts of the readme have the same language.

edit: it seems it is a fork. This is addressed in the SimpleEmail FAQ: https://framagit.org/dystopia-project/simple-email/blob/mast...


Scrolled down to the bottom to look at the screenshots, but they look mildly stretched to me. Is anyone else seeing this?


Just bought the premium features because this is both simple and well thought and works very well. I really like it.


I love this app. I really like how it shows you tracking images and stuff in the emails.


been using this app for months... my favorite email app in this current market.


No JMAP support?


Does anything have JMAP support outside of Fastmail?


Here is a link to support him. https://github.com/jmapio/jmap/blob/master/software/software... As far as I know, at least one of the European countries requires it for some new projects.


Yes.


I've been running that for years.



