
Email credentials at stake when using mail apps

Microsoft offers Outlook for Android and iOS phones and tablets. This mobile app supports IMAP mailboxes and manages contacts and calendars.

In contrast to other mail clients for smartphones like K9-Mail, the MS Outlook app doesn’t connect to our mail servers directly if you use it with a mailbox.org account. It will send your login credentials to Microsoft cloud servers without your explicit permission. The MS cloud service will then fetch all your e-mails, as well as your contacts and calendars, from your mailbox.org account and provide them to your Outlook app. Attachments are stored in an MS cloud drive.

Privacy Policy Outlook for iOS & Android (extract from 2015):

Email Credentials. We collect and process your email address and credentials to provide you the Service.

Email Data. We collect and process your email messages and associated content to provide you the Service. … Your email data may contain messages, address book, contact information, message attachments and calendar information.

The recent Privacy Policy (from 2020) is more generic and no longer refers to specific apps:

The data we collect depends on the context of your interactions with Microsoft and the choices you make (including your privacy settings), the products and features you use, your location, and applicable law.

The data we collect can include the following:

[ ... ]

**Credentials**. Passwords, password hints, and similar security information used for authentication and account access.

Because of these privacy issues, the Swiss Federal Institute of Technology Lausanne, F-Secure, the universities of Delft and Wisconsin, the EU Parliament and others prohibit the use of the MS Outlook app for Android and iOS phones and block access to MS-related cloud services. The EU Parliament’s IT department (DG ITEC) has warned all members of the EU Parliament by mail:

Please do not install this application, and in case you have already done so for your EP corporate mail, please uninstall it immediately and change your password….

The apps will send password information to Microsoft without permission and will store emails in a third-party cloud service over which the Parliament has no control.
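Because such an app logs in from the vendor's cloud rather than from the user's device, a mail server operator can spot affected accounts in the IMAP login log. The following is an added example, not part of the original article: it assumes Dovecot-style `imap-login` log lines, and the network ranges, labels and sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder ranges (RFC 5737 documentation networks), NOT real
# provider ranges. Replace them with the ranges your policy treats as relays.
RELAY_NETWORKS = {
    "example-cloud-a": ipaddress.ip_network("198.51.100.0/24"),
    "example-cloud-b": ipaddress.ip_network("203.0.113.0/24"),
}

# Successful Dovecot-style login: user=<address> ... rip=<remote IP>
LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]+)>.*?\brip=([0-9a-fA-F.:]+)")

# Constructed sample log lines for this example.
SAMPLE_LOG = """\
Mar 03 09:12:01 mx imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Mar 03 09:14:44 mx imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1, TLS
Mar 03 09:15:02 mx imap-login: Login: user=<carol@example.org>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.1, TLS
Mar 03 09:16:30 mx imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.org>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, TLS
Mar 03 09:20:11 mx imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.1, TLS
"""

def classify(ip_text):
    """Return the relay label for an address, or None for a direct client."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # unparsable address: do not guess
    for label, net in RELAY_NETWORKS.items():
        if ip in net:
            return label
    return None

def relayed_logins(log_text):
    """Map each user to the relay labels their successful logins came from."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        match = LOGIN_RE.search(line)
        if not match:
            continue  # failed attempts and unrelated lines are skipped
        label = classify(match.group(2))
        if label:
            hits[match.group(1)].add(label)
    return dict(hits)

if __name__ == "__main__":
    for user, labels in sorted(relayed_logins(SAMPLE_LOG).items()):
        print(f"{user}: login via {', '.join(sorted(labels))}; password change advised")
```

An account stays flagged even if later logins come directly from a device, because its password has already been handed to the relay service.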

Spark Email

The Spark Email app also needs to store your credentials on their servers. More details can be found in their privacy statement from 2020:

2. Information we collect and how we use this information

We collect certain information about you when you provide it directly to us or use our App and Service. We only obtain information necessary to provide you with our services.

[ ... ]

OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.

Blue Mail

The German security blogger Mike Kuketz does not recommend using Blue Mail because, back in 2018, e-mail passwords and other sensitive device information were sent to the company.
Please refer to this article for more information (in German): https://www.kuketz-blog.de/blue-mail-eine-unendliche-geschichte/