Are the encrypted email providers honeypots?

I noticed an issue with Tutanota on the Android app, the app does not prevent the Android app manager from making screenshots of the decrypted email and storing it in the recent apps animation while the user is reading it.

Android has a method for mitigating that issue by allowing developers to apply FLAG_SECURE to app windows with sensitive data to prevent the Android framework from making screenshots of them. This is often used by security related apps like password managers, and you will see a blank screen for those protected apps in the recent apps dialog.

I found it difficult to believe that anyone working in Android development would not know about that, especially when they are working with security and encryption, but I went to the Tutanota reddit sub anyway to report the issue and got a really shitty attitude from their moderators, who ridiculed my post and went all out to downplay it as a non-issue. So even to this day the supposedly secure Tutanota email still gets screenshotted by Android every time it is in use and in a decrypted state.

So that was a couple of years ago. More recently I saw that a new secure encrypted email provider called Ctemplar has their app on f-droid, so I figured I would give it a try, and what do you know? It has the exact same issue. The decrypted inbox gets screenshotted by Android while in use, so I went to the Ctemplar subreddit to report the issue. They removed my post without so much as a response. So I reposted it, informing them that the first post was removed, and then it was removed too. I said damn. What is really going on here?

So what to make of that? If you go to their websites they are both very much about presenting themselves as crusaders for privacy and security, yet in practice there is clearly something else. I wonder: did the development team in these projects get infiltrated by bad actors, or was the intention always to be honeypots for three letter agencies?

1 Like

Is there no such option to hide app from recents/overview in their respective settings?
A third party app like FairEmail has a toggle for that.

I would suggest using the issue trackers for the clients rather than reddit. From what I can see no one has brought that up. Maybe open up a feature request.

2 Likes

What’s the threat model exactly?

You install apps that you don’t trust that will screenshot your email? Well… don’t do that…

Also, you know that system apps (eg. OEM ones, Google’s, Xiaomi’s etc) can bypass that FLAG, right?

Email providers are run by people who need money to climb Maslow’s pyramid too. They have to get the money somehow.

Have you looked at Posteo? They are the worst (or best) because they charge Euros and do not even provide an app! Maybe they conspire with Contacts, Calendar, Davx, K9mail and others to steal these screenshots, and customers pay for it. Plus, the gall they have, to charge customers extra for “100% green energy”.

removed my post without so much as a response

Sadly, this happens in many places, and it may be a sign of an organization that would rather ignore issues than explain them. Or, time is money, you know. It takes time to explain. On the other hand, deleting posts takes very little time, and nobody likes dealing with posters who accuse them, use language like “shitty” or “damn”, or have demanding tones.

1 Like

Which app screenshots your apps continuously? Disable that bad app, uninstall it, adb uninstall it, etc.

Have any proof of such actions?

Just because THEY CAN doesn’t mean that they actually do… they need to have a special OVERLAY permission and whatnot.

I would have ignored such a post too without proof…

1 Like

Your Android shouldn’t be used for highly sensitive information that you are that worried about. With a rooted phone I can create or remove the flag_secure on any app using Xposed modules. Not exactly a security/privacy fix, as any system app or rooted app has privileges high enough to override flag_secure.

Their focus is on the actual encrypted e-mail service, not exactly the same amount on an Android app that only has so much security/privacy, especially considering stock Android comes with Google backdoors.

If you seriously do not understand the threat model, then you are not qualified to be discussing it. The threat model is that someone would intercept the contents of the encrypted email while it is decrypted. The threat model is the same one that the Android developers were addressing when they implemented FLAG_SECURE. The threat model is the same one that every developer who works with password managers and other security oriented apps was aware of when they assigned FLAG_SECURE to sensitive windows in their apps.

Don’t be so ridiculous. That is like saying that just because people can rob banks doesn’t mean they will if you leave all the vaults unlocked. If no one would do such things, then explain why you believe we have passwords. Why do you believe we have https? Why do you believe we have TLS? Why is there encryption? Why do you lock your car when you get out of it?

1 Like

Could your next post include actual proofs/appIDs like I asked? You keep posting rants without any meaningful info…

/LE: https://github.com/ProtonMail/proton-mail-android/blob/067bcc3deb3481de4926e2d3184581632cf6dffc/app/src/main/java/ch/protonmail/android/activities/BaseActivity.java#L232

Correct me if I’m wrong but this is “always on” right?
I’m not sure if they will merge it without making it optional for the user.

Edit: Well, I just saw that someone else has commented on it.

Indeed, that’d never be merged as is.
And the app is a webapp wrapped, so I have no clue on adding a setting like you normally would.
But they only accept feature requests via their subreddit, so a PR was the closest I could get.
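An added example, not code from Tutanota, Ctemplar, Proton or any other client discussed in this thread, showing the FLAG_SECURE protection described in the opening post in a form that answers the “always on” objection raised above: the flag is gated behind a user preference, so the screen stays out of the recents thumbnail and out of screenshots by default but can be switched off in the app’s settings. The package name and the preference key are assumptions for the example. Because FLAG_SECURE is a property of the Activity’s window rather than of the views inside it, the same base class covers a WebView-wrapped UI, which is the situation described for the webapp wrapper.

```java
// Added example, not part of the original thread or of any client's code base.
package com.example.securemail; // hypothetical package name (assumption)

import android.content.SharedPreferences;
import android.os.Bundle;
import android.view.WindowManager;
import androidx.appcompat.app.AppCompatActivity;
import androidx.preference.PreferenceManager;

/**
 * Base class for every screen that can display decrypted mail.
 * Subclass this instead of AppCompatActivity so the protection is applied
 * uniformly; it also covers a WebView-wrapped UI, because FLAG_SECURE is
 * set on the Activity's window, not on individual views.
 */
public abstract class SecureBaseActivity extends AppCompatActivity {

    // Preference key is an assumption for this example, not a key used by
    // any real client. A SwitchPreference with this key in the settings
    // screen gives the user the toggle.
    public static final String PREF_HIDE_FROM_RECENTS = "hide_from_recents";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Apply before the subclass calls setContentView so that not even
        // the first drawn frame is capturable.
        applySecureFlag();
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Re-evaluate on every resume so a toggle changed in Settings takes
        // effect without restarting the app.
        applySecureFlag();
    }

    private void applySecureFlag() {
        SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(this);
        // Default to true: the safe behaviour unless the user opts out.
        boolean hide = prefs.getBoolean(PREF_HIDE_FROM_RECENTS, true);
        if (hide) {
            // Window content is excluded from screenshots, screen recording
            // and the recents/overview thumbnail; non-secure displays get black.
            getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        } else {
            getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
        }
    }
}
```

As several replies above point out, this is a framework-enforced protection against ordinary apps and the recents thumbnail; a rooted device, an Xposed module or a privileged system component can still capture the window, so it does not defend against a compromised OS.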

Well done. I did something too. I posted a feature request on cTemplar’s GitHub and emailed their security team. They are saying they implemented something a few days ago.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.