I noticed an issue with Tutanota on the Android app: the app does not prevent the Android app manager from taking screenshots of the decrypted email and storing them in the recent apps animation while the user is reading it.
Android has a method for mitigating that issue by allowing developers to apply FLAG_SECURE to app windows with sensitive data, which prevents the Android framework from taking screenshots of them. This is often used by security-related apps like password managers, and you will see a blank screen for those protected apps in the recent apps dialogue.
I found it difficult to believe anyone working in Android development would not know about that, especially when they are working with security and encryption, but I went to the Tutanota reddit sub anyway to report the issue and got a really shitty attitude from their moderators, who ridiculed my post and went all out to downplay it as a non-issue. So even to this day the supposedly secure Tutanota email still gets screenshotted by Android every time it is in use and in a decrypted state.
So that was a couple of years ago. More recently I saw that a new secure encrypted email provider called Ctemplar has their app on f-droid, so I figured I would give it a try, and what do you know? It has the exact same issue. The decrypted inbox gets screenshotted by Android while in use, so I went to the Ctemplar subreddit to report the issue. They removed my post without so much as a response. So I reposted it, informing them that the first post was removed, and then it was removed too. I said damn. What is really going on here?
So what to make of that? If you go to their websites they are both very much about presenting themselves as crusaders for privacy and security, yet in practice there is clearly something else. I wonder: did the development teams in these projects get infiltrated by bad actors, or was the intention always to be honeypots for three-letter agencies?
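The mitigation the post describes in its second paragraph is a one-line change per window. As an added example (not the post's own code, and not code from Tutanota or Ctemplar), here is how an Android app can apply FLAG_SECURE to every Activity at once via an `Application.ActivityLifecycleCallbacks`, plus the equivalent per-screen form. The class name `SecureApp` and the assumption that it is declared as the `android:name` of the `<application>` element in the manifest are mine; `MessageViewActivity` is a hypothetical screen name.

```kotlin
import android.app.Activity
import android.app.Application
import android.os.Bundle
import android.view.WindowManager

// Added example, not code from the post or from any mail provider.
// Assumption: this class is registered as the app's Application subclass
// (android:name=".SecureApp" on <application> in AndroidManifest.xml).
// A lifecycle callback applies FLAG_SECURE to every Activity before its first
// frame is drawn, so a screen added later cannot be forgotten.
class SecureApp : Application() {
    override fun onCreate() {
        super.onCreate()
        registerActivityLifecycleCallbacks(object : Application.ActivityLifecycleCallbacks {
            override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) {
                // FLAG_SECURE marks the window content as sensitive: the framework
                // refuses screenshots and screen recording of it and renders the
                // recents (task switcher) thumbnail blank instead of the window.
                activity.window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
            }
            override fun onActivityStarted(activity: Activity) {}
            override fun onActivityResumed(activity: Activity) {}
            override fun onActivityPaused(activity: Activity) {}
            override fun onActivityStopped(activity: Activity) {}
            override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
            override fun onActivityDestroyed(activity: Activity) {}
        })
    }
}

// Equivalent per-screen form for a single Activity that displays decrypted mail
// (hypothetical screen name). The flag must be set before the first draw, so it
// goes at the top of onCreate, ahead of setContentView.
class MessageViewActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        // setContentView(...) and the rest of the screen setup follow here.
    }
}
```

To check it on a device: open the protected screen, press the recents button, and the task thumbnail should be blank; a screenshot attempt is refused by the system. Two caveats worth knowing when reviewing an app for this: `Dialog`s and views added directly through `WindowManager` have their own windows, so the flag has to be set on each of those separately, and FLAG_SECURE only controls what the framework itself will capture; it is not a defence on a device that is already compromised.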