I use Things without encryption
Update 2023-11-03: No, I don’t.
I tell people not to use Readdle’s Spark email app. Then I turn around and use the Things task manager, which lacks end-to-end encryption (E2EE). That concerns me. I have a PKM note called “Task managers”, and under “Things” my first bullet point is:
- Lacks end-to-end encryption
I realize I’m being hypocritical here, but perhaps only a little bit. There’s a difference in exposure between Things and, say, my PKM notes, my archive of scanned documents, my email, etc.:
I don’t put highly sensitive information in Things. No, I don’t want my actions in there to be public, but they’re generally no more detailed than “make an allergist appointment” or “ask boss about a raise”. I know some people use Things as a general note-taking app, but I don’t. There are other apps more tailored to that, and I use them instead.
I control what information goes into Things. If my doctor were to email me sensitive medical test results, the Spark team could hypothetically read them. Cultured Code can only view what I personally choose to put into Things. (That glosses over the “Mail to Things” feature, but I never give that address to anyone else and I don’t worry about it being misused.)
Things can’t impersonate me. Readdle could use my email credentials to contact my boss and pretend to be me. Now, I’m confident that they won’t. They’re a good, reputable company. But they could, and that’s enough to keep me away from Spark.
Finally, Cultured Code is a German company covered by the GDPR. They have strong legal reasons not to do shady stuff with my data.
While I don’t like that Things lacks E2EE, and I wish that it had it, given how I use it that gap isn’t important enough to keep me away. There are more secure alternatives like OmniFocus and Reminders, but the benefits I get from Things over those options make it worthwhile for me to hold my nose and use it.
Everyone has to make that decision based on their own usage. If you have actions like “send government documents to reporter” or “call patient Amy Jones to tell her about her cancer”, then you shouldn’t use Things or anything else without E2EE. I’d be peeved if my Things actions were leaked, but it wouldn’t ruin my life or get me fired.
But I know I should still look for something more secure.
Do not use Readdle’s Spark email app
I’ve written before about Readdle’s Spark email client, which is popular, highly rated, and a beautifully powerful app. It’s also too dangerous to use. I recommend dropping it immediately.
Readdle is a good, reputable company. I respect and appreciate them. However, Spark’s design is fatally flawed: to use its advanced features, your email username and password (or token — same thing) have to be stored on their servers so that they can access your email account on your behalf. That’s bad under normal circumstances, but astoundingly risky today. Readdle was founded in Ukraine and still has many Ukrainian employees. Russia is currently invading Ukraine, a sovereign country. If Russia succeeds, they could likely have access to the login credentials of every one of Spark’s users. This would be catastrophic. Imagine Russia’s security agencies having full access to your work account, being able to use your personal email to reset your banking website’s password, or reading every email you’ve ever sent or received.
Spark isn’t the only email app designed this way. I believe it’s the most popular, though, and that means its dangerous-by-design architecture is used by a lot of people. This isn’t acceptable, and it can’t be fixed. If you use Spark, I strongly recommend following their instructions to delete all your data off their servers immediately, and then changing the password of every account you’d used it with.
And when you’re done, see if their other apps look interesting to you. Risks with Spark aside, Readdle makes delightful software and could use our support right now.
The Risks of Third-Party Email Clients
There are a lot of neat third-party email applications available for Mac and iOS. From an end-user perspective, many of them are amazing and useful. From an information security, privacy, or legal perspective, many are horrible.
For example, Readdle makes a popular email client, Spark. Now, to be clear, I think Readdle is a good, competent, well-meaning company and that Spark is a nice app. My problem with their product isn’t that I don’t trust them; it’s that I have to trust them, and unnecessarily.
Here’s why.
How first-party email apps work
When I refer to a first-party mail client, I mean Apple’s own Mail.app, or the app that an email service company made to support their own system (such as Google’s Gmail app). These are a direct link between your computer and your email service, and are widely regarded as trustworthy and safe to use. That is, if you don’t trust Mail.app with your email, you probably wouldn’t be using a Mac or iPhone in the first place. If you don’t trust the Gmail app, you shouldn’t trust the Gmail service either. A third-party app, then, is one made by someone other than the company who made your computer’s operating system or your email service.
With that out of the way, here’s how the process of receiving an email works on these clients:
- A friend sends you email.
- Mail.app periodically checks your email account to see if you have new mail, then fetches it.
- Mail.app gives you some sort of notification that you have a new message.
Alternatively:
- A friend sends you email.
- The Gmail mail server sends a “push notification” to your phone, waking it up and alerting it that you have new email.
- The Gmail app on your phone fetches it.
- The Gmail app on your phone notifies you that you have a new message.
That’s straightforward.
How some third-party email apps work
Spark could have been written to work like Mail.app, but Readdle chose not to, for a good reason that I understand and appreciate. All that “do I have new email?” checking can eat up a phone’s battery, and if someone sends you an email right this moment, it may take several minutes before you get a notification. However, this is where a giant privacy and security issue pops up. Spark works like this:
- The Spark app on your phone sends your email username and password to Readdle’s server, where it’s stored until you ask Readdle to delete it.
- A friend sends you email.
- Readdle’s server continually checks your account for new email, and then fetches it.
- Depending on the contents of the email, Readdle’s server may do some extra processing on your behalf, and may send the Spark app on your phone a push notification to tell it you have new mail.
- The Spark app on your phone fetches your email from your mail server.
- The Spark app on your phone notifies you that you have a new message.
See the problem? Readdle has your login information and uses it to check email on your behalf. From their privacy policy:
INFORMATION WE COLLECT AND HOW WE USE THIS INFORMATION
OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.
By design, to use the Spark app you have to trust Readdle with the ability to read all your email, and that’s not OK. Depending on what line of work you’re in, it may not even be legal for you to allow another company to access your email if you don’t have a signed data use agreement (DUA) or HIPAA Business Associate Agreement (BAA) in place with that company. Google will sign a BAA if you ask them. Apple’s Mail.app design doesn’t require that, because Apple never has access to your email account (unless you use iCloud email, which you shouldn’t be doing anyway if you’re working with HIPAA data). In fact, Apple can’t access your email usernames and passwords. From their iCloud security overview:
These features and their data are transmitted and stored in iCloud using end-to-end encryption:
- iCloud Keychain (includes all of your saved accounts and passwords)
And all of this is to support push notifications, which are nice but which Mail.app never had in the first place. Note: Readdle’s service isn’t “push” behind the curtain, as their server has to regularly poll your email service to see if you have new mail. The difference is that it’s their server doing the polling, using their electricity, not your iPhone. That’s a handy feature, but is it worth it? In my opinion, it isn’t. Further, I disagree with Readdle’s statement that the “send later” and “sync between devices” features require this arrangement. They could have been built on top of an end-to-end encrypted service like iCloud, but Readdle chose not to. Again, they probably did that for decent reasons, because Readdle is a good company, but they didn’t have to.
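To show what an end-to-end encrypted “send later” / “sync between devices” design looks like, here is an added Python sketch (not code from Spark, Readdle, or any other app named here): the device encrypts the queued message under a key that never leaves the user’s devices, the sync server stores only the blob and the scheduled send time, and a second device verifies and decrypts before handing the message to SMTP. The device key and message are constructed sample values, and a SHA-256 counter-mode keystream with HMAC-SHA256 stands in for a real AEAD.

```python
import hashlib
import hmac
import json
import secrets

# Added demonstration, not code from any real mail client. The user's devices share
# DEVICE_KEY; the sync server is never given it, so it can schedule but not read.
# SHA-256 in counter mode plus HMAC-SHA256 stands in for a real AEAD such as
# AES-GCM; use a vetted cryptography library for anything real.
DEVICE_KEY = bytes.fromhex("00" * 16 + "ff" * 16)  # constructed sample key


def _subkeys(key):
    # Separate encryption and MAC keys derived from the device key.
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def _keystream(enc_key, nonce, length):
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest())
    return b"".join(blocks)[:length]


def queue_send_later(key, message, send_at):
    """What the device uploads: ciphertext, nonce, tag, and the send time (in clear)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(message).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # The MAC also covers send_at, so the server cannot silently reschedule the message.
    tag = hmac.new(mac_key, nonce + str(send_at).encode() + ct, hashlib.sha256).digest()
    return {"send_at": send_at, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def server_view(record):
    """Everything the sync server can act on: the schedule and the blob size."""
    return {"send_at": record["send_at"], "ciphertext_bytes": len(record["ct"]) // 2}


def open_on_device(key, record):
    """A second device verifies and decrypts; returns None if the record was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    expected = hmac.new(mac_key, nonce + str(record["send_at"]).encode() + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(bytes.fromhex(record["tag"]), expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)
```

The trade-off is that a device, not the server, must be awake at the scheduled time to actually send; that is the price of the server never holding your credentials.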
Conclusion
I’m using Readdle’s Spark as an example, but mail clients are all over the place privacy-wise.
Airmail’s privacy policy says:
If “Real-Time Mailbox Monitoring” is enabled for Gmail or Outlook, Office365, IMAP, and Exchange accounts, we store credentials solely to send push notifications.
Superhuman also stores your login information:
Authentication Tokens. When you sign in to the Service, we collect and store encrypted Gmail authentication tokens.
Postbox doesn’t collect your credentials:
We only communicate with Google’s email servers through IMAP, POP, and SMTP protocols, and never receive or store any messages or data from your Google email accounts on our servers. You can revoke Postbox’s access to Google services at any time.
That’s one of the less creepy terms in their privacy policy, though:
We may use information about your publicly available social media information, or your contacts’ publicly available social media information, in connection with our Services.
MailMate has a clear policy:
Passwords are most often required for MailMate to access the emails in your IMAP accounts and to send emails using SMTP servers. Regular passwords are stored (if you allow it) in the Keychain of macOS. Depending on your settings, this might be an iCloud-based keychain synchronized to your other devices.
Some accounts support OAuth2 authentication. In this case, a browser is used for authenticating your accounts and MailMate only gains access to so-called OAuth2 tokens. The tokens are used to access your accounts and MailMate never sees and never stores your password. The tokens are stored in your Keychain as described above.
If an app doesn’t have a privacy policy, don’t use it. If it does, read the policy. And if you work in a regulated industry like finance or healthcare, get your company’s legal team’s opinion before using a third-party app!