Android and secure mail

08.05.2010 21:31

Here's another gripe about my new Android-running Galaxy Spica. It appears that there's a lot of hacking involved if I want to have a secure way of reading my email.

First, the bundled mail app doesn't support CRAM-MD5 authentication for SMTP (bug 5901). This means that the password for the mail server account gets sent in clear, which is obviously a bad thing.

However, the app does support SMTP over SSL and TLS, which means the connection can be encrypted and the clear-text password that passes through it made safe from eavesdropping.

But you can't install third party root CA certificates (bug 6207). This means that the phone is basically stuck with trusting only those particular certificate authorities that Google wants you to trust. If I want to connect to a SSL service (like secure IMAP and SMTP, and also secure web pages) that has a certificate signed by a different authority I'm left with the "accept any certificate" option, which makes the connection vulnerable to man-in-the-middle attacks, thus eliminating most of the benefits of encryption (just remember how scary-looking the warning about an untrusted certificate looks in Firefox if you don't believe me).

I did find a couple of guides (1, 2) on how to add a custom CA certificate to the phone, but they look a bit outdated (one is for the Android Cupcake version) and the procedure appears to be pretty delicate.

My 5 year old "dumb" Sony Ericsson phone had support for both CRAM-MD5 and custom certificates out of the box! I would happily trade all the bundled Facebook, MySpace applications and whatnot for basic things like this.

Posted by Tomaž | Categories: Life


My suggestion would be to use gmail app. It is _much_much_ better than the mail app [I don't know if it uses SSL or not behind the scenes].


I'm sure it is better. But that would mean forwarding all my mail through GMail. That's not something I want to do. Handing over control of my phonebook and calendar to Google is enough I think.

Posted by Tomaž

Have you tried using Eduroam wireless internet? I hear it isn't possible due to certificate issues.

Posted by shears

No, I haven't tried Eduroam. But I also saw a lot of people asking how to make it work.

Posted by Tomaž

Add a new comment

(No HTML tags allowed. Separate paragraphs with a blank line.)