Want to Protect Your Emails? Don't Use these 11 Android and iPhone Email Apps

Want your email to be secure? Of course. But if you lose your smartphone or tablet, you might be out of luck, if it runs Google's (GOOG) Android or Apple (AAPL) iOS operating system. Some popular apps actually store emails, user names, or even passwords in plain text. Readily available free software and instructions can give access to the person who finds, steals, or buys the phone.

viaForensics, which runs the appWatchdog web page, checked whether an app encrypted passwords, user names, or actual email content before storing it on the phone. A full pass meant that all three were stored in encrypted form. An app received a warning if the user name was left in plain text but password and content were encrypted. If either the password or content was stored in plain text, the app failed.

App perp walk
Only one app -- ironically, the iPhone version of Google's Gmail app -- passed. Microsoft's (MSFT) Windows Live Messenger on the iPhone got a warning. Everything else failed. Android Mail was at the bottom of the list, as it stored everything in plain text. Here's the list of all the tested apps:

• Hushmail on Android and iPad
• Google Gmail on Android and iPhone
• Android Mail for Hotmail and Mirosoft (MSFT) Exchange
• Yahoo Mail on Android and iPhone
• iPhone Mail for Gmail and Microsoft Exchange
• Windows Live Messenter on iPhone for Hotmail
• HTC Mail on Android for Microsoft Exchange

Weaknesses in email apps for Exchange, a widely used email system in corporations, are a particular problem. As Hoog told me:

We contacted the number 2 security guy at a Fortune 500 and got his take on it. He said it was absolutely nuts. If an internal guy did this, they'd fire him immediately

Vendors respond
So far, I have received responses from Google and Hush Communications (Hushmail vendor). Here is Google's comment:

We dispute the claim that this data is insecurely stored on Android devices. The data is not accessible by default unless the phone has been rooted to gain full privileges, which Android actively protects against and would result in similar exposure for any platform.

Hushmail Mobile is a simple browser-based application that runs within the browser on any mobile device that can display basic HTML. As a result, it is subject to the security issues of the browser in which it runs; particularly that information displayed in the browser may remain in the phone's flash memory for an indeterminate period of time. Thus, it is important for our customers to recognize that if someone else gets access to their phone, it may be possible for them to recover information from private emails that they have viewed on the phone. In the future, we hope to provide device-specific applications that will not rely directly on the browser, and thus avoid retaining sensitive information in phone memory.

And here's a video of how to jailbreak iOS 4.2.1:

It is also conceivable that malware or Web exploits could jailbreak a phone and allow remote access to email data.

All this raises the question of whether smartphone and tablet email systems are generally secure enough to satisfy corporate needs. This is one area in which RIM's (RIMM) BlackBerry has excelled. However, consumers have become the new gatekeepers and increasingly choose the hardware, so the issue doesn't generally appear until it's too late. What large companies need are new versions of the apps that take the necessary fundamental precautions.

Related:

• Google, in Regulatory Crosshairs, Tells Enforcers to Talk to the Hand
• Apple's Winning Tablet Insight: Consumers Are Corporate Gatekeepers
• Gawker Hacking Stirs Password Panic at LinkedIn, Yahoo and Others
• What Business Needs to Learn From the Gawker and WikiLeak Attacks
• Apple and Google Mobile Security Pits Get Deeper
• FTC Teaches Twitter that Regulators Have Sharp Teeth