The unfortunate state of mobile mail clients

Recently, I started to search for a mail client for my iPad. The requirements were simple, it needed to be able to receive and sent e-mail, without much of a hassle. And it needed to do so in a manner that respects my freedom and privacy.

What ultimately started as a search for a mail client that met my needs and wishes, ended in an unfortunate surprise: I discovered that a lot of clients share either the credentials or messages – or a combination of those two, with a third party – in most cases the developer of the client.

Why is this important?

Because you should be able to trust your mail client. Harvesting your private information on the sole basis of implient consent (eg, with a clausule hidden in a privacy disclaimer) is not only unethical, it poses both a threat and a risk to multiple aspects like confidentiality, privacy, security, trust and more.

It might be arguable that the credentials are required for some functionality, like delayed sending – where the message gets send to the recipient with a delay you set and without the requirement to leave your machine running.

However this should be done on a strict opt-in basis and with clear information on the impact of this functionality. Blindly storing the credentials “because a user might just use that functionality” is bullshit.

While clients are able to perform anti-SPAM measures locally, it could be argued that routing messages through different servers might allow for more efficiency – this too should be done strictly on an opt-in basis. And again, with a clear warning, rather than implied consent.

Last but not least: do you trust the developer of your mail client to store your login on their servers? Do you trust them not to take a peek at your messages, whether automated or manually? Do you trust them blindly to handle your private data while they can drastically grow their revenue streams by harvesting that exact same data?

The impact

What perhaps shook me the most, is on which scale this happens. To illustrate this, I dove into the privacy policies of the most popular mail clients for mobile devices.


SpikeBoasts itself on encryption but collects “your email address and password, your emails and other conversations and your contact list” – privacy policy

Spark – Collects “email address, oauth login or mail server credentials, email content while using […], ip address” and much more – privacy policy

Polymail – Collects “device information, log information, location information, information regarding contacts, calendars, sent mail, local storage; cache, oauth credentials  which gives us access to your data without letting us know your password” – privacy policy

Edison Mail – Collects “contacts, location information, email information, files & attachmens” including for marketing purposes on an opt-out basis – privacy policy

Newton Mail – Collects “name, username, password, mailadress, emails, calendar, contacts, location, log information” – privacy policy

TypeApp – Collects “email header, phone number, contact information, oauth token/encrypted credentials, calendar items, email to be sent later” and more – privacy policy

Closing thoughts

The aforementioned applications are in no way an exhaustive list, there are a lot more clients that are just as bad and perhaps worse. If anything, this shows an unwanted business practice and users should demand that the apps they use respect their personal rights, freedom and security.

I might update this post soon-ish to include more clients and popular desktop clients for a more complete overview of this ongoing breach.

Feel free to respond through the comments section down below.

Leave a Reply

Your email address will not be published. Required fields are marked *