What do you think about Spark (by Readdle) security?

The latest Spark is quite nice.

I went ahead and installed the new Spark on my iPad and was pleased to see that all the accounts and settings I had set up on my iPhone synced with my iPad, so there was nothing really to set up.

But in the Spark FAQ it says: To provide you with the sync option, we encrypt the information about your accounts and preferences and store it on our secure servers. If you want to learn more, see the Spark Privacy Policy.

Do you think this is safe?

Thanks,

doug

I’ve been using Spark for a couple of years now, and am one of Readdle’s beta testers for the iOS version. I like it a lot. I have no qualms about their approach to account information; it makes setting up a new machine much easier. But then, I’m a lot less neurotic (some might say more complacent) than most

Jeremy

I assume the encrypted files they store on their servers cannot be on encrypted by anybody. I hope that’s the case.

I really do like the current version of Spark. It’s the first third party iOS app for Mail that I really like.

I’m writing up a more detailed review of it now.

Doug

I’m curious—I keep trying Spark every so often, but I can’t abide tapping a message and waiting for it to load, which happens nearly all the time on my iOS devices. Similarly, even when a message loads, if there’s an inline graphic, I have to wait for that to load too. For me, that makes it unusable.

I’ve reported this to Readdle repeatedly and they’ve been very responsive in talking about it, but have never address the problem. So I just keep going back to the Gmail app, which displays all mail instantaneously.

Interesting you experience that. One of the things I like about the new version of Spark is that messages load quite quickly compared to ordinary iOS Mail. I get frustrated by the “loading loading” notices in Mail, while in Spark the complete conversation thread seems to be there immediately - even including my current reply to the thread.

Inline graphics have improved a lot too.

Not all my accounts are Gmail.

Maybe I’ll post my review here for you to look at. If you like it, you can use it for a new post! :slight_smile:
doug

Here’s one individual that thinks it’s not safe: https://www.reddit.com/r/privacy/comments/5grsan/do_not_use_the_spark_email_client_by_readdle/

It’s disturbing, considering I don’t really understand what they are saving.

I should ask them to comment. I have heard before that some credential sharing is required to let a third party app perform push notifications for you. In this case they are also saving encrypted credentials to allow syncing of accounts across devices so you don’t have to set them to manually.

I should show this thread to Spark and ask them to comment.

Doug

There’s also this which points out that all 3rd party mail apps must store credentials and other info in order to provide services. Outlook does it as well. The article says Spark does this in the safest recommenced way.

My basic question, though, is whether others can read my private emails, and what are the chances of passwords being stolen and unencrypted.

Here is Spark’s reply to my email:

Please be assured we take your privacy seriously, and Spark is fully GDPR (General Data Protection Regulation) compliant.

— In Spark, your emails can be figuratively divided into two categories and the information regarding them is handled in a different way:

  • Regular emails , which you receive and send: The content of such emails is stored on the server of your account, so we do not analyze or save them.
    However, to compose and send you notifications, we sync the subject and a part of your message, encrypt this information and store it on our secure servers. Kindly note that the encryption key is saved locally on your device, so only you have access to it. This encrypted information is deleted from our servers in 4 hours after the push message has been prepared and sent as there is no need to keep it longer.

  • Emails that use Spark Services: There are some functions that require server-side email processing to work. In Spark, you and your colleagues can create Teams. It allows you to have a secure space where you share information such as email conversations, shared drafts, have private discussions, or create links to specific emails. This information is stored on our secure servers in order to make Services available to you, so you can collaborate with your teammates around email. In case you have used ‘Send Later’ feature, the encrypted email which should be sent at the chosen time is stored on our servers only until this time comes. Once your message is sent — it is removed from our server.

— Regarding credentials . Spark needs to check and send emails from your email account for these functions to work. And to achieve this, we need to store your email account’s access token. For services with OAuth authentication, like Gmail, Outlook or Yahoo it’s a special application-specific token that you can revoke at any moment from your email account on the web. For services like AOL and Exchange accounts, this access token is your email login and password.

All connections to our servers are protected with TLS. The servers’ databases are encrypted, and to make things even more secure we additionally encrypt your password in the database. It makes it totally unreadable by a human being.

Here’s a follow up question I sent them:

Thank you for your reply. I can’t tell you how much I enjoy using Spark on my iPhone. It’s the first 3rd party Mail app I feel comfortable with. I’m writing up a review of my experience and hope to post it soon.

I wonder if you could clarify just a few points though, for people who are concerned with privacy.

  1. Does the search feature require keeping emails on your server?

  2. Even with all the security protections, is it physically possible for Readdle staff to read our personal emails?

  3. Is it possible for our passwords to get stolen and used - by someone else, or an errant Readdle staffer?

  4. How can you run services which require ongoing use of your servers (push, teams, etc.) without a regular subscription fee?

This is general, since I have no personal knowledge of Spark or Readdle.

Encryption is very hard to get right and even the NSA messes up. Small companies can potentially have a very hard time of it unless (and sometimes even though) their primary product is security, such as password managers. It’s not enough to use well regarded open source encryption modules, because the interactions between various modules is just as critical as each module. Encryption routines written from scratch by non-specialists tend to be disastrous. Unless a company has a third party audit done and releases the full results (good and bad) publicly, there’s no reason to expect that the company did it right, especially for something as critical as mail–take over your mail account and it’s suddenly much easier to take over your store and bank accounts; read your company’s email headers and they can much more easily phish your coworkers to deploy ransomware.

Many email services now allow or require separate passwords for each client on each device. These limited passwords definitely improve security, and if your email services provide it as an option you should do it–even though it will probably prevent credential syncing from being useful.

Tokens vs passwords–tokens may prevent complete account takeover (changing your password to lock you out) but they’ll still let a bad guy read enough of your mail to cause you plenty of harm.

It’s worth noting that if you have multiple accounts that include work accounts, it may be actively prohibited to use use anything that would transfer credentials or any part of email messages to a third party server. Don’t do this for any work account without checking with your IT security people–it could easily be a firing offense unless the employer has a special agreement in place with the mail service (in which case there will almost certainly be a special way to log in).

[If you have accounts (including Apple IDs) that let you create a recovery email address, you should do that. It’s good insurance in case someone tries to, or does, take over an account. The recovery email should go to the most secure email service you trust, and you shouldn’t use that account for ordinary mail. I have a ProtonMail account (in Switzerland) that I use only for recovery. It’s one of the most secure mail options available, partly because it’s all webmail, no clients need apply. You can also (and should) set up the second password. That way the primary password logs you in, and the second password, which never leaves your computer, decrypts the mail messages. They have a free tier that’s more than adequate for the purpose.]

1 Like

Why is web access any safer than a client?
What do you think of Mailplane, which is an app that is a cover for Gmail web access?
How about really major clients like Microsoft Outlook?

ProtonMail has a client for both iOS and Android, and there is an app for desktops called the bridge that allows you to access mail from a desktop client like Mail.app for MacOS.

Why do you think it is more secure than Spark?

Webmail clients are called browsers and there aren’t many other app less secure these days than your browser of choice and it’s rendering engine.

It seems the problem is universal: https://www.macrumors.com/2018/07/02/third-party-email-apps-reading-user-emails/

For those interested or concerned about the security of 3rd party iOS email apps, this article is a very good read: https://thesweetsetup.com/3-troubling-trends-we-see-in-ios-email-apps-2/

I ended up posting a review of Spark on my blog: https://lerner.net/spark-an-email-app-for-your-iphone-and-ipad/

You’re welcome to use it if you want to post a TidBits article about Spark at some point.

I have tried Spark in the past, but one of the reasons I’m wary of the app is that Readdle is a Ukrainian company and I’m not 100% sure that any data that they collect from me will not be used in a nefarious way, and then I’d have little recourse if that happens. Also, the Russian Federation has annexed Crimea and there are Russian troops/militias in eastern Ukraine. Are we 100% sure that data collected by an Odessan company will remain secure (assuming that it is already); will not fall into Russian control?

Boy, I’d love it if Apple added features like snoozing email, intelligently identifying SPAM, allowing push notifications for all mail servers, and categorizing email into important and unimportant buckets into the stock mail app. With Apple adding more AI maybe some of those things will be added.

Well, Adam, allow me this; but I understand if you delete my post. (1) Readdle is a great company known for its great top-quality iOS and macOS products. (2) I am European, and, to be fair, I should equally worried of NSA (targeting non-Americans, and apparently
this is OK for American people) and Russia and China. But then, I would have no software at all. So, I use Apple, Google and Readdle products equally.
cheers

–e.