Securing your Mobile Email

Posted by MelissaLoudon on Oct 14, 2011
Author: 
SaferMobile
Abstract: 

Email wasn’t designed with security in mind. Unless you take steps to protect your communication, emails are sent in plain text - and so are your email account username and password.

At the same time, if you and your recipient are taking the appropriate security precautions, mobile email can be a secure and reliable alternative to other forms of mobile communication. If you have data service for your mobile, encrypted email can replace text messaging, and if you aren’t able to access a website securely to upload content - photos or videos for example - getting it to a trusted contact as an email attachment can be a safer alternative.

Email wasn’t designed with security in mind. Unless you take steps to protect your communication, emails are sent in plain text - and so are your email account username and password.

At the same time, if you and your recipient are taking the appropriate security precautions, mobile email can be a secure and reliable alternative to other forms of mobile communication. If you have data service for your mobile, encrypted email can replace text messaging, and if you aren’t able to access a website securely to upload content - photos or videos for example - getting it to a trusted contact as an email attachment can be a safer alternative.

This article suggests the following tactics for improving the security of your mobile email:

Email security basics

Even if you’re not using encrypted email, you can take some basic precautions to improve your email security. For example

  • Choose a strong, unique password for your email account, and change it often.
  • Make sure any device on which you have an email client (phones, computers, tablets..) has a strong, unique password.
  • Remember that even a deleted message may be stored in your Trash, and that even a message deleted from Trash may be stored on your mail server.
  • Spam, Phishing and Viruses are all email-based threats. Don’t open emails from people you don’t know if you suspect they may be malicious. Even if you do know the sender, the slightest suspicion should be enough to prompt you to get hold of them through other channels and verify that they sent the message.

Routine Email Security: TLS (SSL)

Most email clients (both PC software like Thunderbird, Microsoft Outlook and Apple Mail, and email apps on phones) and many email servers support encrypting your email between your email client and the server. To do this, they use Transport Layer Security (TLS) - also known as SSL. If you are able to use TLS/SSL to send and receive mail, you always should. As an example, this is how you set up Gmail to use TLS/SSL in the Android mail app and the equivalent guide for the iPhone and for Blackberry email. For email providers other than gmail, you should be able to set things up the same way - just use the incoming and outgoing mail server settings given to you by your provider.

  • If you can’t find a ‘use SSL’ (or similar) email account setting in your email program or app, try searching the web for the app or program name + TLS or SSL.
  • If you don’t know whether your email provider supports TLS/SSL, ask them. If not, it’s a good idea to create another account with a different provider for your secure communications.

Be aware that even if you are using TLS/SSL, it does not mean your messages are reliably encrypted. Your recipient may not be using TLS/SSL, and may receive the message in plain text. Furthermore, mail servers that the message must pass through will see the message in clear text.

Encrypted email

Even with TLS/SSL protecting your username and password, your email messages - both the headers (from, to, subject etc) and the message contents - are sent in plain text.

  • Emails can be read by someone eavesdropping on the sender or receiver’s network traffic.
  • Because email traffic usually passes through intermediate servers as well, third parties that control these servers may be able to read, filter or keep records of email messages.
  • It is relatively easy to make an email look as if it from a particular sender, even when it is not. This is known as email spoofing.

The solution to eavesdropping and message filtering is to encrypt the content of your emails. To prevent email spoofing, you also need a way to verify the identity of the sender. There are two methods for sending encrypted email - OpenPGP, and S/MIME. Both provide encryption and verification of identity, and require the use of a compatible email client (PC software or mobile app) by both sender and recipient.

An alternative approach for situations when it is not possible to use an email client is to use a webmail provider that supports encryption, and access your webmail over a secure connection.

Encrypted Email Standards

Both OpenPGP and S/MIME are standards standard for encrypted mobile email. Using public key cryptography, they provide the following:

  • authentication - the message is sent from the email address it claims it is sent from.
  • message integrity - the message has not been tampered with after sending.
  • digital signatures - the identity of the email address owner can be verified with a certificate authority (for S/MIME) or by choosing to trust a certificate previously obtained from the sender (for PGP).
  • encryption - the contents of the message cannot be read or tampered with in transit.

Unfortunately, OpenPGP and S/MIME are incompatible - you and your contacts will have to communicate using one or the other. Which standard you choose will depend partly on what is supported by the email clients (and email apps) you and your contacts use. S/MIME is more widely supported generally, but OpenPGP is more widespread in the open source community. For a more thorough discussion of the differences between the two standards, see this link.

A secondary consideration is that S/MIME and OpenPGP use different models of trust - that is, they differ in how they expect users to decide whether to trust that a certificate belongs to the stated sender.

  • In the S/MIME model, a certificate authority endorses (‘signs’) a certificate and your service checks for the endorsement of this certificate authority when it is testing the authenticity of the certificate.
  • In the OpenPGP model, called the ‘web of trust’, your trusted contacts endorse the validity of one another’s certificates. You can choose, for example, to trust a certificate from a stranger because someone you know knows them and has endorsed their certificate.

The first model is centralised and vulnerable to attacks on certificate authorities, while the second is decentralised and depends on users deciding whether a certificate they receive is trustworthy. For a further discussion, see this Wikipedia article on Public Key Infrastructures.

There are applications and services using both models. There is some debate about which will prevail as the most secure, but larger considerations for you may be about whether your colleagues use one or the other and whether you can run applications on your mobile.

When you first start out with encrypted email, it’s normal to find the process confusing! Generating your keys, getting them signed (S/MIME) or uploaded to a public key server (OpenPGP), and exchanging them with contacts is a non-trivial process, and one that needs to be done carefully to remain secure. Before trying out a mobile app for encrypted email, we suggest getting the process working on a PC. It’s also much easier to get started if you have people to talk to! Ask a friend or contact who already uses encrypted email to help you, or just get a few people together to follow a setup guide together.

S/MIME

To use S/MIME encrypted email, both the sender and receiver will need:

  • A mail client that supports sending and receiving S/MIME messages. Most popular email clients support S/MIME, including Mozilla Thunderbird, Microsoft Outlook and Outlook Express, and Mac OS X Mail; or
  • A mobile app that supports S/MIME email.
  • An S/MIME certificate, usually from a Certificate Authority (CA). Mozilla has a list of CAs that provide free certificates for personal use. Some apps will generate a self-signed certificate you can use for testing, but because your identity hasn’t been verified by a third party, self-signed certificates are considerably less secure.


OpenPGP

To use OpenPGP encrypted email, both the sender and receiver will need:

  • A mail client that supports sending and receiving OpenPGP messages. Many open source email clients support OpenPGP, including Mozilla Thunderbird, Evolution, Kmail and Mac OS X Mail; or
  • A mobile app that supports OpenPGP email.
  • An OpenPGP key pair (your private key, and the public key you share with other people and senders use to encrypt mail for which you are the recipient). Some mail apps will let you generate your key pair in the app, while others will require that you use PC software to generate a PGP key pair and then transfer the keys to the app.
  • Optionally, you can choose to upload your public key to a public keyserver, which is a directory of email addresses and associated public keys. People wanting to send you encrypted email (or decrypt email you’ve sent them) can check the keyserver for your public key. You should always take the additional step of contacting the person your sending to or receiving from through another channel to verify the public key you’ve downloaded. This is done by comparing the last 8 digits of the key signature.

While OpenPGP is the official name of the standard, you will also hear and read references to PGP and GPG or GnuPG. The Ubuntu community wiki explains the difference between the three:

  • OpenPGP is technically a proposed standard, although it is widely used. OpenPGP is not a program, and shouldn't be referred to as such.
    • PGP and GnuPG are computer programs that implement the OpenPGP standard.
  • PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication. For more information, see this Wikipedia article.
  • GnuPG is an acronym for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication. For further information on GnuPG, see this Wikipedia article.

Encrypted Webmail: Hushmail, RiseUp.net, and other services

When you use OpenPGP or S/MIME from an email client or email app, you are responsible for storing your private key and keeping it safe. This usually means the private key is stored on your device. Remember that your private key needs to be kept secret, because anyone who has it can decrypt messages meant for you, or impersonate you.

When you use an encrypted webmail service such as Hushmail or RiseUp.net’s encrypted webmail service, your email can also be encrypted using S/MIME or Open PGP. The difference, though, is that for these services to perform encryption and decryption of your messages and display them to you on a webpage, they need to have access to your private key. This means that the provider - or anyone who legally compels or informally convinces them to provide access to your messages - can access the decrypted versions of your encrypted emails.

At the same time, an imperfect solution may, at times, be better than not encrypting at all. Both Hushmail and RiseUp.net have explicit policies about when they will reveal your data to third parties, and depending on the nature of your activities, this may not be a particularly high risk for you. If you do choose to use web-based email, remember that your communications with the email providers’ website are not encrypted unless you are browsing securely using HTTPS. If you don’t want anyone to know that you are accessing these providers at all, or if they are blocked in your country, you should also follow MobileActive’s guide on how to browse anonymously and circumvent censorship.

Android

  • Android mail supports TLS/SSL - make sure you enable it, and use a mail provider that supports it!
  • Djigzo offers digitally signed, encrypted email for Android using the S/MIME standard. Djigzo doesn’t send email for you - rather, it allows you to send S/MIME email through your existing mail app. It’s open source and free for personal use, although it requires registration (an email address) after 30 days. There is extensive documentation available on the download page.
  • Android Privacy Guard and K-9 Mail have released a first version of a PGP mail client. Both apps are free and open source, but note that this is an early-stage release. The Guardian Project has a step-by-step guide here.

Blackberry

  • The Blackberry mail client can use S/MIME if you install the free S/MIME support package. For Blackberrys that are part of a corporate network, private keys may be stored on the enterprise server. In this case, be aware that your communications can be decrypted by the corporate network.
  • Djigzo offers digitally signed, encrypted email for Android and Blackberry using the S/MIME standard. Djigzo doesn’t send email for you - rather, it allows you to send S/MIME email through your existing mail app. It’s open source and free for personal use, although it requires registration (an email address) after 30 days. There is extensive documentation available on the download page.
  • RIM also sells a package that provides PGP email for Blackberry devices. Unfortunately, it only in works in conjunction with the blackberry with RIM’s universal email server, which is a corporate tool that handles key management among other things.

iPhone

  • The iPhone mail all supports TLS/SSL - see this guide for information about how to enable it.
  • S/MIME is also supported by the iPhone mail app. Setup guide here.
  • SecuMail is a commercial OpenPGP app for iPhones. It retails for US $49.99. SecuMail supports sending/receiving encrypted email but not generation of keys, which must be done with a desktop app.
  • OPenGP is a cheaper iPhone app for sending and receiving OpenPGP email. It has limited functionality for key management, including not generating keys, and initial reports suggest that it’s still an early and somewhat buggy version. On the other hand, it’s only US $7.99.

Nokia

Nokia’s email system for S40 and S60 phones, Ovi mail, supports TLS/SSL. Ovi mail is provided by Yahoo!, so note that as with all web-based email providers, your emails may still be stored in plain text on Yahoo’s servers.

At the time of writing there did not appear to be any encrypted email apps available for Nokia phones.

 

Securing your Mobile Email data sheet 2117 Views
Author: 
SaferMobile
Abstract: 

Email wasn’t designed with security in mind. Unless you take steps to protect your communication, emails are sent in plain text - and so are your email account username and password.

At the same time, if you and your recipient are taking the appropriate security precautions, mobile email can be a secure and reliable alternative to other forms of mobile communication. If you have data service for your mobile, encrypted email can replace text messaging, and if you aren’t able to access a website securely to upload content - photos or videos for example - getting it to a trusted contact as an email attachment can be a safer alternative.

Email wasn’t designed with security in mind. Unless you take steps to protect your communication, emails are sent in plain text - and so are your email account username and password.

At the same time, if you and your recipient are taking the appropriate security precautions, mobile email can be a secure and reliable alternative to other forms of mobile communication. If you have data service for your mobile, encrypted email can replace text messaging, and if you aren’t able to access a website securely to upload content - photos or videos for example - getting it to a trusted contact as an email attachment can be a safer alternative.

This article suggests the following tactics for improving the security of your mobile email:

Email security basics

Even if you’re not using encrypted email, you can take some basic precautions to improve your email security. For example

  • Choose a strong, unique password for your email account, and change it often.
  • Make sure any device on which you have an email client (phones, computers, tablets..) has a strong, unique password.
  • Remember that even a deleted message may be stored in your Trash, and that even a message deleted from Trash may be stored on your mail server.
  • Spam, Phishing and Viruses are all email-based threats. Don’t open emails from people you don’t know if you suspect they may be malicious. Even if you do know the sender, the slightest suspicion should be enough to prompt you to get hold of them through other channels and verify that they sent the message.

Routine Email Security: TLS (SSL)

Most email clients (both PC software like Thunderbird, Microsoft Outlook and Apple Mail, and email apps on phones) and many email servers support encrypting your email between your email client and the server. To do this, they use Transport Layer Security (TLS) - also known as SSL. If you are able to use TLS/SSL to send and receive mail, you always should. As an example, this is how you set up Gmail to use TLS/SSL in the Android mail app and the equivalent guide for the iPhone and for Blackberry email. For email providers other than gmail, you should be able to set things up the same way - just use the incoming and outgoing mail server settings given to you by your provider.

  • If you can’t find a ‘use SSL’ (or similar) email account setting in your email program or app, try searching the web for the app or program name + TLS or SSL.
  • If you don’t know whether your email provider supports TLS/SSL, ask them. If not, it’s a good idea to create another account with a different provider for your secure communications.

Be aware that even if you are using TLS/SSL, it does not mean your messages are reliably encrypted. Your recipient may not be using TLS/SSL, and may receive the message in plain text. Furthermore, mail servers that the message must pass through will see the message in clear text.

Encrypted email

Even with TLS/SSL protecting your username and password, your email messages - both the headers (from, to, subject etc) and the message contents - are sent in plain text.

  • Emails can be read by someone eavesdropping on the sender or receiver’s network traffic.
  • Because email traffic usually passes through intermediate servers as well, third parties that control these servers may be able to read, filter or keep records of email messages.
  • It is relatively easy to make an email look as if it from a particular sender, even when it is not. This is known as email spoofing.

The solution to eavesdropping and message filtering is to encrypt the content of your emails. To prevent email spoofing, you also need a way to verify the identity of the sender. There are two methods for sending encrypted email - OpenPGP, and S/MIME. Both provide encryption and verification of identity, and require the use of a compatible email client (PC software or mobile app) by both sender and recipient.

An alternative approach for situations when it is not possible to use an email client is to use a webmail provider that supports encryption, and access your webmail over a secure connection.

Encrypted Email Standards

Both OpenPGP and S/MIME are standards standard for encrypted mobile email. Using public key cryptography, they provide the following:

  • authentication - the message is sent from the email address it claims it is sent from.
  • message integrity - the message has not been tampered with after sending.
  • digital signatures - the identity of the email address owner can be verified with a certificate authority (for S/MIME) or by choosing to trust a certificate previously obtained from the sender (for PGP).
  • encryption - the contents of the message cannot be read or tampered with in transit.

Unfortunately, OpenPGP and S/MIME are incompatible - you and your contacts will have to communicate using one or the other. Which standard you choose will depend partly on what is supported by the email clients (and email apps) you and your contacts use. S/MIME is more widely supported generally, but OpenPGP is more widespread in the open source community. For a more thorough discussion of the differences between the two standards, see this link.

A secondary consideration is that S/MIME and OpenPGP use different models of trust - that is, they differ in how they expect users to decide whether to trust that a certificate belongs to the stated sender.

  • In the S/MIME model, a certificate authority endorses (‘signs’) a certificate and your service checks for the endorsement of this certificate authority when it is testing the authenticity of the certificate.
  • In the OpenPGP model, called the ‘web of trust’, your trusted contacts endorse the validity of one another’s certificates. You can choose, for example, to trust a certificate from a stranger because someone you know knows them and has endorsed their certificate.

The first model is centralised and vulnerable to attacks on certificate authorities, while the second is decentralised and depends on users deciding whether a certificate they receive is trustworthy. For a further discussion, see this Wikipedia article on Public Key Infrastructures.

There are applications and services using both models. There is some debate about which will prevail as the most secure, but larger considerations for you may be about whether your colleagues use one or the other and whether you can run applications on your mobile.

When you first start out with encrypted email, it’s normal to find the process confusing! Generating your keys, getting them signed (S/MIME) or uploaded to a public key server (OpenPGP), and exchanging them with contacts is a non-trivial process, and one that needs to be done carefully to remain secure. Before trying out a mobile app for encrypted email, we suggest getting the process working on a PC. It’s also much easier to get started if you have people to talk to! Ask a friend or contact who already uses encrypted email to help you, or just get a few people together to follow a setup guide together.

S/MIME

To use S/MIME encrypted email, both the sender and receiver will need:

  • A mail client that supports sending and receiving S/MIME messages. Most popular email clients support S/MIME, including Mozilla Thunderbird, Microsoft Outlook and Outlook Express, and Mac OS X Mail; or
  • A mobile app that supports S/MIME email.
  • An S/MIME certificate, usually from a Certificate Authority (CA). Mozilla has a list of CAs that provide free certificates for personal use. Some apps will generate a self-signed certificate you can use for testing, but because your identity hasn’t been verified by a third party, self-signed certificates are considerably less secure.


OpenPGP

To use OpenPGP encrypted email, both the sender and receiver will need:

  • A mail client that supports sending and receiving OpenPGP messages. Many open source email clients support OpenPGP, including Mozilla Thunderbird, Evolution, Kmail and Mac OS X Mail; or
  • A mobile app that supports OpenPGP email.
  • An OpenPGP key pair (your private key, and the public key you share with other people and senders use to encrypt mail for which you are the recipient). Some mail apps will let you generate your key pair in the app, while others will require that you use PC software to generate a PGP key pair and then transfer the keys to the app.
  • Optionally, you can choose to upload your public key to a public keyserver, which is a directory of email addresses and associated public keys. People wanting to send you encrypted email (or decrypt email you’ve sent them) can check the keyserver for your public key. You should always take the additional step of contacting the person your sending to or receiving from through another channel to verify the public key you’ve downloaded. This is done by comparing the last 8 digits of the key signature.

While OpenPGP is the official name of the standard, you will also hear and read references to PGP and GPG or GnuPG. The Ubuntu community wiki explains the difference between the three:

  • OpenPGP is technically a proposed standard, although it is widely used. OpenPGP is not a program, and shouldn't be referred to as such.
    • PGP and GnuPG are computer programs that implement the OpenPGP standard.
  • PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication. For more information, see this Wikipedia article.
  • GnuPG is an acronym for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication. For further information on GnuPG, see this Wikipedia article.

Encrypted Webmail: Hushmail, RiseUp.net, and other services

When you use OpenPGP or S/MIME from an email client or email app, you are responsible for storing your private key and keeping it safe. This usually means the private key is stored on your device. Remember that your private key needs to be kept secret, because anyone who has it can decrypt messages meant for you, or impersonate you.

When you use an encrypted webmail service such as Hushmail or RiseUp.net’s encrypted webmail service, your email can also be encrypted using S/MIME or Open PGP. The difference, though, is that for these services to perform encryption and decryption of your messages and display them to you on a webpage, they need to have access to your private key. This means that the provider - or anyone who legally compels or informally convinces them to provide access to your messages - can access the decrypted versions of your encrypted emails.

At the same time, an imperfect solution may, at times, be better than not encrypting at all. Both Hushmail and RiseUp.net have explicit policies about when they will reveal your data to third parties, and depending on the nature of your activities, this may not be a particularly high risk for you. If you do choose to use web-based email, remember that your communications with the email providers’ website are not encrypted unless you are browsing securely using HTTPS. If you don’t want anyone to know that you are accessing these providers at all, or if they are blocked in your country, you should also follow MobileActive’s guide on how to browse anonymously and circumvent censorship.

Android

  • Android mail supports TLS/SSL - make sure you enable it, and use a mail provider that supports it!
  • Djigzo offers digitally signed, encrypted email for Android using the S/MIME standard. Djigzo doesn’t send email for you - rather, it allows you to send S/MIME email through your existing mail app. It’s open source and free for personal use, although it requires registration (an email address) after 30 days. There is extensive documentation available on the download page.
  • Android Privacy Guard and K-9 Mail have released a first version of a PGP mail client. Both apps are free and open source, but note that this is an early-stage release. The Guardian Project has a step-by-step guide here.

Blackberry

  • The Blackberry mail client can use S/MIME if you install the free S/MIME support package. For Blackberrys that are part of a corporate network, private keys may be stored on the enterprise server. In this case, be aware that your communications can be decrypted by the corporate network.
  • Djigzo offers digitally signed, encrypted email for Android and Blackberry using the S/MIME standard. Djigzo doesn’t send email for you - rather, it allows you to send S/MIME email through your existing mail app. It’s open source and free for personal use, although it requires registration (an email address) after 30 days. There is extensive documentation available on the download page.
  • RIM also sells a package that provides PGP email for Blackberry devices. Unfortunately, it only in works in conjunction with the blackberry with RIM’s universal email server, which is a corporate tool that handles key management among other things.

iPhone

  • The iPhone mail all supports TLS/SSL - see this guide for information about how to enable it.
  • S/MIME is also supported by the iPhone mail app. Setup guide here.
  • SecuMail is a commercial OpenPGP app for iPhones. It retails for US $49.99. SecuMail supports sending/receiving encrypted email but not generation of keys, which must be done with a desktop app.
  • OPenGP is a cheaper iPhone app for sending and receiving OpenPGP email. It has limited functionality for key management, including not generating keys, and initial reports suggest that it’s still an early and somewhat buggy version. On the other hand, it’s only US $7.99.

Nokia

Nokia’s email system for S40 and S60 phones, Ovi mail, supports TLS/SSL. Ovi mail is provided by Yahoo!, so note that as with all web-based email providers, your emails may still be stored in plain text on Yahoo’s servers.

At the time of writing there did not appear to be any encrypted email apps available for Nokia phones.

 


Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd><p><br> <b><i><blockquote>
  • Lines and paragraphs break automatically.

More information about formatting options