
Email encryption on Android and iOS becomes easy with the open source app Tutanota - bruce487
https://tutanota.de/blog/posts/get-the-tutanota-app-for-ios-android
======
klaustopher
So, one can only send encrypted mails to other users of the platform?

[http://tutanota.uservoice.com/knowledgebase/articles/470724-...](http://tutanota.uservoice.com/knowledgebase/articles/470724-why-does-tutanota-not-use-pgp)

~~~
johnd03
No, it works with anybody:
[http://tutanota.uservoice.com/knowledgebase/articles/470795-...](http://tutanota.uservoice.com/knowledgebase/articles/470795-how-do-i-send-an-encrypted-email-to-an-external-re)

~~~
hobarrera
Yeah, it emails a link to the third party to use their website to read the
email.

And you have to pre-share a password.

It basically takes a dump on every standard we already have.

------
alfiedotwtf
The NSA Planned to Hijack Google App Store to Hack Smartphones [1]

Given that software updates are automatic (unless you manually turn them off
etc), how can you trust an app if you can't trust the platform?

1\. [https://firstlook.org/theintercept/2015/05/21/nsa-five-eyes-...](https://firstlook.org/theintercept/2015/05/21/nsa-five-eyes-google-samsung-app-stores-spyware/)

~~~
mike_hearn
Two things.

Firstly, Android checks app signatures and as far as I know the market app
doesn't have any ability to override that. It can do a few privileged things
like skip showing the permissions screen, but I think the OS still wants to
see correct signatures. So even if the app store was hacked the phone itself
might reject a bogus upgrade.

Secondly, that slide is more like some junior GCHQ guy noodling around, I
think. It is old and dates from a time before Google used SSL for everything.
I doubt it's possible to do via purely technical attacks now.

Thirdly, it'd almost certainly be easier to attack the developer
laptop/workstation to steal the signing keys directly than attack Android head
on. I plan to do some research this summer into splitting the RSA signing keys
used by Android apps to allow for threshold signed online updates for Android
and maybe iOS.

~~~
zyx321
The only way to change the signing key for an app (on an unrooted phone at
least) is by completely uninstalling it (which deletes the main data
directory) and then installing a new version. In fact, Google lost the key for
their OTP authenticator app at one point, requiring all users to install the
new app manually before they would receive updates again.

~~~
alfiedotwtf
Have you got a link? I can't find any info on that happening.

~~~
zyx321
Couldn't find the blog post I read way back when it happened. The closest
thing I could find was an Android news site describing the problem. [1]

I'm 90% sure that a Google engineer admitted it on their official blog, but
that was 2 years ago so I might be misremembering it.

[1] [http://www.androidpolice.com/2012/03/22/psa-googles-authenti...](http://www.androidpolice.com/2012/03/22/psa-googles-authenticator-updated-to-v2-except-its-a-brand-new-app-and-you-need-to-install-it-to-get-future-updates-old-one-is-dead/)

------
JustSomeNobody
I thought it was already easy on Android with K-9 and APG.

~~~
mike-cardwell
APG is discontinued. You should use OpenKeychain now instead -
[http://www.openkeychain.org](http://www.openkeychain.org) \- OpenKeychain
does everything APG did, more, and has a _much_ nicer interface. It even lets
you use a Yubikey as a PGP smartcard over NFC so you don't have to store your
PGP keys on your phone -
[https://grepular.com/An_NFC_PGP_SmartCard_For_Android](https://grepular.com/An_NFC_PGP_SmartCard_For_Android)

The one thing that K-9 misses, which is pretty major IMO, is PGP/MIME support.
It only works with inline PGP.

~~~
JustSomeNobody
Thanks for the information, I'll look into those.

Yeah, I don't like that PGP/MIME isn't supported, but I manage.

------
coffeecheque
Slightly OT, but what's the likelihood of Apple/Google integrating PGP
natively into the OS? I know iPhone has S/MIME - but is PGP too much to ask?

~~~
higherpurpose
For PGP you can try:

[https://whiteout.io/](https://whiteout.io/)

[https://lavaboom.com/](https://lavaboom.com/)

------
eloy
This will never work. I'm more enthusiastic about DIME.[1]

I think SMTP will not (and cannot) ever be replaced. But if there is DIME
support in Postfix and Thunderbird, I can give it a chance.

[1] [https://darkmail.info/](https://darkmail.info/)

~~~
alfiedotwtf
For submission, there's RFC 4468.

------
hiamnew
I have to be honest, I have given up on PGP. From what I know there is no way
to have encrypted communications between more than two people. So why even
bother pursuing the dream of everyone using it if there is such a roadblock in
the way of common communication habits?

~~~
agd
I believe PGP does support multiple recipients. The symmetric key is encrypted
and included for every recipient.
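
The multi-recipient scheme described in the comment above, as an added example that is not part of the original thread: the body is encrypted once under a random session key, and that key is wrapped separately under each recipient's public key. This shows the concept only, not the OpenPGP packet format; RSA-OAEP, AES-256-GCM and all function and recipient names are assumptions made for the illustration.

```javascript
// Added illustration: hybrid encryption to several recipients (concept only,
// not the OpenPGP packet format). All names here are hypothetical.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Constructed sample recipient with a freshly generated RSA key pair.
function makeRecipient(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Encrypt the body once with a random session key, then wrap that key
// separately under every recipient's public key.
function encryptForAll(plaintext, recipients) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKeys = recipients.map((r) => ({
    name: r.name,
    wrapped: crypto.publicEncrypt({ key: r.publicKey, ...OAEP }, sessionKey),
  }));
  return { iv, body, tag: cipher.getAuthTag(), wrappedKeys };
}

// A recipient unwraps their own copy of the session key, then decrypts the body.
// Returns null when no wrapped key opens with this private key.
function decryptAs(message, recipient) {
  for (const { wrapped } of message.wrappedKeys) {
    try {
      const sessionKey = crypto.privateDecrypt({ key: recipient.privateKey, ...OAEP }, wrapped);
      const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, message.iv);
      decipher.setAuthTag(message.tag);
      return Buffer.concat([decipher.update(message.body), decipher.final()]).toString('utf8');
    } catch (err) {
      // Wrong private key for this wrapped copy, or failed authentication: try the next.
    }
  }
  return null;
}
```

The message grows by one wrapped key per recipient while the encrypted body is stored only once, and a key holder who was not on the recipient list gets `null`.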

~~~
hiamnew
Ouch, I did not expect that. Nice!

------
snksnk
A good alternative is Countermail
[[https://countermail.com/](https://countermail.com/)] (probably more secure
than Tutanota, to the extent possible for these services) and an app such as
K-9 Mail.

------
owly
Don't forget [https://protonmail.ch](https://protonmail.ch). They are working
on iOS and Android apps, and from what I've seen they have the most promise of
making encryption simple for ALL.

------
dkyc
_"Swiss Data Security

Our email service safeguards user data with strict privacy protections and our
secure datacenter facility hidden inside a Swiss granite mountain."_

Now that is comforting.

------
dzlobin
I might be missing something, but the source of the actual iOS app doesn't
appear to be on their GitHub.

