
The ProtonMail Android app is now open source - kobylisak
https://protonmail.com/blog/android-open-source/
======
_eigenfoo
ProtonMail seems to be on a roll this month. They both released Bridge for
Linux [1] and open sourced Bridge [2].

[1] [https://protonmail.com/blog/proton-bridge-linux-launch/](https://protonmail.com/blog/proton-bridge-linux-launch/)

[2] [https://protonmail.com/blog/bridge-open-source/](https://protonmail.com/blog/bridge-open-source/)

~~~
dyingkneepad
Oh, bad timing. Just a few months ago I was on the fence about Protonmail vs
Fastmail (vs all others) and ended up jumping to Fastmail: the privacy pro didn't
seem to outweigh the cons. Now with open sourcing stuff the pros do get
somewhat better... But reevaluating and switching would be troublesome...
Maybe in a few years I'll revisit it :)

~~~
frodprefect
The pricing is very different. Fastmail allows unlimited domains where proton
is almost double the cost for two.

~~~
novok
Yeah, ProtonMail charging for marginally free stuff, like domains and
aliases, is very disappointing. I make a new email for every account, in the
form of catchall_alias@username.domain.com; do I have to pay ProtonMail
$24/month for that privilege?

Also not providing 20GB of space as a default paid option in this day and age of
$5/month/TB is very disappointing.

------
aloisdg
First issue on the repository: [Asking for F-Droid support][1]

[1]: [https://github.com/ProtonMail/proton-mail-android/issues/1](https://github.com/ProtonMail/proton-mail-android/issues/1)

------
ipnon
Bitwarden is another example of a company that proves you can make good profit
as an open source SaaS.

------
complexworld
Previous discussions about PM

2018 - Ask HN: How secure is Protonmail really?
[https://news.ycombinator.com/item?id=18101090](https://news.ycombinator.com/item?id=18101090)

2019 - Ask HN: FastMail vs. ProtonMail?
[https://news.ycombinator.com/item?id=19372882](https://news.ycombinator.com/item?id=19372882)

How secure would it be to use PM if the following conditions were met?

- you only used one of the open-source native PM apps

- you only emailed other PM users

- someone you trust audited the PM source code for the native apps

- you installed from F-Droid

~~~
app4soft
- your messages are always processed by a proprietary/closed-source server

So it is just like Telegram (or any other proprietary cloud/VPN/proxy service):
you really don't know what has happened on the server side.

~~~
kelnos
True, but if you _do_ audit the client software, you can verify:

* Your e2e encryption key never gets sent to the server.

* Data is actually strongly encrypted using that key before leaving the client.

Then isn't that sufficient to prove that the server _can't_ do anything
nefarious, even if it wanted to?

~~~
app4soft
> _Data is actually strongly encrypted using that key before leaving the
> client._

Besides the "strongly encrypted message" you have to send some extra info to the
server. And I'm not sure how those two types of info are separated in Proton's
communication protocol, so a binary diff between those "parts" could be a key to
selecting a decryption method.

~~~
zaarn
Their key encryption is fairly safe. If you use one-password mode, they could
intercept your password from the web interface if they wanted, but the password
exchange is solid and doesn't reveal the password while still allowing the key
to be decrypted.

Two password mode is technically more secure since even if the authentication
exchange is cracked, the decryption key doesn't touch anything the server can
see, it's locally decrypted.

There isn't any meaningful diff you could make.

------
aaronscott
I'm happy to see ProtonMail getting exposure. I moved over from gmail about a
year ago, and have been quite pleased with their service.

Only downside I've seen is that there isn't a clear way to increase available
data storage, independent of other billable line items (like number of users
etc).

Other items on my wish list would be more customizable email filtering; I'd
love to be able to create filters such as 'is this from [internet provider]
and does it contain the word bill? -> inbox, else spam'.

~~~
deif
Both those things you mention as wanting exist already.

For data storage independent billing, go to Settings -> Dashboard. On
Professional tier and above the data storage is a dropdown where you can
increase the amount required.

For email filtering go to Settings -> Filters and create as many conditions as
you want on a filter.

~~~
aaronscott
Interesting, I pay for the professional tier, and do not see a separate
dropdown available for storage. The professional plan lists 5GB/user (at a
rate of about $5/month), and the only way to scale up storage on my dashboard
page is to provision more users (up to 100, so a max of 500GB).

It’s a non-issue now, but yeah I’d prefer to interact with my plan the way
that you describe and be able to scale storage independently (and ideally at a
cheaper rate).

Regarding filters, that’s great! I didn’t see that before and will likely
utilize it heavily now that I know it exists.

~~~
deif
Ah I see, yeah the Plus plan lets you choose the storage. Professional works
differently for some reason. I bet if you contacted their support they'd
consider changing it though as it doesn't quite make sense as-is.

------
Foxboron
Cool. But neither the audit nor the repository explains if it's possible to
create the APK in a reproducible way. Google Play distributed APKs contain
their signatures, so in theory it wouldn't be possible to 1:1 reproduce the
distributed ones.

However, for F-Droid this would allow them to sign their own APKs and provide
some additional security guarantees in their supply chain.

Also a bit concerning that there are no tags yet in the repository.

~~~
gruez
>Google Play distributed APKs contain their signatures

[https://support.google.com/googleplay/android-developer/answ...](https://support.google.com/googleplay/android-developer/answer/7384423?hl=en)

>Note: Using app signing by Google Play is optional. You can still upload an
APK and manage your own keys instead of using an app bundle

~~~
Foxboron
That is not _really_ the point. The signatures are embedded in the APK.
Repacking it to remove, or add valid signatures, would be a problem.
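One way to check the reproducibility question raised in this subthread, as an added example that is not from the thread, from ProtonMail or from F-Droid: compare two APKs entry by entry while ignoring the JAR-signing metadata under META-INF/ (v1 signatures; the v2/v3 APK Signing Block sits outside the zip entries, so zipfile never sees it). The APK contents below are constructed stand-ins, not real builds.

```python
import hashlib
import io
import zipfile

# JAR-signing (v1) metadata inside META-INF/ that differs per signing key.
# The v2/v3 APK Signing Block lives between zip entries and the central
# directory, so iterating zip entries already skips it.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC", ".MF")


def is_signature_entry(name: str) -> bool:
    """True for signing metadata under META-INF/ that a re-signer regenerates."""
    return name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_apks(a: bytes, b: bytes) -> list:
    """Entry names whose content differs, or that exist in only one APK.
    An empty list means the builds match apart from their signatures."""
    da, db = content_digests(a), content_digests(b)
    return sorted(n for n in set(da) | set(db) if da.get(n) != db.get(n))


def make_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip built from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: same code, signed with two different keys.
    base = {"classes.dex": b"dex-A", "AndroidManifest.xml": b"<manifest/>"}
    store = dict(base, **{"META-INF/CERT.SF": b"sf-1", "META-INF/CERT.RSA": b"k-1"})
    local = dict(base, **{"META-INF/CERT.SF": b"sf-2", "META-INF/CERT.RSA": b"k-2"})
    print("differing entries:", diff_apks(make_apk(store), make_apk(local)))
```

This only compares payload bytes; confirming who signed each APK still needs a signature check with a tool such as apksigner, which this example deliberately does not replace.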

------
AnonC
I hope the open sourcing helps accelerate the pace of development.

Tangentially, my needs are very minimal and I have a couple of ProtonMail
accounts on the free tier that don't get much mail (the size of the mailboxes
put together would be 5MB or so). I also aggressively delete unnecessary
emails quickly and empty the trash. I'm waiting for multiple account support
in the official mobile client for users on the free tier (this was promised
quite some time ago).

------
h91wka
This was a showstopper for me back when I decided to go with posteo.net
instead. Well, better late than never; hopefully their service will become
useful for more people.

------
9wzYQbTYsAIc
Good to see that they are on a positive stream with their commitment to open
sourcing their apps.

Really looking forward to when Proton has near parity with the GSuite basics.

------
fbnlsr
I wonder if it's possible to migrate my Gmail-powered email address while
keeping my family's inboxes there. I'm interested in joining Protonmail but I
can't afford to pay for everyone, nor will they understand my wish to move
away from Google.

I guess it can't be done as it's at the domain level, am I right?

~~~
mackrevinack
Does everyone in your family currently have the email name they want, or did
they have to compromise by putting numbers at the end or using similar tricks?
...because there's probably a better chance of getting the name they want with
ProtonMail.

The shorter name@pm.me email address is a nice feature to have as well.

~~~
fbnlsr
The problem resides in the fact that I'm currently using G-Suite, so yeah
everyone has the email they want and I'm using my own domain.

------
akullpp
I switched this month from Google services to alternatives and therefore to
PM's paid plan. I'm very happy so far with the Android and web app.

~~~
ver_ture
What is the Android app? Is it an APK from outside the Play Store?

------
bflesch
ProtonMail/VPN are great products, but after the Crypto AG fiasco I suspect it
is another CIA front. We'll find out in 50 years.

~~~
pixxel
I missed this. What’s the fiasco?

~~~
bflesch
"Crypto AG was a Swiss company specialising in communications and information
security. It was secretly jointly owned by the American Central Intelligence
Agency (CIA) and West German Federal Intelligence Service (BND) from 1970
until about 1993, with the CIA continuing as sole owner until about 2018.[1]
With headquarters in Steinhausen, the company was a long-established
manufacturer of encryption machines and a wide variety of cipher devices."

see
[https://en.wikipedia.org/wiki/Crypto_AG](https://en.wikipedia.org/wiki/Crypto_AG)

Basically they were the world's leading manufacturer of encrypted phones & fax
machines for military use, and it was revealed that they were controlled by
German and US intelligence all along.

My suspicion for ProtonMail is only that it's too good to be true: A small
amount per month to solve all my privacy/confidentiality needs w/o really
inconveniencing me? I'm in!

~~~
kelnos
At least now that all PM's non-beta apps are open source, you (or someone) can
audit all their client-side apps to ensure that it doesn't matter if the server
is trying to do something nefarious. As long as your encryption key and
plaintext mail never leave the client, and the encryption being used is
sound, you should be safe.

Now, if it's run by the CIA/NSA/whatever, and they have found vulnerabilities
in state-of-the-art encryption algorithms that we don't know about, you're
hosed. But we're still hosed even if they aren't running the mail server (that
just makes it easier for them to get hold of the data), so I'm not sure that's
a threat model the average person could reasonably protect against anyway.

------
da_n
This is great to see, well done ProtonMail. I asked Fastmail if they would
open source their email app on Android but was told no.

> the probability of the app to be opensourced is very unlikely

------
markosaric
Nice! So when can I install this and the ProtonVPN app on F-Droid? :-)

~~~
ta1771
After they submit their code to the F-Droid.org team that audits and readies
it for their build server queue.

------
waynesonfire
Been a user for a couple of years. Open source everything; maybe the community
can help fix their basic bugs, like not being able to import their VCF exported
contacts into Thunderbird.

------
hotgeart
Is there a way to centralize all my emails in protonmail?

Can't see an option to enter my POP3/SMTP server. Or am I blind?

~~~
kube-system
ProtonMail doesn't really try to be a general-purpose email client. You can
either use the bridge with an email client of your choice, or you can forward
your mail.

~~~
Natales
Not really the email client of your choice. In Mac OS, you can do Apple Mail
and Thunderbird well, but if you try something like Airmail, it crashes the
app (or other unexpected behavior). Not exactly 100% IMAP compliant from what I
can tell.

------
aledthemathguy
ProtonMail will become an extremely important company in the next decade.
Their one risk is being bought.

------
noarchy
Great to see this! On another note: there was a six month gap (unless I'm
mistaken) between the iOS version being open sourced, and this Android
release. I am a bit surprised that iOS got open sourced first. Is this because
it did not receive the same security audit that presumably held up the release
of the Android source?

------
kevincox
> Their audit found that our app has no outstanding vulnerabilities.

Either I'm misunderstanding what they mean by "outstanding" or this is a very
bold claim. Shouldn't they be saying something like "Their audit found no
vulnerabilities in our app"?

~~~
singlow
I think it means that they resolved any found vulnerabilities before the audit
was published. Therefore none of the found vulnerabilities were _outstanding_
when they published it. In this case _outstanding_ means that the auditors
have not yet verified a fix.

------
intsunny
It's a bummer protonmail doesn't support JMAP.

~~~
bad_user
Why would they? AFAIK they don't support IMAP/SMTP either, not without that
client-side "bridge" anyway.

~~~
kobylisak
JMAP support by the ProtonMail Bridge would be nice though.

~~~
t0astbread
If you just want a simple way to access your mail over HTTP (without the need
for standards) you could probably also run imap-api[1] pointed at the Bridge.
Although admittedly it does feel a bit hacky.

Or maybe also getmail or fetchmail which will download your mail over IMAP and
put it in the maildir format as files.

[1] [https://github.com/andris9/imapapi](https://github.com/andris9/imapapi)

------
riccardobrasca
This is very nice!

------
zenlot
Marketing move. They've been on a downfall due to their relations with Tesonet.
Now they've started open sourcing their apps to restore their reputation.

~~~
pixxel
I missed this. What’s the deal here?

~~~
uallo
Apparently an unfounded smear campaign against ProtonMail:

[https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...](https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn_and_tesonet/)

~~~
pixxel
I see. Thanks for the reply. The official ProtonMail response seems legit
enough.

