Security desaster: Blue Mail app and other email apps transmit login credentials
This article was originally published 7.3.2018 and refers to Version 188.8.131.52 of the blue mail app unless indicated differently
Update (8.3.2018): Blue Mail Inc. has rolled out another Update, to version 184.108.40.206. In this version, we did not observe transmission of password and username with a connected gmx account.
It all started with a test of the android app “Blue Mail“ which we asked our author and ppp tester Mike Kuketz to conduct. It is the first in a batch of mail apps we plan to test.
The result was shocking: If you manually connect an email account in Blue Mail, for example of the provider GMX which is very popular in Germany, the app transmits the password and the username to Blue Mail’s servers. The data is TLS encrypted but not further hashed.
POST /autoconfig?ver=1.0 HTTP/1.1 build: 12301 app_version: 220.127.116.11 brand: BL and_id: b92ce315-6c20-4241-949c-c48466f66d5c android_id: 12ecede7d032bacb user_id: -1 device_id: undefined_device_id country_code: vendor_id: 12ecede7d032bacb device_type: android Content-Length: 89 Content-Type: application/x-www-form-urlencoded Host: mtu.bluemailapp.com Connection: close email=testmail%40gmx.de&password=testpass22%21%23&client_orig_account_type=other
This is not only unnecessary, as many trustworthy apps prove, but also widespread: As Kuketz continued testing email apps he found unnervingly many showing the same behavior: This is a preliminary list:
- TypeApp (presumably same owner than blue mail app)
- Email – Fast & Secure mail for Gmail, Outlook & more
- E-Mail für Outlook & andere (owner Craigpark also provides email apps for yahoo, hotmail, mail.ru)
As the full test is now available here (in German), further details emerge: Blue Mail also reads the email headers of mails already in your inbox, extracts the email addresses from the headers and transmits them to Blue Mail servers. This means, mail addresses from the sender of emails are beeing transmitted to Blue Mail.
The app also collects the Android-ID for no obvious reason.
Blue Mail Inc. has reacted to the allegations via Twitter
The information in your article is not true and misleading. We do not store emails or passwords as you imply. BlueMail is a safe email client that communicates directly with email providers. BlueMail uses SSL & OAuth where applicable
We intend to make an official announcement today regarding our high-secured solution
Blue Mail also rolled out an update to Version 1.9.4 on March 06, claiming:
Secured app: we do not send passwords to our servers, or to any 3rd parties. Emails are not stored on our servers.
Retesting of version 1.9.4 by Mike Kuketz showed, that the App still transmits password and username, however. (also tls-encrypted).
POST /autoconfig?ver=1.0 HTTP/1.1 build: 12361 app_version: 1.9.4 brand: BL and_id: 5e51947d-694b-49ea-8b74-eafc1d5c59d2 android_id: 12ccfde7d062cacd user_id: -1 device_id: undefined_device_id country_code: vendor_id: 12ccfde7d062cacd device_type: android Content-Length: 79 Content-Type: application/x-www-form-urlencoded Host: mtu.bluemailapp.com Connection: close email=testmail%40gmx.de&password=666test123&client_orig_account_type=other
This leaves us fairly speechless. Blue Mails reaction via dm on Twitter, on 07.03.2018 at 20:49 pm:
please test 18.104.22.168
So apparently, a second update was rolled out today. Blue Mail also published a statement, claiming – again – that passwords are not being transferred to blue mail servers. The statement refers to version 22.214.171.124.