Of course you could say: “If you’re going to use Russian software, that’s what you’d have to expect!”. But yeah. I’ve actually used tools written by Russian developers before, and they used to be very slim and fast, so I thought, why not give it a shot. Background is that I’ve finally ditched my ancient Nokia E72 “smart phone” based on Symbian 9.2 / S60 3rd, which has become almost unusable because of its lack of modern SSL ciphers (most websites won’t let you connect anymore) and because of its Skype and ICQ clients being banned from their respective servers.
So I finally went ahead and got myself an Android 7.1.1 device, the Blackberry KEYone, my second attempt at using the OS (first was a Motorola Milestone 2 with Android 2.1, a failure because of many reasons).
Anyway, I had to find an eMail app that would let me do two things:
- Display and send everything as plain text (I hate HTML mails and find them pretty insulting to be honest)
- Allow me to connect to mail servers which support only older SSL/TLS protocols and ciphers (I’ve got no choice here)
2.) The Mail.ru email client on Android
2a.) The app itself
So, I tested a lot of clients, one of which was [Mail.ru], a pretty high-ranked email app (4.6/5) with more than 10 million installs out there. Superficially, it looks just like pretty much any other email client, because there are likely readily available Android libraries for implementing email clients:
So they advertise it with slogans like “ideal application for any mail” and “add all your email boxes in one application”. Actually, it’s ideal for just one thing: To hand over all your email accounts and emails to a Russian company and with it the Russian government – because in Russia, companies have to yield to the government and grant it full access to user accounts and data by default.
I guess free Russian developers and actual Russian software companies have to be treated very differently!
What I did was to enter my own email account credentials in the Mail.ru app to be able to fetch my emails via IMAP. I found that the client does not meet my personal requirements (no way to force plain text email), so after my quick test, I just uninstalled the app.
2b.) What the app does without you noticing
However, by that time, the Mail.ru app had already leaked my account credentials to certain mail.ru and my.com servers (my.com is a part of the bigger Mail.ru group), which had now started to log into my account from Russia – periodically checking all my email boxes and downloading every single message stored on my own server. Let’s have a look at the logs!
Here is their first connection attempt, coming from
22.214.171.124 (sapif30.m.smailru.net) as well as the second one from
Tue 2017-07-25 14:59:27: Session 5554; child 3; thread 1232 Tue 2017-07-25 14:59:26: Accepting IMAP connection from [126.96.36.199:42273] Tue 2017-07-25 14:59:27: SSL negotiation successful (♡) Tue 2017-07-25 14:59:27: --> * OK ♡ IMAP4rev1 ♡ ready Tue 2017-07-25 14:59:27: 1 OK LOGIN completed Tue 2017-07-25 14:59:27: 1 OK LIST completed Tue 2017-07-25 14:59:27: * BYE IMAP engine signing off (no errors) Tue 2017-07-25 14:59:27: --> . OK LOGOUT completed Tue 2017-07-25 14:59:27: IMAP session complete, (2654 bytes) Tue 2017-07-25 14:59:27: ---------- Tue 2017-07-25 15:00:04: ---------- Partial transcript, remainder will follow. Tue 2017-07-25 15:00:04: Session 5556; child 4; thread 3588 Tue 2017-07-25 14:59:28: Accepting IMAP connection from [188.8.131.52:53424] Tue 2017-07-25 14:59:28: SSL negotiation successful (♡) Tue 2017-07-25 14:59:28: --> * OK ♡ IMAP4rev1 ♡ ready Tue 2017-07-25 14:59:28: 1 OK LOGIN completed Tue 2017-07-25 14:59:28: * CAPABILITY ♡ Tue 2017-07-25 14:59:28: --> 2 OK CAPABILITY completed
You might have guessed it, the ♡ marks things I cut from the logs for privacy reasons. Guess I got a bit too creative. Anyway, this was only the beginning. Later, some mail collector servers from the IP range
185.30.17*.** (collector*.my.com) started to log in and download all my emails from all my folders! Here’s just a small excerpt from the commands issued with one of my archive folders serving as an example – most of the stuff has been cut out to make it more concise:
Tue 2017-07-25 14:59:29:
All of those are just the remote commands issued to my server. Note that in IMAP4,
UID FETCH <UID> BODY.PEEK at the bottom is an actual message download. Needless to say, there were thousands of those going unchecked, because it took me 3 days to discover the leak. And I only discovered it coincidentally too. So by that time they had long downloaded all my emails from my own server to Russia. If you’re not running your own mail server, you wouldn’t even notice this.
So if you just happened to enter your AOL, Yahoo, gmail or Hotmail accounts, you’d never see those Russian servers accessing those accounts remotely!
3.) This can’t be ok, can it?
If your app handles personal or sensitive user data (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data) then your app must:
- Handle the user data securely, including transmitting it using modern cryptography (for example, over HTTPS).
Prominent Disclosure Requirement
If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.
First of all, the mail collectors drop down to cryptographic ciphers even I wouldn’t use anymore when asked to do so. I mean, it sounds hypocritical coming from me (because I’m actually using very old ciphers too, as I’m out of options on my ancient server), but they do fall back to what’s by no means “modern cryptography”. Also, the leaking of account credentials and data to Russian servers and the continuous use of said data even after the user has stopped using Mail.ru services is not mentioned anywhere while installing or using the app, not that I could see at least.
I most definitely didn’t give my consent to having the app use my data like this – I wasn’t presented with an EULA during the installation or use of the software. Also, the (Russian…) email they had sent me after accounts were set up in the app didn’t show an EULA or privacy statement either. It’s even worse considering [Mail.ru’s history] in terms of handling that information.
None of this is new either, see e.g. [this Reddit] (MyMail is from my.com – as said, a part of the Mail.ru Group).
Well, I started to look around and found a Mail.ru [user agreement] online. The interesting part is point 4.1.3:
4.1.3 In addition to the registration procedure on the Internet Service specified in clause 4.1. the user may be granted the right to register through using its data (login and password) of the e-mail box registered at the third person’s resource.
Irrespective of using any method of registration on the Internet Service the User’s password used to visit the Internet Service shall be beyond the reach of Mail.Ru.
Now that part is a bit problematic. The “third person’s resource” is clearly your own mail account on some other server. So like my email account on my own server. The question is, what exactly does it mean when they say that the users’ password shall be “beyond the reach of Mail.Ru”? Guess they’d mean my actual plain text password, right?
Well, no matter if they use hashes with
<-- 2 authenticate CRAM-MD5, or instead just plain text
<-- 1 LOGIN ♡@♡.♡ ♡♡♡♡♡♡, they do have my password stored away on their servers as clear text (probably on some encrypted file system? But still.). I wouldn’t call that “beyond the reach of Mail.ru” anymore.
I guess I could have misread the user agreement (that I wasn’t even presented with!) somewhere, but it doesn’t seem to me as if they’d be following their own rules regarding privacy?!
If you’re using the Mail.ru app I can only advise you uninstall it if you haven’t done so already and to change all account passwords ever entered in the application to stop the Russian collector servers from logging into your accounts and “stealing” your email even after app deinstallation.
On a side note: Since K-9 Mail isn’t exactly right for me either, I settled with [R2Mail2], which is being developed in Austria by the company [RundQuadrat]. I’ve been talking with its developer over the last few days, and he seems a like a nice family guy. I do like the client, as it has an impressive feature list, let’s just name a few:
- Manually configurable SSL/TLS cipher list, you can pick which ciphers you want or don’t want to use, including the option to support a few deprecated ciphers.
- Data oriented encryption with either S/MIME, or even PGP and PGP/MIME for emails and also arbitrary files (a small tool for file encryption is embedded in the client).
- Support for Microsoft Exchange servers
- Option to stop syncing in the background, so a full shutdown of the app is possible with ease.
- Full plain text support, so you can force all messages to be displayed and sent in plain text only.
- The client itself can be password protected and can be instructed to store all local data in encrypted form.
- Extremely configurable: Reply/Forward Prefixes, host name use in EHLO command, notification LED color ( ), IPv4/IPv6 preference, Certificate store access & configuration, peak day/time option to boost synchronization, sync grouping with other apps to save battery, local email pruning and many, many other things.
It does come at a price though, as it costs 4.80€. But if you want a seriously powerful and I’d say more trustworthy email application for Android, you might give this a shot. Otherwise, maybe just go with the free K-9 mail app if you want plain text and don’t need to rely on mail servers with antiquated SSL/TLS implementations.
But no matter what, stay away from Mail.ru and MyMail!
Thanks to a notification from [Bier.jpg] I have now learned, that the testing password used to probe the Mail.ru and MyMail services (in context of writing this article) has been leaked to the Internet!
The corresponding data has been presented to the public on the Chaos Communication Congress (34C3) of the corresponding Chaos Computer Club (CCC), in the context of its [Can I Haz Passw0rds?] project. The leak website will be offline soon enough, but you can continue to access the password database on the [Tor network] after the Congress has ended (Open that link in the [Tor Browser]). Since my original, former true password has not been leaked, this must have happened some time after 2017-07-25.
Additionally to the two leaks that I attribute to Mail.ru and MyMail, there was also a third one with the same, temporary password. I’ve used it to continue my tests of all kinds of Android eMail applications, but unfortunately, I can’t be sure who the third culprit might have been. The only two Apps I’m sure couldn’t have been responsible are [K-9 Mail] and the Austrian program [R2Mail2], as those have only been fed real passwords, and they’re not supposed to leak them off-device anyway.
So much for that!
PS.: I cannot exactly prove, that two of the three leaks are from Mail.ru and MyMail, but given their handling of passwords and their history of repeated, massive password database leaks, I’m pretty sure that they were involved in this as well.