Any Known PW Security Issues with K-9 Mail?

uglyyeti

Well-known member
Mar 1, 2011
I've had my Fascinate for about a month running the Verizon stock 2.1 and switched from the native mail app to K-9 a few weeks ago. Functionality is fine, but someone has grabbed my Earthlink Webmail address book and is spamming all of my contacts (but not my droid contact list). They're getting messages with viagra links sent in alpha groups of three, via Yahoo's servers in CA, originating in Eastern Europe, with my em as the reply address.

I'm suspicious of K-9 (or another Droid app) because I change my passwords frequently and only access this account via phone or webmail via my corporate laptop which has pretty decent internet security. I've had this email account for 11 years with no previous issues.

The other possible scenario is a direct breach to Earthlink's servers - they are (or claim to be) looking into this now.

The damage is done at this point - the emails aren't being sent from my pc or phone, but they've been sent several rounds a day for 3 days now.

Any knowledge out there on this one?
 

Dsat1908

Well-known member
Jan 11, 2011
I have a rooted 2.2 Fascinate and I started using K-9 mail about a month ago. K-9 has the functionality I wanted. I access my G-mail from this phone and several home computers and so far (fingers crossed) I haven't had any such issues. Good luck!
 

Sta11i0n

Well-known member
Oct 22, 2010
Used K-9 from day 2 of getting my Fascinate in October after seeing how the stock email app was lacking so much. No issues of any kind to report on.
 

MrSmith317

Mr Fix-It
Mar 1, 2010
OP, that sounds like standard malware, have you checked your PC? It only takes a split second for malware to grab an address book, send it "home" and start spamming. K-9 is pretty secure as far as I know...HOWEVER if your mail server doesn't use TLS or an SSL connection then you ARE sending your username and passwords in cleartext and anyone smart enough to, could potentially just be pulling that information off the wire.
 

uglyyeti

Well-known member
Mar 1, 2011
The laptop is squeaky clean - not showing any viruses or malware. I've had good success with K-9 for email so far, but the past few days I've had to pull the battery in the mornings to get my overnight emails.

I've been using the same email in the same manner with a laptop and blackberries for years without incident - that's why I'm a little suspicious of my new little droid friend - not necessarily K-9, but any bastard apps that might be grabbing my login data from it. Not much I can do about the SSL thing with Earthlink (they also don't allow symbols in passwords).
 

uglyyeti

Well-known member
Mar 1, 2011
Loaded Lookout yesterday - it says everything is OK. Also deleted several non-essential apps today. Haven't loaded anything blatantly sketchy.
 

cketti

New member
Mar 9, 2011
Hello, I'm one of the K-9 Mail developers. I can assure you that K-9 Mail only sends your password to the mail server you configured. But you don't have to take my word for it. We're an open-source project, so feel free to have a look at the source code (https://github.com/k9mail/k-9).

After doing some quick research it looks like Earthlink doesn't support any transport encryption (SSL/TLS, STARTTLS) for POP3 connections. This means that every time you check your mail the password is sent in cleartext. This is especially bad if you use public WiFi networks as anyone can grab your password (very easily).
I strongly advise using an email provider that supports proper security. And while we're at it: look for one that supports IMAP (more modern protocol, better for mobile clients, better supported in K-9 Mail).
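
Added example, not part of the original thread and not K-9 Mail code: a check for the situation described in the post above, reading a POP3 server's CAPA reply (RFC 2449) to see whether a login can be protected with STLS or goes out in cleartext. The transcripts, function names and result strings are constructed for illustration and do not come from any real provider.

```python
# Added example: classify how a POP3 password would travel, given the
# server's CAPA reply and whether the connection is implicit TLS.
# Sample transcripts are constructed, not captured from a real server.

PLAIN_ONLY = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
WITH_STLS = ("+OK Capability list follows\r\nTOP\r\nUSER\r\n"
             "SASL PLAIN LOGIN\r\nSTLS\r\n.\r\n")
NO_CAPA = "-ERR unknown command\r\n"

def parse_capa(reply: str) -> dict:
    """Parse a multi-line POP3 CAPA reply into {CAPABILITY: [args]}."""
    lines = reply.replace("\r\n", "\n").strip().split("\n")
    if not lines or not lines[0].startswith("+OK"):
        return {}                      # -ERR: server does not implement CAPA
    caps = {}
    for line in lines[1:]:
        if line == ".":                # terminator of the multi-line response
            break
        if line.startswith(".."):      # undo POP3 byte-stuffing
            line = line[1:]
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps

def password_exposure(reply: str, implicit_tls: bool = False) -> str:
    """Return a short verdict on how the password is transmitted."""
    if implicit_tls:                   # e.g. POP3 over TLS on port 995
        return "protected: whole session inside TLS"
    caps = parse_capa(reply)
    if "STLS" in caps:
        return "protectable: client must issue STLS before USER/PASS"
    # No TLS available: any mechanism that sends the password itself
    # (USER/PASS, SASL PLAIN or LOGIN) is readable by anyone on the path.
    mechs = {m.upper() for m in caps.get("SASL", [])}
    if "USER" in caps or mechs & {"PLAIN", "LOGIN"} or not caps:
        return "exposed: password sent in cleartext"
    return "no TLS: only challenge-response logins avoid sending the password"

if __name__ == "__main__":
    for name, reply in [("plain only", PLAIN_ONLY), ("with STLS", WITH_STLS),
                        ("no CAPA", NO_CAPA)]:
        print(f"{name:10} -> {password_exposure(reply)}")
```

A "protectable" result only helps if the mail client is configured to require STARTTLS rather than fall back to a plain login when the upgrade fails.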
 

Sheepdog Elite

Well-known member
Jan 14, 2011
If it's not using SSL, then an unencrypted wifi network would be my major point of concern. Pretty easy to scalp any transmissions off wifi if there's no security in place. Used coffee shop wifi lately? Is home wifi secured?
 

uglyyeti

Well-known member
Mar 1, 2011
Home wifi is secure. Never used the droid's wifi, but I've been in a few hotels recently with the laptop - that's certainly a potential source.
 

MrSmith317

Mr Fix-It
Mar 1, 2010
cketti,

Is there any effective battery life difference in POP3 vs IMAP with K-9?

You're not going to see any noticeable difference. You can set the poll interval with POP3 and IMAP. I prefer IMAP because my phone is not the last stop for email and POP has always been wonky on my android phones.
 

uglyyeti

Well-known member
Mar 1, 2011
I just set up a new email account that uses IMAP w/SSL which will also mail collect from my old mindspring account until I'm able to migrate away from it completely. Hopefully that helps on the security front.
 
