I've been using the Spark iOS E-mail app for almost as long as it exists. Better in every way than Apple's built-in Mail and nicely designed, it was a joy to use.
A couple of months ago Readdle announced Spark 2, "an e-mail experience built for teams". I am not a team, but I wished Readle all the luck with the new business model. However, all this talk of team functionality made me slightly suspicious, as it seemed such features would be hard to implement without Readdle reading my E-mail server-side.
But I'm not a team, and I didn't sign up for anything new, and the app didn't ask me whether I will allow Readdle servers to access and read my E-mail, right?
As it turns out, if you enter your E-mail login and password into Spark 2 on an iOS device, that login and password will be sent to Readdle's servers, stored there, and used to access your E-mail.
So, what's the problem?
E-mail credentials are the keys to the kingdom. If you want to seriously disrupt somebody's life, get access to their E-mail. Most sites do not implement 2-factor authentication and will happily allow an E-mail password reset, so E-mail access gives any attacker instant access to most online accounts.
A confirmation E-mail is used when signing up for new services. Receipts are stored in E-mail archives. Lots of personal information is in E-mail. Nearly all E-mail is unencrypted and unsigned, and many people will trust an E-mail that they receive without question.
What's more, if my mobile device has my E-mail password, there are certain limits on what it can do. It probably won't train a machine-learning model on all 20GB of my archives, or extract all image attachments to get geo-positioning data from them. But there are no such limits server-side. If Readdle's servers have my password, they are free to download, read and process as much of my E-mail as they want to, whenever and however they want to.
I trusted Spark on iOS with my E-mail password, expecting that the app will keep it to itself on the device. iOS devices are reasonably secure, and there are limits to what a mobile app can do, so it was a compromise I was willing to make.
I never agreed for my password to be sent to online servers, stored there and be used to access my E-mail. That's an entirely different implied contract, and I'm not happy with it.
It's worth noting that guarding my password suddenly becomes much more difficult when it's stored on servers, and I think the risk of a breach is too high.
Clarity in communication
Email address: As an email client, the core functionality of our Product is based on providing you with the ability to manage your email. For this reason, Spark services access your email account when you start using the App. […]
That sounds entirely reasonable. I don't know what "Spark services" are (they aren't defined in the policy), but I assume they must be parts of the E-mail app that run on iOS, right?
OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. […]
This also sounds reasonable and doesn't indicate that my credentials are being sent anywhere, right?
Except if you substitute "Spark services" with "online servers in the cloud". Oh, wait.
I do not know if it was Readdle's intention to hide the fact that "Spark services" are really "servers in the cloud". I do not suspect them of ill will, but I consider all this to be a serious lapse in judgment.
Here is what I would expect:
- Do not force non-team users to share their credentials server-side. There is no reason to.
- Ask clearly for permission to "SEND AND STORE YOUR PASSWORD ON OUR ONLINE SERVERS WHICH WILL ACCESS YOUR E-MAIL". It should be very clear to the user what is happening. The wording an presentation should make it difficult to accidentally agree. The users takes on additional risks by agreeing, so be clear about those risks.
As for me, I stopped using Spark immediately and deleted it from all my devices. I do not trust it anymore. I miss it (Readdle makes really good apps), but trust is important.