The overall privacy policy of MobiSystems can be found here.

Please note that it encompasses all of our products and is not specific to Aqua Mail.

Below you can find an explanation of some privacy aspects specific to Aqua Mail:

Not cloud based

Several currently popular mail apps are cloud based.

This means that they run their own servers, which connect to the actual mail servers hosting your account(s) (Yahoo, Gmail, Hotmail), collect your messages on those “their own” servers (for some duration of time), and then push messages from there to the device.

So your messages are stored somewhere else (for some duration of time), and in some cases, so are your account passwords, so that the app’s “own servers” can log into your account’s mail servers — as “you”.

The developers of those apps have certainly taken every possible precaution to do the above in the most secure way possible, that they’re competent, their systems are protected, audited, updated, patched for security… and that how those apps work is clearly communicated on their web sites, in service terms, and privacy policies. But still – it’s one more place that stores your messages and possibly your accounts’ passwords.

Aqua Mail is not cloud based, it works “the traditional way”, like Thunderbird or Outlook.

It only stores your accounts’ passwords on the actual phone / tablet (and may not even do that if you use Google’s new “more secure authentication” with Gmail or Google Apps accounts, called OAUTH2).

It only connects to the mail servers hosting your mail accounts, and only transmits the password to those servers (and may not even do that when using OAUTH2).

It does not collect any personal or user sensitive information or share it with any third parties.

It only stores your messages on the device.

Spammer tracking

Spam messages often contain various technical means letting the senders (the spammers) track whether you’ve opened a message, and maybe for other means. I’m not a spammer, so won’t know all the “use cases”, but I’m sure they have some.

It’s one of a mail app’s “jobs” to try to protect you, the user, from this type of tracking.

There is a web site, EmailPrivacyTester.com, which lets you send yourself a test message containing a number of such tracking techniques, and then check how well your mail app was able to handle it.

As of version 1.5.9, Aqua Mail gets a perfect score on this test, with the setting “show linked content only from known senders” being “on” which is the default (just in case, app settings -> message view).

Security

Privacy and security are related, so here is a quick run-down.

OAUTH2 for Gmail and Google Apps and now for Hotmail

As of version 1.5.1, Aqua Mail can use Gmail or Google Apps accounts with Google’s preferred authentication method, called OAUTH2.

When adding a new account, you’ll need to choose “Gmail or Google Apps”. To upgrade an existing Gmail account, make sure to sync it at least once (so the app knows it’s Gmail), then long press it (the account), choose Account setup and you should see a green prompt to upgrade to OAUTH2.

When using OAUTH2, Aqua Mail will not see, store, or transmit your account’s password. Instead, it will use a so called “access token” to log in.

This access token uses complex math (cryptography) and cannot be used to recover the account’s password, even if the token is intercepted by a malicious third party.

As of version 1.6.2, OAUTH2 authentication is also supported for Hotmail. You’ll see it when adding a new account into Aqua Mail.

To convert an existing account, long press it (the account) -> account setup and you should see a green panel offering the upgrade

Strong SSL encryption (aka SSL hardening)

As most any mail app, Aqua Mail can encrypt its network traffic when “talking to” your mail server(s). When adding a new account, the default settings have encryption enabled (SSL or STARTTLS).

Now, there are different “ciphers” and “protocols” – a lot depends on what a mail server supports – and the rest depends on what an app negotiates with the server.

Prior to Android 5.0, the default “ciphers” and “protocols” used by Android system were rather weak. To use the most secure ones, please enable Aqua Mail settings -> network -> SSL hardening. This will try to use the TLSv1.2, TLSv1.1, TLS1, SSLv3 protocols in that order, also black-listing some ciphers known to be non-secure. There is also a setting there to not use SSLv3, recently discovered to be non-secure too.

As of Android 5.0, the choices made by system code are better, but Aqua Mail re-enables the “less secure” ciphers when “SSL hardening” is disabled. This is done for better compatibility: some mail servers / services, especially corporate ones, still require those “less secure” ciphers and can’t work with the more modern ones.

Bottom line: if you’d like Aqua Mail to use the most secure network encryption available in your phone’s Android version, enable “SSL hardening” in Aqua Mail and disable SSLv3.

SSL certificate tracking

There is a type of security risk, not specific to Aqua Mail, but rather something that can affect any application that talks to a remote server, over the network, using encryption.

Called “man in the middle attack”, it’s when something is made to look like that remote server (mail server) even when it’s not – intercepting network traffic – and then it’s possible to decrypt that traffic and see what’s being transmitted (your password, for example).

Aqua Mail has a way to deal with this.

If you enable settings -> network -> SSL tracking, then Aqua Mail will examine each server’s “SSL certificate” (fingerprint) when it connects, save it, and then watch for changes on subsequent connects.

If a server’s certificate is found to be different from last time, it might mean that something’s pretending to be Gmail’s (or Yahoo’s or Hotmail’s…) mail server, when it’s really not.

In this case, Aqua Mail will stop right then, before transmitting your account’s password to a potentially malicious third party. There will then be an error message about it below the account (in the account list). Tap the error to examine the last known and the current certificates, and decide if you’re going to accept the change.

Now, some mail services (for example, Gmail, Office 365) change their encryption certificates quite often, and this will trigger the error, even though there is nothing bad going on.

It’s up to you (the user) to decide if a particular change in SSL certificates detected by Aqua Mail is valid, or possibly malicious, and if you want Aqua Mail to accept the new certificate and proceed.

DKIM and SPF validation

New since 1.6.1, shown as a small green or red lock icon when viewing a message.

The FAQ has more detailed info.