Thursday, December 1, 2016

Spark Mail Stores Credentials in Cloud


Spark is much more than a mailbox. It’s a smart, unified inbox which collects all of your emails and automatically categorizes them for easy processing.

Ole Begemann:

While everyone’s raving about @sparkmailapp, remember that they store the credentials to your email(!) on their servers.

Readdle’s privacy policy:

In the event you delete your data from Spark, or revoke access to your data, or delete your Spark account, all your data, as well as your authentication/password information, is completely and permanently deleted from our servers, and we, therefore, do not have access to any of your data anymore.


Credentials are stored in encrypted form on Amazon server. There’s no way to access them in the original form

Presumably, whatever they’re storing is enough to access your mail. Otherwise, what would be the point? This is a concern, not only because of privacy, but also because access to your e-mail account can (through password resets, in the absence of two-factor authentication) unlock all of your other accounts.

My guess is that the main reason Readdle wants their server (rather than just the app running on your phone) to be able to access your mail account is for push notifications. My understanding is that Apple’s Mail app gets special privileges to run in the background and use push to detect when the IMAP or Exchange server has new messages. It also does background polling.

Third-party iOS apps are not allowed to do either of these things, just as they cannot register for the mailto: protocol. However, if Readdle’s server can monitor the mail account for new messages, it can send an Apple Push Notification to wake up the iOS app. Alternatively, you can turn off this feature. However, then you would not get background notifications of new mail, and it would probably use more battery power in the foreground.

Previously: FastMail Enables IMAP Push for iOS.

Update (2018-01-03): See also: Reddit (via Dennis).

2 Comments RSS · Twitter

Hey! You are absolutely right. We use servers for push notifications only. If it's alarming for you - just disable them ;)

[…] apps also get to use private APIs and daemons, have greater access to public APIs, act as default apps, and have privileged access to the lock […]

Leave a Comment