Future Thunderbird for Android, K-9 Mail, passed security audit with flying colors

Martin Brinkmann
Jul 22, 2023

Some time ago, the team that is responsible for the Thunderbird email client announced that it has come to an agreement with the maker of K-9 Mail, a mail app for Android, to turn it into Thunderbird for Android.

Plans to expand platform support to the mobile operating systems Android and iOS existed for some time. The decision to use an existing product instead of creating a Thunderbird app for Android from scratch offers several advantages, including that a potential deal might include hiring a seasoned developer and that development would not take too long before the first version of Thunderbird for Android could be released.

The migration process to become Thunderbird for Android involves adding features, such as the recently added OAuth 2.0 support, to K-9 Mail, making design changes, but also auditing security of the client to ensure it has a solid foundation.

K-9 Mail has undergone an "extensive security audit" recently by 7ASecurity. Jason Evangelho of the Thunderbird team notes that six auditors of 7ASecurity have analyzed K-9 Mail to "dentify and address any potential security or stability issues". The security audit focused on threat modelling, fuzzing and the software supply chain.

The security researchers found no "zero high-risk vulnerabilities" in the email client for Android.  A total of 10 low and medium ranked vulnerabilities were found during the audit; more than half identified potential Denial of Service attacks.

The auditors furthermore suggested security hardening in 10 areas as proactive protections against potential future exploits.

7ASecurity concluded that "K-9 Mail defended itself well against a broad range of attack vectors" and that the app "provided a number of positive impressions" during the assignment.

These positive impressions included the following ones:

  • K-9 Mail is not sending sensitive information to third-parties.
  • The email app prevents leaks via log messages and Android backups.
  • No hardcoded credentials are used-
  • K-9 Mail hardens WebViews.
  • The application was "found to be resilient against Man-In-The-Middle (MitM) attacks against encrypted communications as well as deeplink attack vectors".

Users interested in the full report may access the PDF document on the Thunderbird website here. The majority of issues have been addressed already.

The audit marks an important step for the Thunderbird on Android project, as it can now focus on turning K-9 Mail into Thunderbird for Android.

Now You: do you use an email app on your mobile devices?

Article Name
Future Thunderbird for Android, K-9 Mail, passed security audit with flying colors
The future Thunderbird for Android application, K-9 Mail, has passed a security audit with flying colors.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. smaragdus said on July 25, 2023 at 3:13 pm

    Very bad news, I will either have to keep my current version of K-9 Mail or start usong another mail after the re-branding takes place. Undoubtedly Mozilla will poison this mail client with trackers the way it does with its mobile so called browser. I wish someone forks K-9 Mail client and continues the independent development. Keeping one’s devices clean of the vultures Mozilla and Google is the wise choice.

    1. owl said on July 26, 2023 at 4:53 am

      > Very bad news, I will either have to keep my current version of K-9 Mail or start usong another mail after the re-branding takes place.

      In short,
      it seems to be just “You want to do opposition for the sake of anti-Mozilla”.

      By the way,
      the “K-9 Mail” you are currently using is v4.803 (stable) earlier, isn’t it?
      From v4.803 (stable), it is actually a “Thunderbird” product (the developer transfer to Thunderbird a year ago).

      Just to be clear, it was “not a covert to merge, it was announced in advance, resulting in users congratulated” big news.

      If you are not dissatisfied with the current product…
      In any case,
      There’s no cure for a fool who are ignorant of the circumstances and the truth, and who are filled with pessimistic fears rather than creativity.

      Well, We are appalled at the stupidity of the stubborn and bigoted conservatives.

  2. Anonymous said on July 24, 2023 at 10:20 am

    I wish they could make an iOS version too.

    1. owl said on July 25, 2023 at 2:58 am

      > I wish they could make an iOS version too.

      Quote from official blog (blog.thunderbird.net) :
      Yes, we have officially added an iOS version of Thunderbird to our future development roadmap. Expect more concrete news about this toward the end of 2023.

      Thunderbird Planning | Topicbox

      Thunderbird development support accepts bug reports through “Bugzilla” and feature requests through “Mozilla Connect”.
      Mozilla Connect: Thunderbird Tags
      The feature request prioritizes “kudos”. Please support the development with Kudos, Comment, and Submit an idea.
      Thunderbird for iPhone and iPad

  3. NeonRobot said on July 24, 2023 at 9:30 am

    5.9.16 is the last sane version w/o mozilla involvement.

    Actually application will start to send sensitive information to third-parties.
    Just wait a bit.

    1. owl said on July 24, 2023 at 10:10 pm


      Enough of your nonsense! Stop your silly talk!
      From K-9 Mail v4.803 (stable) onwards, it belongs to Thunderbird.

      It will just only be “rebranding” soon.
      It has passed a reliable “third-party audit”, and if it is not reliable, it is “your lack of intelligence”.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.