Future Thunderbird for Android, K-9 Mail, passed security audit with flying colors
Some time ago, the team that is responsible for the Thunderbird email client announced that it has come to an agreement with the maker of K-9 Mail, a mail app for Android, to turn it into Thunderbird for Android.
Plans to expand platform support to the mobile operating systems Android and iOS have existed for some time. The decision to build on an existing product instead of writing a Thunderbird app for Android from scratch offers several advantages: the deal could bring a seasoned developer on board, and a first version of Thunderbird for Android could ship much sooner.
The migration to Thunderbird for Android involves adding features to K-9 Mail, such as the recently added OAuth 2.0 support, and making design changes, but also auditing the security of the client to ensure it rests on a solid foundation.
K-9 Mail recently underwent an "extensive security audit" by 7ASecurity. Jason Evangelho of the Thunderbird team notes that six auditors from 7ASecurity analyzed K-9 Mail to "identify and address any potential security or stability issues". The audit focused on threat modelling, fuzzing and the software supply chain.
The security researchers found zero high-risk vulnerabilities in the email client for Android. A total of 10 low- and medium-severity issues were identified during the audit; more than half of them concerned potential denial-of-service conditions.
The auditors furthermore suggested hardening measures in 10 areas as proactive protections against potential future exploits.
7ASecurity concluded that "K-9 Mail defended itself well against a broad range of attack vectors" and that the app "provided a number of positive impressions" during the assignment.
These positive impressions included the following:
- K-9 Mail does not send sensitive information to third parties.
- The email app prevents leaks via log messages and Android backups.
- No hardcoded credentials are used.
- K-9 Mail hardens WebViews.
- The application was "found to be resilient against Man-In-The-Middle (MitM) attacks against encrypted communications as well as deeplink attack vectors".
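As an illustration of what "hardening WebViews" typically means on Android, here is an added example of a locked-down WebView for rendering untrusted HTML mail bodies. It is not K-9 Mail's code and the report does not say which of these settings K-9 applies; the helper names `hardenMailWebView` and `showMailBody` are assumptions, and the calls themselves are standard `android.webkit` APIs.

```kotlin
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient

// Hypothetical helper (not K-9 Mail's code): restrict a WebView that only has
// to render untrusted HTML from a mail body.
fun hardenMailWebView(webView: WebView) {
    webView.settings.apply {
        javaScriptEnabled = false                 // no script execution in mail bodies
        allowFileAccess = false                   // no file:// reads from the app sandbox
        allowContentAccess = false                // no content:// provider access
        allowFileAccessFromFileURLs = false       // deprecated, but still honoured on older API levels
        allowUniversalAccessFromFileURLs = false
        setGeolocationEnabled(false)
        setSupportMultipleWindows(false)          // no window.open() style pop-ups
        domStorageEnabled = false
        databaseEnabled = false
        mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
        blockNetworkLoads = true                  // remote images / tracking pixels stay blocked
    }
    webView.webViewClient = object : WebViewClient() {
        // Returning true tells the WebView the app handles the link itself, so
        // a click in a mail body never navigates inside the WebView.
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
            return true
        }
    }
}

// Load the body from a string with no base URL (WebView uses about:blank), so
// relative references cannot resolve to file:// or content:// targets.
fun showMailBody(webView: WebView, html: String) {
    webView.loadDataWithBaseURL(null, html, "text/html", "utf-8", null)
}
```

A client built this way has no script execution, no access to local files or content providers, and no network fetches unless the user opts in, which removes most of the WebView attack surface a malicious message could target.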
Users interested in the full report may access the PDF document on the Thunderbird website. The majority of the issues have already been addressed.
The audit marks an important step for the Thunderbird on Android project, as it can now focus on turning K-9 Mail into Thunderbird for Android.
Now You: do you use an email app on your mobile devices?