Mail Encryption for Android?

So, now that the saga of getting a decent GPG mail client for Mac has finally been resolved (huge kudos to the guys at gpgtools!), it’s time to get some encryption love on an Android device.

I don’t know if you ever ended up searching for a decent GPG/PGP/S/MIME (not that anyone uses S/MIME) mail client for your Android, but the selection in the past couple of years has been pretty slim. Aside from the old K-9 (and the paid-for Kaiten), there isn’t really much out there. And these clients aren’t up to speed. Lacking PGP/MIME support means you can’t read most emails sent from a desktop machine (gpgtools uses the OpenPGP MIME format). Add the fact that there isn’t much Exchange server support (no ActiveSync) and you are left wanting more. It was actually easier to download the encrypted message .asc, save it locally, fire up APG, decrypt it, save the plaintext locally, open it in a text editor, and delete all the clutter you just left on your sdcard. Ugh.

So, when I found _another_ mail app that claims to be able to do GPG, and Exchange, and isn’t a UI disaster, I had to give it a go.

Enter R2Mail2 (yeah, I know… marketing isn’t their strong suit). So far I have to say that installation has been a breeze (don’t forget to go through the weird process of managing the certificate store in the app, then adding your GPG keypair). And it works as advertised (!). OpenPGP MIME support, encryption, decryption, signing, and yes – even Exchange (!!).

For what it’s worth – I’m giving it a try (meaning – the paid-for version). Just giving my extra 2c to help you get on the PRISM “gotta-see-what-he’s-emailing-about” list 🙂



9 responses to “Mail Encryption for Android?”

  1. Well, the UI is a disaster actually.

    But you are right that it supports both PGP and S/MIME well.

  2. Unfortunately R2Mail2 is closed-source, so anyone serious about security would be advised to steer clear.

    1. As I would advise to stay clear of open-source products when it comes to security reviews. (Remember that OpenSSL thingy? Nothing major there, right? 😉 )

      1. A rather weak answer. Actually, cryptographic algorithms have to be verified by an open community to manifest any degree of trustworthiness.
        The “OpenSSL thingy” was the quickest-to-be-fixed large scale security disaster I heard of. Has there been an actual serious theft or loss of data reported due to this one?

  3. The bar for even being able to find and fix bugs as a person interested in security but not employed by R2Mail2 is much higher because it’s closed source. This means that it’s harder for benevolent people to find bugs in software and help make it more secure. In OpenSSL, because the code is open, the bugs can be found if enough people look. With closed source, you need to hire more people to look at the code to get the same level of security.

    Closed source being more ‘secure’ is an example of security through obscurity, which is only a placebo.

    1. I completely agree, but remember that working with an open source product does not guarantee you security, just as working with a closed-source one does not deny it.
      Use common sense, and follow your instincts.

      1. I disagree, at least to some extent: Open source may not guarantee any measure of security, but closed source, effectively, denies security. All you’re left with is unconditional trust in yet another entity. The security of closed source – though it may exist – cannot be proven.

  4. ActiveSync is not supported. Only EWA (Exchange Web Access (aka WebDAV)). So it’s not usable for other servers with ActiveSync support (like Zarafa).

  5. Thanks for sharing. PGP and Exchange AWS are both features I need. I’ve only tested the free version, starting today, and it seems good to me when I try to sign.
    The disadvantage is having to import all my contacts’ public keys to my phone :p
