Discussion:
S/MIME (and PGP) for android e-mails (R2Mail2 etc.)
Bernd Jantzen
2012-10-22 07:27:31 UTC
Hi CAcert community,

when I started using an android smartphone, I looked for an alternative e-mail
app capable of dealing with s/mime (and/or pgp) signed/encrypted e-mails. I
found "R2Mail2", an app produced by the Austrian company rundQuadrat (see
http://r2mail2.com/ and
https://play.google.com/store/apps/details?id=at.rundquadrat.android.r2mail2).

I am writing to you because I am interested in your opinion about this app and
about s/mime @ android in general.

R2Mail2 is a fully functional client for reading and writing e-mails in
connection with IMAP or POP3 servers. In particular, it allows to create and
verify s/mime messages (signed and/or encrypted e-mails) and, to some more
limited extent, also PGP-signed/encrypted messages. There are still some
deficiencies and smaller bugs, but it has improved a lot since I first saw it,
and I am already quite satisfied with it. There are features which I prefer over
the standard android e-mail app, in particular the folder view on an IMAP
server. It also allows to protect the app data by a master password. It can
(optionally) integrate android's system root store and allows for the acceptance
of non-system root certificates. So, in particular, I was able to tell R2Mail2
that I trust the CAcert roots.

Unfortunately, the app developers have decided to make R2Mail2 an app to pay
for. The free part of the app only allows to test its features, limiting the
number of displayed messages per folder to five. For normal, unlimited usage one
has to buy the corresponding license app for 4.80€.

Does anyone of you have experience with R2Mail2?
Any opinions on its reliability and functionality for s/mime e-mails?
Are there other / better android apps for dealing with signed/encrypted e-mails?

Best regards,
Bernd
Stephan Heidinger
2012-10-22 08:06:52 UTC
I myself use K9-Mail, very customisable client. Using AGP you can store
your keys on your Android phone and use them via K9-Mail. I've not yet
been able to test this, but supposedly it works.
--
Stephan Heidinger
PGP-Key: 25B76FAC
http://jedipedia.net
Bernd Jantzen
2012-10-22 08:54:34 UTC
Hi Stephan!

Thanks for your reply.
Post by Stephan Heidinger
I myself use K9-Mail, very customisable client. Using AGP you can store
your keys on your Android phone and use them via K9-Mail. I've not yet
been able to test this, but supposedly it works.
I have installed APG (that's what you mean by AGP, isn't it?), but not K9-Mail.

I suppose this combination of apps only allows for PGP signing/encryption, not
S/MIME. Or does it?

Best regards,
Bernd
Arno Welzel
2012-10-22 09:42:38 UTC
Post by Stephan Heidinger
I myself use K9-Mail, very customisable client. Using AGP you can
store your keys on your Android phone and use them via K9-Mail.
I've not yet been able to test this, but supposedly it works.
K9-Mail with APG allows to use PGP - which works fine, but only
"plain" PGP not PGP/MIME or S/MIME.

Since I also look for a client supporting PGP/MIME or S/MIME I may
give R2Mail2 a try - then I don't have to ask others NOT to use
PGP/MIME any longer ;-)
Bernd Jantzen
2012-10-22 10:12:25 UTC
Hi Arno!
Post by Arno Welzel
Since I also look for a client supporting PGP/MIME or S/MIME I may
give R2Mail2 a try - then I don't have to ask others NOT to use
PGP/MIME any longer ;-)
S/MIME is well supported by R2Mail2; this was the first goal of this app.
However, the PGP implementation is still limited and will hopefully be improved
in the (near?) future. (I know the author is working on updates.)

At the moment, R2Mail2 verifies "plain" PGP messages, but is also unable to
verify PGP/MIME messages.
On the other hand, R2Mail2 is able to decrypt both "plain" PGP- and
PGP/MIME-encrypted messages.

Best regards,
Bernd
dirk astrath
2012-10-22 08:50:19 UTC
Hi,

I've installed both tools on my phone ...

Both do their work very well ... APG together with k9 ... R2mail2 for x509-purposes ...

If I find the time this evening I can post more details ... Feel free to ask

Best regards
Benedikt Heintel
2012-12-16 20:14:53 UTC
Hi folks,

I recently found DJIGZO for Android [1]. It's an Open Source E-Mail
Encryption Solution available for free on the Google Play store [2].
From their Website I copied:

"DJIGZO for Android is an Android application which can be used with
your existing Android mail application to send and receive S/MIME
digitally signed and encrypted email with an Android smartphone.
DJIGZO for Android is free for personal use under the following
license terms <http://www.djigzo.com/android-license.html>.


Features

* S/MIME 3.1 (X.509, RFC 3280).
* Can be used with the Android Gmail application.
* Compatible with existing S/MIME clients (like Outlook, Lotus
Notes, Thunderbird etc.)
* Message body and attachments are encrypted.
* HTML email support.
* Certificates are automatically extracted from incoming email.
* Certificate revocation lists (CRLs) are automatically downloaded
(LDAP and HTTP).
* Certificate trust lists (CTLs) can be used to black or
white-list certificates.
* External LDAP servers can be queried for new certificates.
* Can generate self-signed certificates for a 'private-PKI'.


Note: DJIGZO for Android does not provide functionality to retrieve
email. An existing Android email application with attachment
support, for example Gmail or K9, should be used to retrieve the
encrypted attached smime.p7m message."

I did not have the time to give it a try. Would appreciate your comments
on it.

Cheers
Benedikt

[1] http://www.djigzo.com/android.html
[2]
https://play.google.com/store/apps/details?id=com.djigzo.android.application
Bernd Jantzen
2012-12-17 09:26:55 UTC
Hi Benedikt,

thanks for this information on DJIGZO. I installed and tried this Android app.

On the one hand, digital signatures and encryption based on S/MIME seem to work
quite well with DJIGZO. But on the other hand, it is not really integrated into
an e-mail client. At least, not as well as e.g. APG for OpenPGP. When I use K-9
mail, e.g., I can choose APG as my OpenPGP provider. Then, choosing in K-9 mail
that I want to sign and/or encrypt, K-9 mail passes the e-mail on-the-fly to APG
before sending it. Similarly, K-9 calls APG on-the-fly when decryption and/or
signature validation is needed for a received e-mail.

With DJIGZO this is not so easy. Unless I have missed some possibilities, K-9
mail does not seem to recognize DJIGZO as a provider for cryptography. Sending a
signed or encrypted e-mail is possible by using the internal e-mail composer of
DJIGZO or by sending an e-mail to DJIGZO from another app. In any case, DJIGZO
uses its own SMTP and from-address configuration to send the e-mail itself. This
has drawbacks: Replying to a previously received message is not directly
possible (though K-9 allows to forward an e-mail through an external app). And
apparently the sent e-mail is not saved or uploaded to some sent folder.

Receiving an S/MIME-encrypted e-mail works like this: The whole encrypted
message is in what K-9 mail displays as an attachment "smime.p7m". When opening
this "attachment", K-9 mail offers to do this with DJIGZO (or alternatively,
with R2Mail2). However, for some strange reason (probably due to K-9 mail), this
did not work on my device. Instead, I had to save the file smime.p7m to the
download folder and open it from DJIGZO. Then DJIGZO decrypted the message and
validated the signature correctly.

It seems to me, however, that there is no such possibility for e-mails which are
only S/MIME-signed in the clear-text way without encryption. DJIGZO only opens
smime.p7m files with encrypted content, not smime.p7s files with mere
signatures. And also DJIGZO does not seem to have access to the clear-text
content of a digitally signed e-mail in some IMAP folder. (Apparently DJIGZO may
open a complete digitally signed message in MIME format as a *.eml file. But I
could not find out how to save a message to such a file from an Android mail
client.)

Maybe the integration with Gmail is better? I haven't tried, but I doubt it.

So my preliminary conclusion: DJIGZO cannot replace R2Mail2 for receiving
S/MIME-signed messages. And also the parts of it which work lack comfort unless
they are better integrated in mail clients.

Best regards,
Bernd
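
The message layouts this thread distinguishes (S/MIME smime.p7m versus smime.p7s, "plain" PGP versus PGP/MIME), as an added example that is not part of any post: a Python classifier that reports which MIME parts a verifier or decryptor needs for each layout. The sample messages, addresses and signature blobs are constructed placeholders.

```python
import email

# Constructed sample messages; addresses, bodies and blobs are placeholders.
HDR = "From: alice@example.org\nTo: bob@example.org\nMIME-Version: 1.0\n"
BLOB = "UExBQ0VIT0xERVI=\n"  # base64 of the word PLACEHOLDER, not real CMS/PGP data


def _signed(protocol, micalg, sig_name):
    """Build a constructed multipart/signed message (RFC 1847 layout)."""
    return (HDR
            + f'Content-Type: multipart/signed; protocol="{protocol}"; '
              f'micalg={micalg}; boundary="b1"\n\n'
            + "--b1\nContent-Type: text/plain\n\nHello Bob\n"
            + f'--b1\nContent-Type: {protocol}; name="{sig_name}"\n'
            + "Content-Transfer-Encoding: base64\n\n" + BLOB + "--b1--\n")


SAMPLES = {
    "smime_encrypted": HDR
        + 'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; '
          'name="smime.p7m"\n'
        + "Content-Transfer-Encoding: base64\n\n" + BLOB,
    "smime_clear_signed": _signed("application/pkcs7-signature", "sha-256",
                                  "smime.p7s"),
    "pgp_mime_signed": _signed("application/pgp-signature", "pgp-sha256",
                               "signature.asc"),
    "pgp_inline_signed": HDR + "Content-Type: text/plain\n\n"
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nHello Bob\n"
        "-----BEGIN PGP SIGNATURE-----\n\n" + BLOB
        + "-----END PGP SIGNATURE-----\n",
}


def classify(raw):
    """Return (layout, needed_parts) for one raw RFC 822 message string."""
    msg = email.message_from_string(raw)
    ctype = msg.get_content_type()

    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # One opaque CMS object: the attachment by itself is the whole message.
        kind = msg.get_param("smime-type", "unknown")
        return f"S/MIME {kind}", [msg.get_filename("smime.p7m")]

    if ctype == "multipart/signed":
        parts = msg.get_payload()
        if not msg.is_multipart() or len(parts) != 2:
            return "malformed multipart/signed", []
        content, signature = parts
        proto = str(msg.get_param("protocol", "")).lower()
        family = "PGP/MIME" if "pgp" in proto else "S/MIME"
        # Detached signature: both the first part (as transmitted) and the
        # signature part are required to verify anything.
        return (f"{family} detached signature",
                [content.get_content_type(), signature.get_filename("signature")])

    if ctype == "multipart/encrypted":
        return "PGP/MIME encrypted", ["multipart/encrypted body"]

    body = msg.get_payload() if not msg.is_multipart() else ""
    if "-----BEGIN PGP SIGNED MESSAGE-----" in body:
        return "inline PGP signed", [ctype]      # armor lives inside the text
    if "-----BEGIN PGP MESSAGE-----" in body:
        return "inline PGP encrypted", [ctype]
    return "none", []


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} -> {classify(raw)}")
```

For the detached-signature layouts the signature covers the first body part exactly as transmitted, so an app that is handed only smime.p7s has nothing to verify against.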
E. Westbrook
2012-12-17 20:09:46 UTC
Glad to see this come up, and glad to discuss it.

Just my opinion, but "hard to use" is *far* preferable when compared to
"does not do the entire job".

In my limited experience, DJIGZO is the only Android tool so far that I
have found which works with my S/MIME PKI infrastructure. Yes, it's a bit
challenging to use, especially when compared to the "click and go"
experience that so many users demand. But it works. (And then again,
whether crypto *should* ever be fully "click and go" is an entirely
separate debate, isn't it.)

It'll do, though, until I find something better. And now, I'm off to see
if that something might be R2Mail2 -- and my thanks for the suggestion.

Again, very glad to see the topic come up here. Now if I had something
similar for my stubborn iPhone/iPad users...

$0.02,
EW
Benedikt Heintel
2012-12-17 22:08:56 UTC
Thanks for your analysis, Bernd.

I was about to give DJIGZO a try today, but I have trouble to add the
CA certificate into the software. The certificate is easily not found;
no issue with my Client cert. Try to investigate or ask the support.

It is unfortunate that there is no Android e-mail client handling
encryption. In a Linux environment I was somehow expecting something
like this by default. I suggest to share our experience with the
developers, to improve the software.

Cheers
Benedikt
Bernd Jantzen
2012-12-17 22:24:32 UTC
Post by Benedikt Heintel
Thanks for your analysis, Bernd.
I was about to give DJIGZO a try today, but I have trouble to add the CA
certificate into the software. The certificate is easily not found; no issue
with my Client cert. Try to investigate or ask the support.
DJIGZO has two separate key stores: "Certificates & Keys" for your personal keys
(and intermediary certificates). But CA root certificates go into "Root
certificates". So when your CA certificate is a (self-signed) root certificate,
you have to add it to "Root certificates", choosing "Store to import to: root".
This is in contrast to your (intermediary or end-user) certificates which are
signed by a CA; they go into "Certificates & Keys" by choosing "Store to import
to: certificates".
Maybe something went wrong with this choice of certificate stores?
Post by Benedikt Heintel
It is unfortunate that there is no Android e-mail client handling encryption.
Well, for S/MIME encryption and/or signing, there is the Android app R2Mail2,
which is a fully functional e-mail client. Unfortunately, it costs 4,80 Euros
(for the license; otherwise you only see 5 messages per folder for demo).
R2Mail2 is still being developed and further improved. I already find it much
better than the default Android mail client. It does not have as many features
as K-9 mail, but it fully supports S/MIME (and to some more limited degree also
PGP).

Best regards,
Bernd
Ian G
2012-12-18 06:51:05 UTC
Guys,

this is important info! And well written -- we'd really like the info
to be collated into a wiki page somehow. I'm not sure what page, but
grab something appropriate and ask for help in moving it to a nice home?

iang