01 Apr 2014

# Email security and privacy for Apple users

It’s good news that there are a lot of privacy-related chat applications out there that offer end-to-end encryption, from open source XMPP applications such as ChatSecure to proprietary platforms such as Wickr. Email, however, hasn’t caught up with these other secure means of communicating. It still requires a lot of effort to secure email.

The most secure solution so far for email is Pretty Good Privacy (PGP), or its open source equivalent, GPG. The main drawback is that the person receiving the email also needs to have GPG set up. It works with public/private key pairs: you and the other person exchange public keys (each private key stays with its owner), essentially establishing end-to-end encryption. So when you send an email, it is kept encrypted right until the user on the receiving end decrypts it (as opposed to encrypted email offered by email services, where the email is decrypted along its way and stored on a company server). GPG is great but only works with someone willing to set it up. In other words, it seems people only bother setting this up when they really need to communicate privately (with journalists, exchanging corporate secrets, etc.). For instructions on setting up this kind of system, there is a great video here.

There are solutions that automate all of the encryption steps for you., for example, is simple to use but it has its own drawbacks. The email address looks less professional and emails can be decrypted on their end, as in this example with a court order. is a good choice when it comes to a secure and private email account.

If you want to securely send something by email without any additional changes to your email setup, you can always wrap an attachment in an encrypted archive and then disclose the password to the other party by some other means, such as an encrypted chat conversation.

For example, if you are both using OS X, you can create an encrypted disk image. From there you can add your email, text file, Word document or any other files you want and then just send the encrypted disk image to the other person. If they don’t use the same platform as you, TrueCrypt is still the default multi-platform encryption program in use despite controversy over its previous discontinuation. Here is the updated TrueCrypt project. I know people that use this all the time for securely sending materials over services such as WeTransfer or YouSendIt. EncFS file encryption also looks promising.

These tools are all good if you are on a desktop computer, but on a mobile device they are less available. As far as securing an iPhone for secure communication goes, it’s a double-edged sword. iPhones are more secure than Android devices because each app on the App Store has to be reviewed by Apple, which reduces the chance of it containing malware. Each app is then code-signed to be allowed to run, and only in its own sandboxed environment. But at the same time, Apple has direct access to anyone’s iDevice as described here.

As for anonymizing your location while online, a desktop computer has a very secure solution for all of this: a bootable live OS called Tails that uses the Tor network and wipes its memory afterwards. Mobile phones have yet to get to this level of privacy. However, you can look into a paid enterprise solution such as Blackphone or, if you have the time, you can install Replicant, an experimental custom open source privacy OS for Android devices.

If you are worried about your IP address being tracked by third parties while using an iPhone, you can always set your network traffic to go through a VPN, or a proxy such as one found on Instructions on setting up a proxy can be found here. This is not a complete solution. Security is being placed at the mercy of the proxy being used. Some proxies keep detailed logs and could even be a honeypot. Additionally, iOS apps that use lower level socket communications instead of the more standard communication frameworks end up bypassing the proxy settings altogether, so not all of your traffic will be routed through the proxy. Some example apps that bypass the settings include Clash of Clans, KIK Messenger, Opera Mini, Pinger, Spotify Premium, and Tango. It may be better to route all your traffic through an encrypted VPN such as VPNBook. Instructions for setting this up on an Apple device can be found here.

For desktop software, I always lean towards using products that are open source because in theory one can review the entire code to make sure it does not contain any spyware, adware, or other malicious code. Thunderbird is a good open source email client, so it’s a good choice. In fact, if you’re using Tor Browser to hide your true location on a desktop when browsing online, there is a similar plugin for Thunderbird called TorBirdy. This makes sure your emails are routed within the Tor network so that the receiver will not know your location. If you are concerned about location privacy, then using TorBirdy with Thunderbird is a good solution.

Network sniffers on compromised networks can grab email addresses and messages, so it’s good to make sure you are always using TLS/SSL encryption for sending and receiving email. For iDevices, instructions to enable email encryption can be found here. Thunderbird should also be using SSL ports (ports 587 and 995, not 25 or 110). For web-based email, make sure all addresses are https:// not http://. In fact, there is a good Firefox plugin for this called HTTPS Everywhere that tries to make sure all the pages you browse are using the https encrypted versions of the site. Speaking of plugins, uBlock and Ghostery are good Firefox plugins that generally help prevent spam and being tracked. Adblock Plus used to be a very popular and good plugin, but has since decided to allow companies to pay to get around its block list as described in this article, so this one is no longer recommended.
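To check that a message you received actually crossed each mail server hop over TLS, you can read its `Received` headers; the following is an added example (not from the original post) that does this with Python's standard library. The sample message, host names and addresses are constructed, and it assumes the servers record the RFC 3848 protocol keywords (ESMTPS, ESMTPSA).

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords; the ones ending in S mean the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
COMMENT_RE = re.compile(r"\([^()]*\)")  # innermost (...) comment
WITH_RE = re.compile(r"\bwith\s+(\w+)", re.IGNORECASE)

# Constructed sample message (documentation domains and addresses).
SAMPLE = """\
Received: from relay.example.org (relay.example.org [192.0.2.20])
    by mx.example.net (Postfix) with ESMTP id C3
    for <bob@example.net>; Tue, 1 Apr 2014 10:00:05 +0000 (UTC)
Received: from smtp.example.org (smtp.example.org [192.0.2.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by relay.example.org (Postfix) with ESMTPS id B2
    for <bob@example.net>; Tue, 1 Apr 2014 10:00:03 +0000 (UTC)
Received: from [198.51.100.7] by smtp.example.org with ESMTPSA id A1;
    Tue, 1 Apr 2014 10:00:01 +0000
From: alice@example.org
To: bob@example.net
Subject: test

body
"""

def strip_comments(value):
    """Remove nested parenthesised comments such as '(using TLS with cipher ...)'."""
    previous = None
    while previous != value:
        previous, value = value, COMMENT_RE.sub(" ", value)
    return value

def audit_hops(raw_message):
    """Return [(hop, protocol, used_tls)]; hop 1 is the first server to accept the mail."""
    headers = message_from_string(raw_message).get_all("Received", [])
    hops = []
    # Every server prepends its own header, so the last one is the oldest hop.
    for hop, header in enumerate(reversed(headers), start=1):
        match = WITH_RE.search(strip_comments(" ".join(header.split())))
        protocol = match.group(1).upper() if match else "UNKNOWN"
        hops.append((hop, protocol, protocol in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw_message):
    """Hops that did not report TLS (plain SMTP/ESMTP or unparseable)."""
    return [hop for hop in audit_hops(raw_message) if not hop[2]]

if __name__ == "__main__":
    for hop, protocol, used_tls in audit_hops(SAMPLE):
        print(hop, protocol, "TLS" if used_tls else "no TLS reported")
```

Servers that do not write the RFC 3848 keywords show up here as not reporting TLS, and headers added by servers outside your control can be forged, so only the hops recorded by your own provider are trustworthy.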

Last but not least, email content can be captured if your computer has spyware or malware installed. There is a good and free antivirus program available for Mac - Sophos Antivirus.