Spark Mail by Readdle is a re-imagined email client. One of its signature features is syncing settings, including credentials, with iCloud. But this is not exactly as it sounds.
Accounts are added to Spark through OAuth where possible. Where OAuth is not supported we keep your account username and password on our secure servers. We then use the authorization provided to download your emails to our virtual servers and push to your device. We use Amazon Web Services (AWS) infrastructure to store your data. Apart from the AWS’ security policies we take a number of measures to ensure that your data is never read by anyone else. We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your account credentials are stored on secure cloud-based servers using asymmetric encryption.
The safety and security of your information also depends on you. You should not share your email user name and password with anyone. If you find out that anyone has improperly obtained your login credentials and accesses your email account through Spark, you should immediately change your password. We are not responsible for such unauthorized access unless the access is our fault.
Primary function of Spark servers is to send push notifications and badge numbers to your device. To do that, Spark servers download email headers and text parts from your email service provider and use them to compose push notifications. We delete email headers and text as soon as push message has been prepared and sent. We store messages and emails in encrypted form on secure cloud-based servers.
When you delete your email account from Spark, we permanently delete your data and credentials from our servers after we get notification from the Spark app or from Apple Push Notifications Service. If you turn off Push Notifications for your email account on all devices we will delete it from our servers as well.
To provide you with synchronization of your email accounts and settings between different devices, we encrypt authorization information and user settings with unique encryption key stored in your iCloud account, out of our own reach, and sync it with other devices through our servers (we currently use Firebase for this purpose). We keep this information even after you deleted Spark from all your devices to allow you restore your accounts and settings quickly in case of application reinstall. However, since we don’t have access to the encryption key, your data are completely secured.