Spark Mail App Data and Encryption

Spark Mail by Readdle is marketed as a re-imagined email client. One of its signature features is syncing your settings, including account credentials, across devices "with iCloud". But, as the privacy policy shows, that is not exactly what happens.

From their Privacy Policy, as of 1 December 2016 (emphasis mine):

Accounts are added to Spark through OAuth where possible. Where OAuth is not supported we keep your account username and password on our secure servers. We then use the authorization provided to download your emails to our virtual servers and push to your device. We use Amazon Web Services (AWS) infrastructure to store your data. Apart from AWS's security policies we take a number of measures to ensure that your data is never read by anyone else. We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your account credentials are stored on secure cloud-based servers using asymmetric encryption.

The safety and security of your information also depends on you. You should not share your email user name and password with anyone. If you find out that anyone has improperly obtained your login credentials and accesses your email account through Spark, you should immediately change your password. We are not responsible for such unauthorized access unless the access is our fault.

The primary function of Spark servers is to send push notifications and badge numbers to your device. To do that, Spark servers download email headers and text parts from your email service provider and use them to compose push notifications. We delete email headers and text as soon as the push message has been prepared and sent. We store messages and emails in encrypted form on secure cloud-based servers.

When you delete your email account from Spark, we permanently delete your data and credentials from our servers after we get notification from the Spark app or from Apple Push Notifications Service. If you turn off Push Notifications for your email account on all devices we will delete it from our servers as well.

To provide you with synchronization of your email accounts and settings between different devices, we encrypt authorization information and user settings with a unique encryption key stored in your iCloud account, out of our own reach, and sync it with other devices through our servers (we currently use Firebase for this purpose). We keep this information even after you have deleted Spark from all your devices to allow you to restore your accounts and settings quickly in case of application reinstall. However, since we don't have access to the encryption key, your data is completely secure.

I know that's a lot to take in, but at least it's not legalese. Based on this privacy policy, Readdle encrypts data both in transit (HTTPS) and at rest. Message headers and text parts are downloaded to their servers only to build push notifications, then deleted. For accounts that don't support OAuth, your username and password are kept on their servers so that those servers can poll your mailbox; if you turn push notifications off on all devices, the policy says those credentials are deleted and your messages are no longer downloaded. Separately, an encrypted copy of your "authorization information and user settings" is kept on their servers (Firebase) for cross-device sync, and is kept even after you uninstall.

But questions remain. If you are not using push notifications, and they therefore do not hold your data for that purpose, how are user settings synced? The last paragraph answers it: through their own servers, so an encrypted blob containing your credentials is stored by Readdle whether or not you use push. If you are using push notifications (as many people do), is it really necessary, or unavoidable, for them to store your credentials on their servers? And the policy says that iCloud is only used to store an encryption key, yet the same sentence says they "sync it with other devices through our servers". If "it" refers to the encrypted settings, the key never leaves your iCloud account and the design holds up; if "it" refers to the key, then the key transits their infrastructure and is not truly "out of their own reach".
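The difference between those two readings is easy to show in code. The following is an added toy model, not Readdle's implementation and not based on any Spark internals: a "keychain" dict stands in for iCloud Keychain (shared by one user's devices, never uploaded), a `SyncServer` class stands in for the Firebase relay, and a stdlib-only HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM (use a vetted library in real code). The account data is constructed sample data. In the first scenario the key stays on the devices and whoever operates the server sees only ciphertext; in the second the key itself is relayed through the server, and the operator can read everything.

```python
"""Toy model of 'client-held key, ciphertext relayed through the vendor's servers'.
Hypothetical example code; not Readdle's implementation."""
import hashlib
import hmac
import json
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32
BLOCK = 32  # bytes of keystream per HMAC-SHA256 output


def _subkey(master_key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC sub-keys from one master key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM."""
    blocks = (length + BLOCK - 1) // BLOCK
    return b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext; raise on failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def try_decrypt(master_key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext if the key authenticates the blob, otherwise None."""
    try:
        return decrypt(master_key, blob)
    except ValueError:
        return None


class SyncServer:
    """The vendor's relay (the policy names Firebase). It only ever stores opaque blobs."""

    def __init__(self) -> None:
        self.blobs: dict = {}

    def put(self, user: str, name: str, blob: bytes) -> None:
        self.blobs.setdefault(user, {})[name] = blob

    def get(self, user: str, name: str) -> bytes:
        return self.blobs[user][name]

    def operator_can_read_settings(self, user: str) -> bool:
        """What someone with full server access (operator, subpoena, breach) can do:
        decrypt with a key that also sits on the server, or guess if there is none."""
        user_blobs = self.blobs.get(user, {})
        key = user_blobs.get("sync-key") or os.urandom(32)  # no relayed key -> guessing
        return try_decrypt(key, user_blobs["settings"]) is not None


class Device:
    """One of the user's devices. `keychain` models iCloud Keychain: shared by the
    user's devices, never uploaded to the vendor's relay (hypothetical key name)."""

    KEY_NAME = "spark-sync-key"

    def __init__(self, user: str, keychain: dict, server: SyncServer) -> None:
        self.user, self.keychain, self.server = user, keychain, server

    def push_settings(self, settings: dict) -> None:
        key = self.keychain.setdefault(self.KEY_NAME, os.urandom(32))
        self.server.put(self.user, "settings", encrypt(key, json.dumps(settings).encode()))

    def pull_settings(self) -> dict:
        key = self.keychain[self.KEY_NAME]
        return json.loads(decrypt(key, self.server.get(self.user, "settings")))


# Constructed sample data; not a real account.
SAMPLE_SETTINGS = {
    "accounts": [{"imap": "imap.example.com", "user": "alice", "password": "correct horse battery"}],
    "signature": "Sent from Spark",
}


def key_stays_in_icloud():
    """Reading 1: the key lives only in the user's iCloud Keychain."""
    server, keychain = SyncServer(), {}
    phone, laptop = Device("alice", keychain, server), Device("alice", keychain, server)
    phone.push_settings(SAMPLE_SETTINGS)
    return server.operator_can_read_settings("alice"), laptop.pull_settings()


def key_relayed_through_server() -> bool:
    """Reading 2: the key itself is 'synced with other devices through our servers'."""
    server, keychain = SyncServer(), {}
    Device("alice", keychain, server).push_settings(SAMPLE_SETTINGS)
    server.put("alice", "sync-key", keychain[Device.KEY_NAME])  # key transits the vendor
    return server.operator_can_read_settings("alice")


if __name__ == "__main__":
    readable, synced = key_stays_in_icloud()
    print("key in iCloud only  -> operator reads settings:", readable, "| laptop synced:", synced == SAMPLE_SETTINGS)
    print("key relayed via server -> operator reads settings:", key_relayed_through_server())
```

The only difference between the two scenarios is the single `server.put(..., "sync-key", ...)` line, which is the whole point: a claim of "we don't have access to the encryption key" is only as good as the guarantee that the key never touches the vendor's storage or transport, and a policy sentence with an ambiguous "it" does not establish that.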

Some find irony in the fact that Readdle recommends not sharing your credentials with anyone while offering a feature that has you share them with Readdle. Features like settings sync make a big difference in convenience, but as always, it's important to read the privacy policy of the software and services you use.