Is Blue Mail really spying?

At the end of last week, reports emerged that the 5-star rated Android mail client BlueMail is leaking credentials: the app submits usernames and passwords to the vendor's own servers. The story was featured in the German IT news portal Golem and the German newspaper Süddeutsche Zeitung. The malicious behaviour was originally uncovered by Mike Kuketz.

The story caught my attention because I have been using this feature-rich mail client for over a year. I immediately reacted to the security breach by changing my passwords and replacing the app. To warn other users I corrected my 5-star rating to a 1-star rating, stating the leak.

Interestingly, the vendor keeps denying that the credentials are transmitted at all. Every negative rating in the Google Play Store gets a reply such as "This is simply not true, please read our official statement", "Fake news", or "It's not true. This is a defamation."

Maybe the original author made an error?

Time to do science and see what the app really transmits.

Outline

The app version under test is 1.9.3.20. That’s the version in which the behaviour was originally discovered. This version can be downloaded from ApkMirror – Blue Mail – Email & Calendar App 1.9.3.20.

Since I don't want to change my passwords all over again, I'll use the mail testing suite Greenmail to provide IMAP and SMTP servers for the mail account test1@angband:

java -Dgreenmail.setup.test.all -Dgreenmail.users=test1:pwd1@angband -Dgreenmail.verbose -jar greenmail-standalone.jar

First try

So the first step is to fire up an AVD running Android 8.1 with packet capture (tcpdump) enabled:

sudo ANDROID_SDK_HOME=/home/itsame/.android ./emulator -engine auto -tcpdump /tmp/android.cap -avd Pixel_API_27 -writable-system

Finally drop the APK file onto the emulator and set up the mail account.

First result

Opening the capture file in Wireshark shows that the app communicates heavily with servers at bluemailapp.com. That in itself is nothing serious. Furthermore, all of the communication is encrypted. That's a plus for users, but a minus for this scenario: I want to look into the packets.

Time for heavier tools.

Second try

To intercept encrypted traffic I need a man-in-the-middle; the Burp Suite will do fine. So I start an HTTP proxy in Burp Suite and configure the Android emulator to use it. The next step is to install the proxy certificate as a trusted certificate in the AVD.

CA woes

Normally I'd just add the proxy certificate as a trusted user certificate, but since Android N (7.0) apps no longer trust user-added CAs by default. So the proxy certificate needs to be installed as a system CA, which isn't so easy.

First export the Burp proxy certificate in P12 format. Then convert the P12 file to a PEM file, following Converting PKCS#12 certificate into PEM using OpenSSL:

openssl pkcs12 -in burp.p12 -out burp.crt.pem -clcerts -nokeys

The next step is to add the CA as a system CA, following Android 7 Nougat and certificate authorities. Remember the emulator parameter -writable-system:

Retrieve the old-style subject hash:

openssl x509 -inform PEM -subject_hash_old -in burp.crt.pem | head -1

Let's say it's 9a5ba575. Android names system CA files <OLD_HASH>.0, so the filename is 9a5ba575.0. Create the file with:

cat burp.crt.pem > 9a5ba575.0
openssl x509 -inform PEM -text -noout -in burp.crt.pem >> 9a5ba575.0

Some further layout restrictions apply: the PEM certificate block must come before the textual dump. Check that the file looks like this:

-----BEGIN CERTIFICATE-----
snip
qGzdQfyJ3VgOBqZLTQ==
-----END CERTIFICATE-----
Certificate:
    Data:
snip

Then put the certificate on the device via adb (the chmod and reboot run inside the adb shell):

adb root
adb remount
adb push 9a5ba575.0 /system/etc/security/cacerts/
adb shell
chmod 644 /system/etc/security/cacerts/9a5ba575.0
reboot

Now verify that the certificate is listed as a trusted system CA.
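As an added example (not code from the original post or from any of the linked articles), here is a small Python script that automates the naming and layout steps above. It reimplements OpenSSL's -subject_hash_old (MD5 over the DER-encoded subject name, first four bytes read as a little-endian integer) with a minimal DER walker, assembles the .0 file with the PEM block first, and checks that layout. The sample certificate inside it is a constructed, unsigned skeleton that only exercises the parser; the command-line usage assumes openssl is on PATH to produce the textual dump.

```python
"""Build an Android system-CA file (<old_subject_hash>.0) from a PEM certificate."""
import base64
import hashlib
import subprocess
import sys


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER element at buf[pos].

    Returns (tag, value, raw, next_pos). `raw` includes the tag and length
    bytes, which is what i2d_X509_NAME() emits and what the hash covers.
    """
    start = pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def subject_der(cert_der: bytes) -> bytes:
    """Return the raw DER encoding of the certificate's subject Name."""
    _, cert_body, _, _ = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _, _ = _read_tlv(cert_body, 0)           # tbsCertificate ::= SEQUENCE
    tag, _, _, pos = _read_tlv(tbs, 0)               # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, _, pos = _read_tlv(tbs, pos)           # serialNumber
    for _ in range(3):                               # signature, issuer, validity
        _, _, _, pos = _read_tlv(tbs, pos)
    _, _, raw, _ = _read_tlv(tbs, pos)               # subject
    return raw


def subject_hash_old(cert_der: bytes) -> str:
    """Same value as `openssl x509 -subject_hash_old`: 8 lowercase hex digits."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return f"{int.from_bytes(digest[:4], 'little'):08x}"


def pem_to_der(pem_text: str) -> bytes:
    lines = [l.strip() for l in pem_text.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def build_ca_file(pem_text: str, text_dump: str) -> str:
    """Assemble the .0 file: PEM block first, human-readable dump second."""
    return pem_text.strip() + "\n" + text_dump.strip() + "\n"


def check_layout(contents: str) -> bool:
    """Android wants the PEM block before the 'Certificate:' text block."""
    end = contents.find("-----END CERTIFICATE-----")
    return (contents.startswith("-----BEGIN CERTIFICATE-----")
            and end != -1 and contents.find("Certificate:", end) != -1)


# --- constructed sample: structurally valid X.509 skeleton, unsigned, not a real CA ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn: str) -> bytes:   # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))


SAMPLE_SUBJECT_DER = _name("Constructed Test CA")
_SIG_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
_TBS = _tlv(0x30,
            _tlv(0xA0, _tlv(0x02, b"\x02"))                   # version v3
            + _tlv(0x02, b"\x01")                             # serialNumber
            + _SIG_ALG
            + _name("Constructed Test Issuer")                # issuer, deliberately != subject
            + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
            + SAMPLE_SUBJECT_DER
            + _tlv(0x30, b""))                                # subjectPublicKeyInfo left empty
SAMPLE_CERT_DER = _tlv(0x30, _TBS + _SIG_ALG + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # Usage: python ca_file.py burp.crt.pem   (assumes openssl on PATH for the text dump)
    pem = open(sys.argv[1]).read()
    name = subject_hash_old(pem_to_der(pem)) + ".0"
    dump = subprocess.run(["openssl", "x509", "-noout", "-text", "-in", sys.argv[1]],
                          capture_output=True, text=True, check=True).stdout
    contents = build_ca_file(pem, dump)
    assert check_layout(contents)
    open(name, "w").write(contents)
    print("wrote", name)
```

The DER walker deliberately skips the issuer before reading the subject; on a self-signed proxy CA the two names are identical, so the constructed sample uses different names to prove the right one is hashed.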

Capturing

So. Finally. Time to open Blue Mail and set up a new account:

  • Press Add other account
  • Press Other Email
  • Enter Email address and Password
  • Leave Automatic checked
  • Press Next

And instantly Burp Suite intercepts the following POST request:

POST /autoconfig?ver=1.0 HTTP/1.1
build: 12303
app_version: 1.9.3.20
brand: BL
and_id: 34285c80-4328-4610-9312-70863500716a
android_id: d9831f98b1f74bb1
user_id: -1
device_id: undefined_device_id
country_code: 
vendor_id: d9831f98b1f74bb1
device_type: android
Content-Length: 66
Content-Type: application/x-www-form-urlencoded
Host: mtu.bluemailapp.com
Connection: close

email=test1%40angband&password=pwd1&client_orig_account_type=other

At this point the sacred credentials have been sent out to a Blue Mail Inc. server!

The intention is probably to configure the account settings automatically. But this is implemented in a very stupid way!
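A defender reviewing such a capture wants a repeatable check rather than eyeballing Burp. The following Python script is an added example, not code from the original post: it parses the intercepted request reproduced above (embedded as a constructed string), decodes the form body, and reports credential fields that are posted to any host other than the user's own mail servers. The set of expected hosts ({"angband"}, the Greenmail test account's domain) is an assumption for this test setup; the report lists field names and the account they belong to, never the secret value itself.

```python
"""Flag credentials in a captured HTTP request that leave for an unexpected host."""
from urllib.parse import parse_qs

# Form field names that, if present, mean a credential is in the body.
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Constructed copy of the request Burp intercepted above.
CAPTURED_REQUEST = """POST /autoconfig?ver=1.0 HTTP/1.1
build: 12303
app_version: 1.9.3.20
brand: BL
and_id: 34285c80-4328-4610-9312-70863500716a
android_id: d9831f98b1f74bb1
user_id: -1
device_id: undefined_device_id
country_code:
vendor_id: d9831f98b1f74bb1
device_type: android
Content-Length: 66
Content-Type: application/x-www-form-urlencoded
Host: mtu.bluemailapp.com
Connection: close

email=test1%40angband&password=pwd1&client_orig_account_type=other
"""


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased; the body is everything after the first blank line.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()


def find_credential_fields(headers, body):
    """Return decoded form fields whose name looks like a credential."""
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {}
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if k.lower() in SECRET_FIELDS}


def credential_leaks(raw: str, expected_hosts):
    """Report credentials posted to any host that is not one of the user's mail servers.

    Each finding carries the host, the path, the names of the secret fields and
    the remaining form values (e.g. the mail address) that show whose credential
    it is. Secret values are intentionally not included in the report.
    """
    method, path, headers, body = parse_http_request(raw)
    host = headers.get("host", "")
    secrets = find_credential_fields(headers, body)
    if method != "POST" or not secrets or host in expected_hosts:
        return []
    context = {k: v[0] for k, v in parse_qs(body).items() if k not in secrets}
    return [{"host": host, "path": path, "secret_fields": sorted(secrets), "context": context}]


if __name__ == "__main__":
    # The Greenmail server from the setup above stands in for "my" mail provider.
    for finding in credential_leaks(CAPTURED_REQUEST, expected_hosts={"angband"}):
        print(f"credential leak: {finding['secret_fields']} posted to "
              f"{finding['host']}{finding['path']} (context: {finding['context']})")
```

Run against the capture above, it reports the password field posted to mtu.bluemailapp.com/autoconfig?ver=1.0 for the account test1@angband; the same request checked with the vendor host in the expected set produces no finding, which is the point: the leak is defined by where the credential goes, not by the mere presence of a password field.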

Summary

Blue Mail is sending email credentials to its own servers. Period. No discussion. You have a security breach. The mail account is compromised. Mike Kuketz is right. The reports are true. You must change passwords. You must uninstall Blue Mail. You must find another mail client.

15 thoughts on "Is Blue Mail really spying?"

  1. Mzzique

    He is right. On numerous occasions as soon as I add Bluemail someone begins to change what I write in my emails as I write them. There is something within Bluemail that is not secure and I have to change all my email passwords on other accounts as a result. This happened once 3 years ago. I tried to use it again last year and had the same issue. I would definitely advise anyone to steer clear of Bluemail.

    Reply
  2. Frank

    I just wiped my phone and flashed a new version of Android Nougat to the ROM since it's an old phone not supported since Lollipop and I wanted to give the phone a new lease of life. The point being I deeply wiped my phone.

    Upon reinstating everything plus reinstating BlueMail, I noticed its Trash folder filled up with about 25 random emails from between 2 years and one month ago, all of which I know for a FACT that I deleted long ago. One of them is very sensitive too, yet Bam! Here they are again. The only explanation I can think of is they are stored at BlueMail and something I did during my setup triggered a glitch for it to download a selection from BlueMail's "archive" of my private correspondence.

    Be warned.

    Reply
    1. Friederich Egger

      Hi,
      I read your article about BlueMail's privacy leak. I searched the web for similar results and found some hints that a newer version of BlueMail (1.9.4.2) is not "vulnerable" to this leak. Did you maybe repeat your test with a newer version of BM? The company is again stating that the new BM version stops sending the password.
      [Because I'm an Android novice, do you maybe have more information on how to "replay" your testing setup – any help is greatly appreciated.]

      Reply
      1. benbloggt (Author)

        I haven't tested newer versions of BlueMail. So I can't make any statement about their current state. They may say that they aren't sending the password anymore, but last time they also didn't admit sending it. Also they blocked me on all their social media channels.
        So without further proof, I’m still sceptical.

  3. Friederich Egger

    Hi Ben,
    thank you for your reply to my question. I understand your sceptical attitude. So I will have to test it myself. This can take a while to find a test setup, but if you are interested I will post the result on your blog as an answer to your reply.
    Best, Friederich

    Reply
  4. MaxG

    I can't believe everyone is surprised by this! I heard of BlueMail a long time ago as I have multiple emails and I wanted an app that could group all of them in the same place on my phone – as in Windows Outlook. But then… I never installed it. I always thought that me giving all my email account details to "somebody" "somewhere" wouldn't be wise. It's free after all and we all know the rules of life: nothing is free and… we are not naive anymore and we know very well now that when a product is free… then WE are the product. Same applies to those apps to manage multiple bank accounts: are we really so naive?

    Reply
  5. Monkey

    Thank you. I stopped right before giving BM permission to my gmail account, searched for some info and found your detailed article. Even if they now closed this security hole, I don’t trust someone who once acted this carelessly with people’s personal data and, once caught, still denied it to the death. It doesn’t seem like a reasonable thing to do.

    Reply
  6. Bet

    Thanks for doing all the groundwork to prove this! I was looking for a cross-platform (Windows/Android) client and ran across them. As soon as it is obvious you don't know who 'they' are – I get suspicious. Didn't install, started researching and ran across your page. Thanks!

    Reply
