Today I'm going to show you some dangers on Android email applications you can find on the play store.
What you need to know about mails: your mails are stored on a mail server somewhere, according to your provider. If you're using Gmail, they are on Google's servers. Most of the people are using Gmail, or Microsoft (hotmail, msn, outlook), or mails from their internet provider.
When you're using a mail application, like stock mail app on your iPhone, or stock mail app on your Android, the application connects directly on the mail server, using standard protocols like IMAP or POP.
To send an email, the app is contacting the SMTP server with the SMTP protocol.
The danger with malicious apps: they are not contacting your mail server directly, they give your login information (mail address and password) to a dedicated server, which will do the connection to the mail server, and download all your mailbox. Then, your phone is only refreshing or getting email through this dedicated server, using HTTP or HTTPS access (like web browsing). It's not a bad idea, except ALL your mails are downloaded by someone else, and someone else knows your password!
I tried some emails app with my old Nexus phone. I made a fake mail account on my own mail server. I will connect these app on it, and I will see which IP addresses access my mail server on live on the logs...
AquaMail: seems good, directly connected.
MyMail: can't choose a personal IMAP mail :D So I can't test. Goodbye!
BlueMail: Bingo! First one :p After configuring the app, some externals IP addresses are connecting on the server: 220.127.116.11, 18.104.22.168. According to whois, these are Amazon IP addresses, but don't have more info.. On the server, my phone is connecting too on the server. Why these external IP? After the app removal, I still have access attempts...
TypeApp: looks the same as BlueMail graphically.. it's not good! Tada!! Same thing. IP addresses on my mail server: 22.214.171.124 and 126.96.36.199. Amazon servers! After the app removal, I still have access attempts too...
MailDroid: seems good :)
SolMail: Seems good too.
GMX Mail: Seems good!
Mail.ru: Jackpot! Access from 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199 ... All from Russia. In contrary with TypeApp or Bluemail, which does external access and direct access from the phone, when you refresh the mails on Mail.ru's app, it's only a Russian IP which is connecting to the mail server.. never the phone.
So, for my part, I can't trust this kind of applications, which are not using the standard way.
Maybe the application which are doing external accesses are not all bad, but sorry I can't trust this. Nothing can prove me all my personal data is not used for something else (commercial?), and removed when I remove the app.
When you think an app like Mail.ru is used by 10 Millions users and more...
This is the best advice I can tell: always be careful with applications you're using.
You can use for example K9mail, open source software and very trusty app.