Password protection for launch of K9

Hi K9-fans

I use K9 since some years and i am very satisfied with it.

Since some weeks i often hand over my smartphone or tablet to other persons, so that they can do some quick research on the Internet or check the weather forecast.
But my personal information like emails should not be visible so easily.

it would be useful for me, and probably for other users, to be able to password protect the launch of K9.
I do not like to solve this through an AppLock app, but directly through K9.

So there could be a setting option in K9:
“Password protection program startup” which can be turned on/off.
If turned on you can set your own K9 password.

Is this, or something similar already possible, and i simply don´t find it?
Or might it be good to implement?

Many thanks and greetings from Germany


See Can I Password protect app on startup?

1 Like

Hi ByteHamster,

thanks for Your answer !

I read and understand the former topic.

OK, for me a K9-password would be an improvement, because on my smartphone/tablet the mail is the only personal data, there is no messenger like whatsapp, no banking, no calender etc, at the moment even no google-account.

Greetings, AsterX

In general, I would recommend using Android’s own features. You can limit phone usage to a single app and hand it over to a guest user. That way, somebody who “just want to check a website” or “just want to look up something in maps” cannot do anything else but exactly that.

1 Like

A K-9 app-specific password would just create a false sense of security.

For example, one could just install an old version of K-9 that doesn’t have the protection feature. (there are a few more steps involved, but this is the basic idea)

While there are some exceptions, just take this as a rule of thumb: If someone has access to your unlocked phone, you have lost. App-specific passwords or “app locker” apps won’t help you.

1 Like

Thanks to all
The hint of tchara is the best solution for my request!
There is no need for absolute security, the only wish is, that the person, whom i give the phone for some minutes (standing by my side) doesn´t come into my mails by chance, and read or delete one of them accidentally.
I didn´d know the android feature “limit phone usage to a single app”, but here it´s the best way
Thanks a lot
Greetings, AsterX

Although the topic seems to be solved for elsa - and good idea for android phones - I thought that thunderbird has a similar feature with the “main password”.

I don’t know how that works and protects the data.

But wouldn’t it be possible to implement a “main password” in K9 mail in a way that it encrypts (as an “encryption key”) all app-related data on the android phone? Then there would be some kind of protection from a K9-password, right?

As a matter of fact, until now I thought that this function may come in the process of integrating thunderbird and K9…

That’s dangerous if you have device encryption enabled. Encrypting an app’s data a second time can weaken the overall of the app’s data depending on the algorithm used.

Put in very simple terms: Imagine your device encryption would just multiply everything by 3, and K-9 would devide everything by 3. The result would be the original number.
(Note that modern asymmetric encryption is way more complex than that, but you get the gist. Basically, a key insertion attack on RSA works like that.)

Thanks and I think I get the idea.

But just to understand it better:

  1. Isn’t it really unlikely, that the encryption key is the same (or rather the direct “opposite”)? As far as I understand it it would be around the same possibility, someone would accidentally get my master password right. - And wouldn’t it be possible to check for example the result - and when it’s encrypted, then the double-encryption obviously doesn’t annihilate themselves?

  2. On my Windows-Laptop I have Bitlocker activated. I can still save an encrypted password-manager data, or a password-encrypted .odt-document or a veracrypt container file save on the Bitlocker-encrypted drive.Is there a difference between e.g. Windows and Android? Or put it another way: Why does this type of “double-encryption” work on Windows but not on Android?

It’s not that the data is decrypted by the double operation, just the strength of the encryption is weakened.

The above mentioned key insertion attack on RSA targets key length. It is hard to brute force a 2048 Bit key. If you manage to key-insert 512 Bit, the resulting strength is weakened to 1536 Bit. That can be brute forced on a moderate Laptop from Bestbuy in a week or so.

If your Windows drive is Bitlocker encrypted, you should be on the safe side as most strong encryption apps (Veracrypt, Truecrypt, …) use different algorithms. The likelihood of weakening your encryption is mitigated by the differing algorithms.

But just as a word of advice: If you are using Bitlocker, don’t store the recovery key in OneDrive, which Microsoft offers to do by default…

There is a fundamental difference. On Windows, every app can read Thunderbird’s password database - so it needs to be encrypted to protect the passwords. On Android, apps cannot read each other’s databases, so apps do not need to encrypt their databases.

Thanks tchara and ByteHamster for your explanations! I’m still confused about this, because there are some android apps who offer a password (as one example the 2FA-app Aegis comes to my mind), but maybe the purpose there is different. At least, a “master password” would hinder access to my mails, if someone would have my phone in his/her hands with unlocked screen. :thinking: