The following article presents a high-level overview of ProtonMail’s Android security model and explains how the app protects users’ sensitive data. You can view our Android app’s open source code on GitHub. We also explain the importance of open source to Proton in our Android open source announcement.
For more information on what threats ProtonMail is designed to counter, read our threat model.
Although the document covers technical subject matter, we wrote it to be as accessible as possible to the general audience.
The ProtonMail Android app stores as little data as possible on the user’s device. This approach allows the app to provide higher data security and more efficiently use the device’s storage space. However, it does need to store some data locally. This data includes:
- Encrypted messages (only messages opened since the last login are stored), attachments (only attachments viewed since the last login), and metadata
- Public and private keys for encrypting and decrypting messages
- Access tokens for communication with the ProtonMail API
- User account details (e.g., username, time of last message, etc.)
- Application and account settings
- Miscellaneous preferences
The app keeps some of this data in secured (encrypted) key-value pairs or inside a local database. Almost all of this data is encrypted at rest.
Protection of application assets
Although the username persists in the application, the user’s password is neither persistent nor cached. After the user enters their password, it is immediately delegated to the app’s internal Secure Remote Password (SRP) Protocol logic.
Learn more about the Android app’s authentication process.
The application keeps databases in its private storage space where they are inaccessible to other applications, and all sensitive data is encrypted.
Secure shared preferences
One of Android’s mechanisms for storing application data is Shared Preferences, which, in a nutshell, stores data in key-value pairs. Because this data is kept in plaintext, we have added a custom encryption wrapper around it. This wrapper keeps all persistent data contained in our application’s preferences private and encrypted. Additionally, the keys used for the custom encryption wrapper are protected by the Android Keystore.
Require user approval to load embedded images and remote content
By default, the app blocks embedded images and remote content. The user has to manually load them or disable this block in the app’s settings.
Our app downloads regular attachments into the primary storage folder of the device (i.e., the Downloads folder). However, we handle other types of embedded and remote content somewhat differently:
- Remote content (e.g., linked images) is never downloaded to persistent storage.
- Embedded images are downloaded similarly to regular attachments, but they are kept in the application’s private storage (instead of a public directory).
Push notification encryption
ProtonMail’s push notification servers always encrypt the notifications they send, and the ProtonMail client decrypts these notifications locally. These notifications are never stored on the device.
Application auto-locking and biometrics
We have implemented a straightforward, PIN-based feature to automatically lock the application after a period of inactivity. Once the app is locked, it prompts the user to enter their PIN to unlock it. (Users can activate this PIN protection in the settings.) If users choose this option, they can also open the app using the device’s own biometric authentication (the user will have to have already registered their biometric data before they can override the PIN). This lets users benefit from the convenience of their device’s biometric scanners without lowering the security level of the app.
There are two ways to download and update the ProtonMail Android app. One is via the Google Play Store, which lets the user take advantage of the update mechanism in Google Play to retrieve and apply app updates.
You can also download our app directly from our website as an APK file. Alongside the download link, users can find the SHA-256 checksum they need to verify the integrity of the APK file.
Here we describe the potential attack vectors of the Android client and how we mitigate these attacks.
Man-in-the-middle (MITM) attacks are more difficult to accomplish against ProtonMail because of our use of end-to-end encryption and zero-access encryption. We have implemented several safeguards in our overall security architecture, like Address Verification, which prevent MITM via a fake public key. We have also put in place protection against network-level MITM attacks.
We use the TrustKit-Android open source library for certificate pinning to prevent an imposter server, even one equipped with an otherwise valid TLS certificate, from being able to pose as ProtonMail and intercept network traffic.
Attacks from a malicious app (sandboxed)
Android Lollipop 5.0, which included SELinux, was the first Android version to feature a strengthened Application Sandbox. Each subsequent major Android OS release came with improved application sandboxing, to the point that now a malicious application (assuming it does not have root privileges) poses very little threat to the ProtonMail Android app.
Android security model scope
No application can protect its users against every potential threat 100% of the time. ProtonMail Android provides additional protection to its users’ data, but certain conditions are outside of the scope of this security model.
User device security
We assume that users keep their Android devices secure. For instance, if an advanced user roots their device, we expect them to understand that this makes it much easier for malicious applications to bypass the restrictions of the Android application sandbox.
We also expect the user’s device to be free of any malicious software (keyloggers, screen recorders, etc.) that could monitor the user’s actions.
We do our best to protect users’ data even when their device is compromised. However, all security systems are more likely to fail if the device in question is already compromised.
Our application is up-to-date with and attempts to leverage all of the most recent security improvements offered by the current Android operating system (OS). While our client supports a broad range of Android OS versions (all the way back to Android 5.0 Lollipop), we highly recommend users regularly update their Android OS so that they are always using the most recent release.
Audits and open source
We released the ProtonMail Android client as free and open source software under a GNU General Public License. The app has been audited by the respected security firm SEC Consult, and we have published the results of this audit.
Our recommendations for keeping your device secure
We have an entire article dedicated to covering how to protect your privacy on Android devices. However, here are five basic steps you can take to improve your Android device’s security.
- Enable biometric or PIN protection in the device settings.
- Keep your Android OS updated to the most recent version.
- Encrypt your device.
- Do not root your device unless you understand the consequences and have a very good reason for doing so.
- Do not open links or download attachments from untrusted senders.
If you have any questions about our ProtonMail Android security model, please contact our team at firstname.lastname@example.org. Thank you for your support.
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.