Privacy Guides recommends OpenKeychain under the category of “Encryption Software”; it is used by many applications on Android to provide encryption support, even some recommended email apps like FairEmail and K-9 Mail.
I understand why it is useful and recommended (although I never used it), but this warning on the official GitHub page made me think:
“WARNING: This software is no longer actively developed. We will still apply security fixes where reported, and do basic maintenance work, but no new features or will be worked on. We will try to consider and merge contributions where possible.”
The latest commit to the official GitHub repository happened on January 5, 2023 (more than one year ago).
The latest source code release on GitHub was version 5.8.2 on January 7, 2023 (one year ago).
The situation is similar with the Play Store app (5.8.2, January 5, 2023) and with the F-Droid app (5.8.2, January 8, 2023).
I don’t know how often encryption software needs to be updated so that the end-user can use the software without security concerns.
My questions are:
Should PrivacyGuides still recommend OpenKeychain? Are there any good alternatives to OpenKeychain?
Discussion in the K-9 Mail forum about OpenKeychain: OpenKeychain no longer being developed - K-9 Mail Forum
Developers of another application reliant on OpenKeychain discussing whether to stop relying on it, and how:
This issue on OpenKeychain’s issue tracker claims that OpenKeychain isn’t compatible with Android 14, which is concerning. OpenKeychain will stop working on Android 14 · Issue #2836 · open-keychain/open-keychain · GitHub
This is the link shared in the issue that explains why that is the case.
Behavior changes: Apps targeting Android 14 or higher | Android Developers
A security vulnerability was supposedly discovered and reported without any answer (very concerning, even if it isn’t true, because none of the official developers answered that GitHub issue): Vulnerability in OpenKeychain · Issue #2856 · open-keychain/open-keychain · GitHub
Another developer discussing concerns about OpenKeychain: Support encryption · Issue #33 · amake/orgro · GitHub
After finding all of this, I am more concerned about this recommendation and the projects that rely on it than when I started writing this post.
I didn’t contact the developer directly, but due to the lack of activity in the GitHub repository, I would say that this project seems unmaintained.
EDIT: These two issues are present in the official K-9 Mail issue tracker (one open since September 2021 and the other since May 2022), but the main developer behind the email app didn’t say anything in either of those issues, so I think it is reasonable to assume that the K-9 Mail developers aren’t working on that yet.
On the FairEmail front, there is no public issue tracker, just a form that someone can write in, and an email is sent to the FairEmail developer, who may answer you (though I didn’t try it out, so I don’t know).
What I could find is that the developer behind FairEmail seems to have reverted FairEmail’s target SDK to 33 (targets Android 13) due to the issue in OpenKeychain’s issue tracker related to the lack of Android 14 support mentioned above.
But the F-Droid and the Play Store versions of FairEmail indicate a target SDK of 34 (Android 14), so I don’t know what to think about the target SDK.
Also, this is written in the Fair Email documentation (the section “Planned features”):
“Autocrypt Setup Message (section 4.4) (IMO it is not a good idea to let an email client handle sensitive encryption keys for an exceptional use case while OpenKeychain can export keys too)” - would this mean that FairEmail may not introduce the functionality of PGP encryption for emails using an open source library available online?
In some of the links mentioned in this post, some users suggested libraries to integrate PGP encryption support into K-9 Mail without using OpenKeychain; maybe that would also work for FairEmail? These seem to be maintained libraries as of now:
K-9 Mail on the Play Store seems to target SDK 31 (Android 12), which makes sense considering this open issue on GitHub.
But this says that K-9 Mail on F-Droid targets Android 13 (target SDK 33), which is strange.
I saw the target SDKs for apps on the Play Store using Aurora Store.