Reconsider OpenKeychain

Privacy Guides recommends OpenKeychain under the category of “Encryption Software”. It is used by many applications on Android to provide encryption support, even some recommended email apps like FairEmail and K-9 Mail.

I understand why it is useful and recommended (although I never used it), but this warning on the official GitHub page made me think:

“WARNING: This software is no longer actively developed. We will still apply security fixes where reported, and do basic maintenance work, but no new features or will be worked on. We will try to consider and merge contributions where possible.”

The latest commit to the official GitHub repository happened on January 5, 2023 (more than one year ago).

The latest source code release on GitHub was version 5.8.2 on January 7, 2023 (one year ago).

The situation is similar with the Play Store app (5.8.2, January 5, 2023) and with the F-Droid app (5.8.2, January 8, 2023).

I don’t know how often encryption software needs to be updated so that the end-user can use the software without security concerns.

My questions are:
Should PrivacyGuides still recommend OpenKeychain? Are there any good alternatives to OpenKeychain?

Discussion in K-9 Mail forum about OpenKeychain: OpenKeychain no longer being developed - K-9 Mail Forum

Developers of another application reliant on OpenKeychain discussing whether to stop relying on it and how:

This issue on OpenKeychain’s issue tracker claims that OpenKeychain isn’t compatible with Android 14, which is concerning. OpenKeychain will stop working on Android 14 · Issue #2836 · open-keychain/open-keychain · GitHub
This is the link shared in the issue that explains why that is the case.
Behavior changes: Apps targeting Android 14 or higher  |  Android Developers

A security vulnerability was supposedly discovered and reported without any answer (very concerning, even if it isn’t true, because none of the official developers replied to that GitHub issue): Vulnerability in OpenKeychain · Issue #2856 · open-keychain/open-keychain · GitHub

Another developer discussing concerns about OpenKeychain: Support encryption · Issue #33 · amake/orgro · GitHub

After finding all of this, I am more concerned about this recommendation and the projects that rely on it than when I started writing this post.

I didn’t contact the developer directly, but due to the lack of activity in the GitHub repository, I would say that this project seems unmaintained.

EDIT: These two issues are present in the official K-9 Mail issue tracker (one open since September 2021 and the other since May 2022), but the main developer behind the email app didn’t say anything in either of those issues, so I think it is reasonable to assume that K-9 Mail developers aren’t working on that yet.

On the FairEmail front, there is no public issue tracker, just a form that someone can write in; an email is then sent to the FairEmail developer, who may answer you (though I didn’t try it out, so I don’t know).

What I could find is that the developer behind FairEmail seems to have reverted FairEmail’s target SDK to 33 (targets Android 13) due to the issue in OpenKeychain’s issue tracker related to the lack of Android 14 support mentioned above.

But the F-Droid and the Play Store versions of FairEmail indicate a target SDK of 34 (Android 14), so I don’t know what to think about the target SDK.

Also, this is written in the Fair Email documentation (the section “Planned features”):

“:cross_mark: Autocrypt Setup Message (section 4.4) (IMO it is not a good idea to let an email client handle sensitive encryption keys for an exceptional use case while OpenKeychain can export keys too)” - would this mean that FairEmail may not introduce the functionality of PGP encryption for emails using an open source library available online?

In some of the links mentioned in this post, some users suggested libraries to integrate PGP encryption support into K-9 Mail without using OpenKeychain; maybe that would also work for FairEmail? These seem to be maintained libraries as of now:

K-9 Mail on the Play Store seems to target SDK 31 (Android 12), which makes sense considering this open issue on GitHub.

But this says that K-9 Mail on F-Droid targets Android 13 (target SDK 33), which is strange.

I saw the target SDKs for apps on the Play Store using Aurora Store.

K-9 Mail requires OpenKeychain for PGP support (see description): K-9 Mail | F-Droid - Free and Open Source Android App Repository

Yeah, an active vulnerability issue open for months is not ideal. I’d say this should have a huge warning flag on Privacy Guides.

3 Likes

I would happily move on to some other alternative, if one existed. There seems to be no other project currently providing OpenPGP support. Sadly we have to rely on OpenKeychain for K-9 Mail.
Also I won’t suggest generating a key pair through OpenKeychain, as it may have some misconfiguration and you won’t be able to back up and restore into other applications. I faced this multiple times.

If OpenKeychain ever stops working there are still some options.

You copy the encrypted text from the mail and decrypt it in a tool of your choice. Obviously pretty inconvenient if you use PGP a lot. Could someone suggest some app for this?

The Mailvelope extension is working with Kiwi Browser; I tested it long ago with Nextcloud webmail (Disroot) and it worked fine.

Mutt mail client in Termux. h4x0r feelings included :grinning_face_with_smiling_eyes:

I would like to edit my post again, but I think that I can’t (at least I don’t find an option), so I will write this as a reply:

The K-9 Mail beta versions on F-Droid target SDK 33 (Android 13), which is also likely to be the case for the Play Store beta versions (see the information in this blog post in the section “Targeting Android 13”).

Meanwhile, the stable versions of K-9 Mail target SDK 32 (Android 12) on both F-Droid (visible through the link above) and the Play Store (visible through Aurora Store).

Maybe K-9 Mail will at some point offer OpenPGP encryption for emails without requiring OpenKeychain; someone commented in the blog post linked at the end of this reply of mine:

“Just make sure you get Spam filtering and Open PGP into it, guys!”

And the comment above is an answer to that comment about OpenPGP support in K-9 Mail:

“Lee, these are on the list! May be a while, but we are planning on incorporating these features into K-9.”

The citations were copied from the link above:

Sure, it is an old comment and an old reply from an old blog post, but it is still possible to happen.

It probably will happen eventually in order to have feature parity with Thunderbird on desktop.

1 Like

We’re aware of this, but given the nature of it (there are no alternatives) we haven’t de-listed it.

3 Likes

Well, that depends on how you look at things. If you use any of the recommended providers that have a mobile client, this issue does not exist. So that would without doubt be the best thing to do.

I understand this is a sad reality, but this clearly makes a point for the mail solutions that offer their own app.

I get that not everyone can choose the mail provider in all cases. But I think a warning would be appropriate.

1 Like

https://github.com/open-keychain/open-keychain/issues/2856#issuecomment-1906954493

The vulnerability disclosure seems to have made some progress.

That’s very heartening.

According to this, the security issue with OpenKeychain should be fixed (and the issue report on GitHub was also closed).

Also, considering that the OpenKeychain target SDK is updated to 34, the app should still work with Android 14 and with email clients which target SDK 34, so this issue should be closed soon and FairEmail and K-9 Mail should be free to target SDK 34.

K-9 Mail may take a while to target SDK 34 as it just recently started to target SDK 33, but FairEmail can revert the downgrade of its target SDK from 34 to 33; maybe it already did, considering the target SDK shown in Aurora Store is 34, and the same is true for the F-Droid build.

I think that this alleviates most concerns about OpenKeychain; the only concern left, to my knowledge, is a possible lack of maintenance in the future, in case new issues arise and someone needs to fix them.

Also, the most recent version of OpenKeychain (6.0.0) is available on F-Droid and the source code on GitHub (source code only), but it’s not available yet on the Play Store (it should appear there soon).

1 Like

I’m also fine with not making any changes to our recommendation at this time. The warning on the GitHub repo implies that no new features will be added, not that it will suddenly break or will develop security issues. No longer adding features to a “basically complete” app should be fine with us (see also: Remove PrivacyBlur - #7 by jonah).

The time to respond to a security vulnerability is a little long, but not entirely unreasonable for a project like this, especially for a bug which wasn’t high severity.

Therefore I will tag this suggestion as rejected for organizational purposes, but obviously let us know if the situation changes at some point.

2 Likes

Why should this tool be removed?

I suggest the removal of OpenKeychain as a recommendation for encryption software on the Android OS as it’s no longer being maintained. I have continued the discussion here after it was closed in an earlier proposal, Reconsider OpenKeychain. Though the developer has put a note on his GitHub page that they are going to apply security fixes, there are still major issues with the app which are not fixed and make it not a reliable piece of software.
For instance, it does not support the newer implementation of GPG 2.3 onward, for which a request was made in this issue. Not supporting the GPG 2.3+ spec makes it highly unreliable for anyone trying to manage OpenPGP keys cross-platform. This makes it not interoperable with the current implementation of OpenPGP on other OSes like Windows, Linux and macOS, which generally use GnuPG’s version 2.4+ spec. So basically you can’t use OpenPGP keys generated on another OS like Linux or Windows and then import them into OpenKeychain for decrypting/encrypting data by default. This has been reported multiple times - here, here, here. This creates confusion among users and a very subpar experience, so users are forced to generate separate keys for their mobile device. The OpenKeychain developer has not communicated in any way whether it will support newer GPG versions using the OCB (AEAD) encryption and make it interoperable.
Personally I wouldn’t want to maintain 2 different types of OpenPGP keys for my different OSes.

So from what I explained in the above section, it does actually break the basic way in which OpenPGP keys are handled, and they are not made interoperable. The developer would need to reconsider this implementation against the current spec of GPG 2.4+ for it to be usable on Android too. Without addressing it, users are going to be left clueless about the inconsistency with the app.
There are several other issues like these, Decryption Error · Issue #2931 · open-keychain/open-keychain · GitHub, and other usability bugs reported all over their GitHub issue pages which I am not sure are going to be addressed soon.
Though I understand there may not be a replacement right now for this app on Android, given the state of the app I wouldn’t recommend anyone use it and get confused due to the interoperability issues it has, let alone the need to support more encryption algorithms.

3 Likes

I would agree that this software should be considered not maintained. In general, not adding new features is okay as long as we still have a dev who monitors the project and brings out updates to fix security issues. However, if the software falls behind to the point that there are usability issues, it becomes problematic.

It’s hard enough to get people to try new private software and services; having them download software which breaks or doesn’t work can turn them off privacy-friendly alternatives entirely.

So I would vote for removal. I wonder if anyone knows of any alternatives?

2 Likes

I really hoped this project was still maintained for lack of alternatives, but it’s basically gone EOL. Maybe there was less demand for programs depending upon external apps for an OpenPGP implementation. So far Protonmail has its own implementation of OpenPGP in its Android app, and probably in the future Thunderbird is going to do the same, when they realise OpenKeychain is no longer reliable.

1 Like

Well… PGP usage is already quite a niche, even among privacy enthusiasts, let alone managing your keys on Android, so I am personally not that surprised.

It is unfortunate though, having options is never a bad thing.

2 Likes

While this isn’t actively maintained, there is no reason to remove it until a replacement exists.

Currently it is still needed for PGP support in email programs like K-9/Thunderbird/FairEmail, so until an alternative exists I can’t see this being possible.

We should start tracking native support for PGP in things like Thunderbird (it’s the only reason I have this installed).

So far the main one seems to be Replace OpenKeychain with GOpenPGP or similar · Issue #5662 · thunderbird/thunderbird-android · GitHub

2 Likes

Problem is, though, that we require software to be maintained, even if there is no alternative. If anything, we would have to either alter our requirement or remove it.

3 Likes