Reconsider OpenKeychain

Privacy Guides recommends OpenKeychain under the category of “Encryption Software”; it is used by many applications on Android to provide encryption support, even some recommended email apps like FairEmail and K-9 Mail.

I understand why it is useful and recommended (although I never used it), but this warning on the official GitHub page made me think:

“WARNING: This software is no longer actively developed. We will still apply security fixes where reported, and do basic maintenance work, but no new features or will be worked on. We will try to consider and merge contributions where possible.”

The latest commit to the official GitHub repository happened on January 5, 2023 (more than one year ago).

The latest source code release on GitHub was version 5.8.2 on January 7, 2023 (one year ago).

The situation is similar with the Play Store app (5.8.2, January 5, 2023) and with the F-Droid app (5.8.2, January 8, 2023).

I don’t know how often encryption software needs to be updated so that the end-user can use the software without security concerns.

My questions are:
Should PrivacyGuides still recommend OpenKeychain? Are there any good alternatives to OpenKeychain?

Discussion in K-9 Mail forum about OpenKeychain: OpenKeychain no longer being developed - K-9 Mail Forum

Developers of another application reliant on OpenKeychain discussing whether to stop relying on it, and how:

This issue on OpenKeychain’s issue tracker claims that OpenKeychain isn’t compatible with Android 14, which is concerning. OpenKeychain will stop working on Android 14 · Issue #2836 · open-keychain/open-keychain · GitHub
This is the link shared in the issue that explains why that is the case.
Behavior changes: Apps targeting Android 14 or higher | Android Developers

A security vulnerability was supposedly discovered and reported without any answer (very concerning, even if it isn’t true, because none of the official developers answered that GitHub issue): Vulnerability in OpenKeychain · Issue #2856 · open-keychain/open-keychain · GitHub

Another developer discussing concerns about OpenKeychain: Support encryption · Issue #33 · amake/orgro · GitHub

After finding all of this, I am more concerned about this recommendation and the projects that rely on it than when I started writing this post.

I didn’t contact the developer directly, but due to the lack of activity in the GitHub repository, I would say that this project seems unmaintained.

EDIT: These two issues are present in the official K-9 Mail issue tracker (one open since September 2021 and the other since May 2022), but the main developer behind the email app didn’t say anything in either of those issues, so I think it is reasonable to assume that K-9 Mail developers aren’t working on that yet.

On the FairEmail front, there is no public issue tracker, just a form that someone can write in; an email is sent to the FairEmail developer, who may answer you (though I didn’t try it out, so I don’t know).

What I could find is that the developer behind FairEmail seems to have reverted FairEmail’s target SDK to 33 (targets Android 13) due to the issue in OpenKeychain’s issue tracker related to the lack of Android 14 support mentioned above.

But the F-Droid and the Play Store versions of FairEmail indicate a target SDK of 34 (Android 14), so I don’t know what to think about the target SDK.

Also, this is written in the FairEmail documentation (the section “Planned features”):

“:x: Autocrypt Setup Message (section 4.4) (IMO it is not a good idea to let an email client handle sensitive encryption keys for an exceptional use case while OpenKeychain can export keys too)” - would this mean that FairEmail may not introduce the functionality of PGP encryption for emails using an open source library available online?

In some of the links mentioned in this post, some users suggested libraries to integrate PGP encryption support into K-9 Mail without using OpenKeychain; maybe that would work also for FairEmail? These seem to be maintained libraries as of now:

K-9 Mail on the Play Store seems to target SDK 31 (Android 12), which makes sense considering this open issue on GitHub.

But this says that K-9 Mail on F-Droid targets Android 13 (target SDK 33), which is strange.

I saw the target SDKs for apps on the Play Store using Aurora Store.

K9 Mail requires OpenKeyChain for PGP support (see description): K-9 Mail | F-Droid - Free and Open Source Android App Repository

yeah, an active vulnerability issue open for months is not ideal. I’d say this should have a huge warning flag on privacy guides.

3 Likes

I would happily move on to some other alternative, if one existed. There seems to be no other project currently providing OpenPGP support. Sadly we have to rely on OpenKeychain for K-9 Mail.
Also I won’t suggest generating a key pair through OpenKeychain, as it may have some misconfiguration and you won’t be able to back up and restore into other applications. I faced this multiple times.

If OpenKeychain ever stops working there are still some options…

You copy encrypted text from the mail and decrypt it in a tool of your choice. Obviously pretty inconvenient if you use PGP a lot. Could someone suggest an app for this?

Mailvelope extension is working with Kiwi Browser, I tested it long ago with nextcloud webmail (disroot) and it worked fine.

Mutt mail client in Termux. h4x0r feelings included :smile:

I would like to edit my post again, but I think that I can’t (at least I don’t find an option), so I will write this as a reply:

The K-9 Mail beta versions on F-Droid target SDK 33 (Android 13), which is also likely to be the case for the Play Store beta versions (see the information in this blog post in the section “Targeting Android 13”).

Meanwhile, the stable versions of K-9 Mail target SDK 32 (Android 12) on both F-Droid (visible through the link above) and the Play Store (visible through Aurora Store).

Maybe K-9 Mail will at some point offer OpenPGP encryption for emails without requiring OpenKeychain; someone commented in the blog post linked at the end of this reply of mine:

“Just make sure you get Spam filtering and Open PGP into it, guys!”

And the comment below is an answer to that comment about OpenPGP support in K-9 Mail:

“Lee, these are on the list! May be a while, but we are planning on incorporating these features into K-9.”

The citations were copied from the link above:

Sure, it is an old comment and an old reply from an old blog post, but it is still possible to happen.

It probably will happen eventually in order to have feature parity with Thunderbird on desktop.

1 Like

We’re aware of this, but given the nature of it, (there are no alternatives) we haven’t de-listed it.

3 Likes

Well, that depends on how you look at things. If you use any of the recommended providers that have a mobile client, this issue does not exist. So that would without doubt be the best thing to do.

I understand this is a sad reality, but this clearly makes a point for the mail solutions that offer their own app.

I get that not everyone can choose the mail provider in all cases. But I think a warning would be appropriate.

1 Like

The vulnerability disclosure seems to have made some progress.

That’s very heartening

According to this, the security issue with OpenKeychain should be fixed (and the issue report on GitHub was also closed).

Also, considering that the OpenKeychain target SDK is updated to 34, the app should still work with Android 14 and with email clients which target SDK 34, so this issue should be closed soon and FairEmail and K-9 Mail should be free to target SDK 34.

K-9 Mail may take a while to target SDK 34 as it just recently started to target SDK 33, but FairEmail can revert the downgrade of its target SDK from 34 to 33, and maybe already did, considering the target SDK shown in Aurora Store is 34, and the same is true for the F-Droid build.

I think that this alleviates most concerns about OpenKeychain; the only concern left to my knowledge is a possible lack of maintenance in the future, in case new issues arise and someone needs to fix them.

Also, the most recent version of OpenKeychain (6.0.0) is available on F-Droid and as source code on GitHub (source code only), but it’s not available yet on the Play Store (it should appear there soon).

1 Like

I’m also fine with not making any changes to our recommendation at this time. The warning on the GitHub repo implies that no new features will be added, not that it will suddenly break or will develop security issues. No longer adding features to a “basically complete” app should be fine with us (see also: Remove PrivacyBlur - #7 by jonah).

The time to respond to a security vulnerability is a little long, but not entirely unreasonable for a project like this, especially for a bug which wasn’t high severity.

Therefore I will tag this suggestion as rejected for organizational purposes, but obviously let us know if the situation changes at some point.

2 Likes