K-9 mail client is vulnerable to privacy leak

By TrustGo Security Labs On February 15, 2012 In Security

K-9 is the most popular email client for Android. It is an open-source e-mail client with numerous features, including search, IMAP push email, multi-folder sync, flagging, filing, signatures, bcc-self, PGP, mail on SD, etc. It has been downloaded between 1 million and 5 million times from Google Android Market.

K-9 version 4.005 has a vulnerability wherein a user’s email may be exposed to other apps. A malicious app without any system permissions can easily exploit K-9’s vulnerability to collect all the user’s emails and leak them to an arbitrary website.

Application information

App name K-9 Mail
App vendor K-9 Dog Walkers
Package name com.fsck.k9
Affected version 4.005
Updated January 27, 2012
Affected users 1,000,000 – 5,000,000
Category Communication
Vendor’s website
App download link

Vulnerability information

Found date 2012/2/13
Found by trustGo
Impact Privacy leak
Severity High
Distribution High
Has POC Yes


A malicious app can obtains user’s email from K-9 without user’s consent.

K-9 claims ContainProvidercom.fsck.k9.provider.MessageProvider:

<provider android:name="com.fsck.k9.provider.MessageProvider" android:authorities="com.fsck.k9.messageprovider" android:multiprocess="true" android:grantUriPermissions="true" android:readPermission="com.fsck.k9.permission.READ_MESSAGES" android:writePermission="com.fsck.k9.permission.DELETE_MESSAGES"/>

K-9 claims permission “com.fsck.k9.permission.READ_MESSAGES” as:

<permission android:name="com.fsck.k9.permission.READ_MESSAGES" android:permissionGroup="android.permission-group.MESSAGES" android:protectionLevel="normal" android:label="@string/read_messages_label" android:description="@string/read_messages_desc"/>

Since permission “com.fsck.k9.permission.READ_MESSAGES” protection level is normal, any app can request this permission. Meanwhile, app has this permission can read emails in K-9 mail client.

Thus an app can get emails from K-9 by only claim permission “com.fsck.k9.permission.READ_MESSAGES”. Combined with INTERNET permission which is very common used, an app can easily leak user’s emails to certain websites. Even without INTERNET permission, an app can also leak user’s emails to internet by exploiting another feature of web browser on Android system.

This is very dangerous when users access business email with K-9 mail client.