Overview

Settings and Options in the Preferences Screen
    General
    Mail Synchronization Settings
    Password Settings
The In-App Security Architecture and Usage Models
    General Security Information
    About Trusted Sources
    Security Settings

Settings and Options in the Preferences Screen:

General

Store data on SD Card? (Default is checked): Please be aware that a lot of Android devices use “built-in” sd-card-storage and it may not be a separate sd-card you plugged in the device where the data will be stored.

Encrypt data on SD Card? (Default is unchecked): For performance reasons the option is not used by default on older devices.

Debug (Default is unchecked): If you experience any problems with the app, please turn on this option and send us an Error Report (using the Menu -> Send Error option). With Debug checked the log-file information is in more details for us to analyze your problem.

Cleanup: This option is useful if you need space on your phone. A cleanup will empty older entries in the message database which are out of the time frame of storage settings. See Mail Synchronization Settings for more details.

Clear recent contacts: This option deletes the stored e-mail addresses from your created messages. This can be used to get rid of mistyped addresses.

Mail Synchronization Settings

Peak Time Start (Default is 08:00h): During peak time the app is checking in shorter intervals for new messages than outside this time of day.

Peak Time End (Default is 18:00h): See above.

Peak Time Interval (Default is manual): Choose the interval for “in peak time” usage.

Off-Peak Time Interval (Default is manual): Choose the interval for “off peak time” usage.

Days to Store Messages locally (Default is 30 days): You will see only messages that are within this time period in your folders. Older messages will be deleted from the local store by automatic or manual cleanup processes.

Message Download Size (Default is Headers only): Upon the size of the message depends the automatic download of the whole message or just the header information. Choose this according your needs in prompt message viewing and most of all according to your mobile provider cost plan if you are stuck without a wlan.

Download POP3 mails (Default is unchecked): If you are using a POP3 account you synchronize your mails with this option. Please be aware that there could be problems with the local message store if messages are deleted on server.

Use Pushmail (Default is unchecked): If you use this option the app holds an “open line” with your mail server to get immediate information of new mails. Please be sure that you activate “always-on mobile data” in your phone settings to make this work properly.

Account-sync-Interval (Default is 24 hours): This is the time interval in which your account will be completely synchronized with your mail server.

Limit Number of new Mails (Default is 25): Set here the upmost limit of messages for each mail check. If you use pushmail this will not matter in your daily experience.

Password Settings

Change Master-Password: Yes, you can do it right here! To deactivate the Master-Password change it to a blank password.

Password Validity (Default is 5 minutes): If you use a Master-Password, which we definitely recommend for security reasons, you can set the time in which it stays in memory for further use.

Password Validity after Screen-Off (Default is unchecked): If checked the Master-Password stays in memory for further use until you turned your screen-off for the Password Validity (see above) period.

The In-App Security Architecture and Usage Models:

General Security Information

There are two different places where data is stored:

  • the Messages & Attachment Store (in the Android user area which can be on a sd-card)
  • the Messages & Key-Store database (in the internal Android App area)

Your keys are stored encrypted with your PIN and message content is stored encrypted in database. If you enable the option Encrypt data on SD Card the file based messages store is encrypted too. Attachments are stored unencrypted at the moment! To protect the message store y During the setup process a 2048bit-rsa-key for this installation is generated. It is protected by the Master-Password. If, at your own risk, you choose not to use the Master-Password the data in general will still be encrypted with this key. Please be aware that eventually you will not notice unauthorized access to the data!
For usability optimizations we also provide an option in the security settings where you can choose a specific time period in which you don’t have to re-enter the Master-Password even after a screen-off.

The certificates and keypairs of your .p12 files or your pgp-keypairs are secured separately. For each key you have to set a specific PIN during the import process. You can change the PIN anytime in Cert-Store. This means that every time the key is needed to digitally sign or de-/encrypt a message you are prompted for the PIN.
Again for usability reasons you can optimize the app for your needs with the option that the PIN shall be stored encrypted within the app.
There is no export-function in R2Mail2, so make sure that you backup your keys and certificates separately and with all the activation info needed in case you forget your PIN. The backup function of R2Mail2 can be used to import all your keys and certificates on an other device but is not designed for key backup.

About Trusted Sources

During the setup process the Android root store is imported in the app Key-Store. If you don’t use certificates from those trusted sources, please be aware that you have to import the root certificates separately to ensure a correct validation of certificates and digital signatures. In general the way into the trusted sources for Android is secured by the Google policy. We are also convinced that Google understands the importance of updating or informing its users of any threat in the proper time.
Anyway, if you choose your own trusted roots, make certain that you have certificate policies (CP) and certificate practice statements (CPS) available and that you can understand (language and terms in general) and rely on this information.

Security Settings

Download Intermediate Certificates (Checked by default): This options handles the automatic download and verification of the certificates used in the hierarchy between the root and the user certificate. This option only is used once for user certificates that have the same hierarchy. If present in the local Key-Store no download takes place.

Revocation Checking (Default is OCSP/Fallback CRL): Trust Center provide very different “experiences” when it comes to revocation handling. Some do not have OCSP (Online Certificate Status Protocol) at all, some others have CRL (Certificate Revocation List) issuing time intervals which are more than not satisfying. So in general for the user the option of OCSP is to be preferred because of the smaller amount of data exchange and the prompt response of the certificate status (valid, revoked, suspended, etc.).
If you know that you, or someone you communicate with, are serviced by a trust center that offers just one option, you can set this as the singular used mode here. We do not recommend to disable this option.

Use System Root Store (Checked by default): Please see section “About Trusted Sources”.

Encryption Standard (Default is S/MIME then PGP): The big question is: What kind of person are you? It’s not that bad as the cats and dogs question, but … do you prefer S/MIME or PGP? Here you can opt for your preferred method. Please be aware that the people you communicate with could be using the “other” option, if you opt for a singular method, and you will not be able to decipher messages with this person.

Combine S/MIME and PGP (Checked by default): In general its not a good idea to mix encryption standards, but if you and your recipients doesn’t use the same standard this could be of use. This options decide to use both standards within one mail – for example: provides the possibility to encrypt with PGP and sign with S/MIME. See section above.

Behavior “Combine disabled”:

↓ Sign / Encrypt → Not S/MIME PGP S/MIME & PGP (multiple recipients)
Not Plain S/MIME enc PGP enc 2 MSGs: S/MIME enc & PGP enc
S/MIME S/MIME sign S/MIME sign + enc X X
PGP PGP sign X PGP sign + PGP enc X
S/MIME & PGP S/MIME or PGP sign S/MIME sign + enc PGP sign + PGP enc 2 MSGs: S/MIME sign + enc & PGP sign + PGP enc

Behavior “Combine enabled”:

↓ Sign / Encrypt → Not S/MIME PGP S/MIME & PGP (multiple recipients)
Not Plain S/MIME enc PGP enc 2 MSGs: S/MIME enc & PGP enc
S/MIME S/MIME sign S/MIME sign + enc S/MIME sign + PGP enc 2 MSGs: S/MIME sign + enc & S/MIME sign + PGP enc
PGP PGP sign S/MIME sign + PGP enc PGP sign + PGP enc 2 MSGs: PGP sign + enc & PGP sign + S/MIME enc

Digest (SHA1 by default): The market is in a in-between stage of which digests are used or provided by software. SHA1 is the least common denominator in the software world right now. If you now for a fact that your communication partners use software that can handle better, do it! This is an option concerning the liability of your digital signatures. Your trust center should provide you with a policy where you can find more detailed explanations.

Encryption Algorithm (Default is AES 256bit): More is better! Fallback on lower encryption algorithms should only be used, if your communication partners are restricted by software. Again, more detailed explanations should be provided by your trust center!