Unfortunate naïve design decision

[rafael-santiago]

Hi there! It is not about a real bug, but it could be understood as a conceptual one. Recently my tutanota mobile app only offers the option of save a credential ("auto login" dig it?), it is not possible just do not save any credential if I am not feeling like to. Why is it a bad design decision? I believe that save credentials even encrypted in flash memory can spread data along this kind of storage device that it really hard of promoting a good data wiping. I am an information security professional and for the sake of my "professional paranoia" I could not avoid complaining about this naïve design decision.

There is another problem: a scenario where a person has her/his mobile device stolen, maybe by coercion/violence, she/he was pushed to unlock the device! Again, I believe it is bad, sorry!

Sometimes less is more in infosec...

Some pretty paranoid people could think that tutanota could put some shortcut for some reason for someone. I believe that do not save anything could remains for folks that are not about saving sensitive data in flash memory and/nor enable auto login.

Rafael

--

[charlag]

Hello, this is not a naive decision, it is a result of analysis and it fits most users' threats. In your ad-hoc threat model, if you are forced to unlock your device why wouldn't you be forced to type in your tuta password?

Tuta now works like every other mobile app. In case this is not desirable it is possible to use a browser version and not store credentials.

[rafael-santiago]

Hello, this is not a naive decision, it is a result of analysis and it fits most users' threats. In your ad-hoc threat model, if you are forced to unlock your device why wouldn't you be forced to type in your tuta password?

Tuta now works like every other mobile app. In case this is not desirable it is possible to use a browser version and not store credentials.

If my mobile is stolen, if all apps are in auto login, the damage it will be worse. Recently in Brazil, people are pushed by criminals in the street to unlock the device before they runaway with the mobile, in this way they can use the mobile (probably to commit other crimes), but if tutanota is in auto login, this person did not only lost her/his device, but also her/his email account and other things that could be escalated from there. Why IB apps does not stay in auto login? This is real life, it is what happens out there not only in one single spot/country whatever... Doing a thing just because everyone does it will make you just an yet another email app... I believe that basing an app related to infosec in behaviors that appears in big techs apps (that are amazing when dealing with users and their data) is not a smart decision at all... Maybe be more against the grain it would make the difference here... But it is okay, I will uninstall the app and only use in the web or maybe change the email. It does not attend my requirements anymore. Closing the issue without waiting a counter argument just shows that it is an yet another autocracy haha! Thanks and farewell!

[charlag]

You can still protect your app with pin biometric. As I said, ad-hoc threat modeling is flawed and it has nothing to do with big or small tech.

[rafael-santiago]

All this madness with biometric is bad because along the years companies have shown incompetent on protecting even flat passwords (that when leak could be easily changed) but what to do about leaked biometric data? With all this horror _H_istory that we have watching year after year I do not feel sure on using biometric in every place (only where it is really required such as IB stuff, things that I really do not live without and that have some local law protecting me about misusages or misconducts about my data). But for me it is okay, the best solution was abandon tutatona as my email of choice for day to day stuff, it is not the end of world, sincerely...