Open source email app published on F-Droid

We are happy to announce that everyone can get the Tutanota Android app from F-Droid. Publishing the app on F-Droid was a challenge, but it was definitely worth it. To date, no email service has published their Android app on F-Droid, the number one platform for free and open source apps.

Most email services rely on Google’s GCM (now FCM) for push notifications, which makes an F-Droid release impossible. If you search F-Droid for email apps, you will not find one app of a known email service, except for Tutanota, which - to be honest - makes us a bit proud.

Tutanota - guaranteed Google-free

With the app release on F-Droid, Tutanota now proves that it is possible to build a secure email service that is completely Google-free, giving people a real open source email alternative to services such as Gmail, Yahoo, Hushmail, GMX, Outlook, Fastmail, Posteo, Startmail, Mailbox.org and Protonmail.

"We are happy to see how enthusiastic Tutanota is about F-Droid and free software, having rewritten their app from scratch so it could be included. Furthermore, they take special measures to avoid tracking you, and the security looks solid with support for end-to-end encryption and two-factor authentication", says the F-Droid team.

You can get the new Tutanota app on F-Droid here.

Why is being Google-free important?

Being Google-free cannot be achieved simply by quitting Gmail. Most email services rely on Google products: FCM for push notifications, Google Captcha or other dynamically loaded third-party code.

If a client uses external services such as Google Push or Google Captcha, it is always possible for them to track user activity and collect personal information. When a provider trusts such a service so that it downloads and executes code dynamically, this opens an attack vector for malicious code injection. This could happen without the provider noticing.

Trusting third party code is a severe security threat that must not be underestimated: If Snowden had used a service with third party code, the NSA would not have needed to subpoena said service. They could simply ask Google or any other service providing code for said service to inject a snippet of code that logs the login password when the person signs in the next time.

Google Captcha: the best example why not to use Google

Lots of online services use Google's ReCAPTCHA to keep out spammers. This is not only unnecessary, but also dangerous: using Google Captcha subjects users to intensive tracking and fingerprinting that they are not able to opt out of.

This article explains in detail how privacy-infringing Google Captcha is:

There is a good reason why ReCAPTCHA uses the google.com domain instead of one specific to ReCAPTCHA. This allows Google to receive any cookies that they have already set for you, effectively bypassing restrictions on setting third party cookies and allowing traffic correlation with all of Google’s other services, which most users use. ReCAPTCHA collects enough information that it could reliably de-anonymize many users that simply wish to prove that they are Not A Robot. As JavaScript is now required to even view a ReCAPTCHA, even a user running software such as TBB (Tor Browser Bundle) may find themselves giving away more information than they intend to, for example if they have resized their browser window (which is discouraged for exactly this reason).

Given all this tracking, using Google Captcha was never an option for Tutanota. That's why we've built our own captcha that is very simple and very effective.

What Tutanota does to guarantee maximum security

We at Tutanota make sure that the Tutanota application does not address other applications and does not load and execute external code from other services.

We use code from other open source libraries in Tutanota, but these are statically coded into our application, and we make sure that these applications cannot load code. To protect your privacy to the maximum, we have implemented the following measures:

No usage of external services such as Google Captcha

No usage of Google libraries in the Android app (no Google Push)

Using our own push notification system

No reloading of external code from other libraries

Reviewed all implemented open source libraries

Using strict Content Security Policy header (CSP)

Using an HTML sanitizer for showing unknown content (in emails) to prevent XSS-attacks

By default, no external content is loaded from other servers (pictures and videos in your emails)

Built our own secure desktop clients instead of allowing Pop/IMAP

The desktop client also lets you verify the signature so you can be sure that no one has tampered with the code.

With the open sourced code, we make sure that there can never be an encryption backdoor in Tutanota.
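
The strict Content Security Policy header in the list above is the measure that stops a web client from pulling in script from other services. As an added example (not Tutanota's code; both policy strings are constructed and the function names are hypothetical), this checks a CSP header for script sources beyond the application itself:

```javascript
// Added example: audit a CSP header for sources that let outside code run.
// Both policies are constructed samples, not Tutanota's real header.
const STRICT = "default-src 'none'; script-src 'self'; img-src 'self' data:";
const LOOSE = "default-src 'self'; script-src 'self' 'unsafe-inline' " +
  "https://www.google.com https://www.gstatic.com";

// Parse "name src1 src2; name2 src3" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Conservative check: report every script source other than the app itself.
function auditScriptSources(header) {
  const policy = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) {
    return ['no script-src or default-src: script may load from any origin'];
  }
  const findings = [];
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'self'" || src === "'none'") continue;
    if (/^'(nonce|sha256|sha384|sha512)-/.test(src)) continue; // pinned script
    if (src === "'unsafe-inline'" || src === "'unsafe-eval'") {
      findings.push(`${src}: injected or dynamically built script can run`);
    } else if (src.startsWith("'")) {
      findings.push(`${src}: keyword needs manual review`);
    } else if (['*', 'https:', 'http:', 'data:', 'blob:'].includes(src)) {
      findings.push(`${src}: script allowed from arbitrary origins`);
    } else {
      findings.push(`${src}: this origin can serve code to the client`);
    }
  }
  return findings;
}

console.log(auditScriptSources(STRICT));
console.log(auditScriptSources(LOOSE));
```

The check is deliberately conservative: it reports every host source, so a provider's own CDN would also appear and has to be judged by a reviewer.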

Open source calendar

In 2019, we added an open source encrypted calendar to your open source email client. This is another step for Tutanota in becoming a full-fledged Gmail alternative.

Focus on privacy, security and ease-of-use

From its early days, Tutanota has been published on GitHub as open source, licensed under GPLv3.

We build Tutanota to establish a secure alternative to mainstream email services like Gmail, GMX and Yahoo that spy on their users. Quitting Google is not easy, but the effort is worth it: You will regain control over your data. When you use services like Tutanota's fully encrypted mailbox, you own your data - no one else can access it.

And, of course, when it comes to quitting Google, F-Droid is one of the most important platforms you’ll need as this is the best place to get Google-free Android apps with automatic updates.

Our Android and iOS apps have been published as open source from the start. The original Tutanota Android app was built on Cordova, which in the past made it impossible to publish it on F-Droid because the F-Droid servers could not build the app.

Not being able to publish our Android app on F-Droid was one of the main reasons we started to rebuild the entire Tutanota web client. We are privacy and open source enthusiasts, and we ourselves use F-Droid. Consequently our app must be published there, no matter the effort.

In the past year, we have completely rebuilt our mail client and published the new mail client with lots of enhancements in public beta. The new client is much faster, comes with a better design, enables search on encrypted data, supports 2FA and auto-sync, and it is not based on Cordova anymore.

This update finally makes it possible to publish the brand-new Tutanota Android app on F-Droid!

Tutanota enables you to quit Gmail

We are very excited about this release, not only because of the new features, but most of all because the new Android app finally comes without any ties to Google services. To us this update was very important as it enables you to use an open source email alternative where the entire client code is published on GitHub.

We encourage our users to leave Google behind - offering a Google-free Android app, therefore, is a minimum requirement that we demanded from ourselves.

We are very happy that we can now get our own app from F-Droid, and we recommend that you get it from F-Droid as well. :)

If you love open source as much as we do, join us on Mastodon, our favorite open source social network.

Why open source emails are better

The code of open source email clients can be inspected by the security community to make sure that the code is free from bugs and backdoors. This is important because only with open source you know that the code is doing what the service promises: securing your emails.

Help us to build the best open source email service!

At Tutanota we are a passionate team of privacy and open source advocates.

We are always on the lookout for developers to join our team. We are committed to sustainable growth and invest all income generated from selling Tutanota into our team. We want to make sure that everyone joining our team is as passionate about privacy and open source as we are.

With the entire team sharing our vision of a private and secure Internet, it is much easier to prioritize development steps such as publishing the Android app on F-Droid or building a desktop client with built-in encryption.

Published on GitHub since 2014

Making Tutanota an open source email service is one of the most important challenges for us. To date we have published the entire client code of Tutanota on GitHub.

Since most people active on GitHub are developers themselves, they gave us very valuable feedback on how to improve Tutanota and its security.

We want many more people to watch our code and to build it locally. We are convinced that it is crucial for any secure email service that the community digs deep into the code to further improve its security.

After our open source release in September 2014, we added many improvements to Tutanota. We have implemented DANE support, which immensely enhances the security of SSL. We have built an Android and an iOS app, and published these as open source email apps as well.

We would have loved to add our open source email app on F-Droid right then as well. Unfortunately, as described above, this was not possible at the time, so we focused on improving the Tutanota email client and the app features.

However, we know that many of our users do not want to use Google - for a very good reason - so we made the app available on our website as well.

We were able to publish the apps around Christmas 2014, and it was a great feeling receiving so many thank-you emails at this time of the year! Only a few months later, we added an extended version of Tutanota for only €1 per month, which is constantly growing in features. This now enables us to keep Tutanota running independently.

We then published the Android app on F-Droid in 2018. The only issue that's left for us to do is to open source the server part of Tutanota as well. We plan to develop a small, open source server for personal and business use that can be set up easily. As this needs a lot of development effort, we can't give an exact estimate as to when this feature will be released, but it is definitely on our to-do list.

Join our open source translation project

Shortly after the open source release, we also started a translation project for Tutanota. By now around 180 volunteers have joined and translated Tutanota into more than 30 languages. This support is simply amazing!

It shows us that a secure email alternative is needed around the world, particularly in countries where people lack freedom of expression and a right to privacy. We are constantly adding languages to Tutanota, and we are happy about everyone who wants to join the Tutanota translation project.

We have planned many more features to improve your open source email clients. We are very happy about all the feedback we receive in our community forum so that we can decide better what to prioritize.

Check here what features such as desktop clients, offline availability, email import, open source calendar etc. are planned for the future or are already available.

Happy encrypting!