I’m writing an Android email client app, based on the Javamail API. I can log into GMail accounts from it, but I want to make sure that the login process is actually secure.
So I use code like this:
Session session = Session.getDefaultInstance(props, null);
Store store = session.getStore("imaps");
store.connect("imap.gmail.com", "usernameEditText.getText().toString()",
"passwordEditText.getText().toString()");
Since I am not storing the passwords themselves at any point (they are passed directly from the text boxes and stored in Google’s servers), I’m pretty sure I shouldn’t have to worry about hashing and encrypting things as if I was keeping the passwords in my own DB–but is this secure at all, or can the user/password combination potentially be intercepted as the packets created by my app are sent to Google’s servers?
If I understand correctly, the “imaps” store ensures that this is an SSL connection and so the traffic should be encrypted, but I want to make sure I’m not misunderstanding things.
Thanks!
Don’t worry. All data in IMAP over SSL connection are encrypted. However for sending email, the Transport.send method will use the default transport protocol,
which remains “smtp”. To enable SMTP connections over SSL, set the
“mail.smtp.ssl.enable” property to “true”. This is usually the easiest
approach.
Alternatively, to change the default transport protocol
returned by the Session.getTransport() method to SMTP over SSL, set
the property “mail.transport.protocol” to “smtps”. To change the
transport used for internet addresses (as returned by the
Session.getTransport(Address) method, and used by the Transport.send
method), use
session.setProtocolForAddress("rfc822", "smtps");You can find more information in Notes for use of SSL with JavaMail.