Newer versions of Android not only give users control over granting each permission to an app that requests it, thus slowing down privilege-escalation attacks that were possible in the past; Android 7.1 actually rolls back permissions that were granted in the past. When we upgrade, the apps are optimized in such a way that many of their permissions default to Not Granted, until the user makes an effort to grant them.
Further, since version 6.0.1, Android has a feature called Doze. What it seems to do is cancel alarms which apps had set, to wake themselves again in the background. It cuts down significantly on the battery consumption of a fully up-to-date Google Pixel C.
Unfortunately, this also interferes with how the email apps Kaiten and K-9 work, which try to poll the email servers at regular, user-configured intervals, but which eventually stall in their older way of doing so, instead displaying the message ‘Sync Disabled’. On my own Pixel C, I have had to whitelist the Kaiten app, to exclude it from Battery Optimization manually, so that now it is fetching emails from the server again.
To illustrate what I mean, I will use the app ‘Kaiten’, which is a simple, old-fashioned email app. It prefers IMAP but also does POP. Kaiten, like ‘K-9’, has a companion app named ‘APG’, which was supposed to become like ‘a GPG For Android’. APG manages public and private keys, and also performs encryption, based on a GnuPG-type system (RSA, ElGamal, etc.).
We should have APG installed before Kaiten, in order for Kaiten to be able to use features provided by APG. Kaiten used to access APG by using the Group ID belonging to APG. Access to this GID was a permission which Android 4 and 5 would indicate, as usual, without giving the user a choice in the matter, if we wanted to continue installing Kaiten.
Android 7.1 recognizes that in general, such a permission would also give Kaiten access to the private keys stored by the app APG, and treats this as a wrong which Android 7.1 must right. Therefore, Android 7.1 takes away this general access to the keys, and replaces it with only access to “key information”, which is not sensitive, such as the name of the key. Kaiten does not even have access to the public keys.
What this means in practice is that Kaiten opens the APG app when I want to select a key to use, to sign or encrypt an email, and after finishing in that app, control is returned to the email app. In order for anything to work properly between these two apps now, the information needs to be fed between them, and each app stays in control of its own information.
I cannot even whitelist Kaiten anymore, to give it access to the keys stored in APG. Therefore, I have yet to test fully whether the cryptography features of the email app, that once worked, still work under Android 7.1. I just know for now that it still composes and receives regular emails.
There is a note to add about ‘Kaiten’ and ‘K-9’. Back in 2014, Kaiten was the more advanced of the two apps, and cost money to purchase, which was thus contributed to the same programmers. But since that year, Kaiten has received no further upgrades. In the meantime, K-9 has received steady upgrades, and has caught up with the abilities of Kaiten. Therefore, it would not be honest advice on my part, that users should pay to use Kaiten specifically. K-9 also works, and also interacts with APG.
One thing which I can firmly tell people Not to do, is to try using Kaiten – or K-9 – for GMail. Because we already have a GMail app, which is integrated with our Google accounts, we should use either it or other apps from Google for our GMail. It is only for other, generic, non-GMail email, that we should use either Kaiten or K-9.
Google will not even allow us to use either, unless we also switch off much of the extra security which Google has, that does not belong to classic IMAP, POP or SMTPS authentication. Kaiten allows the use of SSL, but is otherwise only as well-protected as our passwords with the server.
But on the previous subject, the switch from Kaiten back to K-9 is said to be possible, by exporting its settings, which can by now be imported into K-9. The only reason I am still using Kaiten, is the fact that it seems to keep working for me, even under Android 7.1. If that were ever to stop, the reader could amuse himself, watching me switch back to K-9, and then whitelisting that app from Battery Optimization, as I must then also do…
For some unexplained reason, ‘APG’ has also not been updated recently, but few people say ‘Stop using it.’
Personally, I trust the much-hyped encryption software less, than traditional GnuPG, public-key cryptography, that I understand. The benefit of relieving the user of the need to understand public and private keys, is surpassed to my mind, by the risk that an app might offer no real security, but sound very fashionable.
(Edit:)
I have just carried out a test, in which I sent myself a simple text email, signed with a private key I own, the public key to which I have stored on the APG app on my Pixel C.
Kaiten is still able to open APG and ask this other app to verify the signature. It should therefore be just as able to ask APG to encrypt a message, before control is returned to Kaiten, and the message sent out by it as an email.
What I also recall though, is that Kaiten was never capable of PGP/MIME, for which reason I sent this test to myself using an Inline Signature.
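The difference between an Inline Signature and PGP/MIME mentioned above, as an added example that is not part of the original post and is not code from Kaiten, K-9 or APG: an inline (cleartext) signature sits inside the text body, while PGP/MIME (RFC 3156) carries it as a separate MIME part. The function names and sample messages are constructed for illustration, and the signature block is a placeholder.

```python
import email
from email import policy

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# Constructed samples; the signature block is a placeholder, not a real signature.
SIG = BEGIN_SIG + "\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
INLINE = ("From: me@example.org\nSubject: test\n"
          "Content-Type: text/plain; charset=utf-8\n\n"
          + BEGIN_MSG + "\nHash: SHA256\n\nHello,\n- -- Alice\n" + SIG)
PGP_MIME = ("From: me@example.org\nSubject: test\nMIME-Version: 1.0\n"
            "Content-Type: multipart/signed; micalg=pgp-sha256;\n"
            ' protocol="application/pgp-signature"; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain; charset=utf-8\n\nHello,\n"
            "--b1\nContent-Type: application/pgp-signature\n\n" + SIG + "--b1--\n")

def _inline_body(msg):
    """Return the first text/plain body holding a cleartext signature, else None."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_content()
            if BEGIN_MSG in body and BEGIN_SIG in body:
                return body
    return None

def signature_style(raw):
    """Classify a raw message as 'pgp-mime', 'inline' or 'none'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        return "pgp-mime"  # RFC 3156: signature travels as its own MIME part
    return "inline" if _inline_body(msg) else "none"

def inline_signed_text(raw):
    """Recover the text an inline signature covers, undoing dash-escaping."""
    body = _inline_body(email.message_from_string(raw, policy=policy.default))
    if body is None:
        raise ValueError("no inline signature found")
    lines = body.splitlines()
    start = lines.index(BEGIN_MSG) + 1
    while lines[start].strip():   # skip armor headers such as "Hash: SHA256"
        start += 1
    end = lines.index(BEGIN_SIG)
    # The signer prefixed every line that began with "-" with "- "; strip it.
    return "\n".join(l[2:] if l.startswith("- ") else l
                     for l in lines[start + 1:end])
```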