Security Communications Handhelds Hardware

New Nokia Smartphones Leak E-mail Passwords 94

Noksu writes "Despite the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for a class action suit in the US?"
This discussion has been archived. No new comments can be posted.

  • Anonymous Coward (Score:0, Insightful)

    by Anonymous Coward on Friday April 17, 2009 @02:48PM (#27617957)

    Welcome to the world of push email? How else would you like us to do it, buddy?

  • Re:Non-issue? (Score:5, Insightful)

    by Nos. ( 179609 ) <andrew@t[ ]errs.ca ['hek' in gap]> on Friday April 17, 2009 @02:53PM (#27618055) Homepage

    I guess Nokia getting your email account credentials isn't an issue for you.

  • Re:Non-issue? (Score:5, Insightful)

    by InsertWittyNameHere ( 1438813 ) on Friday April 17, 2009 @02:59PM (#27618161)

    If you set up an email on your Blackberry with BIS (not BES) then RIM has your credentials.

    Why is it an issue now with only Nokia?

  • Re:Solution: (Score:4, Insightful)

    by tritonman ( 998572 ) on Friday April 17, 2009 @02:59PM (#27618165)

    After reading the article, it doesn't seem that it uses the HTTP headers, it appears to use actual URL parameters, which is probably 100x worse. Either way, if it sends plain text passwords, that's just idiotic.
  • by Anonymous Coward on Friday April 17, 2009 @03:45PM (#27618837)

    I'm not surprised that the amateurs at Nokia would do this. The S60 platform on the whole seems like a throwback to the early 2000's, back when smartphone users were a marginalized bunch who would put up with niggling annoyances as long as they could receive email on their devices. If the iPhone OS is pretty much OS X on a phone, then S60 is like running Windows 98 on your phone.

    I'm pretty much convinced that anyone using a Nokia smartphone right now is a masochist. My experience with an E71 has been horrendous. The built-in email client cannot handle HTML and even though there's IMAP support, you can't move messages between folders. You can't even save sent messages to your own IMAP folder, so they're forever stuck in your phone's own "Sent" folder. You can either pull messages at varying time intervals, or you can use IMAP IDLE without message retrieval, but inexplicably you can't have both at the same time. Even if you use IMAP IDLE, only changes to the inbox are monitored. Why does anyone even use the built-in client? Well, only Nokia's own applications are given the ability to present notifications on the home screen.

    Almost everybody who uses their E71 for serious emailing chooses to buy Profimail for $30, even though it also has quite a few missing features. It can't detect the phone's volume settings, so if you're in a meeting you'll have to silence both your phone and Profimail. The vibration alert doesn't work on my phone.

    The new "Mail by Nokia" system is hilariously crappy. They want you to give them the logins to your mail accounts, then they retrieve your email. Why would anyone do this? The only benefits, as far as I can tell, are push notifications and a slightly less ugly interface that completely ignores your own UI settings. The (very beta) web interface for setting up your Mail by Nokia account is incredibly limited. I still can't figure out how I managed to set up my FastMail account to work with them. After using Nokia Mail for a day I decided that these amateurs are probably not going to be storing my information in any secure manner, so I disabled my Nokia account and changed all of my email passwords.

    The whole platform is locked down because applications need to be signed. The Symbian Foundation, in the interest of locking down your phone past the point of usability, uses an insanely complex system to approve applications before signing them. The entry cost is enormous, on the order of thousands of dollars, which effectively shuts out most hobbyists from producing signed applications. Instead, they release unsigned applications, and all the users have to allow their phones to accept them. So what was the point of locking down the platform in the first place?

    Maybe I'm spoiled from having used an iPod touch. The App Store is amazingly simple and convenient, and the community has a critical mass of users and developers. For most common uses, I can assume that there's an app out there that can do what I want. Not so for a Nokia phone.

  • by Anonymusing ( 1450747 ) on Friday April 17, 2009 @04:03PM (#27619091)

    The new "Mail by Nokia" system is hilariously crappy. They want you to give them the logins to your mail accounts, then they retrieve your email. Why would anyone do this?

    Probably for the same reason that people let Gmail do this [google.com].

  • Re:Solution: (Score:4, Insightful)

    by janeuner ( 815461 ) on Friday April 17, 2009 @04:14PM (#27619271)

    In the clear? No.

    In apache access logs? muahahah....

  • by godel_56 ( 1287256 ) on Friday April 17, 2009 @05:12PM (#27620065)

    This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.

    Not only have you not RTFA but you haven't bothered to read the previous Slashdot comments. He is NOT using push email and he intercepted the communications on his own network using Webscarab and Wireshark. Nokia are only providing the comms terminal and have neither the need nor the right to know his password or account details.

  • Re:An issue. (Score:5, Insightful)

    by Culture20 ( 968837 ) on Friday April 17, 2009 @06:21PM (#27620977)

    it is still not such a big deal.

    Not a big deal to have your credentials sent to a third party? What if Nokia's wizard used a Finnish government server instead?
    What if a Chinese-made phone was sending username/password to a Chinese government server?
    What if Antti Järjestelmävalvojanen, a (fictitious) Nokia network admin, starts storing them on his thumb drive?
