SMS Forwarding

SMS2Email Buddy and PigeonHole Android Apps

Security and Usage Recommendations

March 2016

This is an update to my previous article about security in PigeonHole and SMS2Email Buddy apps. You may refer to the article dated Nov 2015 if you have not read it.

The use of a more secured methodology (e.g. OAuth2.0) means that more network overheads are introduced. For an SMS received, you will be redirected to your Gmail account to key in your password to exchange for a token. It is more secured because this token, rather than your password, is stored in the phone. The app then uses it to access your sender Gmail account to send out the email. Subsequent accesses can be performed until the token expires and the app repeats the process to acquire a new token. This severely affects the functionality of our apps to perform efficient SMS forwarding. Hence in the meantime, until we can incorporate this authentication mechanism without sacrificing efficiency, you may be required to specify the settings to 'allow less secure apps access' in your sender Gmail account.

However, we encourage you to follow these recommendations when using these apps to minimise your risks: • Consider creating a separate Gmail account and using the corresponding Gmail address (e.g. as the sender. That way, even if this account is compromised, your other Gmail accounts are still safe. • Do not connect to the public wifi to prevent hackers from sniffing your credentials. • This might not be applicable but if you are using the app as a means to backup your personal SMS, try entering Gmail addresses as recipients so that the emails are not forwarded externally. According to [Google, March 2016], emails sent from Google to Hotmail, iCloud are 100% encrypted (Yahoo and AOL are 99.99%) so entering recipient(s) from these domains should also be secured. • If you do unfortunately lose your phone, quickly change the passwords of senders in these apps. For that matter, do also change the passwords of any services (e.g. email, ecommerce, etc.) you have previously accessed on your phone.

If you have any queries, please drop us a line.

Ken Lim

Founder & CEO

November 2015

Hello! Thank you for your interest in our SMS2Email Buddy or PigeonHole app. I am glad it has the features you need. However, I would like to share with you the internal workings of the app so that you are aware of its strengths and limitations.

The sender Gmail address (personal or created specifically for use with these apps) and password you key in our apps are stored in your phone (never on our server). They are used to connect to the Gmail server (via SMTP port 465) to help you send out an email, from the Gmail address, to your recipient(s). This does not conform to the latest OAuth2.0 authorisation standard where a token (rather than a password) is used instead. Hence, you might experience problems when you try to send a test email as described here.

One of the remedies is to 'allow less secure apps access to your account'. Should you use these apps since they are less secured? It is important to see the entire picture and not just the security standards in place.

Traditionally, SMS messages are 'decoupled' from the Internet. Without touching on the details, it is reasonable to say that your SMS messages are less likely to be intercepted in the network (different switches in the backbone). However, email was never designed with security in mind and there are a few points along the network where your emails can be compromised:
• Between the mail client in your phone to the source mail server (e.g. Google, ISP)
• Between the source mail server to recipient mail server
• Between your recipient mail server to your recipient phone

Even if links (a) and (c) are secured, you cannot control what happens in link (b). Some mail servers do exchange emails in clear text. Hence, if you wish to send the content of your SMS over email, you must be prepared that it could be intercepted and read. At the very least, Google has access to all your emails in your Gmail account and hence your SMS content if you were to use these apps. In any case, if your phone has been infected with malware - hackers have special devices to create fake networks in free public Wifi waiting for you to log on - then it does not matter how secure you connect to the Telco/ISP because all SMSes, emails and data residing in your phone could be sent 'behind your back' to an unauthorised server.

That said, we will explore incorporating OAuth2.0 if it does not compromise the reliability of our apps due to the additional overheads introduced.

With these considerations in mind, if you decide that you still want to use our apps, I thank you for your support and welcome you onboard. I can guarantee you one thing: we do not have any knowledge of your SMS messages or password and that is one thing less for you to worry about.

Ken Lim

Founder & CEO