Jump to content

Wikipedia:Reference desk/Archives/Computing/2019 November 16

From Wikipedia, the free encyclopedia
Computing desk
< November 15 << Oct | November | Dec >> Current desk >
Welcome to the Wikipedia Computing Reference Desk Archives
The page you are currently viewing is a transcluded archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages.


November 16

[edit]

Search in Yahoo mail

[edit]

from a smartphone. As opposed to a regular computer, in Yahoo-mail application on a smartphone there's no search line in the top of the page. How, then, one can execute a search whithin the mail ? בנצי (talk) 17:59, 16 November 2019 (UTC)[reply]

It's possible your app just doesn't support that. Did you choose a "lite" version of the app ? If so, there might be a larger app you could download that does include this. Note that I don't refer to the size of the app so much as how much RAM and data it uses. In particular, searching through the titles shouldn't be too bad, but searching through the content of emails would be far worse. (This all depends on whether such a search is performed at the server or on your phone. If on the server, there should be no problem for the phone.) SinisterLefty (talk) 19:27, 16 November 2019 (UTC)[reply]
I like K-9 Mail which is a FOSS Android email app that is an IMAP client. It has a search button that I think is able to work independently of the IMAP back end. 67.164.113.165 (talk) 22:37, 16 November 2019 (UTC)[reply]
Storing your mail locally via IMAP would also be a good idea in case your fickle free e-mail provider ever decides to up and close your account for no reason. 93.136.94.213 (talk) 06:39, 17 November 2019 (UTC)[reply]
As far as I was aware, IMAP, by its very definition, uses the server to store emails, and only downloads what it needs on demand. It is possible to tell some IMAP clients to download more stuff for offline use, but this is not a typical use case of IMAP. POP3 is a protocol that works totally offline after the message downloads. But I don't believe that anyone on a smartphone wants to download all their email to the phone as a "backup" or hedge against a negligent provider. That seems to me more of a sitting-at-home, desktop-computer task. Elizium23 (talk) 21:29, 17 November 2019 (UTC)[reply]
I do just that (lol). It's not like you have 500GB of spam so you don't have space. 93.136.94.213 (talk) 21:34, 17 November 2019 (UTC)[reply]
That is a decidedly poor privacy practice. Personally, I attempt to minimize all the personal information that can be found on my mobile devices. Downloading my email would be sheer folly, and not any kind of 'backup' to lock it away in an easily-lost flash memory format. I guess it's the way of the future that people's primary computing devices are their smartphones, always in their pockets, but it's not a best practice, and it's one you won't catch me doing, or counseling to other users. Elizium23 (talk) 21:50, 17 November 2019 (UTC)[reply]
1. If someone gets ahold of your cell phone and hacks into it, they can setup IMAP themselves and steal all your emails anyway, as you have login credentials on your phone. 2. Any backup is better than no backup from a data preservation standpoint. 3. If you cache all emails via IMAP you don't have to use the crapp that comes with the email provider, so you can, for example, search your emails. 4. Of course it's better to have your sensitive data on a real computer, of course people flush their privacy down the bowl because it's easier to use GApps than real software etc. etc. Of course setting up IMAP on your computer (hopefully Linux or Win 7) and backing up the mailbox would be the best solution (and of course that's not even complicated). But most of the time we're dealing with people for whom this is all as easy and appealing as running a marathon. In this case, the user either has a rooted, de-Googled phone, or he/she has already surrendered their privacy. So, having a somewhat insecure backup is unlikely to hurt them more and he/she can search e-mails. 93.136.31.83 (talk) 01:53, 19 November 2019 (UTC)[reply]
Collapsing long reply as we're getting fairly OT of the original question Nil Einne (talk) 08:11, 19 November 2019 (UTC)[reply]

First I feel I should point out that most competent IMAP providers including Google support searching on the server. Depending on the number of your emails and your phone this may actually be faster than searching on the device although you are limited by the search options your provider supports. Definitely the Gmail app supports searching, although the original question was about Yahoo anyway, so I'm not entirely sure why we're talking about a lack of searching on GApps. I don't know much about Yahoo, but I somewhat doubt they don't allow searching so I strongly suspect, as I think other respondents, that this is not a limitation of Yahoo but simply of the app they're using or even that they're simply confused. IIRC this isn't the first time the OP has asked something which was actually very simple. To put if a different way, this seems to me to be similar to when someone says my Windows 10 computer keeps crashing and someone else says to switch to Linux or Windows 7, when the problem is actually their RAM is defective and so of course the suggestion doesn't actually help their problem in any way and even if it does for some weird reason, it still wasn't a useful suggestion for their problem.

As for the login credential bit, not necessarily true depending on what you mean by login credentials. Although Android phones normally use a Google Account and of course all the Google Apps tend to use this account, the account password is not AFAIK stored on the phone from this for a long time (or ever). An auth token (similar to a cookie) is stored instead [1]. You may be able to use this auth token for generic IMAP access, but I strongly suspect you cannot do so. Of course the Gmail app will have access to the account and should be able access all emails, and you can probably modify it to download them all, but this doesn't change the fact these aren't generic login credentials which would allow any and all access. Now if you've logged into your Google account on a web browser and stored the password, or if you've used some third party account then maybe your password is stored. That said, Google and most providers, even Yahoo, are discouraging this sort of thing by moving to tokenisation login systems (generally OAuth2) [2] [3] [4] [5]. Now since this token allows IMAP from some client, if you know what you're doing I'm sure you can re-use it to allow IMAP from your own client, but this doesn't change the point that your comment seems to suggest the username and password is stored on the phone.

Probably a more important point, and I suspect this is why Elizium23 touched on it, is if you're remotely aware, the third thing you should do when you lose your phone or especially if it is stolen, is to change your email password. (Second would be to report it to your mobile company to block your number. First, I'll get into that later.) This will mean even if the password is stored, it should be useless. So should any tokens since changing the password should invalidate these. (Most providers will also allow you to invalidate them without changing password.) I suspect this is what Elizium23 was thinking since it was what I was thinking before you replied.

If the person who stole or found your phone is competent maybe they'll quickly steal your stuff before you have the opportunity to stop them, but if they don't they only have access to what's on the phone. So if you have all your emails stored, they will have access to these but not if you don't store them and they need to be downloaded and you stop them before they can. Remembering also they may need to deal with the pin/fingerprint/face/whatever authentication first if you've enabled these. Now if you don't bother to change your password, this is a moot point but still, someone who loses or has their phone stolen may search and find suggestions to do these after the fact, but that doesn't help them with mistakes they made before their phone was stolen/lost.

And these and competence touch on an important point. If you do enable some sort of lock protection on your phone, while they often can be broken depending on precisely what you enabled, they may often slow down an attacker, giving you more time to try and protect your data. Of course they may not be broken depending on the competence. Although I don't like Apple for various reasons, their devices in particular tend to be hard to break except for the most dedicated attackers so it's possible that you may get not have to worry even if you did store everything on your phone. Attackers may also consider whether it's worth the time and risk, compared to just wiping your phone and selling it, especially dedicated attackers.

Also both Android [6] and iOS [7] have methods to erase a phone remotely. These obviously rely on the phone having internet access (e.g. if it has data) and obeying the command and that you didn't disable it due to fear it would be abused or whatever. If your phone was stolen, you probably should do this first. If it was simply lost, I guess you have to decide if it's worth the risk of simply locking it (which also tends to be an option).

For the reasons, after disabling any lock screen if possible, a competent attacker will turn off the phone, and when they turn it back on, store the phone in a Faraday cage or at least remove the SIM until they break it and break these systems. But in reality it seems quite likely that the vast majority of people who find and keep phones, and probably at least a majority even those who steal them are not so competent. For the latter, they may eventually hand over the phone to someone who is so, but it may be too late by then. Now this may suggest you don't have to worry about either, but still, the more you store on the phone, the more that may be compromised.

But competence also gets at other point. I mean sure you may be unlucky and your phone will end up in the hands of someone who goes through a lot of effort to get everything they can. But and especially if you don't do the basics like bother to lock your phone or you're just unlucky and the person either gets it when it's unlocked or manages to unlock it (if you're using PIN a person doesn't have to be that competent to watch you before they steal it), there's a fair chance that the person is just going to fool around and find whatever they think is interesting or useful. If you have a bunch of nudes in your email, these will probably be a prime target. If these aren't stored on the phone, depending on when and if you change your password you may stop them before they get access. Especially since many thieves may not want to stick around.

As said, most probably if you remotely wipe your phone this will stop the average opportunist. Still it's not that hard to learn that if you don't, the phone gets wiped or maybe even someone shows up at your door asking why there's a stolen phone at your house. And learning to turn off the phone and use it somewhere where it can't get internet access is not that hard. You can often also remove the SIM. (In some cases this may lock the phone in some way or kill the credentials, but not always.) In addition, if the phone owner regularly turns off mobile data, or simply doesn't have it, then these options won't be available unless the attacker themselves choose to connect. If the attacker is trying to access the email but didn't prevent the phone from wiping itself, they've probably just screwed themselves.

But ultimately giving an attacker all your emails including your nudes without needing to connect can be a disadvantage. You increase the risk even an opportunistic attacker will get access, simply by luck or minor competence. The more work they need to do to get your emails, the less likely they are probably going to. If they just unlock your phone, open your email and can see every email, the more likely this is to happen.

Note that I'm explicitly not commenting on whether or not you should do so. Simply pointing out that it's complicated and IMO misleading to suggest there's no different since there can be big differences.

I will say I find the "privacy" comment is IMO also missing the point. Plenty of people don't want some random person who found their phone looking at all their emails especially not their nudes etc. I mean sure, the kind of people who email nudes probably also have local copies of a lot of them, but maybe not all. It may be true that it's theoretically possible a Google staff member may look at your nudes and private emails, and it may be true these are subject to automated analysis, but I think it's entirely reasonable that people either don't care, or aren't completely happy about the stuff Google etc does and the risk that is entailed, without thinking they should just put up with any random person who steals their phone being able to see all their private emails, including those may use to try and compromise their accounts, harass their friends and colleagues or fool them, etc.

I think this includes plenty of people who do have a fair idea of what's going on and what's possible, rather than simply the naïve. I don't think we should assume that these people's opinions or views of what they care about are wrong, just because some people disagree with them. If anything stories like [8] [9] illustrate the point IMO that plenty of people feel that way. In other words, plenty of people will make decision which for them, based even on the best available evidence and information, is what works best for them based on what they care about, what risks they consider are worth worrying about, what disadvantages are worth putting up with, etc etc and even though you may feel different from them, this doesn't mean they are wrong or stupid.

Nil Einne (talk) 08:11, 19 November 2019 (UTC)[reply]

And I just confirmed below, as I expected, that the Yahoo Mail official app does indeed have searching from what I can tell, including full text search. I'm sure it's server side, which does mean more data will be used for searching. But as said, there can be advantages in speed depending on the quality of your clients indexing and data connection. (And if it doesn't index, well.....) More to the point, the advantages of server side vs client side searching haven't really been touched upon except very loosely in SinisterLefty's reply, and then a very vague comment on it being crap. The suggestion has been to do it client side just because it the OP couldn't find searching in their client and we don't even know what that is which again IMO makes no sense. Nil Einne (talk) 08:38, 19 November 2019 (UTC)[reply]
This is too long for me to read it whole but the part which I did I don't see how it relates to using IMAP or flat out misses the point. For example OAuth and IMAP: Google gives you a special IMAP-only password. So actually using IMAP is more secure than logging in normally since the password that is stolen can only be used to access, write and delete the e-mails, not lock out the account owner. Sure you could set up OAuth too (assuming it works something like an SSH key so it provides the same extra security) but I never bothered to figure out how it works and I bet most regular people won't either. They will be using the regular login password and storing that in the phone memory to be stolen by the attacker. Telling them to set up a second IMAP password is something they will understand and be able to do, and it will actually help them. 93.142.92.186 (talk) 06:14, 20 November 2019 (UTC)[reply]
The design of IMAP means that the emails are supposed to stay on the server and the server is the authoritative record of those emails but I don't know if I'd agree that it's not a typical use case for all emails to be cached, at least on desktops. Even more so if the client has been connecting to the server from the beginning. That said, I said cache for a reason. Since the server us the authoritative record of the emails, the client will generally follow the server in deleting any emails the server has marked as deleted. If you are using your local cache as a backup, you need to very carefully set up your client or otherwise you may find your backup is useless in certain circumstances of emails disappearing from the server. Of course another solution which should save most emails except for recent ones is to ensure there are regular, unmodifiable backups of your backup as you probably should anyway. That way if your client does delete the local cache, you can still get them back and modify your settings so it doesn't keep happening. (Well frankly with any decent email client, just preventing it from connecting to the server should be enough.) Nil Einne (talk) 09:57, 18 November 2019 (UTC)[reply]
If someone gets into your email account and deletes emails then yeah that would reflect on the cache. But I think if you have a secure password, the most common problem is just getting locked out, and there's nothing you can do to get your account back since Big Data doesn't do support for marketing leads customers. I'd agree that having a real backup would be a lot better than just using the email client cache. 93.136.31.83 (talk) 01:53, 19 November 2019 (UTC)[reply]
Collapsing long reply as we're getting fairly OT of the original question Nil Einne (talk) 08:11, 19 November 2019 (UTC)[reply]

Well first, the original stated reason was "would also be a good idea in case your fickle free e-mail provider ever decides to up and close your account for no reason", not people locking themselves out of their accounts. This is why I worded my reply carefully. Depending on how your provider "close your account for no reason", you could very well find your local cache is deleted. If they just stop letting you log in then your cache should be safe. OTOH, if they turn it into an empty account, your client is likely to perceive all emails are deleted and delete the entire cache. I note that Yahoo and Outlook still I believe empty accounts if they aren't logged into in some time. (Possibly a year.) This isn't really "close" IMO, but it is a case where all your emails are likely to disappear in such a way that any IMAP cahce will also be cleared.

Second, I actually think the most likely scenario is one where a user accidentally deleted emails, nothing involving a third party or their provider screwing up. In this case, it may not be possible to recover the email from the provider, especially if you've marked it as permanently deleted or this has happened over time. E.g. for Gmail only Gsuite customers have any hope of recovering emails once they're deleted from the trash (whether because something did that or after 30 days) [10] [11]. It sounds like for Outlook you can recover emails provided it's not a child's account even without Officer 365 etc but of course with caveats [12]. Anyway this which IMO is the most likely scenario where emails are lost is also something for which an improperly set up backup is basically useless hence why I suggested if you are going to go down this route, you probably should do some basics to ensure you actually have a backup which will protect such things.

Third, it's not true that there's nothing you can do. In fact, most major providers have methods of recovery which ultimately involve convincing some tech support person to reset your password in the worse case e.g. [13] [14] [15] [16] [17]. (Possibly this doesn't include Yahoo, I'm not sure. Yahoo has a very poor record nowadays anyway.) It's true these methods can fall through [18], but this doesn't change that they exist. While most providers would prefer if you rely on their automated systems and provider numerous ways for password resets with minimal or no involvement of customer support, and also generally wouldn't mind if you just make a new account, most also would much rather keep their marketing leads/customers than not, so providing support for such basics as regaining access to accounts is in their interest. Such processes tend to be quite difficult because otherwise social engineering will mean anyone competent can compromise your account just by convincing customer service that you are the legitimate owner when you aren't [19] [20] [/www.wired.com/2012/08/apple-amazon-mat-honan-hacking/] [21] [22] [23]. So for something like a random account with a random provider who has little real information on you, it may be almost impossible without friends in high places (as per the Techcrunch story), you'd note that from what I saw, none of those involved seem to be either Google or Microsoft customer support the ones subject to social engineering (although Apple and Amazon were involved albeit I didn't check the details). That said, this is a difficult thing to search since the far more common scenario is social engineering the customer, fooling them into sending the reset code or similar.

Fourth, I also wonder whether it's actually far more likely that someone's account will be compromised than for the person to lose access from forgetting the password, particularly for an account where they actually care about the data. As I said above, and the earlier sources somewhat attest, gaining control of someone's email account often ensures you can also gain control over a lot of their stuff since password resets by email are a very common feature so it tends to be a big target. Plus the data may also help any social engineering attempt. That said, most of these aren't going to be deleting all your emails unless it's a particular sort of attack probably a ransom ware attack. They're only likely to delete emails to try and hide their compromise. And many people nowadays tend to have some form of recovery probably via their mobile number. (This would vary from country to country. In places where it's common to change numbers a lot e.g. due to changing prepaid providers for better rates and either a lack of number portability or simply not using it, it's far more likely to arise since the number stored in the account may not be one the customer has access to any more.)

Fifth, if you did happen to lose access solely from forgetting your password, I'd note that putting all the other methods of recovery aside there's a contradiction between this and the above. If it is indeed possible to recover the password from the phone (and as I said, it may not be), then the person losing access should be able to do this anyway, unless their either lost their phone or it gets lost from their phone. Which can happen, but still demonstrates that losing access is far from a simple scenario. More likely even if it is possible, the person may have no idea how to do it. But then such a person, even if they successfully set up their phone app with a local cache of the email and doesn't accidentally delete it or otherwise use an app which doesn't allow access when it cannot connect to the account, will probably still have no idea how to get the data out of the phone so they will be stuck with it being on this phone forever. Which further provides evidence of it not being a simple scenario, but IMO further demonstrates why the person should first be advised some basic sensible precautions rather than relying on something which may work in certain circumstances, but won't work in a lot of others.

Nil Einne (talk) 08:11, 19 November 2019 (UTC)[reply]

I can offer some real life experience here rather than speculations. I've had probably dozens if not more free e-mail accounts for various reasons (e.g. ad testing) and I've lost a fair bit of them. Yahoo mail does wipe the mailbox if you don't log in at all, I think it used to be 3 months but it hasn't happened to me in a long time. IMAP counts as a login here and so it does for Google and other services I've been with, so the idea that they'll still wipe your email is wrong. Second, I've been locked out/had my account deleted/shadowbanned or whatever you wanna call it. I don't know why they do it other than to piss off people with multiple accounts. In no case have I ever been able to get the account back. One time I got a response from Google support asking for ID documents. I told them it wouldn't help because I didn't keep identifying information in that mailbox but told them I'm obviously the owner of that account too from IP logs. Haven't heard from them. Another time I lost an important account tied to an e-wallet which even had a phone number, nothing worked and they didn't get back to me. I sorted it out eventually, nothing was stolen, then a few months later I decided to try re-registering the account, and that worked, so it was deleted for some reason. I never had any cases of identity theft or information being stolen and used against me that I know of, so my most reasonable assumption is that these accounts weren't hacked, but closed for some reason the companies don't want to reveal to me.
In no case that this happened to me, not a single one, did I lose cached emails, because the login credentials stopped working. Whether my mailbox was wiped, my email client couldn't know, because it couldn't log in. So that part is nonsense. And even if that happens, you can still configure your email client to copy old messages to an archive folder and things like that.
Most of your post is "I think it's more likely" and "I wonder if it's likely". I'm not gonna refute that other than say I disagree and at least have some experience with this. You're advising people to rely on proven to be unreliable mechanisms while telling them explicitly not to backup their mail based on spurious assumptions that they have a weak password and/or are forgetful and/or account thieves will delete all mail etc. 93.142.92.186 (talk) 06:14, 20 November 2019 (UTC)[reply]
I just confirmed that the Yahoo Mail app from Yahoo on Android, this one [24] has a search magnifying glass at the top right. When you click on it, a search bar shows up. It seems to perform some degree of full text search. I don't know if the magnifying glass is on the left if you use RTL text, but either way it probably should be there in the main official app. You could use some other app if you had a reason to, but if it's solely for searching there's no established reason to except maybe to save mobile data. Are you sure you're using the official Yahoo app? Note that I cannot find any evidence of an official lite app, it's possible it only shows up in certain markets but even a general Google search didn't find anything so I wouldn't be surprised if it simply doesn't exist. There may be unofficial lite apps, but I wouldn't trust them. Also is this Android or iOS? Nil Einne (talk) 08:32, 19 November 2019 (UTC)[reply]