The Cloud Application Security Assessment (CASA) is an annual security review required by Google for apps that request access to restricted scopes such as Gmail data. It verifies that an app follows solid security practices for handling, storing, and accessing user information.
Thunderbird for Android and K-9 Mail have completed the CASA assessment at Tier 2, covering broader access to Gmail features. The process was carried out by NetSentries, an approved ADA assessor. We'd like to thank the team for their support. They have been supportive throughout, communicated clearly at every step, and were generous with their time and guidance. If your application requires a CASA review as well, please reach out to them.
The code in this repository underwent an extensive security audit in collaboration with the Open Source Technology Improvement Fund (OSTIF) and 7ASecurity in the first half of 2023. OSTIF and 7ASecurity were amazing partners that provided a helpful guiding hand, and made the process of doing the audit a breeze. We really appreciated their professionalism and expertise. For more details, see our blog post.
These are the SHA-256 fingerprints for our signing certificates:
- Thunderbird:
B6:52:47:79:B3:DB:BC:5A:C1:7A:5A:C2:71:DD:B2:9D:CF:BF:72:35:78:C2:38:E0:3C:3C:21:78:11:35:6D:D1
- Thunderbird Beta:
05:6B:FA:FB:45:02:49:50:2F:D9:22:62:28:70:4C:25:29:E1:B8:22:DA:06:76:0D:47:A8:5C:95:57:74:1F:BD
- K-9 Mail:
55:C8:A5:23:B9:73:35:F5:BF:60:DF:E8:A9:F3:E1:DD:E7:44:51:6D:93:57:E8:0A:92:5B:7B:22:E4:F5:55:24
You can use the following command to retrieve and verify the certificate before installation:
```shell
apksigner verify -v --print-certs <path-to-apk>
```
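The comparison can also be scripted instead of done by eye. The following is an added example, not code from this repository: it normalizes a published fingerprint (colon-separated, upper case) and compares it with the digest apksigner reports. It assumes apksigner prints the digest on a line of the form `Signer #1 certificate SHA-256 digest: <hex>`; the function names and the script name `check-fingerprint.sh` are hypothetical.

```shell
#!/bin/sh
# Added example (not project code): compare the signer certificate digest that
# apksigner prints with a fingerprint published in the list above.

# Drop colons/whitespace and lower-case the hex, so "B6:52:..." and "b652..."
# compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Read `apksigner verify -v --print-certs` output on stdin and print every app
# signer's SHA-256 digest, one per line. Assumed line format:
#   Signer #1 certificate SHA-256 digest: <hex>
# Lines for other digests (SHA-1, MD5) or a source stamp do not match.
signer_digests() {
    sed -n 's/^Signer .*certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p' |
        tr 'A-F' 'a-f'
}

# fp_matches <published-fingerprint> < apksigner-output
# 0 = every signer matches, 1 = mismatch or no signer found, 2 = bad fingerprint.
fp_matches() {
    expected=$(normalize_fp "$1")
    case "$expected" in *[!0-9a-f]*) return 2 ;; esac
    [ "${#expected}" -eq 64 ] || return 2   # SHA-256 = 64 hex characters
    found=$(signer_digests)
    [ -n "$found" ] || return 1
    for digest in $found; do
        [ "$digest" = "$expected" ] || return 1
    done
    return 0
}

# Constructed sample of apksigner output, for trying the functions offline.
SAMPLE_OUTPUT='Verifies
Verified using v2 scheme (APK Signature Scheme v2): true
Signer #1 certificate SHA-256 digest: b6524779b3dbbc5ac17a5ac271ddb29dcfbf723578c238e03c3c217811356dd1
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000'

# Usage: sh check-fingerprint.sh <path-to-apk> <published-fingerprint>
if [ "$#" -eq 2 ]; then
    out=$(apksigner verify -v --print-certs "$1") || { echo "signature verification failed" >&2; exit 1; }
    if printf '%s\n' "$out" | fp_matches "$2"; then
        echo "OK: signer certificate matches the published fingerprint"
    else
        echo "MISMATCH: signer certificate is not the published one" >&2
        exit 1
    fi
fi
```

A truncated or mistyped fingerprint is rejected with status 2 rather than treated as a mismatch, so a copy-and-paste error is not confused with a wrongly signed APK.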
You can report a security vulnerability through the vulnerability reporting form.
We appreciate your support in making Thunderbird for Android as safe as possible!