First I feel I should point out that most competent IMAP providers including Google support searching on the server. Depending on the number of your emails and your phone this may actually be faster than searching on the device although you are limited by the search options your provider supports. Definitely the Gmail app supports searching, although the original question was about Yahoo anyway, so I'm not entirely sure why we're talking about a lack of searching on GApps. I don't know much about Yahoo, but I somewhat doubt they don't allow searching so I strongly suspect, as I think other respondents, that this is not a limitation of Yahoo but simply of the app they're using or even that they're simply confused. IIRC this isn't the first time the OP has asked something which was actually very simple. To put it a different way, this seems to me to be similar to when someone says my Windows 10 computer keeps crashing and someone else says to switch to Linux or Windows 7, when the problem is actually their RAM is defective and so of course the suggestion doesn't actually help their problem in any way and even if it does for some weird reason, it still wasn't a useful suggestion for their problem.
As for the login credential bit, not necessarily true depending on what you mean by login credentials. Although Android phones normally use a Google Account and of course all the Google Apps tend to use this account, the account password is not AFAIK stored on the phone from this for a long time (or ever). An auth token (similar to a cookie) is stored instead [1]. You may be able to use this auth token for generic IMAP access, but I strongly suspect you cannot do so. Of course the Gmail app will have access to the account and should be able to access all emails, and you can probably modify it to download them all, but this doesn't change the fact these aren't generic login credentials which would allow any and all access. Now if you've logged into your Google account on a web browser and stored the password, or if you've used some third party account then maybe your password is stored. That said, Google and most providers, even Yahoo, are discouraging this sort of thing by moving to tokenisation login systems (generally OAuth2) [2] [3] [4] [5]. Now since this token allows IMAP from some client, if you know what you're doing I'm sure you can re-use it to allow IMAP from your own client, but this doesn't change the point that your comment seems to suggest the username and password is stored on the phone.
Probably a more important point, and I suspect this is why Elizium23 touched on it, is if you're remotely aware, the third thing you should do when you lose your phone or especially if it is stolen, is to change your email password. (Second would be to report it to your mobile company to block your number. First, I'll get into that later.) This will mean even if the password is stored, it should be useless. So should any tokens since changing the password should invalidate these. (Most providers will also allow you to invalidate them without changing password.) I suspect this is what Elizium23 was thinking since it was what I was thinking before you replied.
If the person who stole or found your phone is competent maybe they'll quickly steal your stuff before you have the opportunity to stop them, but if they don't they only have access to what's on the phone. So if you have all your emails stored, they will have access to these but not if you don't store them and they need to be downloaded and you stop them before they can. Remembering also they may need to deal with the pin/fingerprint/face/whatever authentication first if you've enabled these. Now if you don't bother to change your password, this is a moot point but still, someone who loses or has their phone stolen may search and find suggestions to do these after the fact, but that doesn't help them with mistakes they made before their phone was stolen/lost.
And these and competence touch on an important point. If you do enable some sort of lock protection on your phone, while they often can be broken depending on precisely what you enabled, they may often slow down an attacker, giving you more time to try and protect your data. Of course they may not be broken depending on the competence. Although I don't like Apple for various reasons, their devices in particular tend to be hard to break except for the most dedicated attackers so it's possible that you may not have to worry even if you did store everything on your phone. Attackers may also consider whether it's worth the time and risk, compared to just wiping your phone and selling it, especially dedicated attackers.
Also both Android [6] and iOS [7] have methods to erase a phone remotely. These obviously rely on the phone having internet access (e.g. if it has data) and obeying the command and that you didn't disable it due to fear it would be abused or whatever. If your phone was stolen, you probably should do this first. If it was simply lost, I guess you have to decide if it's worth the risk of simply locking it (which also tends to be an option).
For the reasons, after disabling any lock screen if possible, a competent attacker will turn off the phone, and when they turn it back on, store the phone in a Faraday cage or at least remove the SIM until they break it and break these systems. But in reality it seems quite likely that the vast majority of people who find and keep phones, and probably at least a majority even of those who steal them are not so competent. For the latter, they may eventually hand over the phone to someone who is so, but it may be too late by then. Now this may suggest you don't have to worry about either, but still, the more you store on the phone, the more that may be compromised.
But competence also gets at another point. I mean sure you may be unlucky and your phone will end up in the hands of someone who goes through a lot of effort to get everything they can. But and especially if you don't do the basics like bother to lock your phone or you're just unlucky and the person either gets it when it's unlocked or manages to unlock it (if you're using a PIN a person doesn't have to be that competent to watch you before they steal it), there's a fair chance that the person is just going to fool around and find whatever they think is interesting or useful. If you have a bunch of nudes in your email, these will probably be a prime target. If these aren't stored on the phone, depending on when and if you change your password you may stop them before they get access. Especially since many thieves may not want to stick around.
As said, most probably if you remotely wipe your phone this will stop the average opportunist. Still it's not that hard to learn that if you don't, the phone gets wiped or maybe even someone shows up at your door asking why there's a stolen phone at your house. And learning to turn off the phone and use it somewhere where it can't get internet access is not that hard. You can often also remove the SIM. (In some cases this may lock the phone in some way or kill the credentials, but not always.) In addition, if the phone owner regularly turns off mobile data, or simply doesn't have it, then these options won't be available unless the attacker themselves choose to connect. If the attacker is trying to access the email but didn't prevent the phone from wiping itself, they've probably just screwed themselves.
But ultimately giving an attacker all your emails including your nudes without needing to connect can be a disadvantage. You increase the risk even an opportunistic attacker will get access, simply by luck or minor competence. The more work they need to do to get your emails, the less likely they are probably going to. If they just unlock your phone, open your email and can see every email, the more likely this is to happen.
Note that I'm explicitly not commenting on whether or not you should do so. Simply pointing out that it's complicated and IMO misleading to suggest there's no difference since there can be big differences.
I will say I find the "privacy" comment is IMO also missing the point. Plenty of people don't want some random person who found their phone looking at all their emails especially not their nudes etc. I mean sure, the kind of people who email nudes probably also have local copies of a lot of them, but maybe not all. It may be true that it's theoretically possible a Google staff member may look at your nudes and private emails, and it may be true these are subject to automated analysis, but I think it's entirely reasonable that people either don't care, or aren't completely happy about the stuff Google etc does and the risk that is entailed, without thinking they should just put up with any random person who steals their phone being able to see all their private emails, including those they may use to try and compromise their accounts, harass their friends and colleagues or fool them, etc.
I think this includes plenty of people who do have a fair idea of what's going on and what's possible, rather than simply the naïve. I don't think we should assume that these people's opinions or views of what they care about are wrong, just because some people disagree with them. If anything stories like [8] [9] illustrate the point IMO that plenty of people feel that way. In other words, plenty of people will make a decision which for them, based even on the best available evidence and information, is what works best for them based on what they care about, what risks they consider are worth worrying about, what disadvantages are worth putting up with, etc etc and even though you may feel different from them, this doesn't mean they are wrong or stupid.
Nil Einne (talk) 08:11, 19 November 2019 (UTC)
- And I just confirmed below, as I expected, that the Yahoo Mail official app does indeed have searching from what I can tell, including full text search. I'm sure it's server side, which does mean more data will be used for searching. But as said, there can be advantages in speed depending on the quality of your client's indexing and data connection. (And if it doesn't index, well.....) More to the point, the advantages of server side vs client side searching haven't really been touched upon except very loosely in SinisterLefty's reply, and then a very vague comment on it being crap. The suggestion has been to do it client side just because the OP couldn't find searching in their client and we don't even know what that is which again IMO makes no sense. Nil Einne (talk) 08:38, 19 November 2019 (UTC)
- This is too long for me to read it whole but the part which I did I don't see how it relates to using IMAP or flat out misses the point. For example OAuth and IMAP: Google gives you a special IMAP-only password. So actually using IMAP is more secure than logging in normally since the password that is stolen can only be used to access, write and delete the e-mails, not lock out the account owner. Sure you could set up OAuth too (assuming it works something like an SSH key so it provides the same extra security) but I never bothered to figure out how it works and I bet most regular people won't either. They will be using the regular login password and storing that in the phone memory to be stolen by the attacker. Telling them to set up a second IMAP password is something they will understand and be able to do, and it will actually help them. 93.142.92.186 (talk) 06:14, 20 November 2019 (UTC)