First I feel I should point out that most competent IMAP providers including Google support searching on the server. Depending on the number of your emails and your phone this may actually be faster than searching on the device although you are limited by the search options your provider supports. Definitely the Gmail app supports searching, although the original question was about Yahoo anyway, so I'm not entirely sure why we're talking about a lack of searching on GApps. I don't know much about Yahoo, but I somewhat doubt they don't allow searching so I strongly suspect, as I think other respondents, that this is not a limitation of Yahoo but simply of the app they're using or even that they're simply confused. IIRC this isn't the first time the OP has asked something which was actually very simple. To put if a different way, this seems to me to be similar to when someone says my Windows 10 computer keeps crashing and someone else says to switch to Linux or Windows 7, when the problem is actually their RAM is defective and so of course the suggestion doesn't actually help their problem in any way and even if it does for some weird reason, it still wasn't a useful suggestion for their problem.

As for the login credential bit, not necessarily true depending on what you mean by login credentials. Although Android phones normally use a Google Account and of course all the Google Apps tend to use this account, the account password is not AFAIK stored on the phone from this for a long time (or ever). An auth token (similar to a cookie) is stored instead [1]. You may be able to use this auth token for generic IMAP access, but I strongly suspect you cannot do so. Of course the Gmail app will have access to the account and should be able access all emails, and you can probably modify it to download them all, but this doesn't change the fact these aren't generic login credentials which would allow any and all access. Now if you've logged into your Google account on a web browser and stored the password, or if you've used some third party account then maybe your password is stored. That said, Google and most providers, even Yahoo, are discouraging this sort of thing by moving to tokenisation login systems (generally OAuth2) [2] [3] [4] [5]. Now since this token allows IMAP from some client, if you know what you're doing I'm sure you can re-use it to allow IMAP from your own client, but this doesn't change the point that your comment seems to suggest the username and password is stored on the phone.

Probably a more important point, and I suspect this is why Elizium23 touched on it, is if you're remotely aware, the third thing you should do when you lose your phone or especially if it is stolen, is to change your email password. (Second would be to report it to your mobile company to block your number. First, I'll get into that later.) This will mean even if the password is stored, it should be useless. So should any tokens since changing the password should invalidate these. (Most providers will also allow you to invalidate them without changing password.) I suspect this is what Elizium23 was thinking since it was what I was thinking before you replied.

If the person who stole or found your phone is competent maybe they'll quickly steal your stuff before you have the opportunity to stop them, but if they don't they only have access to what's on the phone. So if you have all your emails stored, they will have access to these but not if you don't store them and they need to be downloaded and you stop them before they can. Remembering also they may need to deal with the pin/fingerprint/face/whatever authentication first if you've enabled these. Now if you don't bother to change your password, this is a moot point but still, someone who loses or has their phone stolen may search and find suggestions to do these after the fact, but that doesn't help them with mistakes they made before their phone was stolen/lost.

And these and competence touch on an important point. If you do enable some sort of lock protection on your phone, while they often can be broken depending on precisely what you enabled, they may often slow down an attacker, giving you more time to try and protect your data. Of course they may not be broken depending on the competence. Although I don't like Apple for various reasons, their devices in particular tend to be hard to break except for the most dedicated attackers so it's possible that you may get not have to worry even if you did store everything on your phone. Attackers may also consider whether it's worth the time and risk, compared to just wiping your phone and selling it, especially dedicated attackers.

Also both Android [6] and iOS [7] have methods to erase a phone remotely. These obviously rely on the phone having internet access (e.g. if it has data) and obeying the command and that you didn't disable it due to fear it would be abused or whatever. If your phone was stolen, you probably should do this first. If it was simply lost, I guess you have to decide if it's worth the risk of simply locking it (which also tends to be an option).

For the reasons, after disabling any lock screen if possible, a competent attacker will turn off the phone, and when they turn it back on, store the phone in a Faraday cage or at least remove the SIM until they break it and break these systems. But in reality it seems quite likely that the vast majority of people who find and keep phones, and probably at least a majority even those who steal them are not so competent. For the latter, they may eventually hand over the phone to someone who is so, but it may be too late by then. Now this may suggest you don't have to worry about either, but still, the more you store on the phone, the more that may be compromised.

But competence also gets at other point. I mean sure you may be unlucky and your phone will end up in the hands of someone who goes through a lot of effort to get everything they can. But and especially if you don't do the basics like bother to lock your phone or you're just unlucky and the person either gets it when it's unlocked or manages to unlock it (if you're using PIN a person doesn't have to be that competent to watch you before they steal it), there's a fair chance that the person is just going to fool around and find whatever they think is interesting or useful. If you have a bunch of nudes in your email, these will probably be a prime target. If these aren't stored on the phone, depending on when and if you change your password you may stop them before they get access. Especially since many thieves may not want to stick around.

As said, most probably if you remotely wipe your phone this will stop the average opportunist. Still it's not that hard to learn that if you don't, the phone gets wiped or maybe even someone shows up at your door asking why there's a stolen phone at your house. And learning to turn off the phone and use it somewhere where it can't get internet access is not that hard. You can often also remove the SIM. (In some cases this may lock the phone in some way or kill the credentials, but not always.) In addition, if the phone owner regularly turns off mobile data, or simply doesn't have it, then these options won't be available unless the attacker themselves choose to connect. If the attacker is trying to access the email but didn't prevent the phone from wiping itself, they've probably just screwed themselves.

But ultimately giving an attacker all your emails including your nudes without needing to connect can be a disadvantage. You increase the risk even an opportunistic attacker will get access, simply by luck or minor competence. The more work they need to do to get your emails, the less likely they are probably going to. If they just unlock your phone, open your email and can see every email, the more likely this is to happen.

Note that I'm explicitly not commenting on whether or not you should do so. Simply pointing out that it's complicated and IMO misleading to suggest there's no different since there can be big differences.

I will say I find the "privacy" comment is IMO also missing the point. Plenty of people don't want some random person who found their phone looking at all their emails especially not their nudes etc. I mean sure, the kind of people who email nudes probably also have local copies of a lot of them, but maybe not all. It may be true that it's theoretically possible a Google staff member may look at your nudes and private emails, and it may be true these are subject to automated analysis, but I think it's entirely reasonable that people either don't care, or aren't completely happy about the stuff Google etc does and the risk that is entailed, without thinking they should just put up with any random person who steals their phone being able to see all their private emails, including those may use to try and compromise their accounts, harass their friends and colleagues or fool them, etc.

I think this includes plenty of people who do have a fair idea of what's going on and what's possible, rather than simply the naïve. I don't think we should assume that these people's opinions or views of what they care about are wrong, just because some people disagree with them. If anything stories like [8] [9] illustrate the point IMO that plenty of people feel that way. In other words, plenty of people will make decision which for them, based even on the best available evidence and information, is what works best for them based on what they care about, what risks they consider are worth worrying about, what disadvantages are worth putting up with, etc etc and even though you may feel different from them, this doesn't mean they are wrong or stupid.

Nil Einne (talk) 08:11, 19 November 2019 (UTC)[reply]

And I just confirmed below, as I expected, that the Yahoo Mail official app does indeed have searching from what I can tell, including full text search. I'm sure it's server side, which does mean more data will be used for searching. But as said, there can be advantages in speed depending on the quality of your clients indexing and data connection. (And if it doesn't index, well.....) More to the point, the advantages of server side vs client side searching haven't really been touched upon except very loosely in SinisterLefty's reply, and then a very vague comment on it being crap. The suggestion has been to do it client side just because it the OP couldn't find searching in their client and we don't even know what that is which again IMO makes no sense. Nil Einne (talk) 08:38, 19 November 2019 (UTC)[reply]

This is too long for me to read it whole but the part which I did I don't see how it relates to using IMAP or flat out misses the point. For example OAuth and IMAP: Google gives you a special IMAP-only password. So actually using IMAP is more secure than logging in normally since the password that is stolen can only be used to access, write and delete the e-mails, not lock out the account owner. Sure you could set up OAuth too (assuming it works something like an SSH key so it provides the same extra security) but I never bothered to figure out how it works and I bet most regular people won't either. They will be using the regular login password and storing that in the phone memory to be stolen by the attacker. Telling them to set up a second IMAP password is something they will understand and be able to do, and it will actually help them. 93.142.92.186 (talk) 06:14, 20 November 2019 (UTC)[reply]

Well first, the original stated reason was "would also be a good idea in case your fickle free e-mail provider ever decides to up and close your account for no reason", not people locking themselves out of their accounts. This is why I worded my reply carefully. Depending on how your provider "close your account for no reason", you could very well find your local cache is deleted. If they just stop letting you log in then your cache should be safe. OTOH, if they turn it into an empty account, your client is likely to perceive all emails are deleted and delete the entire cache. I note that Yahoo and Outlook still I believe empty accounts if they aren't logged into in some time. (Possibly a year.) This isn't really "close" IMO, but it is a case where all your emails are likely to disappear in such a way that any IMAP cahce will also be cleared.

Second, I actually think the most likely scenario is one where a user accidentally deleted emails, nothing involving a third party or their provider screwing up. In this case, it may not be possible to recover the email from the provider, especially if you've marked it as permanently deleted or this has happened over time. E.g. for Gmail only Gsuite customers have any hope of recovering emails once they're deleted from the trash (whether because something did that or after 30 days) [10] [11]. It sounds like for Outlook you can recover emails provided it's not a child's account even without Officer 365 etc but of course with caveats [12]. Anyway this which IMO is the most likely scenario where emails are lost is also something for which an improperly set up backup is basically useless hence why I suggested if you are going to go down this route, you probably should do some basics to ensure you actually have a backup which will protect such things.

Third, it's not true that there's nothing you can do. In fact, most major providers have methods of recovery which ultimately involve convincing some tech support person to reset your password in the worse case e.g. [13] [14] [15] [16] [17]. (Possibly this doesn't include Yahoo, I'm not sure. Yahoo has a very poor record nowadays anyway.) It's true these methods can fall through [18], but this doesn't change that they exist. While most providers would prefer if you rely on their automated systems and provider numerous ways for password resets with minimal or no involvement of customer support, and also generally wouldn't mind if you just make a new account, most also would much rather keep their marketing leads/customers than not, so providing support for such basics as regaining access to accounts is in their interest. Such processes tend to be quite difficult because otherwise social engineering will mean anyone competent can compromise your account just by convincing customer service that you are the legitimate owner when you aren't [19] [20] [/www.wired.com/2012/08/apple-amazon-mat-honan-hacking/] [21] [22] [23]. So for something like a random account with a random provider who has little real information on you, it may be almost impossible without friends in high places (as per the Techcrunch story), you'd note that from what I saw, none of those involved seem to be either Google or Microsoft customer support the ones subject to social engineering (although Apple and Amazon were involved albeit I didn't check the details). That said, this is a difficult thing to search since the far more common scenario is social engineering the customer, fooling them into sending the reset code or similar.

Fourth, I also wonder whether it's actually far more likely that someone's account will be compromised than for the person to lose access from forgetting the password, particularly for an account where they actually care about the data. As I said above, and the earlier sources somewhat attest, gaining control of someone's email account often ensures you can also gain control over a lot of their stuff since password resets by email are a very common feature so it tends to be a big target. Plus the data may also help any social engineering attempt. That said, most of these aren't going to be deleting all your emails unless it's a particular sort of attack probably a ransom ware attack. They're only likely to delete emails to try and hide their compromise. And many people nowadays tend to have some form of recovery probably via their mobile number. (This would vary from country to country. In places where it's common to change numbers a lot e.g. due to changing prepaid providers for better rates and either a lack of number portability or simply not using it, it's far more likely to arise since the number stored in the account may not be one the customer has access to any more.)

Fifth, if you did happen to lose access solely from forgetting your password, I'd note that putting all the other methods of recovery aside there's a contradiction between this and the above. If it is indeed possible to recover the password from the phone (and as I said, it may not be), then the person losing access should be able to do this anyway, unless their either lost their phone or it gets lost from their phone. Which can happen, but still demonstrates that losing access is far from a simple scenario. More likely even if it is possible, the person may have no idea how to do it. But then such a person, even if they successfully set up their phone app with a local cache of the email and doesn't accidentally delete it or otherwise use an app which doesn't allow access when it cannot connect to the account, will probably still have no idea how to get the data out of the phone so they will be stuck with it being on this phone forever. Which further provides evidence of it not being a simple scenario, but IMO further demonstrates why the person should first be advised some basic sensible precautions rather than relying on something which may work in certain circumstances, but won't work in a lot of others.

Nil Einne (talk) 08:11, 19 November 2019 (UTC)[reply]

I can offer some real life experience here rather than speculations. I've had probably dozens if not more free e-mail accounts for various reasons (e.g. ad testing) and I've lost a fair bit of them. Yahoo mail does wipe the mailbox if you don't log in at all, I think it used to be 3 months but it hasn't happened to me in a long time. IMAP counts as a login here and so it does for Google and other services I've been with, so the idea that they'll still wipe your email is wrong. Second, I've been locked out/had my account deleted/shadowbanned or whatever you wanna call it. I don't know why they do it other than to piss off people with multiple accounts. In no case have I ever been able to get the account back. One time I got a response from Google support asking for ID documents. I told them it wouldn't help because I didn't keep identifying information in that mailbox but told them I'm obviously the owner of that account too from IP logs. Haven't heard from them. Another time I lost an important account tied to an e-wallet which even had a phone number, nothing worked and they didn't get back to me. I sorted it out eventually, nothing was stolen, then a few months later I decided to try re-registering the account, and that worked, so it was deleted for some reason. I never had any cases of identity theft or information being stolen and used against me that I know of, so my most reasonable assumption is that these accounts weren't hacked, but closed for some reason the companies don't want to reveal to me.

In no case that this happened to me, not a single one, did I lose cached emails, because the login credentials stopped working. Whether my mailbox was wiped, my email client couldn't know, because it couldn't log in. So that part is nonsense. And even if that happens, you can still configure your email client to copy old messages to an archive folder and things like that.

Most of your post is "I think it's more likely" and "I wonder if it's likely". I'm not gonna refute that other than say I disagree and at least have some experience with this. You're advising people to rely on proven to be unreliable mechanisms while telling them explicitly not to backup their mail based on spurious assumptions that they have a weak password and/or are forgetful and/or account thieves will delete all mail etc. 93.142.92.186 (talk) 06:14, 20 November 2019 (UTC)[reply]