Light iOS App
Download the Light iOS App user manual here.
Introduction to Light App
The Light App (in development) is designed for email security on the iOS platform. With support for the standard S/MIME protocol and X.509 certificates, Light can send and receive signed and encrypted email and is compatible with popular email clients such as Microsoft Outlook, Mozilla Thunderbird and macOS Mail. With the KX906 Smart Token integrated, private keys are stored safely within a certified secure element and can be used on different operating systems, such as Windows, Ubuntu and macOS, in the same hardware-secured manner. Light is all about email security and making it simple.
Connect KX906 Smart Token
(1) Connect the KX906 Smart Token to the iOS device through the Lightning connector.
(2) Once the KX906 Smart Token is connected successfully, the “loading” and “Getting key lists” indicators are shown in sequence. If no indicator is shown for more than 5 seconds, remove the token and plug it in again to connect.
(3) When the KX906 Smart Token connects, the keys within it are checked and mapped against the key lists registered in the Light App.
Email Account Management
Light supports Gmail accounts through Google OAuth authentication and standard email accounts through the IMAP and POP3 protocols.
(1) Gmail account settings
Set up a Gmail account through Google OAuth authentication.
(2) Standard email account settings
Set up a standard email account through the IMAP or POP3 protocol. The email address, password, host DNS name or IP address, port number and connection type are required to complete the setup and connect to the mail server.
For the connection type of both the incoming and the sending server, one of three options can be selected: “Clear”, “StartTLS” or “TLS”. Consult the email server administrator for the correct settings before setting up the mail account.
For the sending server (outgoing or SMTP server), the authentication type must be chosen correctly. One of five options can be selected: “None”, “Password”, “MD5 Challenge-Response”, “NTLM” or “Kerberos Version 5 - GSSAPI”. Consult the email server administrator for the correct settings before setting up the mail account.
With correct settings and a successful connection, the mail list is retrieved from the mail server.
Basic Operations of Light
Switching email accounts, switching email folders, Light settings, refreshing the email list, viewing email content and composing email are the basic operations of Light.
Email accounts, Contacts, Security and the KX906 Smart Token can be set up in Light settings.
(1) Email Account setting
Refer to “Email Account Management” for email account settings.
(2) Contact setting
Contacts can be imported from iOS contacts. The first time Contacts is tapped, a dialog requesting authorization to access iOS contacts is shown. The authorization can also be changed later in iOS Settings.
(3) Security setting
Certificates and references to private keys held in hardware can be set up in the security setting. Click “Register a hardware” to establish reference links between Light and the private keys within the KX906 Smart Token. A link can be established only for a key pair that has a corresponding certificate.
If the KX906 Smart Token is unauthenticated, the login dialog (fingerprint or PIN) is shown before the reference link is established.
A public key (certificate) can be shared by email; a signed email is recommended.
The certificate repository is the keychain for certificates, including personal certificates and those of others.
(4) KX906 Smart Token setting
The KX906 Smart Token authentication type, fingerprint or PIN, can be configured.
Email Signing and Protection
Light provides standard S/MIME email signing, encryption and decryption using the hardware secure element within the KX906 Smart Token. Hardware key registration has to be done before email signing and decryption; refer to the Light security setting chapter for instructions. For S/MIME email signing and decryption, the certificate subject alternative name (RFC822 Name) value must be the same as the email address.
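The subject alternative name requirement can be checked with OpenSSL before a certificate is registered. The script below is an added example, not part of the Light manual or the Light App; it assumes OpenSSL 1.1.1 or later and a certificate exported as a PEM file, and its function names, file names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Light manual). Assumes OpenSSL 1.1.1 or later
# and a certificate exported as a PEM file. Function names are illustrative.

# san_emails CERT.pem
# Print every rfc822Name (email) entry of the subjectAltName extension,
# one per line. Prints nothing if the extension or the file is missing.
san_emails() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*email:\(.*\)$/\1/p'
}

# san_matches CERT.pem ADDRESS
# Exit 0 only if ADDRESS is exactly one of the SAN rfc822Name values.
# The comparison is strict (case-sensitive); the manual does not say
# whether Light ignores case.
san_matches() {
    san_emails "$1" | grep -Fqx -- "$2"
}

# make_test_cert OUT.pem ADDRESS
# Create a throwaway self-signed certificate whose SAN holds ADDRESS.
# The private key is discarded; this is constructed sample data only.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj "/CN=Constructed Sample" -days 1 \
        -addext "subjectAltName=email:$2" -out "$1" 2>/dev/null
}

# Demo on a constructed certificate: one matching and one non-matching account.
tmp=$(mktemp -d)
make_test_cert "$tmp/alice.pem" alice@example.com
for addr in alice@example.com bob@example.com; do
    if san_matches "$tmp/alice.pem" "$addr"; then
        echo "$addr: matches a SAN rfc822Name"
    else
        echo "$addr: no matching SAN rfc822Name"
    fi
done
rm -rf "$tmp"
```

A certificate that carries the address only in the subject DN (emailAddress) and not in the SAN prints nothing from san_emails and fails this check.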
(1) Email Signing
Compose a new mail and click the gray signature icon to enable email signing. If the KX906 Smart Token is not yet authenticated, the login dialog is shown. After a successful login, the signature icon turns green. With a green signature icon, the composed email is signed before it is sent.
Finish composing the email and click the transfer icon to send the signed email.
Tap and drag down to refresh the email list. The signed email is received and shown with a signature icon.
The same signed email as shown in Mozilla Thunderbird and macOS Mail is below.
(2) Email Encryption and Decryption
Compose a new mail, enter the recipient email address and then click the gray encryption icon to enable email encryption. When the gray encryption icon is clicked, Light searches the certificate repository for the encryption certificates corresponding to the recipient email addresses. If every recipient email address maps to an encryption certificate, the encryption icon turns blue. With a blue encryption icon, the composed email is encrypted before it is sent. If not all recipient email addresses can be mapped to corresponding encryption certificates, the encryption icon turns red and the composed email cannot be sent.
Remove the disallowed recipient email address (shown in red) or add the corresponding recipient encryption certificate to the certificate repository of Light to allow the encrypted email to be sent.
Finish composing the email and click the transfer icon to send the encrypted email.
Tap and drag down to refresh the email list. The encrypted email is received and shown with an encryption icon.
In the following situations, the encrypted email may not be decrypted correctly.
A. The KX906 Smart Token is connected, but no corresponding private key is found.
B. The KX906 Smart Token is connected, but the corresponding private key and certificate have not yet been registered to Light.
C. The KX906 Smart Token has not yet been connected to Light.
The same encrypted email as shown in Mozilla Thunderbird and macOS Mail is below.
(3) Signed and Encrypted Email
When an email is signed and encrypted, the email content is signed first and then encrypted with the recipient certificates.
The signed and encrypted email is shown as an encrypted email. With the corresponding private key, the email content can be decrypted and viewed.
A recipient certificate can be shared through email. A recipient certificate can be imported into the Light certificate repository through an email attachment.
(1) Certificate Sharing
A personal certificate can be shared through email; a signed email is recommended.
(2) Certificate Importing
A recipient certificate can be imported into the Light certificate repository through an email attachment.
After importing a recipient certificate, check the Light certificate repository to confirm that the imported certificate is available for later use with encrypted email.
Last Updated: 16 Mar 2019