When you view a HTML email using Androids standard IMAP client, it loads certain remote content without warning. This potentially leaks information to the sender about when a message has been read, and the IP address it was read from.
Images in HTML aren’t fetched until you hit the “Show pictures” button, but it does load remote content from the following two HTML tags as soon as you view the message, no matter what you do.
<link rel="stylesheet" type="text/css" href="http://tracker.example.com/web-bug?id=xxxxxxxxxx"> <iframe src="http://tracker.example.com/web-bug?id=xxxxxxxxxx"></iframe>
I’ve previously found similar issues in other email clients:
Apple Mail Privacy Hole (Fixed for Apple Mail. Not fixed for iPhone)
DNS Prefetch Exposure on Thunderbird and Webmail (Fixed in some webmail clients. Not fixed in Thunderbird)
This bug has been reported to Google