As simple as that, when I'm using the official Gmail app to access my email account, does it use a secure connection?
3 Answers
According to this Google page, the Android Gmail app uses an SSL connection in both directions.
One should be careful to differentiate between the Gmail app and the default mail client.
Gmail App
The Gmail app is the pre-installed app created by Google that can only be used with Gmail. The answer to whether or not the Gmail app is secure requires some understanding of Android app security. This passage from the dev guide explains how developers may connect to an SSL Socket to securely send TCP/IP communications.
Since the Gmail app uses SSL Sockets when sending and receiving mail, all communications are secure [citation needed].
Mail Client
Unlike the Gmail app, the default mail client can be used with any email account, including Gmail. When using this client to send and receive Gmail, an SSL connection must be used. The app is therefore also secure. Google explains how to do this in their help pages.
I don't believe that it does use SSL, but my evidence is circumstantial/anecdotal.
Yesterday I connected to a public WiFi from my Nexus 7. The native Gmail client successfully retrieved mail (on two accounts), but when I went to open a Google website through Chrome, I got the "The site's security certificate is not trusted!" message. Chrome for Android wouldn't give me any more details (what the specific problem was), but it seems to me that if the SSL connection wasn't good enough for Chrome, it shouldn't have been good enough for the Gmail app either. Ergo, either Gmail doesn't use SSL, or it doesn't use it securely (which amounts to the same thing).
I'd welcome another explanation, but based on the above, I changed the passwords on both those accounts immediately after.