Block link prefetching
I used https://emailprivacytester.com to send a message to my GMail acount (through a sneakemail.com redirection though I don't think that is relevant).
I opened the message in the GMail web site and nothing was detected by the Privacy Tester. I allowed images and some privacy leaks were detected (I know that remote images leak privacy).
Then I opened the message in Boxer and, just by opening it, the Privacy tester site got a link prefetch connection https://emailprivacytester.com/test/link_prefetch that allowed them to get my IP address and full user agent string with details of telephone model and Android build.
Allowing images in Boxer activated the leaks Image Submit Button,
Image tag, CSS background-image, Picture tag, Video poster, Img srcset attr, Object tag - data, SVG inline with remote image,
CSS content, Background attribute.
To compare I opened the message in the GMail Android app and nothing leaked. I allowed images and three leaks contacted the Privacy Tester. Besides, the Gmail app uses a proxy to contact the sites and does not reveal my IP address and a very detailed User-Agent.
I request that at least you block the link prefetch connections. I expect that allowing pictures discloses me, but I did not expect it from merely opening a message.
Thanks for the program, anyway.
I use Boxer 2.8.0 (245) in Cyanogen OS 12.1.1-YOG7DAS2FI on Wileyfox Swift.