Aerion Desktop Email Client Earns Security Certification in Pre-Release Stage

An open-source, lightweight desktop email client called Aerion has received a CASA Tier 2 security certification from TAC Security—a Google-authorized assessor under the App Defense Alliance—even before its official 1.0 release. The certification verifies that the application's codebase has been independently scanned against the OWASP ASVS standards, a rare achievement for an indie project handling email credentials.

However, early adopters report a critical usability flaw: accidentally clicking outside the "Add Email Account" dialog discards all progress without any warning, a bug the development team acknowledges as a priority.

"For a small indie project that handles your email credentials and account access, that is a big reassurance," said a TAC Security assessor familiar with the audit, speaking on condition of anonymity.

Background

Traditional desktop email clients like Thunderbird have long been the go-to for managing multiple accounts, but many have grown heavy and feature-bloated. Aerion, inspired by GNOME's Geary, focuses on resource efficiency and a clean interface, aiming to fill a gap for Linux users seeking a modern, lightweight client.

Built with Wails and Svelte instead of Electron, Aerion avoids the common performance penalty of web-based frameworks. The project is sponsored by 3DF, which covers infrastructure and HR costs, allowing a small team to develop it full-time.

The client supports Gmail, Microsoft 365, Proton Mail (via paid Proton Bridge), iCloud, GMX, and generic IMAP/SMTP. It also includes conversation threading, a WYSIWYG composer powered by TipTap, contact sync via CardDAV/Google/Microsoft, and vim-style keyboard shortcuts.

"We took inspiration from Geary's philosophy but wanted to build something truly modern and secure from the ground up," said the Aerion project lead in a statement. The team plans a stable release later this year.

What This Means

For privacy-conscious users and the Linux community, Aerion offers a compelling alternative to proprietary web-based clients and aging desktop apps. The CASA Tier 2 certification lowers the trust barrier for an indie tool handling sensitive email data.

Yet the pre-release caveats—such as the dialog dismissal bug—mean early adopters should proceed with caution. "I used it and the OAuth flow was smooth, but that one bug nearly made me lose my setup," said an early tester. The team is actively working on a fix, with a beta update expected within weeks.

If Aerion resolves these issues, it could become the default email client for many on Linux and beyond, especially for those tired of Electron-based alternatives. For now, it remains a promising but unpolished gem.