That link only talks about pgp/gpg, but yeah - their solution (haven't figured out the whole thing yet) seems to be "Send everything to our servers, others can get it from there using our app (or a web application)".
No gpg/pgp relation. No IMAP support¹.
They do support SMTP if
a) the recipient is not on the same platform
b) you're sending an unencrypted mail (only possible to external users anyway)
If you send an encrypted mail to an external user, they basically just get a link or something. "View the real mail here"?
I believe the intentions are good, but that's trying to solve the problem by killing off most things I require for my mails, unfortunately.
Firstly, Android checks app signatures and as far as I know the market app doesn't have any ability to override that. It can do a few privileged things like skip showing the permissions screen, but I think the OS still wants to see correct signatures. So even if the app store was hacked the phone itself might reject a bogus upgrade.
Secondly, that slide is more like some junior GCHQ guy noodling around, I think. It is old and dates from a time before Google used SSL for everything. I doubt it's possible to do via purely technical attacks now.
Thirdly, it'd almost certainly be easier to attack the developer laptop/workstation to steal the signing keys directly than attack Android head on. I plan to do some research this summer into splitting the RSA signing keys used by Android apps to allow for threshold signed online updates for Android and maybe iOS.
The only way to change the signing key for an app (on an unrooted phone at least) is by completely uninstalling it (which deletes the main data directory) and then installing a new version. In fact, Google lost the key for their OTP authenticator app at one point, requiring all users to install the new app manually before they would receive updates again.
APG is discontinued. You should use OpenKeychain now instead - http://www.openkeychain.org - OpenKeychain does everything APG did, more, and has a much nicer interface. It even lets you use a Yubikey as a PGP smartcard over NFC so you don't have to store your PGP keys on your phone - https://grepular.com/An_NFC_PGP_SmartCard_For_Android
The one thing that K-9 misses, which is pretty major IMO, is PGP/MIME support. It only works with inline PGP.
I don't know about Apple, but I doubt Google will because of the features they've been putting out lately (i.e.: Now cards for flights, etc based on emails).
I have to be honest, I have given up on pgp. From what I know there is no way to have encrypted communications between more than two people. So why even bother pursuing the dream of everyone using it if there is such a roadblock in the way of common communication habits.
PGP absolutely supports multiple recipients. As the other reply says, the (small) symmetric key is encrypted separately with the public key of every recipient.
A good alternative is Countermail [https://countermail.com/] (probably more secure than Tutanova, to the extent possible for these services) and an app such as K-9 Mail.
Don't forget https://protonmail.ch
They are working on iOS and Android apps, and from what I've seen they have the most promise of making encryption simple for ALL.
http://tutanota.uservoice.com/knowledgebase/articles/470724-...