Apparently, Microsoft’s Outlook.com app for Android exposes user data by giving the impression that it encrypts email when it actually doesn’t do that. Security firm Include Security is reporting that the Outlook.com Android app provides weak security when it comes to protecting user data.
“The app allows users to access their Outlook.com email on Android devices. In the course of our research we found that the on-device email storage doesn’t really make any effort to ensure confidentiality of messages and attachments within the phone file system itself. After notifying Microsoft (vendor notification timeline is found at the end of this post) they disagreed that our concern was a direct responsibility of their software, in light of similar problems with iOS being deemed a concern by privacy advocates we thought it’d be a good idea to share what we see with the Outlook.com app,” Include Security reports.
Include Security has identified two key areas of concern. First, email attachments are stored in a file system area that is accessible to any app or 3rd parties who have physical access to your phone. Second, the email themselves are stores on the file system, while the “Pincode” feature of the Outlook.com app only applies to the UI of the app. The “Pincode” feature does nothing in protecting the confidentiality of email messages on the file system. This gives off the false sense that your email messages are protected, when in fact, they are not.
As you can see from the image below, when setting up a “Pincode,” you are told to add a secure password in order to “protect your email.”
“Outlook.com provides a Pincode feature. When activated, users have to enter a code in order to interact with the application (launch it, resume it, etc). This feature is not enabled by default in the application: the user must manually enable this feature. We’ve found that the Pincode feature does not encrypt the underlying data, it only protects the Graphical User Interface, and we feel this is a behavior users should be aware of,” Inside Security adds.
Inside Security recommends that you disable USB debugging (Settings > Developer Options > USB Debugging) on Android, effectively preventing 3rd parties from getting access to any data in plain-text, from a messaging app or other apps that may choose to store private data on the SDCard. It is also being recommended to change the email attachments download directory (Settings > General > Attachments Settings > Attachment Folder) to something other than the removable SD card.
Microsoft was made aware of this issue and had the following to say: “Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information,” a Microsoft spokesperson stated.
