Feeds

You've got Mail! But someone else is reading it in Outlook for Android

Researchers say Redmond forgot to encrypt messages stored on Android SD cards

Internet Security Threat Report 2014

Researchers have plucked privacy holes in Microsoft's Outlook Android app that expose user data when user security setting screws were not tightened.

New York-based Include Security pointed out that Redmond's app, which has chalked up tens of millions of downloads, stored user data on the removable SD card that could be read by other applications.

"In the course of our research we found that the on-device email storage doesn't really make any effort to ensure confidentiality of messages and attachments within the phone filesystem itself," Include Security bod Paolo Soto said in a post.

"We've found that many messaging applications (stored email or instant message and chat apps) store their messages in a way that makes it easy for rogue apps or third parties with physical access to the mobile device to obtain access to the messages."

The security firm tested a string of apps and narrowed in on Outlook for what it identified as a series of privacy failures.

Soto said any third party app with the READ_EXTERNAL_STORAGE permission could access Outlook email attachments stored on the SD card for users who did not specifically encrypt card data or activate the private folders for devices operating Android 4.4.

Reading Outlook attachments did not require devices to be rooted, the company said, meaning an attacker with a stolen phone in hand could tap in with an ADB shell and open the sdcard/attachments folder.

Emails were stored but not encrypted within the app file system. Soto found the app's PIN code was below 'common user expectation' as it served merely as a locked gate and did not encrypt user data.

"We feel users should be aware of cases like this as they often expect that their phone's emails are 'protected' when using mobile messaging applications."

The privacy risks were reported to Microsoft which said Android users should encrypt data on their SD cards.

"Users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made," Redmond said.

The security firm recommended developers enable encryption in similar apps or transmit attachments as opaque binary blobs. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.