Feeds

You've got Mail! But someone else is reading it in Outlook for Android

Researchers say Redmond forgot to encrypt messages stored on Android SD cards

Seven Steps to Software Security

Researchers have plucked privacy holes in Microsoft's Outlook Android app that expose user data when user security setting screws were not tightened.

New York-based Include Security pointed out that Redmond's app, which has chalked up tens of millions of downloads, stored user data on the removable SD card that could be read by other applications.

"In the course of our research we found that the on-device email storage doesn't really make any effort to ensure confidentiality of messages and attachments within the phone filesystem itself," Include Security bod Paolo Soto said in a post.

"We've found that many messaging applications (stored email or instant message and chat apps) store their messages in a way that makes it easy for rogue apps or third parties with physical access to the mobile device to obtain access to the messages."

The security firm tested a string of apps and narrowed in on Outlook for what it identified as a series of privacy failures.

Soto said any third party app with the READ_EXTERNAL_STORAGE permission could access Outlook email attachments stored on the SD card for users who did not specifically encrypt card data or activate the private folders for devices operating Android 4.4.

Reading Outlook attachments did not require devices to be rooted, the company said, meaning an attacker with a stolen phone in hand could tap in with an ADB shell and open the sdcard/attachments folder.

Emails were stored but not encrypted within the app file system. Soto found the app's PIN code was below 'common user expectation' as it served merely as a locked gate and did not encrypt user data.

"We feel users should be aware of cases like this as they often expect that their phone's emails are 'protected' when using mobile messaging applications."

The privacy risks were reported to Microsoft which said Android users should encrypt data on their SD cards.

"Users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made," Redmond said.

The security firm recommended developers enable encryption in similar apps or transmit attachments as opaque binary blobs. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.