Feeds

You've got Mail! But someone else is reading it in Outlook for Android

Researchers say Redmond forgot to encrypt messages stored on Android SD cards

Protecting users from Firesheep and other Sidejacking attacks with SSL

Researchers have plucked privacy holes in Microsoft's Outlook Android app that expose user data when user security setting screws were not tightened.

New York-based Include Security pointed out that Redmond's app, which has chalked up tens of millions of downloads, stored user data on the removable SD card that could be read by other applications.

"In the course of our research we found that the on-device email storage doesn't really make any effort to ensure confidentiality of messages and attachments within the phone filesystem itself," Include Security bod Paolo Soto said in a post.

"We've found that many messaging applications (stored email or instant message and chat apps) store their messages in a way that makes it easy for rogue apps or third parties with physical access to the mobile device to obtain access to the messages."

The security firm tested a string of apps and narrowed in on Outlook for what it identified as a series of privacy failures.

Soto said any third party app with the READ_EXTERNAL_STORAGE permission could access Outlook email attachments stored on the SD card for users who did not specifically encrypt card data or activate the private folders for devices operating Android 4.4.

Reading Outlook attachments did not require devices to be rooted, the company said, meaning an attacker with a stolen phone in hand could tap in with an ADB shell and open the sdcard/attachments folder.

Emails were stored but not encrypted within the app file system. Soto found the app's PIN code was below 'common user expectation' as it served merely as a locked gate and did not encrypt user data.

"We feel users should be aware of cases like this as they often expect that their phone's emails are 'protected' when using mobile messaging applications."

The privacy risks were reported to Microsoft which said Android users should encrypt data on their SD cards.

"Users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made," Redmond said.

The security firm recommended developers enable encryption in similar apps or transmit attachments as opaque binary blobs. ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.