Outlook for Android fails to keep emails confidential

Did you know that Outlook and many other email and mobile messaging Android apps store your emails and messages on the device’s SD card, unencrypted, and accessible to any third-party app that is permitted to access the card’s contents?

Couple that with the (widely granted) permission to access the Internet, and your potentially confidential conversations could be exfiltrated to remote servers for attackers to peruse and misuse.

“We feel a key security and privacy attribute of any mobile messaging application is the ability to maintain the confidentiality of data stored on the device the app runs on. If a device is stolen or compromised, a 3rd party may try to obtain access to locally cached messages,” researchers from New York-based consultancy Include Security shared on the company blog.

“We’ve found that many messaging applications (stored email or IM/chat apps) store their messages in a way that makes it easy for rogue apps or 3rd parties with physical access to the mobile device to obtain access to the messages.”

While many apps behave this way, the researchers have singled out Outlook for Android to explain the problem, probably because the app has been downloaded by tens of millions of users.

Regarding Outlook for Android, they discovered that “email attachments are stored in a file system area that is accessible to any application or to third parties who have physical access to the phone”, and that “the emails themselves are stored on the app-specific filesystem, and the ‘Pincode’ feature of the Outlook.com app only protects the Graphical User Interface.”

They say they disclosed part of their research in order to raise user awareness, since Microsoft has repeatedly noted that “…users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made.”

What can users do to protect their communications? Apart from using Android’s Full Disk Encryption feature to encrypt all data (app data, downloaded files, and so on), they can also change the folder where email attachments are downloaded (go to Settings > General > Attachments Settings > Attachment Folder), and make it one that’s not located on the SD card.
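The developer-side counterpart of the advice above, as an added illustration that is not code from Outlook or from Include Security's post: the class name, method names and folder names are my own assumptions. It contrasts the pattern the article describes (attachments written under the shared SD card root, readable by any app holding the storage permission) with writing into the app-private internal storage directory, and includes the check a settings screen could run to refuse an attachment folder that lies on shared storage.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/** Hypothetical helper (assumption: not part of any real mail app). */
public final class AttachmentStore {

    private AttachmentStore() {}

    /** True if the folder is the shared external storage (SD card) root or lies beneath it. */
    public static boolean isOnSharedStorage(File folder) {
        try {
            String path = folder.getCanonicalPath();
            String root = Environment.getExternalStorageDirectory().getCanonicalPath();
            return path.equals(root) || path.startsWith(root + File.separator);
        } catch (IOException e) {
            return true; // an unresolvable path is treated as unsafe
        }
    }

    /** Weak pattern from the article: any app with storage permission can read this file. */
    public static File saveToSharedStorage(String name, byte[] body) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "Attachments");
        return write(dir, name, body);
    }

    /**
     * Hardened pattern: files under getFilesDir() are confined to this app's Linux UID
     * by the OS sandbox, so other apps cannot open them. Confidentiality against someone
     * holding the device still depends on device encryption (FDE, as the article notes).
     */
    public static File savePrivately(Context ctx, String name, byte[] body) throws IOException {
        File dir = new File(ctx.getFilesDir(), "attachments");
        return write(dir, name, body);
    }

    private static File write(File dir, String name, byte[] body) throws IOException {
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        // Keep only the final path component so a crafted attachment name
        // cannot steer the write outside the chosen directory.
        File out = new File(dir, new File(name).getName());
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(body);
        }
        return out;
    }
}
```

A settings screen can call `isOnSharedStorage()` on the user-chosen attachment folder and reject it when it returns true, which is the same outcome as the manual step above.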

For more technical details about their research, as well as for their recommendations for mobile app developers regarding how to solve this problem, check out the researchers’ post.