03:50 PM
Connect Directly
50% Android App Leaves Email Messages Exposed

Researchers find emails unprotected by default on SD cards.

A Microsoft Outlook client app for Android devices stores, by default, email messages unencrypted on the device's SD cards, researchers say.

Erik Cabetas, managing director of Include Security, says the mobile client, which was developed by third-party app firm Seven Networks, leaves email messages in the clear on the removable SD cards. "Anyone can grab that and walk away," Cabetas says.

Android users must set up the device to encrypt the file system, something most consumers are likely unaware of, he says, noting that it's not a feature that's integrated with the service or app. "Users need to be aware so they can encrypt the file system of the SC card. Android has native tools to do that... but it's a [multi-click] setting and most don't know how to do that." does have a PIN feature, but it only protects the user interface to the app, not the stored data on the file system, he says. "I could lock my phone with the PIN, but if someone reads the internal SD card, they still have all the data."

Other apps on the phone also could access the emails. "Any app on the phone can read that" information on the SD card. They don't need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails."

Cabetas and his team contacted Microsoft's Security Response Center about the security weakness in the app, but Cabetas says Microsoft's response was that this was an issue with the device itself and outside the scope of the app and Microsoft's own security model.

A Microsoft spokesperson provided this statement in response to a press inquiry about the research:

Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information.

Include's Cabetas says that, ideally, the app should alert users that it stores emails to the local file system. "As part of the app installation, it should alert the user that 'We store emails to your local file system. Would you like to encrypt it? Yes or no.' Even if a software vendor doesn't feel directly responsible for worrying about the local file system encryption, at least it should inform the user."

He recommends that users use full disk encryption for Android and SD card file systems, and the USB debugging (under the Developer Options setting) should be turned off.

Include says in a blog post that will be posted today:

Alternatively, for Android could use third-party addons (such as SQLcipher) to encrypt the SQLite database in tandem with transmitting the attachments as opaque binary blobs to ensure that the attachments can only be read by the app (perhaps using the JOBB tool). These methods would be useful for older devices (such as devices that run Android 4.0 and earlier) that do not support full disk encryption.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/21/2014 | 6:34:44 PM
Re: Default Encryption
Hey Microsoft, At least a warning during installation is warranted here!

The Outlook desktop app has better controls over its local OST datafiles than this app.

I have used Touchdown for Exchange since Android 2.x, which DOES encrypt its datastore, plus I encrypt both internal storage and SD card and disable the developer option.


User Rank: Ninja
5/21/2014 | 3:41:08 PM
Re: Default Encryption
Randy you are right, but in this case I believe that the app itself his poor under security perspective. Microsoft statement has no sense. Guys who have designed the app have no clear idea of security requirements neither user privacy.

Since we will read reply like the one provided by MS we have no hope to user better application .... 

Please give a look to my post on the topic and read the stats I mentioned on HP Fortify study ...


Randy Naramore
Randy Naramore,
User Rank: Ninja
5/21/2014 | 2:07:53 PM
Re: Default Encryption
Sad to say but the Android apps do not have the scrutiny that apple apps have. The android platform is solid but the apps need to be held to a higher level than they currently are.
User Rank: Ninja
5/21/2014 | 12:21:57 PM
Re: Default Encryption
The reply provided by Microsoft is simply absurd. This is the wrong way to think security by design. Let's blame the others ... it's too easy!

User Rank: Ninja
5/20/2014 | 9:59:30 PM
Default Encryption
It seems that this is a gaping security flaw considering the ease of extraction for an SD card. Majority of users as posed in the article are default set to be unencrypted, so this hole will be available for many android based users. 

Is there any detriment to defaulting settings to encrypt instead of defaulting to unecrypted from a vendor perspective? Allow the user to make the choice but make them consciously choose to become vulnerable. This way the majority of unaware users will not be unknowlingly in danger.
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio