News
5/20/2014
03:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Outlook.com Android App Leaves Email Messages Exposed

Researchers find Outlook.com emails unprotected by default on SD cards.

A Microsoft Outlook client app for Android devices stores, by default, email messages unencrypted on the device's SD cards, researchers say.

Erik Cabetas, managing director of Include Security, says the Outlook.com mobile client, which was developed by third-party app firm Seven Networks, leaves email messages in the clear on the removable SD cards. "Anyone can grab that and walk away," Cabetas says.

Android users must set up the device to encrypt the file system, something most consumers are likely unaware of, he says, noting that it's not a feature that's integrated with the Outlook.com service or app. "Users need to be aware so they can encrypt the file system of the SC card. Android has native tools to do that... but it's a [multi-click] setting and most don't know how to do that."

Outlook.com does have a PIN feature, but it only protects the user interface to the app, not the stored data on the file system, he says. "I could lock my phone with the PIN, but if someone reads the internal SD card, they still have all the data."

Other apps on the phone also could access the emails. "Any app on the phone can read that" information on the SD card. They don't need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails."

Cabetas and his team contacted Microsoft's Security Response Center about the security weakness in the app, but Cabetas says Microsoft's response was that this was an issue with the device itself and outside the scope of the app and Microsoft's own security model.

A Microsoft spokesperson provided this statement in response to a press inquiry about the research:

Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information.

Include's Cabetas says that, ideally, the app should alert users that it stores emails to the local file system. "As part of the app installation, it should alert the user that 'We store emails to your local file system. Would you like to encrypt it? Yes or no.' Even if a software vendor doesn't feel directly responsible for worrying about the local file system encryption, at least it should inform the user."

He recommends that users use full disk encryption for Android and SD card file systems, and the USB debugging (under the Developer Options setting) should be turned off.

Include says in a blog post that will be posted today:

Alternatively, Outlook.com for Android could use third-party addons (such as SQLcipher) to encrypt the SQLite database in tandem with transmitting the attachments as opaque binary blobs to ensure that the attachments can only be read by the Outlook.com app (perhaps using the JOBB tool). These methods would be useful for older devices (such as devices that run Android 4.0 and earlier) that do not support full disk encryption.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MrTibbs
50%
50%
MrTibbs,
User Rank: Apprentice
5/21/2014 | 6:34:44 PM
Re: Default Encryption
Hey Microsoft, At least a warning during installation is warranted here!

The Outlook desktop app has better controls over its local OST datafiles than this app.

I have used Touchdown for Exchange since Android 2.x, which DOES encrypt its datastore, plus I encrypt both internal storage and SD card and disable the developer option.

-MT

 
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
5/21/2014 | 3:41:08 PM
Re: Default Encryption
Randy you are right, but in this case I believe that the app itself his poor under security perspective. Microsoft statement has no sense. Guys who have designed the app have no clear idea of security requirements neither user privacy.

Since we will read reply like the one provided by MS we have no hope to user better application .... 

Please give a look to my post on the topic and read the stats I mentioned on HP Fortify study ...

http://securityaffairs.co/wordpress/25103/digital-id/outlook-app-leaks-encryption.html

Thanks

Pierluigi
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
5/21/2014 | 2:07:53 PM
Re: Default Encryption
Sad to say but the Android apps do not have the scrutiny that apple apps have. The android platform is solid but the apps need to be held to a higher level than they currently are.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
5/21/2014 | 12:21:57 PM
Re: Default Encryption
The reply provided by Microsoft is simply absurd. This is the wrong way to think security by design. Let's blame the others ... it's too easy!

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/20/2014 | 9:59:30 PM
Default Encryption
It seems that this is a gaping security flaw considering the ease of extraction for an SD card. Majority of users as posed in the article are default set to be unencrypted, so this hole will be available for many android based users. 

Is there any detriment to defaulting settings to encrypt instead of defaulting to unecrypted from a vendor perspective? Allow the user to make the choice but make them consciously choose to become vulnerable. This way the majority of unaware users will not be unknowlingly in danger.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partnerís Role in Perimeter Security
Title Partnerís Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3090
Published: 2014-09-23
IBM Rational ClearCase 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2014-3101
Published: 2014-09-23
The login form in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not insert a delay after a failed authentication attempt, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2014-3103
Published: 2014-09-23
The Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http...

CVE-2014-3104
Published: 2014-09-23
IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2014-3105
Published: 2014-09-23
The OSLC integration feature in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account n...

Best of the Web
Dark Reading Radio