A Microsoft Outlook client app for Android devices stores, by default, email messages unencrypted on the device's SD cards, researchers say.
Erik Cabetas, managing director of Include Security, says the Outlook.com mobile client, which was developed by third-party app firm Seven Networks, leaves email messages in the clear on the removable SD cards. "Anyone can grab that and walk away," Cabetas says.
Android users must set up the device to encrypt the file system, something most consumers are likely unaware of, he says, noting that it's not a feature that's integrated with the Outlook.com service or app. "Users need to be aware so they can encrypt the file system of the SD card. Android has native tools to do that... but it's a [multi-click] setting and most don't know how to do that."
Outlook.com does have a PIN feature, but it only protects the user interface to the app, not the stored data on the file system, he says. "I could lock my phone with the PIN, but if someone reads the internal SD card, they still have all the data."
Other apps on the phone also could access the emails. "Any app on the phone can read that" information on the SD card, he says. "They don't need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails."
Cabetas and his team contacted Microsoft's Security Response Center about the security weakness in the app, but Cabetas says Microsoft's response was that this was an issue with the device itself and outside the scope of the app and Microsoft's own security model.
A Microsoft spokesperson provided this statement in response to a press inquiry about the research:
Include's Cabetas says that, ideally, the app should alert users that it stores emails to the local file system. "As part of the app installation, it should alert the user that 'We store emails to your local file system. Would you like to encrypt it? Yes or no.' Even if a software vendor doesn't feel directly responsible for worrying about the local file system encryption, at least it should inform the user."
He recommends that users enable full disk encryption for the Android and SD card file systems, and that USB debugging (under the Developer Options setting) be turned off.
Include says in a blog post that will be posted today:
Alternatively, Outlook.com for Android could use third-party add-ons (such as SQLCipher) to encrypt the SQLite database in tandem with transmitting the attachments as opaque binary blobs to ensure that the attachments can only be read by the Outlook.com app (perhaps using the JOBB tool). These methods would be useful for older devices (such as devices that run Android 4.0 and earlier) that do not support full disk encryption.
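To make the storage choice concrete, here is an added example that is not code from the Outlook.com app, Seven Networks, Microsoft or Include Security. It contrasts the pattern the article describes (a message cache written to shared external storage, readable by any other app and removable with the card) with two defensive alternatives: app-private internal storage, and a SQLCipher-encrypted SQLite database as the blog post suggests. The package, class and method names are hypothetical; the Android and SQLCipher calls are real APIs but are assumed to match the versions the app targets.

```java
// Added example; hypothetical package, not part of the Outlook.com app.
package com.example.mailcache;

import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// SQLCipher for Android: drop-in replacement for android.database.sqlite
import net.sqlcipher.database.SQLiteDatabase;

public final class MessageCache {

    // INSECURE: the pattern the article describes. External storage (the SD
    // card) is shared by every app on the device, needed no dangerous permission
    // on the Android versions discussed, and can simply be removed and read
    // elsewhere. Full-disk encryption for the internal partition does not
    // protect it unless the user separately encrypts the card.
    static File writeToExternalStorage(String messageId, String body) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "mailcache");
        dir.mkdirs();
        File f = new File(dir, messageId + ".eml");
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        return f;
    }

    // BETTER: app-private internal storage. MODE_PRIVATE files are owned by the
    // app's own Linux UID, so other apps cannot open them, and they live on the
    // internal partition that device full-disk encryption covers.
    static File writeToInternalStorage(Context ctx, String messageId, String body) throws IOException {
        String name = messageId + ".eml";
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        return new File(ctx.getFilesDir(), name);
    }

    // ALSO: encrypt the message database itself with SQLCipher, which protects
    // the data at rest even on devices without full-disk encryption. The
    // passphrase must never be hard-coded; derive it from a user secret or
    // keep it in a hardware-backed keystore (out of scope for this example).
    static SQLiteDatabase openEncryptedDb(Context ctx, char[] passphrase) {
        SQLiteDatabase.loadLibs(ctx);                       // load native SQLCipher libs
        File dbFile = ctx.getDatabasePath("messages.db");   // internal, app-private path
        dbFile.getParentFile().mkdirs();                    // databases/ may not exist yet
        SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(dbFile, passphrase, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS message (id TEXT PRIMARY KEY, body TEXT)");
        return db;
    }

    // Parameterised insert into the encrypted table; rows are ciphertext on disk.
    static void storeMessage(SQLiteDatabase db, String messageId, String body) {
        db.execSQL("INSERT OR REPLACE INTO message (id, body) VALUES (?, ?)",
                   new Object[] { messageId, body });
    }

    private MessageCache() {}
}
```

The important difference is not the encryption call but the storage location: internal storage is isolated per app by the platform's UID sandbox and is covered by device encryption, whereas anything on the SD card inherits none of those protections. SQLCipher then closes the remaining gap for older devices that cannot encrypt the internal partition at all.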