Outlook.com Android App Leaves Email Messages Exposed

Published: 22/11/2024   Category: security




Researchers find Outlook.com emails unprotected by default on SD cards.



A Microsoft Outlook client app for Android devices stores email messages unencrypted on the device's SD card by default, researchers say.
Erik Cabetas, managing director of Include Security, says the Outlook.com mobile client, which was developed by third-party app firm Seven Networks, leaves email messages in the clear on the removable SD card. "Anyone can grab that and walk away," Cabetas says.
Android users must set up the device to encrypt the file system, something most consumers are likely unaware of, he says, noting that it's not a feature that's integrated with the Outlook.com service or app. "Users need to be aware so they can encrypt the file system of the SD card. Android has native tools to do that ... but it's a [multi-click] setting and most don't know how to do that."
Outlook.com does have a PIN feature, but it only protects the user interface of the app, not the data stored on the file system, he says. "I could lock my phone with the PIN, but if someone reads the internal SD card, they still have all the data."
Other apps on the phone could also access the emails. "Any app on the phone can read that information on the SD card. They don't need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails."
Cabetas and his team contacted Microsoft's Security Response Center about the security weakness in the app, but Cabetas says Microsoft's response was that this was an issue with the device itself and outside the scope of the app and Microsoft's own security model.
A Microsoft spokesperson provided this statement in response to a press inquiry about the research: "Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers' data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft's online privacy policy for more information."
Include Security's Cabetas says that, ideally, the app should alert users that it stores emails to the local file system. "As part of the app installation, it should alert the user that 'We store emails to your local file system. Would you like to encrypt it? Yes or no.' Even if a software vendor doesn't feel directly responsible for worrying about the local file system encryption, at least it should inform the user."
He recommends that users turn on full-disk encryption for the Android device and SD card file systems, and that USB debugging (under the Developer Options setting) be turned off.
Include Security says in a blog post due to be published today:
"Alternatively, Outlook.com for Android could use third-party add-ons (such as SQLCipher) to encrypt the SQLite database in tandem with transmitting the attachments as opaque binary blobs to ensure that the attachments can only be read by the Outlook.com app (perhaps using the JOBB tool). These methods would be useful for older devices (such as devices that run Android 4.0 and earlier) that do not support full disk encryption."
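The check a tester would run to confirm the two claims above (that a co-resident app or anyone holding the card can read the mail store with no key, and that a SQLCipher database or opaque attachment blob would not be readable that way) is an audit of the files pulled from external storage. The script below is an added example written for this page; it is not Include Security's, Seven Networks' or Microsoft's code. It uses only the Python standard library and builds its own constructed sample tree under a hypothetical package name (`com.example.mailclient`): an ordinary SQLite message store with made-up rows, a cached message in RFC 5322 form, and a file of seeded random bytes standing in for a SQLCipher database (SQLCipher itself is not invoked). Standard SQLite files begin with the 16-byte header `SQLite format 3\0`; a SQLCipher file does not, because by default its first 16 bytes are the key-derivation salt, which is the property the classifier relies on.

```python
"""Audit a tree pulled from an Android external-storage partition ("SD card")
for mail an app has left in the clear.

Everything here is something a co-resident app or anyone holding the card
could do just as easily, which is the article's point:

  1. A file beginning with the SQLite magic header is a plaintext database.
     It is opened read-only with no key and every row is returned.
  2. A SQLCipher database does not carry that header (by default its first
     16 bytes are the key-derivation salt), so such a file is reported as
     "opaque", as is an attachment stored as an encrypted binary blob.
  3. Any other file whose first kilobyte carries RFC 5322 style headers
     (From:/To:/Subject:) is flagged as a plaintext message dump.
"""
import os
import random
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"
MAIL_HEADERS = (b"from:", b"to:", b"subject:")

# Hypothetical package name used only for the constructed sample tree below.
APP_DIR = os.path.join("Android", "data", "com.example.mailclient")


def classify_file(path):
    """Return 'sqlite-plaintext', 'mail-plaintext' or 'opaque' from the first KiB."""
    with open(path, "rb") as f:
        head = f.read(1024)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite-plaintext"
    hits = sum(1 for h in MAIL_HEADERS if h in head.lower())
    return "mail-plaintext" if hits >= 2 else "opaque"


def dump_sqlite_rows(path):
    """Open a plaintext SQLite file read-only (no key needed); return every row of every table."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        rows = []
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'
            rows.extend((name,) + tuple(r) for r in con.execute("SELECT * FROM " + quoted))
        return rows
    finally:
        con.close()


def audit(root):
    """Walk the pulled tree; return a sorted list of (relative path, kind, rows-or-None)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            kind = classify_file(path)
            rows = dump_sqlite_rows(path) if kind == "sqlite-plaintext" else None
            findings.append((os.path.relpath(path, root).replace(os.sep, "/"), kind, rows))
    return sorted(findings)


def build_sample_card(root):
    """Populate `root` with a constructed stand-in for a pulled /sdcard (not real app data)."""
    files = os.path.join(root, APP_DIR, "files")
    cache = os.path.join(root, APP_DIR, "cache")
    os.makedirs(files)
    os.makedirs(cache)

    # (a) message store written as an ordinary SQLite database, the pattern the article describes
    con = sqlite3.connect(os.path.join(files, "messages.db"))
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, subject TEXT, body TEXT)")
    con.executemany("INSERT INTO messages(sender, subject, body) VALUES (?, ?, ?)", [
        ("alice@example.com", "Q3 numbers", "Attached, internal only."),
        ("bob@example.com", "Password reset", "Your temporary code is 481516."),
    ])
    con.commit()
    con.close()

    # (b) a cached message/attachment dumped in RFC 5322 form
    with open(os.path.join(cache, "attachment-1.eml"), "wb") as f:
        f.write(b"From: alice@example.com\r\nTo: me@example.com\r\n"
                b"Subject: Q3 numbers\r\n\r\nbody text here\r\n")

    # (c) stand-in for a SQLCipher database or an opaque attachment blob: no plaintext
    #     header, just seeded random bytes (constructed; not produced by SQLCipher itself)
    rnd = random.Random(7)
    with open(os.path.join(files, "messages-sqlcipher.db"), "wb") as f:
        f.write(bytes(rnd.getrandbits(8) for _ in range(4096)))


def run_demo():
    """Build the sample card in a temp dir, audit it, return {relpath: (kind, rows)}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_card(root)
        return {rel: (kind, rows) for rel, kind, rows in audit(root)}


if __name__ == "__main__":
    for rel, (kind, rows) in run_demo().items():
        print("%-60s %s" % (rel, kind))
        for row in rows or ():
            print("    ", row)
```

On a real engagement the tree would come from `adb pull /sdcard` (which is why the recommendation to disable USB debugging matters) or from the card mounted on another machine, and the point of the "no key needed" branch is that the app's PIN plays no part in it. One caveat on the "no special permission" claim: Android added a READ_EXTERNAL_STORAGE permission in 4.1, but it was not enforced by default until 4.4, so on the 4.0-era devices the blog post mentions any installed app could read these files.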





