A Microsoft Outlook client app for the Android platform lacks of encryption for the storage of email messages on the device’s SD cards. The unique protection mechanism implemented for the Outlook app is a PIN feature, but it is limited to the protection of the user interface and not the data stored on the file.
The Outlook.com mobile client app was developed by third-party app firm Seven Networks, researchers at Include Security discovered that it leaves email messages in the clear on the removable SD cards with obvious consequences for users’ privacy.
“Anyone can grab that and walk away,” said Erik Cabetas, managing director of Include Security.
Android users in order to protect their data have to set up their mobile devices to encrypt the file system, unfortunately the number of users that enable encryption by default is limited. The Outlook.com app doesn’t implement by default the data encryption.
“Users need to be aware so they can encrypt the file system of the SC card. Android has native tools to do that… but it’s a [multi-click] setting and most don’t know how to do that.” Cabetas added.
The PIN feature is not enough to protect Outlook.com user data, an attacker could steal the SD card and access to files stored on the SD as explained by Cabetas:
“I could lock my phone with the PIN, but if someone gets the SD card, they still have all the data.”
The risks for user privacy is high, any other application installed on the mobile device could have free access to the plain text data stored on the SD card by the Outlook application.
“Any app on the phone can read that” information on the SD card. They don’t need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails.”
Experts at Include Security reported the flaw to Microsoft’s Security Response Center, but the reply was not positive, Microsoft’s response was that this is an issue related to the device itself and outside of their responsibility, let me add that this is absurd.
I’m not surprised by the discovery made by the Cabetas’s team, unfortunately similar situations are very common for mobile apps like evidenced by a recent study conducted by experts at the HP Fortify, following the results of the analysis that confirm my declaration:
Cabetas suggested to Microsoft to at least advice users of the lack of encryption for data stored by the app on the device file system.
“As part of the app installation, it should alert the user that ‘We store emails to your local file system. Would you like to encrypt it? Yes or no.’ Even if a software vendor doesn’t feel directly responsible for worrying about the local file system encryption, at least it should inform the user.”
Alternatively, Outlook.com for Android could use third-party addons (such as SQLcipher) to encrypt the SQLite database in tandem with transmitting the attachments as opaque binary blobs to ensure that the attachments can only be read by the Outlook.com app (perhaps using the JOBB tool). These methods would be useful for older devices (such as devices that run Android 4.0 and earlier) that do not support full disk encryption. he added.
Let me suggest you to use full disk encryption for Android and SD card file systems, and disable the feature USB debugging that could be abused by attackers and malware to gain the control of the device.
(Security Affairs – Mobile, Outlook)