There are two weaknesses in the way Microsoft's Outlook application stores content on older versions of Android that could expose users' emails and email attachments.
Paolo Soto, a researcher with the security firm Include Security, said his team initially dug up the vulnerabilities in November 2013 and reported them to Microsoft in December. A blog entry Include Security posted on Wednesday, after checking with Microsoft's Security Response Center whether a fix was planned, marks the first time the findings have been made public.
The main problem is that the way the app stores email on Android devices fails to keep the messages and attachments confidential.
In particular, email attachments are written to the SD card partition, a world-readable location, so any application on the device, or any third party with physical access to the phone, can read them.
Google stopped making the SD card path world-readable in Android 4.4, released in October 2013, but as the researchers note, the lion's share of devices running the mobile operating system are still on an older version.
The emails themselves are stored in the app's private storage area, a path that users may assume is encrypted with a password, but it isn't.
Outlook lets users set a pincode to access the app, but the pincode protects only the app's GUI (Graphical User Interface), not the stored messages.
“The pincode is sufficient to stop a party who only will try to access the Outlook client via the phone screen interface,” Soto writes. “It will not prevent a party who has access to the file system on the device via USB.”
As Soto notes, it doesn't matter whether the phone is rooted or not; there are still techniques that third parties could use to extract email information by exploiting utilities and loose permissions.
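To make the storage problem concrete, here is an added audit helper; it is illustrative code written for this page, not Include Security's or Microsoft's. It takes the text of `adb shell ls -l <attachment-dir>` plus the device's Android release string and reports which attachment files an arbitrary app, or a party with USB access, could read: either because the directory is on external storage on a release where the platform makes that storage world-readable (before 4.4, per the article), or because a file's own mode bits grant other-read. The listing format assumed is the Android 4.x toolbox `ls -l` layout, the directory `/mnt/sdcard/attachments` and the file names are hypothetical, and the sample listing is constructed, not captured from a real device.

```python
"""Audit helper for attachment storage exposure (added example, not the
researchers' or Microsoft's code). Assumes the Android 4.x toolbox
`ls -l` layout; sample listing and names below are constructed."""
import re
from typing import Dict, List, NamedTuple


# Constructed sample of `adb shell ls -l` output; file names are hypothetical.
SAMPLE_LISTING = """\
-rw-rw-r-- root     sdcard_rw    48213 2014-05-20 09:12 invoice.pdf
-rw-rw---- root     sdcard_rw   120944 2014-05-20 09:14 board-minutes.docx
drwxrwxr-x root     sdcard_rw            2014-05-19 18:03 cache
"""

# Prefixes under which external storage was mounted on Android 4.x devices.
EXTERNAL_STORAGE_PREFIXES = ("/sdcard", "/mnt/sdcard", "/storage")


class FileEntry(NamedTuple):
    name: str
    mode: str
    other_readable: bool


# toolbox `ls -l`: mode owner group [size] YYYY-MM-DD HH:MM name
_LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\S+\s+\S+\s+(?:\d+\s+)?"
    r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<name>.+)$"
)


def parse_listing(text: str) -> List[FileEntry]:
    """Parse regular files out of an `ls -l` listing, skipping directories."""
    entries = []
    for line in text.splitlines():
        match = _LS_LINE.match(line.rstrip())
        if match is None or match.group("mode").startswith("d"):
            continue
        mode = match.group("mode")
        # mode[7:10] are the "other" bits; an 'r' there means any UID can read.
        entries.append(FileEntry(match.group("name"), mode, mode[7] == "r"))
    return entries


def is_external_storage(path: str) -> bool:
    """True if the directory sits on the SD card / external storage mount."""
    return any(path == p or path.startswith(p + "/")
               for p in EXTERNAL_STORAGE_PREFIXES)


def platform_exposes_external_storage(android_release: str) -> bool:
    """Per the article, external storage stopped being world-readable in 4.4."""
    parts = android_release.split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (major, minor) < (4, 4)


def audit(listing: str, attachment_dir: str,
          android_release: str) -> Dict[str, object]:
    """Return which attachment files an arbitrary app or USB party could read."""
    entries = parse_listing(listing)
    platform_exposed = (is_external_storage(attachment_dir)
                        and platform_exposes_external_storage(android_release))
    exposed = [e.name for e in entries if platform_exposed or e.other_readable]
    return {
        "attachment_dir": attachment_dir,
        "android_release": android_release,
        "platform_exposed": platform_exposed,
        "total_files": len(entries),
        "exposed_files": exposed,
    }


if __name__ == "__main__":
    for release in ("4.3", "4.4"):
        print(audit(SAMPLE_LISTING, "/mnt/sdcard/attachments", release))
```

On the emulated SD card of a 4.x device the mode bits are synthetic and typically identical for every file, so the release check is the decisive signal there; the per-file bits matter for directories under /data. The same `is_external_storage` check tells you whether the workaround the researchers suggest, moving the attachment directory, actually takes the files off external storage.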
When the researchers contacted Microsoft in December, the company maintained that the issue wasn't a direct responsibility of its software and that users shouldn't expect data encryption by default.
Specifically, according to the researchers, Microsoft claims “users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made.” When asked to reconsider the researchers' findings as recently as last week, the Redmond-based company reiterated its position.
“We feel this is a behavior users should be aware of,” Soto said, describing the app’s lack of encryption.
The app, which is available on Google’s Play marketplace, was made in conjunction with Seven Networks, a California-based mobile traffic management firm.
Include Security points out that Android users who run Outlook and want to reduce the chance of their content being read can change a few settings to add a layer of protection: turn off USB debugging in Settings, enable full-disk encryption for both the device and the SD card, and change the directory that email attachments are saved to.
In a way, the issues mirror a similar one recently brought to light in how Apple’s iOS handles emails and attachments.
In April, German security researcher Andreas Kurtz found that email attachments stored by MobileMail.app could be read without encryption or restriction in the most recent build of iOS; all an attacker needed was access to the device's file system.