Outlook for Android fails to keep emails confidential
Posted on 27 May 2014.
Did you know that Outlook and many other email and mobile messaging Android apps store your emails and messages on the device's SD card, unencrypted, and accessible to any third-party app that is permitted to access the card's contents?

Couple that with the (widely given) permission to access the Internet, and your potentially confidential conversations might be exfiltrated and stored on remote servers for attackers to peruse and misuse.

"We feel a key security and privacy attribute of any mobile messaging application is the ability to maintain the confidentiality of data stored on the device the app runs on. If a device is stolen or compromised, a 3rd party may try to obtain access to locally cached messages," researchers from New York-based consultancy Include Security shared on the company blog.

"We've found that many messaging applications (stored email or IM/chat apps) store their messages in a way that makes it easy for rogue apps or 3rd parties with physical access to the mobile device to obtain access to the messages."

While a number of apps behave this way, the researchers singled out Outlook for Android to explain the problem, probably because the app has been downloaded by tens of millions of users.

Regarding Outlook for Android, they found that "email attachments are stored in a file system area that is accessible to any application or to third parties who have physical access to the phone", and that "the emails themselves are stored on the app-specific filesystem, and the 'Pincode' feature of the Outlook.com app only protects the Graphical User Interface."

They say they disclosed part of their research to raise user awareness, since Microsoft has repeatedly noted that "...users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made."

What can users do to protect their communications? They can enable Android's Full Disk Encryption feature to encrypt all data (app data, downloaded files, and so on). Note what that does and does not cover: it protects the data only while the device is powered off, before the boot-time passphrase is entered; once the device is booted, every app with permission to read the SD card can still read the files. They can also change the folder where email attachments are downloaded (go to Settings > General > Attachments Settings > Attachment Folder) to one that is not located on the SD card, so that the files end up in the app's private internal storage, which other apps cannot read.
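The two storage choices contrasted above (attachments on the shared SD card versus in the app's private internal storage) and the "rogue app with SD-card permission" threat described earlier, as an added example that is not Outlook's or Include Security's code. The class and file names are hypothetical; the Android APIs (Environment.getExternalStorageDirectory, Context.openFileOutput with MODE_PRIVATE) are real.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

// Added example (not Outlook's or Include Security's code). AttachmentStore,
// AttachmentHarvester and the "Attachments" folder name are hypothetical.
public final class AttachmentStore {

    private AttachmentStore() {}

    // VULNERABLE: writes the attachment to the shared external storage root.
    // On the Android versions this article concerns, any app holding
    // READ_EXTERNAL_STORAGE, and anyone who mounts the card, can read it.
    public static File saveAttachmentToSdCard(String fileName, byte[] data) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "Attachments");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        File out = new File(dir, fileName);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(data);
        }
        return out;
    }

    // HARDENED: writes into the app's private internal storage
    // (/data/data/<package>/files). MODE_PRIVATE makes the file owned by the
    // app's own UID with no world permissions, so another app cannot open it
    // without root or a platform bug.
    public static File saveAttachmentPrivately(Context ctx, String fileName, byte[] data)
            throws IOException {
        // Reject separators so an attacker-chosen attachment name cannot escape the directory.
        if (fileName.isEmpty() || fileName.contains("/") || fileName.contains("\\")
                || fileName.equals(".") || fileName.equals("..")) {
            throw new IOException("unsafe attachment name: " + fileName);
        }
        try (FileOutputStream fos = ctx.openFileOutput(fileName, Context.MODE_PRIVATE)) {
            fos.write(data);
        }
        return new File(ctx.getFilesDir(), fileName);
    }
}

// ROGUE APP (hypothetical): a second, unrelated app that declares only
// android.permission.READ_EXTERNAL_STORAGE and android.permission.INTERNET.
// It can enumerate and read everything the vulnerable method wrote, and could
// then upload it; the privately stored file is not visible to it at all.
final class AttachmentHarvester {
    static List<File> harvest() {
        List<File> found = new ArrayList<>();
        File dir = new File(Environment.getExternalStorageDirectory(), "Attachments");
        File[] files = dir.listFiles();
        if (files != null) {
            for (File f : files) {
                if (f.isFile() && f.canRead()) {
                    found.add(f); // readable by this app: would be exfiltrated next
                }
            }
        }
        return found;
    }
}
```

Moving the folder to Context.getExternalFilesDir() is not a fix on the Android versions of that time: that path is still on external storage, and READ_EXTERNAL_STORAGE covers it just as it covers the card's root. Only internal storage (getFilesDir / openFileOutput) gives per-app isolation, and the attachment-folder setting above is only a real mitigation when it points there.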

For more technical details about their research, as well as for their recommendations for mobile app developers regarding how to solve this problem, check out the researchers' post.
COPYRIGHT 1998-2014 BY HELP NET SECURITY.