Outlook Android App's Security Questionable

After reverse engineering popular mobile applications, researchers say that the Android version of Outlook.com, Microsoft's free email service, isn't very good at protecting the user's privacy.

In a blog, researchers Paolo Soto and Erik Cabetas from Inside Secure found that many messaging applications insecurely store their messages making it easy for rogue apps or criminals with physical access to the mobile device to access the messages. That means if the device falls into the hands of others, sensitive emails become child's play to retrieve.

In particular, with the Android Outlook app, they found:

  • The email attachments are stored in a file system area that is accessible to any application or to 3rd parties who have physical access to the phone.
  • The emails themselves are stored on the app-specific filesystem, and the "Pincode" feature of the Outlook.com app only protects the Graphical User Interface, it does nothing to ensure the confidentiality of messages on the filesystem of the mobile device.

For example, they found that they could use ADB shell to find the email attachments, which in their example is located in /sdcard/attachments.

sdcard

To counter rogue behavior and protect privacy, they recommend that users:

  • Disable their USB debugging (Settings => Developer Options => USB debugging).
  • Change the location where attachments are stored (Settings->general->Attachments Settings->Attachment Folder).
  • Use Full Disk Encryption for Android and SDcard file systems.

Download Whitepaper