Outlook.com Android app exposing user data

A security firm has stated that Microsoft’s very own Outlook.com app, which is available on the Android Play Store, is exposing users' data.

The firm in question, Include Security, says that the way the Outlook.com app stores e-mail attachments in the file system area of the Android OS leaves them accessible to “any application or to 3rd parties who have physical access to the phone.”

The firm also said that “The emails themselves are stored on the app-specific filesystem, and the 'Pincode' feature of the Outlook.com app only protects the Graphical User Interface, it does nothing to ensure the confidentiality of messages on the filesystem of the mobile device.”

This filesystem issue only impacts users on versions of Android prior to version 4.4 (KitKat) as the latest version of the Google mobile OS has forced apps to have private folders on the built-in storage area of the device. The risk is very high for many users though, as a large percentage of Android devices are still not running (or not able to run) the latest version of the Android OS.

ZDNet, which also reported the story, received a response from Microsoft on the issues:

“Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers' data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft's online privacy policy for more information.”

Include Security also found another issue with the "Pincode" feature of the Outlook.com app, stating that although the application asks you to create a pincode to protect your email, it actually only protects the Graphical User Interface and does not encrypt any of the data. Although many tech-savvy users will realise this is likely the case, a survey of less tech-minded users made by the company found that many thought it would protect their emails.

At the moment, the best option for Outlook.com app users is either to update to the latest version of the Android operating system if possible or to await a fix from Microsoft, though in relation to the "Pincode" issue, they have stated that "users of the app should not expect encryption of transmitted or stored messages".

Source: Include Security


34 Comments


"the Outlook.com app stores in the file system area of the Android OS leaves them accessible to “any application or to 3rd parties who have physical access to the phone.""

Just a question so is it stored under data/data or Android/data?

tanjiajun_34 said,
"the Outlook.com app stores in the file system area of the Android OS leaves them accessible to “any application or to 3rd parties who have physical access to the phone.""

Just a question so is it stored under data/data or Android/data?


I suppose in this case it's Android/data which is accessible by other apps instead of data/data (only for one specific app). So it's the app developer's fault for using that directory.

Edit:

The attachments are stored in: /sdcard/attachments

I know this is not going to go over well, but I don't know why anyone would use an Android considering the security issues. I pity users that use Android that have no tech experience.

Yeah me too. I use android and an app called "Xprivacy" so no problems whatsoever. Complete control over all apps including system apps. I wish WP could do everything I needed, but it's just not mature enough. I've replaced lugging my laptop around with my GS3 that's been tinkered with to the hilt.

I like many things about WP, just hope I have the same freedom and flexibility from it one day to do what I need. Can't believe they don't even have a file manager yet...maybe Total commander could help out like it does with Android.

notta said,
I know this is not going to go over well, but I don't know why anyone would use an Android considering the security issues. I pity users that use Android that have no tech experience.
Same as people who are still using XP. They probably know about the risks too but they have this mentality that they themselves won't ever be affected by it.

At least android allows the use of a file manager.

And why can't people just stop blaming every damn os for the users their fault, if a user installs a crappy app from a third party app store AND even accepts all the app permissions on install it's his own fault that he gets problems.

It's the very same story on every desktop os and nobody is blaming the os in that case.

I love how the article blames Outlook.com when this is an ANDROID issue. The source article simply uses Outlook.com app as an example. EVERY app that handles attachments or files can do the same thing, hence it's an Android 'common problem' as the source cites it.

Did you even read the source article? Even with just a quick look at the headers... "Root Cause: A Common Problem with the Privacy of Mobile Messaging Messaging Apps".

The problem is mobile messaging apps not ensuring their data stays private on the user's phone...

To put it in your words, I love how the comment I'm replying to blames Android when this is an app development issue (meaning MICROSOFT and other app makers). The source article simply uses apps from Android as an example. EVERY app that handles attachments or files can encrypt their data, hence it's a developer "messaging app common problem" to more accurately cite the source.

Edited by Pluto is a Planet, May 27 2014, 3:00am :

Pluto is a Planet said,
Did you even read the source article?

Did you even read my comment? I said the source article was correct and the Neowin article was not. And while yes developers 'can' encrypt their data, it's still an Android issue because they ALLOW them not to and don't make it MANDATORY for every developer. This is not a Microsoft nor developer issue, but simply a poor implementation on Android's side to protect user's data.

j2006 said,

Did you even read my comment? I said the source article was correct and the Neowin article was not. And while yes developers 'can' encrypt their data, it's still an Android issue because they ALLOW them not to and don't make it MANDATORY for every developer. This is not a Microsoft nor developer issue, but simply a poor implementation on Android's side to protect user's data.
The article just looks at Android as an example. It barely even mentions Android. If that's all you took from the article, then you're extremely narrow-minded. Especially considering that your idea of how an app ecosystem should work exists nowhere. You might as well remove the blame from Android and just blame all OS's for this sort of problem because it certainly doesn't only happen on Android.

j2006 said,

And while yes developers 'can' encrypt their data, it's still an Android issue because they ALLOW them not to and don't make it MANDATORY for every developer.

Wait a sec you want to prevent apps from reading other app data??? So we end up with the same thing as ios: no file explorer that can browse all files...

It's a developer his duty to protect necessary files, there are enough things in the sdk of ios, android, wp etc to do so.

And secondly I would find it a nightmare if I couldn't access my attachments with any other apps without going through the outlook app and tapping "open with" which shows in most cases all the apps I don't want to open the attachment with.

One of the best features of Android is that you can take any file and put it on the SD card for any app to read.

As long as Outlook doesn't download any attachments without user interaction, I don't see a problem.

It's not an android fault, every app can save data so that it's inaccessible by other apps on android if you at least write your app correctly.

Edit: it seems to be about attachments, this sounds quite normal to me, any file manager can access my downloaded attachments on my pc too.

anothercookie said,
So android specific problem and not necessarily outlook.com

The source article calls it a "common problem", their words, just using Outlook as an example. They also go on to talk about their previous article that describes the same thing on iOS. And as mentioned, there's encryption and making sure you're not running an old version of the operating system. They get updated for a reason, sandboxing being a pretty nifty addition, pity it took so long to get in there.

recursive said,
lol yeah because Google wrote the outlook app and it is integrated into Android.
This ^

recursive said,
lol yeah because Google wrote the outlook app and it is integrated into Android.

No, Google made Android such that any app can access anything on the file system without you even knowing. Openness is no excuse for it, after all they did fix it in KitKat, but apps have way too much access in Android, more than is ever necessary. I mean you can write an app to take pics and record video of people in compromising positions with them none the wiser. Android is creep heaven. That is just sloppy coding and laziness on the part of Google who just leave it up to third party devs and OEMs to fill in the holes and add basic features in the name of openness. Coupled with Google's 'I don't give an eff about your privacy' attitude and 'if you use Android, you basically sell your life to us' policy just keep reinforcing the point that Android is a bug, not a feature and should have never made it out the doors.

AsherGZ said,

No, Google made Android such that any app can access anything on the file system without you even knowing. Openness is no excuse for it, after all they did fix it in KitKat, but apps have way too much access in Android, more than is ever necessary. I mean you can write an app to take pics and record video of people in compromising positions with them none the wiser. Android is creep heaven. That is just sloppy coding and laziness on the part of Google who just leave it up to third party devs and OEMs to fill in the holes and add basic features in the name of openness. Coupled with Google's 'I don't give an eff about your privacy' attitude and 'if you use Android, you basically sell your life to us' policy just keep reinforcing the point that Android is a bug, not a feature and should have never made it out the doors.
Have you ever tried using a PC before?

Pluto is a Planet said,
Have you ever tried using a PC before?
Oh please. Are you really comparing a full blown OS to what some script kiddies came up with in their basements overnight?

AsherGZ said,
Oh please. Are you really comparing a full blown OS to what some script kiddies came up with in their basements overnight?
Or you can just ignore my point, but it still stands: Every single problem you listed exists in both.

AsherGZ said,
Oh please. Are you really comparing a full blown OS to what some script kiddies came up with in their basements overnight?

No the comparison is between a PC OS and Android, not Android and Windows Phone.

Yeerrrrr I never saw the need to use a third party email app when android has one built in that handles everything anyway.

AsherGZ said,
Does it? I thought stock Android only had a Gmail app and OEMs include their own crappy email clients on their phones.

Nope stock Android has an email client which supports Exchange, Exchange Active sync (outlook.com) and various other protocols. Been using my hotmail / outlook account in this since hotmail got Exchange Active Sync support.

xbbdc said,
try getting your outlook calendars using the default email app.

All your outlook calendars appear in the default calendar app, just like any other synced calendars.

Strange, I had to switch from the default mail app to the Outlook.com app due to problems with the calendars. I guess I can give it another try.