A security firm has stated that Microsoft’s very own Outlook.com app, which is available on the Android Play Store, is exposing users' data.
The firm in question, Include Security, says that the Outlook.com app stores e-mail attachments in the file system area of the Android OS, which leaves them accessible to “any application or to 3rd parties who have physical access to the phone.”
The firm also said that “The emails themselves are stored on the app-specific filesystem, and the 'Pincode' feature of the Outlook.com app only protects the Graphical User Interface, it does nothing to ensure the confidentiality of messages on the filesystem of the mobile device”.
This filesystem issue only impacts users on versions of Android prior to version 4.4 (KitKat), as the latest version of the Google mobile OS has forced apps to have private folders on the built-in storage area of the device. The risk is still very high for many users, as a large percentage of Android devices are not running (or not able to run) the latest version of the Android OS.
ZDNet, who have also reported the story, received a response from Microsoft on the issues:
Include Security also found another issue with the "Pincode" feature of the Outlook.com app, stating that although the application asks you to create a pincode to protect your email, it actually only protects the Graphical User Interface and does not encrypt any of the data. Although many tech-savvy users will realise this is likely the case, a survey of less tech-minded users made by the company found that many thought it would protect their emails.
At the moment, the best option for Outlook.com app users is either to update to the latest version of the Android operating system if possible or to await a fix from Microsoft, though in relation to the "Pincode" issue, they have stated that "users of the app should not expect encryption of transmitted or stored messages".
Source: Include Security