Outlook.com Android app exposing user data

A security firm has stated that Microsoft’s own Outlook.com app, which is available on the Android Play Store, is exposing users' data.

The firm in question, Include Security, says that e-mail attachments stored by the Outlook.com app in the file system area of the Android OS are left accessible to “any application or to 3rd parties who have physical access to the phone.”

The firm also said that “The emails themselves are stored on the app-specific filesystem, and the 'Pincode' feature of the Outlook.com app only protects the Graphical User Interface, it does nothing to ensure the confidentiality of messages on the filesystem of the mobile device.”

This filesystem issue only affects users on versions of Android prior to version 4.4 (KitKat), as the latest version of Google's mobile OS forces apps to have private folders on the built-in storage area of the device. The risk is still very high for many users, though, as a large percentage of Android devices are not running (or are not able to run) the latest version of the Android OS.

ZDNet, which has also reported the story, received a response from Microsoft on the issues:

“Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers' data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft's online privacy policy for more information.”

Include Security also found another issue with the "Pincode" feature of the Outlook.com app, stating that although the application asks you to create a pincode to protect your email, it actually only protects the Graphical User Interface and does not encrypt any of the data. Although many tech-savvy users will realise this is likely the case, a survey of less tech-minded users conducted by the company found that many thought it would protect their emails.

At the moment, the best option for Outlook.com app users is either to update to the latest version of the Android operating system if possible or to await a fix from Microsoft, though in relation to the "Pincode" issue, they have stated that "users of the app should not expect encryption of transmitted or stored messages".

Source: Include Security