A security research firm has exposed that the Outlook.com Android mobile app does nothing to ensure the confidentiality of messages and attachments within the phone's filesystem itself.
The application we're discussing here is the mobile client for Microsoft's free Outlook.com email service. This app is described as having been created by Seven Networks in conjunction or in association with Microsoft (i.e. it looks like it was outsourced). The app allows users to access their Outlook.com email on Android devices. In the course of our research we found that the on-device email storage doesn't really make any effort to ensure the confidentiality of messages and attachments within the phone filesystem itself. After notifying Microsoft (the vendor notification timeline is found at the end of this post), they disagreed that our concern was a direct responsibility of their software. In light of similar problems with iOS being deemed a concern by privacy advocates, we thought it'd be a good idea to share what we see with the Outlook.com app.
Here are the issues they found with the app:
We’ve found the following two behaviors of the app:
- The email attachments are stored in a filesystem area that is accessible to any application or to third parties who have physical access to the phone.
- The emails themselves are stored on the app-specific filesystem, and the “Pincode” feature of the Outlook.com app only protects the Graphical User Interface, it does nothing to ensure the confidentiality of messages on the filesystem of the mobile device.
We feel users should be aware of cases like this as they often expect that their phone’s emails are “protected” when using mobile messaging applications.
Read more at Include Security.
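As an added illustration (not code from the advisory, from the Outlook.com app, or from Microsoft), here is a hypothetical Android helper that contrasts the shared-storage choice the advisory criticises with app-private storage, plus a check a reviewer could run against any file the app writes; the class and method names are assumptions. A GUI pincode, as the advisory notes, changes nothing about which of these two locations the bytes land in.

```java
import android.content.Context;
import android.os.Environment;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/** Hypothetical helper (not from the app) showing weak vs. private attachment storage. */
public final class AttachmentStore {

    private AttachmentStore() {}

    /**
     * Weak: public external storage. Any app holding READ_EXTERNAL_STORAGE, and anyone
     * with the unlocked phone on a USB cable, can read the file. This mirrors the
     * first behaviour the advisory describes.
     */
    public static File saveToSharedStorage(String fileName, byte[] bytes) throws IOException {
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS);
        File out = new File(dir, fileName);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(bytes);
        }
        return out;
    }

    /**
     * Better: app-private internal storage. MODE_PRIVATE files live under the app's own
     * data directory and are sandboxed by the app's Linux UID, so other non-root apps
     * cannot open them.
     */
    public static File saveToPrivateStorage(Context ctx, String fileName, byte[] bytes) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput(fileName, Context.MODE_PRIVATE)) {
            fos.write(bytes);
        }
        return new File(ctx.getFilesDir(), fileName);
    }

    /** Audit check: true only if the file sits in the app's private dir and has no group/other bits. */
    public static boolean isPrivateToApp(Context ctx, File f) throws ErrnoException {
        boolean insidePrivateDir = f.getAbsolutePath().startsWith(ctx.getFilesDir().getAbsolutePath());
        StructStat st = Os.stat(f.getAbsolutePath());
        int groupOtherBits = OsConstants.S_IRWXG | OsConstants.S_IRWXO;
        return insidePrivateDir && (st.st_mode & groupOtherBits) == 0;
    }
}
```

Running `isPrivateToApp` over the result of each save method returns false for the shared-storage path and true for the private one; app-private storage still does not protect against a rooted device or a physical forensic image, which is where file-level encryption with a user-derived key would be the next step.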