Categories: CryptoSecurity

Outlook Android App stores emails in plain text on mobile

Researchers at Include Security discovered that the Outlook.com Android App leaves user email messages unprotected by default on the mobile SD cards.

A Microsoft Outlook client app for the Android platform lacks encryption for the storage of email messages on the device’s SD card. The only protection mechanism implemented in the Outlook app is a PIN feature, but it is limited to protecting the user interface, not the data stored on the file system.

The Outlook.com mobile client app was developed by the third-party app firm Seven Networks. Researchers at Include Security discovered that it leaves email messages in the clear on removable SD cards, with obvious consequences for users’ privacy.

“Anyone can grab that and walk away,” said Erik Cabetas, managing director of Include Security.

To protect their data, Android users have to set up their mobile devices to encrypt the file system; unfortunately, the number of users who enable encryption is limited. The Outlook.com app doesn’t encrypt the data by default.

“Users need to be aware so they can encrypt the file system of the SD card. Android has native tools to do that… but it’s a [multi-click] setting and most don’t know how to do that,” Cabetas added.

The PIN feature is not enough to protect Outlook.com user data: an attacker could steal the SD card and access the files stored on it, as explained by Cabetas:

“I could lock my phone with the PIN, but if someone gets the SD card, they still have all the data.”

The risk to user privacy is high: any other application installed on the mobile device could have free access to the plain-text data stored on the SD card by the Outlook application.

“Any app on the phone can read that” information on the SD card. “They don’t need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails.”

Experts at Include Security reported the flaw to Microsoft’s Security Response Center, but the reply was not positive: Microsoft’s response was that this is an issue related to the device itself and outside of their responsibility. Let me add that this is absurd.

“Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information.” said a Microsoft spokesperson.

I’m not surprised by the discovery made by Cabetas’s team; unfortunately, similar situations are very common for mobile apps, as evidenced by a recent study conducted by experts at HP Fortify. The following results of the analysis confirm my statement:

  • 86% of mobile apps lacked sufficient security measures to protect private data (e.g. address books, user data).
  • 86% of mobile apps tested lacked binary hardening protection; these apps proved vulnerable to certain attacks, including buffer overflows, jailbreak detection and path disclosure.
  • 75% of mobile apps did not implement data encryption for storage operations; the applications also stored personal data such as passwords, personal documents and chat logs in clear text.
  • 18% of mobile apps transmitted data over the network without using SSL encryption, and what is also concerning is that another 18% of apps used SSL incorrectly. In both cases private data was transmitted in the clear or was otherwise accessible to an attacker sharing the same network connection, the typical scenario of open Wi-Fi in public places.

Cabetas suggested that Microsoft at least advise users of the lack of encryption for data stored by the app on the device file system.

“As part of the app installation, it should alert the user that ‘We store emails to your local file system. Would you like to encrypt it? Yes or no.’ Even if a software vendor doesn’t feel directly responsible for worrying about the local file system encryption, at least it should inform the user.”

“Alternatively, Outlook.com for Android could use third-party add-ons (such as SQLCipher) to encrypt the SQLite database, in tandem with transmitting the attachments as opaque binary blobs to ensure that the attachments can only be read by the Outlook.com app (perhaps using the JOBB tool). These methods would be useful for older devices (such as devices that run Android 4.0 and earlier) that do not support full disk encryption,” he added.

Let me suggest that you use full disk encryption for the Android and SD card file systems, and disable the USB debugging feature, which could be abused by attackers and malware to gain control of the device.
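As an added example (not code from the article, from Include Security or from Microsoft), the following Python script audits a storage tree the way a defender would check whether an app has left a mail store readable in the clear, which is the condition Cabetas describes and the reason he proposes SQLCipher for the database and opaque blobs for attachments. It classifies each file as an unencrypted SQLite database (recognised by the SQLite magic header), a plain-text email (RFC 822-style header lines) or opaque data (high byte entropy, as an encrypted or compressed file would show). The directory layout, file names, signature patterns and entropy threshold are my own assumptions, and the sample tree is constructed inside the script so it runs offline.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Constructed detection signatures (assumptions for this example, not from the article).
SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of an unencrypted SQLite file
EMAIL_HEADER_RE = re.compile(rb"^(From|To|Subject|Date|Message-ID):\s", re.MULTILINE)
HIGH_ENTROPY_BITS = 7.5                 # bits per byte; random-looking data sits near 8.0
SAMPLE_BYTES = 65536                    # only the head of each file is inspected


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext approaches 8, natural text sits around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes) -> str:
    """Label a file's leading bytes by how readable they are to any other app on the device."""
    if data.startswith(SQLITE_MAGIC):
        return "sqlite-plaintext"       # openable with any SQLite client, no key needed
    if EMAIL_HEADER_RE.search(data):
        return "email-plaintext"        # message headers/body stored as-is
    if shannon_entropy(data[:SAMPLE_BYTES]) >= HIGH_ENTROPY_BITS:
        return "opaque"                 # encrypted (e.g. SQLCipher) or compressed; not readable as-is
    return "other"


def audit_storage(root: str) -> dict:
    """Walk a storage tree (e.g. an SD card mount point) and map relative path -> classification."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            findings[os.path.relpath(path, root)] = classify_blob(head)
    return findings


def exposed_files(findings: dict) -> list:
    """Paths whose contents are readable in the clear by anything with access to the storage."""
    return sorted(p for p, kind in findings.items() if kind.endswith("plaintext"))


def build_sample_tree() -> str:
    """Constructed sample tree mimicking an app that keeps its mail store on shared storage."""
    root = tempfile.mkdtemp(prefix="sdcard-audit-")
    app = os.path.join(root, "Android", "data", "com.example.mail", "files")  # hypothetical package
    os.makedirs(app)
    with open(os.path.join(app, "mail.db"), "wb") as fh:          # unencrypted SQLite store
        fh.write(SQLITE_MAGIC + b"\x00" * 84 + b"Subject: Quarterly figures\r\n" + b"\x00" * 4096)
    with open(os.path.join(app, "msg-0001.eml"), "wb") as fh:     # message cached as text
        fh.write(b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: hi\r\n\r\nbody\r\n")
    with open(os.path.join(app, "mail.db.enc"), "wb") as fh:      # stands in for a SQLCipher database
        fh.write(os.urandom(8192))
    with open(os.path.join(app, "README.txt"), "wb") as fh:
        fh.write(b"nothing sensitive here\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = audit_storage(sample_root)
    for path, kind in sorted(report.items()):
        print(f"{kind:18} {path}")
    print("exposed in the clear:", exposed_files(report))
```

Pointed at the mount point of an SD card (or at a directory copied from it), anything the script reports as plaintext is readable by any other app that can reach that storage, PIN lock or not, which is exactly the exposure the article describes. A SQLCipher database would be reported as opaque because SQLCipher encrypts the whole file, header included, so neither the magic bytes nor any message text survive in the clear.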

Pierluigi Paganini

(Security Affairs – Mobile, Outlook)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
