Security researchers have found a serious set of security holes in Microsoft’s Outlook.com Android application that allows for user data to be leaked.
Security researchers at Include Security identified the serious flaw in the mobile application back in November 2013 when reverse engineering apps. The application that has tens of millions of downloads was found to store user data on the SD card in plain text, allowing any third party or anyone to have access to the emails.
“In the course of our research we found that the on-device email storage doesn’t really make any effort to ensure confidentiality of messages and attachments within the phone filesystem itself,” Include Security Paolo Soto said in the report. “We’ve found that many messaging applications (stored email or instant message and chat apps) store their messages in a way that makes it easy for rogue apps or third parties with physical access to the mobile device to obtain access to the messages.”
The firm identified various security holes in a number of apps, but narrowed in on Outlook and identified several privacy failures.
Soto said that any third party application installed on the device that has READ_EXTERNAL_STORAGE permission can access the Outlook.com emails, attachments, and other locally cached files. Accessing the Outlook emails did not require the phone to be rooted or further permissions, just that the card itself be unencrypted. While third party applications can easily access the cards directory, an attacker could too gain access via a stolen phone. Simply use an ADB shell and navigate to the sdcard/attachments directory.
Emails inside the application are stored in the app-specific filesystem, and the “pincode” feature inside the Outlook.com application only protects the GUI, it does nothing to secure the messages within the filesystem throughout the device. The pincode feature is not activated by default on the app, but if activated the user is prompted to type a set pincode in every time they try to access, resume, or use the application in anyway. To surprise, this does not offer additional security or pin lock the directory.
If a third party wanted to access the data on the Outlook.com application, they could run a program and extract the database directly from the app. All the emails are stored in plaintext, and HTML meaning anyone could read it.
When researchers at Include Security reported the security leaks, Microsoft responded “…users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made.” Microsoft has not and will not appear to implement any form of extra security for the Outlook.com application.
It is highly recommended everyone encrypt their SD card to secure their Outlook.com data, along with other sensitive credentials stored on the SD card.