If you have an account with Microsoft’s popular free email service Outlook.com and use the Outlook app for Android, there is bad news for you. Microsoft’s Android app for Outlook.com gives users access to their Outlook email on their Android devices, but it fails to secure or encrypt that data.
LOOPHOLES DISCOVERED
Researchers from the firm Include Security claim to have found multiple vulnerabilities in Microsoft’s Outlook app for Android that leave users’ email data exposed to hackers and to other malicious third-party apps.
- By default, email attachments are stored in easily accessible folders on the Android filesystem
- Email Database (Body, Subject) is stored locally in an unencrypted manner
- App’s ‘Pin Code’ feature doesn’t protect or encrypt email data.
EMAIL ATTACHMENTS ARE ACCESSIBLE TO ANY OTHER APPS
Researchers at Include Security found that the Outlook app for Android automatically downloads email attachments to the ‘/sdcard/attachments’ folder on the file system, which can be read by any malicious application or by anyone with physical access to the user’s device. “Phones nowadays come with preinstalled apps on them that could grab those emails,” they added.
UNENCRYPTED EMAIL DATABASE
The Outlook app maintains a local backup database of your emails on the device file system at “/data/data/com.outlook.Z7/”. On a rooted device this location can be read directly; on a non-rooted Android device, the Android Debug Bridge (adb) tool can extract it.
In this folder the app stores a database file called ‘email.db’, which keeps a backup of every one of your emails in unencrypted form; that is, once an attacker is able to grab this file, he can read all of your emails and sensitive data in plain text using the sqlite3 utility.
PINCODE CAN’T PROTECT YOU
Microsoft implemented a protection mechanism in its Outlook app that nobody else provides: the PINCODE feature (application lock), which is intended to add extra protection in case your device gets into the wrong hands.
Unfortunately, this feature also fails to protect users’ data from the two flaws listed above, because it only locks the app’s graphical user interface and does nothing to ensure the confidentiality of messages and attachments, which are stored as-is on the device’s filesystem.
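As an added example (not code from the article or from Include Security), here is a small Python audit that applies the checks described above to files pulled from an app’s storage: whether a file sits on shared external storage, whether its permission bits are world-readable, and whether a database file is plaintext SQLite rather than encrypted (a plaintext SQLite 3 file always begins with the header “SQLite format 3\0”). The sample dump, the `.enc` file and the attachment file name are constructed for the example; only the two device directories come from the article.

```python
import os
import sqlite3
import stat
import tempfile
from typing import Dict, List, Optional

SQLITE_MAGIC = b"SQLite format 3\x00"      # header every unencrypted SQLite 3 file starts with
EXTERNAL_ROOTS = ("/sdcard/", "/storage/")  # shared storage readable by other apps on the device

def classify_file(path: str, device_path: Optional[str] = None) -> List[str]:
    """Audit one file pulled from a device; `device_path` is where it lived on the phone."""
    findings = []
    if (device_path or "").startswith(EXTERNAL_ROOTS):
        findings.append("on shared external storage: readable by other apps")
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append("world-readable permission bits")
    with open(path, "rb") as fh:
        header = fh.read(len(SQLITE_MAGIC))
    if header == SQLITE_MAGIC:
        findings.append("plaintext SQLite database (no at-rest encryption)")
    return findings

def audit_dump(root: str, device_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each dumped file name (key) to its findings, given its original device path (value)."""
    return {name: classify_file(os.path.join(root, name), dev) for name, dev in device_paths.items()}

# Constructed sample dump (not data from a real device): where each file sat on the phone.
SAMPLE_DEVICE_PATHS = {
    "email.db": "/data/data/com.outlook.Z7/email.db",          # directory named in the article
    "email.db.enc": "/data/data/com.outlook.Z7/email.db.enc",  # hypothetical encrypted variant
    "report.pdf": "/sdcard/attachments/report.pdf",            # attachment folder named in the article
}

def build_sample_dump() -> str:
    """Create a temporary directory mimicking the pulled files; returns its path."""
    root = tempfile.mkdtemp()
    con = sqlite3.connect(os.path.join(root, "email.db"))
    con.execute("CREATE TABLE email (subject TEXT, body TEXT)")
    con.execute("INSERT INTO email VALUES (?, ?)", ("constructed subject", "constructed body"))
    con.commit()
    con.close()
    with open(os.path.join(root, "email.db.enc"), "wb") as fh:
        fh.write(os.urandom(4096))   # random bytes stand in for an encrypted database
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed attachment")
    os.chmod(os.path.join(root, "email.db"), 0o644)      # world-readable, as pulled from the device
    os.chmod(os.path.join(root, "email.db.enc"), 0o600)
    os.chmod(os.path.join(root, "report.pdf"), 0o600)
    return root
```

Calling `audit_dump(build_sample_dump(), SAMPLE_DEVICE_PATHS)` flags `email.db` as a world-readable plaintext database and `report.pdf` as living on shared storage, while the encrypted stand-in produces no findings.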
MICROSOFT’S RESPONSE
“Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information,” Microsoft said in a statement to The Hacker News.
Credit to ‘The Hacker News’ for this information.