Microsoft Outlook App for Android Devices Stores Emails Unencrypted on File System

If you have an account with Microsoft’s popular free email service Outlook.com, and using Outlook app for Android, then there is a bad news for you.

Microsoft’s Android app for Outlook.com, provides users to access their Outlook emails on their Android devices, fails to provide security and encryption.

LOOPHOLES DISCOVERED
Researchers from ‘Include Security’ firm claims to have found multiple vulnerabilities in Microsoft’s Outlook app for Android, that leaves users’ email data vulnerable to hackers and other malicious third party apps.

• By default, Email attachments are stored into easily accessible folders on the Android filesystem
• Email Database (Body, Subject) is stored locally in an unencrypted manner
• App’s ‘Pin Code’ feature doesn’t protect or encrypt email data.

EMAIL ATTACHMENTS ARE ACCESSIBLE TO ANY OTHER APPS

Today almost every applications available at Google Play Store generally ask for _READ_EXTERNAL_STORAGE _permission that allows them to read the data from device storage, even if the phone is not rooted.

> "READ_EXTERNAL_STORAGE and INTERNET are some of the most common permissions granted by users to applications upon installation." Erik Cabetas, managing director of Include Security said.

Include Security firm found the Outlook app for Android downloads the email attachments automatically to '/sdcard/attachments’ folder on the file system, which could be accessed by any malicious application or person with the physical access to the user’s device. "Phones nowadays come with preinstalled apps on them that could grab those emails." he added.

UNENCRYPTED EMAIL DATABASE

Outlook app maintains a local backup database of your emails on the device file system at “/data/data/com.outlook.Z7/” location, which could be accessed only if the device is rooted and for non-rooted Android devices, Android Debug Bridge (adb) tool can extract it.

> “We’ve found that many messaging applications (stored email or IM/chat apps) store their messages in a way that make it easy for rogue apps or 3rd parties with physical access to the mobile device to obtain access to the messages.” he said.

In this folder, the app stores a database file called ‘email.db’, which keeps a backup of your every email, but in an unencrypted form i.e. once an attacker able to grab this file, he can access all of your emails and sensitive data in plain text using sqlite3 utility.

As shown in the above image, they able to access the email.db file and connect to the unencrypted database file to read the email content and the resultant file which is shown as below:

Earlier we reported, windows malware are now capable of hacking Android devices connect to it and can extract any file from the Android file system, even if the device is non-rooted.

PINCODE CAN’T PROTECT YOU
Microsoft implemented a unique protection mechanism in its Outlook app that nobody else provides, is its PINCODE feature (application lock), which intents to add an extra protection in case your device gets in the wrong hands.

But unfortunately this feature also fails to protect users’ data from the above listed two flaws, because it only locks the Graphical User Interface of the app, and does nothing to ensure the confidentiality of messages and attachments, which are themselves stored on the filesystem of the mobile device.

> “If a device is stolen or compromised, a 3rd party may try to obtain access to locally cached messages (in this case emails and attachments),” said Erik Cabetas, managing director of Include Security in the blog post.

MICROSOFT REFUSES TO PATCH IT
The only place where Microsoft lacked is Encryption. Researchers contacted Microsoft’s Security Response Center in December 2013 about the security weakness in the Outlook app, but Microsoft refuses to patch the vulnerabilities and their reply was, “…users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made,” Microsoft said.

Erik from Include Security suggests that Outlook for Android could use SQLcipher to encrypt the SQLite database, because this would be useful for older devices that do not support full disk encryption.

SURVEILLANCE COMPATIBLE

In response to the mass surveillance conducted by the US National Security Agency (NSA) where every service is switching towards deploying encryption across the Internet, one of the Internet’s big giant, Microsoft failed.

Today we feel the need of highly secured Networks and Encrypted Devices to safeguard our privacy from Cyber Criminals and our own Government as well. So, Encryption becomes more important today than any other time in our history. Encryption of our online messages, encryption of our emails, encryption of our voice call, encryption of our every personal data and communication.

Android users are highly recommended to use full disk encryption for Android and SD card file systems, and turn off the USB debugging mode from Developer Options Settings.

Yesterday, in a separate news we reported about a critical zero-day vulnerability (CVE-2014-1770) in ‘Internet Explorer 8’ that Microsoft had kept hidden from all of us, since October 2013.

UPDATE
“Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information.” Microsoft said in a statement to The Hacker News.