Microsoft’s Outlook.com app for smartphones running Google’s Android operating system (OS) is exposing users' data, security firm researchers have warned.
The app stores email attachments in the file system area of Android, making them accessible to any rogue app or third party that has access to the phone, according to Include Security.
Researchers at the security firm found the on-device email storage has nothing to ensure confidentiality of messages and attachments.
Because the emails themselves are stored on the app-specific file system, the PIN code feature of the Outlook.com app protects only the graphical user interface, they said.
This means that the PIN code feature of the Outlook.com app does nothing to ensure the confidentiality of messages on the filesystem of the mobile device.
"We feel users should be aware of cases like this as they often expect their phone's emails are 'protected' when using mobile messaging applications," they said.
According to the security firm, Microsoft disagreed that the firm's concern was a direct responsibility of Microsoft's software.
The software company has since issued a statement saying Microsoft is committed to protecting the security of personal information.
“We use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure,” Microsoft said.
The company also noted that, for people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers' data.
“Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data,” Microsoft said.
But because privacy advocates have deemed similar problems with Apple's iOS a concern, Include Security decided to publish its findings.
“We feel a key security and privacy attribute of any mobile messaging application is the ability to maintain the confidentiality of data stored on the device the app runs on,” the security firm said.
Include Security recommended that the USB debugging feature under developer options of the phone settings should be turned off.
The firm also recommends using full disk encryption for Android and SD card file systems to prevent a third party from getting access to any data in plain text.
The filesystem issue affects only users on versions of Android prior to version 4.4 (KitKat), as the latest version of the Google mobile OS has forced apps to have private folders on the built-in storage area of the device.
However, the security firm noted that the risk is very high for many users, as a large percentage of Android devices are still not running (or not able to run) the latest version of the Android OS.