Outlook Android app's security called into question by researchers

Messages and attachments are not as well protected as Microsoft would have users believe, says Include Security

Microsoft's Outlook email application for Android smartphones and tablets contains a security flaw that could expose users' private information, security researchers have warned.

Researchers from Include Security have issued the warning after experimenting with reverse engineering mobile phone apps including Outlook.

They discovered that in many cases, data was stored in such a way that it wouldn't be difficult for someone to gain access to potentially confidential documents if the device were to fall into the wrong hands.

"In the course of our research we found that the on-device email storage doesn't really make any effort to ensure confidentiality of messages and attachments within the phone filesystem itself," read a blog post by Include Security, which pointed out that the Outlook app appears to be an outsourced project.

"This app is described as being created by Seven Networks in conjunction or in association with Microsoft."

The Outlook Android app gives the impression that it encrypts email message attachments, thus securing them from prying eyes, but the researchers claim that this isn't actually the case.

"The email attachments are stored in a file system area that is accessible to any application or to third parties who have physical access to the phone," said Paolo Soto of Include Security.

"The emails themselves are stored on the app-specific filesystem, and the 'Pincode' feature of the Outlook.com app only protects the Graphical User Interface, it does nothing to ensure the confidentiality of messages on the filesystem of the mobile device," he continued.

"We feel users should be aware of cases like this as they often expect that their phone's emails are 'protected' when using mobile messaging applications," Soto added.

Include Security recommends that Outlook Android users enable full disk encryption for both the device and the SD card filesystem to prevent third parties from gaining access to the information.
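To make the distinction concrete, here is an added Android example (not the Outlook app's code, and not from Include Security) contrasting the two storage locations the researchers describe: attachments written to shared external storage, which any app or anyone with physical access can read, versus the app-private internal directory guarded by the per-app UID sandbox. The `AttachmentStore` class and the `attachments` directory name are constructed for illustration; the Android APIs used (`Environment`, `Context.openFileOutput`, `DevicePolicyManager.getStorageEncryptionStatus`) are real platform calls. The final helper reports whether the platform's full disk encryption, the mitigation recommended above, is active, so an app could decline to cache attachments on an unencrypted device.

```java
import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/** Hypothetical helper written for this article; not the Outlook app's code. */
public final class AttachmentStore {

    private AttachmentStore() {}

    // WEAK: shared external storage (the SD card area). Files here are
    // readable by any other app holding the storage permission and by anyone
    // who mounts the card or plugs the phone into a computer. This is the
    // kind of location the researchers say attachments landed in.
    public static File saveToSharedStorage(String name, byte[] data) throws IOException {
        // "attachments" is a constructed directory name, not the app's real path.
        File dir = new File(Environment.getExternalStorageDirectory(), "attachments");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        File out = new File(dir, name);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(data);
        }
        return out;
    }

    // HARDENED: app-private internal storage. MODE_PRIVATE makes the file
    // owned by, and readable only by, this app's Linux UID, so other
    // non-root apps cannot read it. Note the limit: the bytes still sit in
    // clear text on flash, so against a physical-access attacker this only
    // helps when the device itself is encrypted (see isStorageEncrypted).
    public static File saveToPrivateStorage(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            fos.write(data);
        }
        return new File(ctx.getFilesDir(), name);
    }

    // Checks whether full disk encryption is active on the device, the
    // mitigation Include Security recommends. An app could use this to refuse
    // to write attachments to disk at all when the answer is false.
    public static boolean isStorageEncrypted(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        return dpm != null
                && dpm.getStorageEncryptionStatus() == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
    }
}
```

The point the example makes is the one Soto makes about the PIN code: a UI lock changes nothing about which UID or which physical reader can open the file, so confidentiality has to come from where the file is written and from disk-level encryption, not from the screen in front of it.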

Security expert Graham Cluley told Computing that a lack of encryption is unlikely to be restricted to Outlook for Android and that all security-conscious email users should push for developers to properly protect data.

"I suspect that many email clients (on both desktop and mobile platforms) fail to properly encrypt email attachments and messages, so I expect this isn't just a problem with the Outlook app for Android," he said.

"Clearly, if security is important to you, there needs to be more pressure put on developers to better secure information - rather than allowing arguments of ease-of-use and functionality to always win," Cluley added.

Microsoft has declined to comment on the report, but its online privacy statement insists the firm is "committed to protecting the security of your personal information".