Microsoft’s Outlook.com app for smartphones running Google’s Android operating system (OS) is exposing users’ data, security firm researchers have warned.
The app stores email attachments in the file system area of Android, making them accessible to any rogue app or third party that has access to the phone, according to Include Security.
“This app is described as being created by Seven Networks in conjunction or in association with Microsoft (ie it looks as if it was outsourced),” the company said in a blog post.
Researchers at the security firm found the on-device email storage has nothing to ensure confidentiality of messages and attachments.
Because the emails themselves are stored on the app-specific file system, the PIN code feature of the Outlook.com app protects only the graphical user interface, they said.
This means the PIN code does nothing to ensure the confidentiality of messages on the file system of the mobile device.
“We feel users should be aware of cases like this as they often expect their phone’s emails are “protected” when using mobile messaging applications,” they said.
According to the security firm, Microsoft disagreed that the firm's concerns were a direct responsibility of its software.
The software company has since issued a statement saying Microsoft is committed to protecting the security of personal information.
“We use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure,” Microsoft said.
The company also noted that, for people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data.
“Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data,” Microsoft said.
But because privacy advocates had deemed similar problems with Apple’s iOS a concern, Include Security decided to publish its findings.
“We feel a key security and privacy attribute of any mobile messaging application is the ability to maintain the confidentiality of data stored on the device the app runs on,” the security firm said.
Include Security recommended turning off the USB debugging feature under developer options in the phone settings.
The firm also recommended using Full Disk Encryption for Android and SD card file systems to prevent a third party from getting access to any data in plain text.
The file system issue affects only users on versions of Android prior to version 4.4 (KitKat), as the latest version of the Google mobile OS has forced apps to have private folders on the built-in storage area of the device.
However, the security firm noted that the risk is very high for many users, as a large percentage of Android devices are still not running (or not able to run) the latest version of the Android OS.