UPDATED 06:10 EDT / MAY 27 2014

Outlook.com for Android leaves user data exposed

Microsoft’s Outlook.com for Android is failing to adequately protect users’ data, according to a security firm which found that the app doesn’t encrypt emails stored on the device.

The claim comes from research firm Include Security, which says that Outlook.com’s email messages are stored by default in an unencrypted folder on most Android devices’ SD cards. Effectively, this means that “anyone can grab that and walk away,” says Erik Cabetas, managing director of Include Security.

Getting more specific, Include Security says the Outlook.com app stores attachments and emails in a dedicated folder on the SD card (shared external storage) that can be read by any app holding the READ_EXTERNAL_STORAGE permission, which most apps request. Before Android 4.4 that permission was not even enforced by default, so in practice every app on the device could read the folder. Android 4.4 is said to close the gap, having added the ability to protect per-app folders on the SD card, but earlier versions of Android are not protected.

“Any app on the phone can read that information on the SD card,” writes Cabetas. “They don’t need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails.”

Include Security also makes a second claim relating to Outlook.com’s PIN code feature. The app offers the option of setting a PIN code, but Include Security says some users might assume this encrypts their emails. It does no such thing: the PIN only controls access to the app’s user interface, not the data it has written to the card, which stays in plaintext and remains readable by other apps.
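The two storage choices behind both findings, as an added illustration that is not Microsoft’s or Include Security’s code: a mail client that writes cached messages to shared external storage exposes them to every other app that can read the card, regardless of any PIN gate on its own screens, while the same write to the app’s private internal storage is protected by the Linux UID separation Android gives each app. The package name, directory, method names and the `.eml` file naming are assumptions made for the example.

```java
// Added example (not code from the Outlook.com app or from Include Security).
// Shows the weak pattern the article describes beside the app-private alternative.
// Package name, cache path and method names are hypothetical.
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public final class MessageCache {

    private MessageCache() {}

    /**
     * WEAK: writes the message to shared external storage ("the SD card").
     * Any app holding READ_EXTERNAL_STORAGE can open this file, and on Android
     * versions before 4.4 the permission was not enforced at all, so any app on
     * the device could read it. A PIN screen in front of the UI changes nothing
     * here: the bytes on the card are plaintext.
     */
    public static File storeOnExternalStorage(String messageId, String body) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(),
                "Android/data/com.example.mail/cache"); // hypothetical path
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        File out = new File(dir, safeFileName(messageId) + ".eml");
        writeBytes(out, body.getBytes("UTF-8"));
        return out;
    }

    /**
     * BETTER: writes the message to the app's private internal storage.
     * Files created via openFileOutput(..., MODE_PRIVATE) live under
     * Context.getFilesDir(), are owned by the app's own Linux UID and are not
     * readable by other non-root apps; no manifest permission held by another
     * app grants access to them.
     */
    public static File storeInInternalStorage(Context ctx, String messageId, String body)
            throws IOException {
        String name = safeFileName(messageId) + ".eml";
        FileOutputStream fos = ctx.openFileOutput(name, Context.MODE_PRIVATE);
        try {
            fos.write(body.getBytes("UTF-8"));
        } finally {
            fos.close();
        }
        return new File(ctx.getFilesDir(), name);
    }

    // Message IDs come from the server; refuse anything that could escape the
    // target directory when used as a file name.
    private static String safeFileName(String messageId) {
        if (messageId == null || messageId.isEmpty()
                || messageId.contains("/") || messageId.contains("\\")
                || messageId.equals(".") || messageId.equals("..")) {
            throw new IllegalArgumentException("unsafe message id");
        }
        return messageId;
    }

    private static void writeBytes(File out, byte[] data) throws IOException {
        FileOutputStream fos = new FileOutputStream(out);
        try {
            fos.write(data);
        } finally {
            fos.close();
        }
    }
}
```

On a device, the difference is visible from a shell: a file written by the first method sits on the shared card and is readable by any other app that can read external storage, while a file written by the second sits under the app’s own data directory, owned by the app’s UID. Where data genuinely has to live on external storage (large attachments, for instance), the practitioner’s alternative to relying on the user to encrypt the whole card is for the app to encrypt those files itself before writing them, keeping the key in internal storage or the platform keystore rather than deriving it from a short PIN.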

There is a way to protect Outlook.com’s data, but it requires users to encrypt their SD card’s file system manually, something most consumers probably don’t know how to do.

“Users need to be aware so they can encrypt the file system of the SD card. Android has native tools to do that,” Cabetas continues. “But it’s a [multi-click] setting and most don’t know how to do that.”

Include Security says it asked Microsoft about the problem, and was told the issue was with the device itself, outside the scope of Microsoft’s security model.

Since then Microsoft has put out a more general statement, which in effect admits that the app does not encrypt anyone’s email and that it’s a case of “do it yourself if you know how to”:

“Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information.”

Fair enough, but Include Security says Microsoft should make its customers aware that this is what they need to do.

“As part of the app installation, it should alert the user that ‘We store emails to your local file system. Would you like to encrypt it? Yes or no.’” writes Cabetas. “Even if a software vendor doesn’t feel directly responsible for worrying about the local file system encryption, at least it should inform the user.”

photo credit: Swamibu via photopin cc
