A free application for Android smartphones that gives users access to Microsoft Outlook has a significant privacy issue: researchers from Include Security have found that the on-device email storage doesn't ensure confidentiality of messages and attachments within the phone’s filing system, making content vulnerable to snoopers that have physical access to the device.
The problem, of course, is that users have an expectation of privacy, considering they are prompted to enter a PIN to "protect" the application – the presumption is that this would also protect the confidentiality of their messages. This is a big problem for consumers, but a critical one for business users who may be using their personal devices to mail back and forth about sensitive company information.
“At the very least app vendors can warn a user and suggest that they encrypt the file system as the application provides no assurance of confidentiality,” wrote Include Security’s Paolo Soto, in a blog. “Or take it to the next level and proactively check to see if file systems are encrypted.”
Instead, the messages are placed in a “world-readable” within the SD Card partition by default. This would place downloaded email attachments in a storage area accessible to any user or application that can access the SDcard – even if the phone was not rooted. An unauthorized party would simply use ADB shell or a rogue application to find the attachments and extract them.
The app was created by Seven Networks in association with Microsoft and as such, Microsoft told Soto it disagreed that the concern was a direct responsibility of its software, and that users should have no expectation that their mobile mail would be encrypted. The app developers themselves bear the responsibility, Microsoft argued, highlighting the ongoing concerns that users should have about secure mobile app development.
And to that point, after reverse-engineering a number of apps, Include Security researchers noticed a trend of messaging apps that did not take any steps to ensure confidentiality of their locally stored messages.
“We feel a key security and privacy attribute of any mobile messaging application is the ability to maintain the confidentiality of data stored on the device the app runs on,” Soto said. “If a device is stolen or compromised, a third party may try to obtain access to locally cached messages (in this case emails and attachments). We've found that many messaging applications (stored email or IM/chat apps) store their messages in a way that makes it easy for rogue apps or third parties with physical access to the mobile device to obtain access to the messages.”
To protect themselves, users can make sure that USB debugging is turned off, and that full encryption is installed on the the Android and SDcard file systems. Users could change the email attachments download directory, in settings.