Encryption Woes with Android Email Apps

Tuesday, May 27, 2014 @ 06:05 PM gHale


Microsoft's Outlook.com app and a number of other Android email and mobile messaging apps store message content or attachments on the device's SD card (external storage), unencrypted and readable by any third-party app that holds permission to access the card's contents.

Combine that with Internet access, a permission almost every app requests and most users grant without a second thought, and a rogue app can copy confidential conversations off the device to a remote server.


“We feel a key security and privacy attribute of any mobile messaging application is the ability to maintain the confidentiality of data stored on the device the app runs on. If a device is stolen or compromised, a 3rd party may try to obtain access to locally cached messages,” researchers from New York-based consultancy Include Security wrote in a blog post.

“We’ve found that many messaging applications (stored email or IM/chat apps) store their messages in a way that makes it easy for rogue apps or 3rd parties with physical access to the mobile device to obtain access to the messages.”

While a number of apps behave this way, the researchers singled out the Outlook.com app for Android to illustrate the problem, most likely because the app has been downloaded by tens of millions of users.

For the Outlook.com app, they found that “email attachments are stored in a file system area that is accessible to any application or to third parties who have physical access to the phone”, and that “the emails themselves are stored on the app-specific filesystem, and the ‘Pincode’ feature of the Outlook.com app only protects the Graphical User Interface.” In other words, the attachments are exposed to any app with access to external storage, while the emails, although out of reach of ordinary apps, sit unencrypted in the app's private directory, where anyone with physical access and root on the device (or a forensic image of it) can read them without ever being asked for the PIN.

The researchers said they published part of their findings to raise user awareness, noting that Microsoft has repeatedly stated that “…users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made.”

Users have two mitigations available. Android's Full Disk Encryption encrypts the data partition (app data, downloaded files, and so on), but it only protects data at rest: once the device has booted and been unlocked, a rogue app reads the SD card as freely as before, and a removable SD card is not covered by it at all. Users can also change the folder into which email attachments are downloaded (Settings > General > Attachments Settings > Attachment Folder) and choose one that is not located on the SD card.

For the full technical details of the research, and for the researchers' recommendations to mobile app developers on how to fix the problem, see Include Security's blog post.
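The developer side of the fix, as an added example that is not code from the page, from Microsoft or from Include Security: the weak pattern the article describes (a plaintext attachment written to shared external storage) next to a hardened version that writes to the app-private internal directory and encrypts the file with a key derived from the user's PIN, so that the PIN protects the bytes on disk rather than only the user interface. The class name `AttachmentStore`, the `Download` folder, and the file layout are hypothetical; the code assumes Android API 19 or later (for AES-GCM) and an app that already collects a PIN from the user.

```java
import android.content.Context;
import android.os.Environment;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical attachment storage for an Android mail client (example code; API 19+ for AES-GCM). */
public final class AttachmentStore {
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, PBKDF2_ITERS = 20000;
    private static final SecureRandom RNG = new SecureRandom();

    // WEAK (the pattern the article describes): external storage is shared by every
    // app holding the external-storage permission and readable by anyone who mounts
    // the card, so the plaintext attachment is exposed to all of them.
    public static File saveAttachmentWeak(byte[] attachment, String name) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "Download");
        dir.mkdirs();
        File out = new File(dir, name); // sender-chosen name, written as-is
        try (OutputStream os = new FileOutputStream(out)) { os.write(attachment); }
        return out;
    }

    // HARDENED: app-private internal storage (readable only by this app's UID and root)
    // plus AES-GCM under a key derived from the user's PIN. File layout:
    // [16-byte salt][12-byte IV][ciphertext || 16-byte GCM tag].
    public static File saveAttachmentEncrypted(Context ctx, byte[] attachment, String name, char[] pin)
            throws IOException, GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(attachment);
        File out = new File(ctx.getFilesDir(), safeName(name) + ".enc");
        try (OutputStream os = new FileOutputStream(out)) {
            os.write(salt);
            os.write(iv);
            os.write(ct);
        }
        return out;
    }

    // A wrong PIN or a tampered file fails with javax.crypto.AEADBadTagException.
    public static byte[] readAttachmentEncrypted(Context ctx, String name, char[] pin)
            throws IOException, GeneralSecurityException {
        byte[] blob = readFully(new File(ctx.getFilesDir(), safeName(name) + ".enc"));
        if (blob.length < SALT_LEN + IV_LEN + TAG_BITS / 8) throw new IOException("truncated attachment file");
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + IV_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);
    }

    // PBKDF2 stretches the short PIN; the per-file random salt defeats precomputed tables.
    private static SecretKey deriveKey(char[] pin, byte[] salt) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        byte[] key = f.generateSecret(new PBEKeySpec(pin, salt, PBKDF2_ITERS, 256)).getEncoded();
        return new SecretKeySpec(key, "AES");
    }

    // Attachment names come from the sender: keep them from escaping the directory.
    private static String safeName(String name) {
        String s = name.replaceAll("[^A-Za-z0-9._-]", "_");
        if (s.isEmpty() || s.equals(".") || s.equals("..")) s = "attachment";
        return s;
    }

    private static byte[] readFully(File f) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        try (InputStream in = new FileInputStream(f)) {
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }
}
```

Two caveats a reviewer would raise. First, a four- to six-digit PIN gives at most a million candidates, so anyone who does obtain the file (root, a forensic image) can brute-force the PBKDF2 derivation offline; the scheme raises the bar for rogue apps and casual physical access, which is the article's threat, but a key held in a hardware-backed keystore and never exposed to the file system is the stronger design where the platform offers one. Second, the PIN must not be cached anywhere on disk, or the encryption collapses back to the "protects only the GUI" state the researchers criticised.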
