Security consulting firm Include Security has reported a serious flaw in Microsoft’s Outlook.com App for Android. In its latest blog post, the firm says the Outlook.com App may give potential hackers a pretty easy target because of its weak security architecture. It is apparently very easy to read the app's data from an Android smartphone’s SD card, as the App doesn’t encrypt the user data it saves there.
Include Security carried out the security analysis of Outlook.com in November of 2013, along with a whole host of other popular Apps, by reverse engineering them. During the analysis it found that Outlook.com is one of the most vulnerable Apps on Android smartphones and tablets. Include Security has listed many vulnerabilities in the Outlook.com App, chief among them the App’s storage behaviour.
The email attachments are stored in a file system area that is accessible to any application, or to 3rd parties who have physical access to the phone. This means that if you lose your smartphone or lend it to a friend or colleague, your data is as good as stolen.
Another feature of the Outlook.com App is its Pincode system. As per Outlook.com, the Pincode system is meant to give additional protection to your data. But Include Security says that the Pincode system is just hogwash, as it only protects the Graphical User Interface (GUI). This means that a pro hacker, or an engineer who knows a bit of software engineering, could easily unlock the GUI and get into the user data without the victim's knowledge.
Include Security gives the following guidelines to users to protect their data:
We recommend the setting Settings => Developer Options => USB debugging be turned OFF. We further recommend using Full Disk Encryption for Android and SDcard file systems. This would prevent a 3rd party from getting access to any data in plain-text, from a messaging app or other apps that may choose to store private data on the SDCard.
Users may change the email attachments download directory, via Settings->general->Attachments Settings->Attachment Folder. It is advised not to set the download directory for attachments to be /sdcard/external_sd, as this will place email attachments on the removable SDCard (if one is in place).
Source: Include Security Blog