Security consulting firm Include Security has determined that Microsoft's Outlook.com app for Android provides weak security for user data.
Specifically, Include Security says that Outlook.com defaults to placing attachments in a folder on the SD card which is readable by any other program holding the READ_EXTERNAL_STORAGE permission. Android 4.4 added the ability for apps to have private folders on the SD card, but for users of earlier Android versions, these attachments are not secure.
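To make the storage issue concrete, here is an added Android example (not Outlook.com's code, and the folder name "Outlook/Attachments" is assumed) contrasting the shared-SD-card pattern the report describes with app-internal storage, which is private to the app's own UID on every Android version:

```java
import android.content.Context;
import android.os.Build;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/** Hypothetical helper: where a mail client should not, and should, save attachments. */
public final class AttachmentStore {

    /** INSECURE: the pattern in the report. Files here are readable by any app holding
     *  READ_EXTERNAL_STORAGE, over USB if debugging is enabled, or by removing the card. */
    public static File saveToSharedSdCard(String name, byte[] data) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "Outlook/Attachments"); // assumed
        dir.mkdirs();
        File out = new File(dir, new File(name).getName()); // strip any directory part from the name
        writeAndClose(new FileOutputStream(out), data);
        return out;
    }

    /** SAFER: internal storage under /data/data/<package>/files, MODE_PRIVATE. Not on the SD card,
     *  so card removal or USB mounting does not expose it. A rooted device or a raw flash image
     *  still can; full device encryption is the control for that, as both parties note. */
    public static File saveToInternalStorage(Context ctx, String name, byte[] data) throws IOException {
        String safeName = new File(name).getName(); // attachment names come from the sender; no paths
        writeAndClose(ctx.openFileOutput(safeName, Context.MODE_PRIVATE), data);
        return new File(ctx.getFilesDir(), safeName);
    }

    /** If external storage is wanted at all, only use the app-specific external directory,
     *  which the report says exists from Android 4.4; on older releases fall back to internal. */
    public static File chooseAttachmentDir(Context ctx) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
            File ext = ctx.getExternalFilesDir(null);
            if (ext != null) return ext;
        }
        return ctx.getFilesDir();
    }

    // Explicit close instead of try-with-resources so this also runs on pre-4.4 (API < 19) devices.
    private static void writeAndClose(FileOutputStream fos, byte[] data) throws IOException {
        try {
            fos.write(data);
        } finally {
            fos.close();
        }
    }
}
```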
Another claim relates to the Outlook.com "pincode" feature. The app allows the user to set a pincode, i.e., a password, which a user might reasonably assume encrypts the email. The pincode does not do this; all it does is control access to the app. The feature is not enabled by default.
When the user goes into the app's Settings menu to enable the pincode, the first message they encounter, illustrated below, says that the setting will "[p]rotect this application," which is a fair representation of what it does: the pincode controls user access to the app.
If users click the box to turn on the pincode, they are brought to a second screen, included below, which asks them to set the pincode itself. This screen says that the setting will "protect your email," which it does not do, other than by controlling access to the program. If the phone has USB debugging enabled, then anyone could access the SD card storage through the USB interface. If the user can open the phone and remove the SD card, then it's a lot easier still.
Include Security mentions up top that there are other apps with problems like this, and indeed we recently reported on how the mail app in iOS 7 does not encrypt attachments stored on the device. Apple is aware of that problem but has not announced a fix yet.
We asked Microsoft for a reaction to the report and a spokesperson provided this response:
Include provides advice to both developers and users to avoid problems like this. Like Microsoft, they note that Android supports full device encryption.