Outlook.com on Android exposes user data, researchers claim

Summary: Microsoft's app for Android users to access their free email service gives the impression that it encrypts email, but doesn't actually do it.

TOPICS: Security, Mobile OS

Security consulting firm Include Security has determined that Microsoft's Outlook.com app for Android provides weak security for user data.

Specifically, Include Security says the Outlook.com app by default writes attachments to a folder on the SD card, that is, on shared external storage, where any other app holding the READ_EXTERNAL_STORAGE permission can read them. Android 4.4 added app-private directories on the SD card, but for users of earlier Android versions these attachments are not protected from other apps on the device.

Another claim concerns the Outlook.com "pincode" feature. The app lets the user set a pincode, a short numeric password, which a user might reasonably assume encrypts the email. It does not; all it does is gate access to the app's user interface. The feature is off by default.

When the user goes into the app's Settings menu to enable the pincode, the first message they encounter, illustrated below, says that the setting will "[p]rotect this application," which is a fair representation of what it does: the pincode controls user access to the app.


If users tick the box to turn on the pincode, they are taken to a second screen, included below, which asks them to set the pincode itself. This screen says the setting will "protect your email," which it does not do beyond controlling access to the program: the mail and attachments on disk are unchanged. If USB debugging is enabled, anyone with physical access can pull the attachment folder off the SD card over the USB interface without ever seeing the pincode prompt. If the SD card is removable, it is easier still: take the card out and read it on another machine.
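As an added illustration, not Outlook.com's code and not part of Include Security's report, the class below shows the design the pincode screen implies but the app does not implement, addressing both findings above: attachments go into the app's private internal storage (the sandbox Microsoft's statement refers to) rather than the shared SD card, and each file is encrypted under a key derived from the pincode, so a copy lifted from the device is useless without it. The class name, the PBKDF2 iteration count and the on-disk layout are assumptions; it targets Android API 19 or later, where GCMParameterSpec and try-with-resources became available.

```java
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical attachment store (illustrative, not Outlook.com's code).
 * Files live in the app's private internal storage and are encrypted with
 * AES-GCM under a key derived from the user's pincode.
 * On-disk layout (assumed): salt (16) || iv (12) || ciphertext || GCM tag.
 */
public final class PinLockedAttachmentStore {
    private static final int SALT_LEN = 16;
    private static final int IV_LEN = 12;
    private static final int TAG_BITS = 128;
    private static final int PBKDF2_ITERATIONS = 100000; // assumption: tune to device speed
    private final Context context;
    private final SecureRandom rng = new SecureRandom();

    public PinLockedAttachmentStore(Context context) {
        // Weak choice, as the report describes: a folder on shared external storage, e.g.
        //   new File(Environment.getExternalStorageDirectory(), "attachments")
        // readable by any app with READ_EXTERNAL_STORAGE on pre-4.4 devices.
        // Hardened choice: openFileOutput(..., MODE_PRIVATE) writes under the app's own
        // Linux UID in internal storage, which other apps cannot read (absent root).
        this.context = context.getApplicationContext();
    }

    private static void checkName(String name) {
        // Reject path separators and dot-files so a crafted filename cannot escape the store.
        if (!name.matches("[A-Za-z0-9][A-Za-z0-9._-]*")) {
            throw new IllegalArgumentException("bad attachment name");
        }
    }

    private static SecretKey deriveKey(char[] pin, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    public void save(String name, byte[] plaintext, char[] pin) throws IOException, GeneralSecurityException {
        checkName(name);
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(salt); // fresh salt per file: same pin never yields the same key twice
        rng.nextBytes(iv);   // fresh IV per file: GCM must never reuse (key, IV)
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(name.getBytes("UTF-8")); // bind the ciphertext to its filename
        byte[] ct = c.doFinal(plaintext);
        try (FileOutputStream out = context.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(salt);
            out.write(iv);
            out.write(ct);
        }
    }

    public byte[] load(String name, char[] pin) throws IOException, GeneralSecurityException {
        checkName(name);
        File f = context.getFileStreamPath(name);
        byte[] blob = new byte[(int) f.length()];
        if (blob.length < SALT_LEN + IV_LEN + TAG_BITS / 8) throw new IOException("truncated attachment");
        try (FileInputStream in = context.openFileInput(name)) {
            int off = 0, n;
            while (off < blob.length && (n = in.read(blob, off, blob.length - off)) > 0) off += n;
        }
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + IV_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(name.getBytes("UTF-8"));
        return c.doFinal(ct); // throws AEADBadTagException on a wrong pin or a tampered file
    }
}
```

Two caveats a practitioner should keep in mind. First, a four-digit pincode has only 10,000 candidates, so if an encrypted file does leak off the SD card an attacker can try every pin offline in seconds whatever the iteration count; a pin-derived key raises the bar but is not a substitute for keeping the data out of shared storage, and a stronger design keeps the real file key in Android Keystore (hardware-backed where the device supports it) and uses the pin only to gate access. Second, to confirm where an app actually writes, list the SD card from a connected machine with `adb shell ls -l /sdcard` after saving an attachment; anything that shows up there is readable by the other apps on the device.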


Include Security notes at the top of its report that other apps have problems like this, and indeed we recently reported that the Mail app in iOS 7 does not encrypt attachments stored on the device. Apple is aware of that problem but has not announced a fix.

We asked Microsoft for a reaction to the report and a spokesperson provided this response:

"Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers' data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft's online privacy policy for more information."

Include Security offers advice to both developers and users on avoiding problems like this. Like Microsoft, it notes that Android supports full-device encryption, though that, like SD card encryption, is off by default and must be turned on by the user. The sandbox Microsoft refers to protects the app's private internal storage; it does not extend to the shared SD card where the report says attachments are written, which is precisely the complaint.

  • The danger is assumptions

    "which a user might reasonably assume encrypts the email"

    Yes, it could make you assume that it provides encryption, but does not implicitly state that it does.
    Assumptions are very dangerous in IT. Always research and find out the full facts if you are not sure.
    NEVER assume.......
    • You can't expect that of consumers

      For an IT person to make that assumption, yes, but when it says "To protect your email..." I think they make a mistake and give a false impression.
      • I agree it could be misleading

        But I also think that people should take some personal responsibility in ensuring that things are as secure as they deem fit.
        People have a tendency in today's age of wanting everything done for them. Then a lethargy sets in, and when they get stung, blame everyone else.
        • Twaddle.

          If a company can't make a secure product, and describe it accurately (and not on page 22 of a 33 page user agreement), then they shouldn't be in business.

          And that goes for them all, not just Microsoft.

          They complain about being sued - if they were sued more often, maybe they'd learn to make a decent product.
          • Sued more often

            I'm sure they all would be sued more often if class action suits weren't prohibited in their EULA. After all, most individuals cannot afford to pit themselves against the army of lawyers that spring forth from large corporations and by forcing each claimant into arbitration instead of a class action they have effectively guaranteed that they will never be held responsible for the damages their failed products have caused.
    • Assume

      Assume makes an ass out of U and me...
  • I wouldn't worry too much ...

    ... the "researchers" are the only people who use Outlook on Android.
  • Didn't even know this app existed

    Configured my Outlook.com account in the Android Mail program and I'm happy to see all my mail in one place (outlook, hotmail, gmail, etc.) and have all their calendars sync in one calendar app.
  • Nitpicking

    Only people who assume anything encryption related are researchers and propeller heads. The bulk of people who buy their PCs at Staples or Sears here in the States don't even have a clue what the benefits are of simply "locking" an application.

    Research news, for the sake of news - FUD
    Tired Tech
  • i used it

    When I was on Android I used the app but always figured attachments weren't protected - it's Android after all.

    On WinPhone now so no more worries there :)

    The article even points out though that Android does support encrypting the drive, just that it's off by default. It should be on by default so that users who, say, put a pin code on the phone and then assume the data is safe aren't also being fooled.
  • Strained Logic

    So when people attach their Android phone via USB to a PC, do they also assume "Trust" means a Diffie–Hellman key exchange?
    Tired Tech
  • Bhahaha...Android is full of security holes

    Only fools will use Google platform.
    • No. Seriously.

      Android's not my favorite platform but still, your post clearly falls into the MAJOR TROLLING category.
      Some discernment please.
      • He is a troll.

        Now, if only we could get rid of him and 5735guy...

        The forums would be a lot nicer...
    • Hint

      You obviously did not read the article.

      Here's a hint for next time: Just read the Summary and you will get some details about the article.
      This article's Summary is below.

      "Summary: Microsoft's app for Android users to access their free email service gives the impression that it encrypts email, but doesn't actually do it."
  • So Microsoft assumes Android will be secure?

    So instead of Microsoft building an app that has better security, it basically gives Android that responsibility through sandboxing the app? At least that is the way I read it. I myself don't trust apps as much as I do software. I find many apps not even being updated for a while. That's why I still access some sites through a browser rather than an app. In mobile, apps are certainly more convenient, but I am not sure how many of them focus much on security?
  • Microsoft is malware....

    Nothing new about that.
  • Microsoft has an obligation to ensure user security in its products

    To shift the blame to Android for Microsoft's failure to include security in the product it makes for use on that platform is irresponsible. Protecting user identity data is an obligation of any software manufacturer. There should be strong measures of accountability in place...though in the case of Mighty Microsoft, I doubt a fine or suit in any amount would effect change in the attitude of the corporation.