Specifically, Include Security says that Outlook.com defaults to placing attachments in a folder on the SD card that is readable by any other app with the READ_EXTERNAL_STORAGE permission. Android 4.4 added the ability for apps to have private folders on the SD card, but for users of earlier Android versions, these attachments are not secure.
Another claim relates to the Outlook.com "pincode" feature. The app allows the user to set a pincode, i.e., a password, which a user might reasonably assume encrypts the email. The pincode does not do this; all it does is control access to the app. The feature is not enabled by default.
When the user goes into the app's Settings menu to enable the pincode, the first message they encounter, illustrated below, says that the setting will "[p]rotect this application," which is a fair representation of what it does: the pincode controls user access to the app.
If users click the box to turn on the pincode, they are brought to a second screen, included below, which asks them to set the pincode itself. This screen says that the setting will "protect your email," which it does not do, other than by controlling access to the program. If the phone has USB debugging enabled, then anyone could access the SD card storage through the USB interface. If someone can open the phone and remove the SD card, then it's a lot easier still.
We asked Microsoft for a reaction to the report and a spokesperson provided this response: