You've got Mail! But someone else is reading it in Outlook for Android

Researchers have plucked privacy holes in Microsoft's Outlook Android app that expose user data when user security setting screws were not tightened. New York-based Include Security pointed out that Redmond's app, which has chalked up tens of millions of downloads, stored user data on the removable SD card that could be read …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    forgot to encrypt messages stored on Android SD cards

    Yeah, they "forgot"... a clip round the ear damages brain cells, so they say, so I guess a few backhanders from the NSA and voila... we forgot.

    1. Christian Berger

      Re: forgot to encrypt messages stored on Android SD cards

      I don't think the NSA would need such a 'feature'... considering it goes with Exchange and all.

      1. Tom 35

        Re: forgot to encrypt messages stored on Android SD cards

        Maybe not the NSA. Might be handy for cops who pull you over for looking funny.

  2. Chairo

    ...could access Outlook email attachments stored on the SD card for users who did not specifically encrypt card data or activate the private folders...

    Unencrypted data on external FAT32 formatted mass storage can be easily accessed? The shock!

    That said, the way Android partitions its internal memory into "internal" and some kind of fake "SD-card" storage is neither elegant nor helpful. It would be far better to have all internal memory "internal" and protected, and a real, physical SD card in the SD card slot, if mass storage is required.

    Yes, I know, Google's own smartphones don't come with an SD card slot and some stupid apps insist on having SD card storage. But does that mean other makers' Android phones have to be crippled as well?

    1. Dan 55

      External SD cards formatted as FAT don't have to be encrypted, nevertheless the OS can still enforce access control on the files so only the app that stored the files can read them. Symbian managed it.

      It won't help someone determined to get the files off (copy files off the card with a computer), but it will stop malware on the phone itself.

      1. Chairo

        ... enforce access control on the files so only the app that stored the files can read them.

        It's a trade-off between usability and security. Implementing access control like that means you can't easily swap data between applications. Sensitive data should IMHO be stored exclusively in the protected internal memory. Unfortunately that is often too small, due to stupid partitioning.

        But yes, there should definitely be better control over which resources are accessible on a per-app basis in Android. The Permission Manager that comes with newer Huawei phones is a step in the right direction. You can at least block basic stuff like contacts, internet access and your location from specific apps. Unfortunately blocking access to the SD card is still missing. Also CyanogenMod contains a similar feature. Let's hope smartphone makers smart up on security sooner or later.

        1. Dan 55

          Actually it was pretty much invisible - settings files, caches, data like emails, and other things which there's no real reason to share between apps stayed in their own private directory on the SD card and photos, music, and so on were readable by all apps.

  3. Bod

    <title goes here but will it be encrypted?>

    So they found many (I bet probably most) messaging/email apps had no on device / SD card encryption, but singled out Outlook, I assume because it makes good press to have a dig at Microsoft who some still see as the bad guys rather than any Android developer (those that aren't writing one of the millions of malware apps out there).

    Besides that, to be honest I've never expected my emails to be encrypted on the device, or on the SD card, unless it states it offers that facility. It never has been the case in any other email application I've used, on devices or desktop, and that's both Windows and the holy Linux where everything is super secure of course. True, there are access rights that keep your mail folder from being read by other users, but if by some chance you ran a rogue app on your account, sure it has access to your mail.

    If anything the fault here is with android by not sandboxing apps correctly (or at all) so they can't access other apps or their data. It shouldn't be up to the app developer to implement this.

    1. vahid

      Re: <title goes here but will it be encrypted?>

      New York-based Include Security pointed out that .........

      Redmond's app

      ....., which has chalked up tens of millions of downloads, stored user data on the removable SD card that could be read by other applications.

      but singled out Outlook, I assume because it makes good press to have a dig at Microsoft who some still see as the bad guys rather than any Android developer

      Read the story, Bod - it's a Redmond app developed by Microsoft -

      nothing much going on in the redmond basement today?

      1. P. Lee

        Re: <title goes here but will it be encrypted?>

        No, Outlook is singled out because the whole idea of paying for stuff is that you are paying for someone to pay attention to the tedious bits that might be overlooked in a free product.

        Also, this is a phone system well known for having less than stellar privacy and security controls, so security should be uppermost in the mind of anyone designing a system for corporate use.

        If MS had a track record to be proud of, it would look like a security gaffe, with their actual track record it looks like corporate slime. What can I say? Reputation is important.

        1. Anonymous Coward

          Re: <title goes here but will it be encrypted?>

          "No, Outlook is singled out because the whole idea of paying for stuff is that you are paying for someone to pay attention to the tedious bits that might be overlooked in a free product."

          Outlook is free.

          1. Michael Habel

            Re: <title goes here but will it be encrypted?>

            Outlook is free.

            Is it also riddled with Ads like its big PC Brother? I'm gonna go out on a limb and say yes.... The e-Mail client in CyanogenMod might have an Encryption System on it somewhere; I'd need to check. I'm sure I at least saw a setting to encrypt the whole Phablet (on CM11). The ROM I'm using also has P-Droid built in to manage what Apps are allowed to get up to.

            But, as Bod has stated a few comments ago, I doubt anyone had ever gone as far as to add civilian-grade e-Mail (on PC or Phablet) to high military-grade encryption. I can't really say that I personally had. But, then it's not as if I'm the kind of person that would reveal such personal info about myself in the confines of an open e-Mail anyhow.

            So yeah, just another Storm in a Tea Cup, methinks.... Personally, the only thing I find shocking is that MicroSoft have released something, even as trivial as Outlook, on Android at all.

        2. Anonymous Coward

          Re: <title goes here but will it be encrypted?>

          Encrypting the media card is usually a function of the OS. However, if you use Exchange ActiveSync, there is a policy to enforce media encryption. Whether the Android app will respect the enforcement is another issue. There are many ways to bypass the security with root access or 3rd party apps. This can happen if you jailbreak your iPhone too, but not as bad as Android.

          The article contains no new information, but it is a nice reminder to general Android and other users about what to expect.

    2. Anonymous Coward

      Re: <title goes here but will it be encrypted?>

      "If anything the fault here is with android by not sandboxing apps correctly (or at all) so they can't access other apps or their data. It shouldn't be up to the app developer to implement this."

      Android does - but manufacturers can disable this as it can cause issues when you have, say, two photo applications and only the one that originally wrote the file can access it.

      Therefore the apps now have to write out in a specific way to allow data to be shared or share the data via intents.

    3. RyokuMas

      Re: <title goes here but will it be encrypted?>

      "So they found many (I bet probably most) messaging/email apps had no on device / SD card encryption, but singled out Outlook, I assume because it makes good press to have a dig at Microsoft who some still see as the bad guys rather than any Android developer (those that aren't writing one of the millions of malware apps out there)."

      Yeah, I'm surprised that the normal Google shill suspects haven't jumped all over this... maybe it's because even they realise that a security issue in how an app stores emails is nowhere near as bad as deliberately scanning your personal emails.

      1. Michael Habel

        Re: <title goes here but will it be encrypted?>

        Yeah, I'm surprised that the normal Google shill suspects haven't jumped all over this... maybe it's because even they realise that a security issue in how an app stores emails is nowhere near as bad as deliberately scanning your personal emails.

        I'm no fan of MicroSoft, but even I'll have to concede OP made his point here. And this is far more troublesome than what MicroSoft were purportedly getting up to in this thread. This little revelation is actually making me think about system-wide encryption for my Phablet for the first time now. Not sure how much I could reasonably expect though. It's not as if the CyanogenMod Team didn't have anything to gain now that they've gone corporate. Though you'd hardly notice it, given the lack of official Devices running it.

        But, I have to say that Google scanning / reading my e-Mail is actually creeping me out now. Thank goodness I keep my one true e-Mail address very private, and only use Hotmail for throw-away crap sign-ups, and Google as a median Spam Daily Account. But anything with any financial repercussions gets sent through my private ISP Mail account, which is also largely spam free.

  4. Anonymous Coward

    Outlook App

    Installed it once and found no way for it to not sync my contacts with the Outlook address book. Promptly uninstalled it

  5. Anonymous Coward

    And in other news ...

    ... the world is not flat!

    Simple question: how many mail app[lication]s encrypt and protect mail and downloaded attachments by default? On any device?

    1. Anonymous Coward

      Re: And in other news ...

      I'm looking now at Thunderbird 24.5 and it looks like it doesn't encrypt mails on my system... so I guess if I have moved the mailboxes onto an external drive (and maybe using FAT), or I use a portable edition, my mails will be available to everyone able to access the disk.

      And how many mail servers encrypt mailboxes? What happens if a hard disk is changed, and is not fully wiped before being disposed of?

    2. Michael Habel

      Re: And in other news ...

      Simple question: how many mail app[lication]s encrypt and protect mail and downloaded attachments by default? On any device?

      That's probably like asking for a suite of Applications that do what GApps do on Android, but in this case for WinPho8.1, or iOS... Which is to say none....

  6. vahid

    also to point out - this is not picking on MS product

    http://stackoverflow.com/questions/10782187/how-to-encrypt-file-from-sd-card-using-aes-in-android

    If they had done it properly they could have encrypted the content on SD card - related to their local storage - but hey
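    What "encrypting the content on the SD card" looks like in practice, as an added example that is not code from the original thread, from the Stack Overflow link, or from Microsoft's app: the key lives in the app's private internal storage (the stand-in for Context.getFilesDir() on Android), only AES-GCM ciphertext is written to the shared external area, and the file name is bound into the authentication tag so an attacker who can write to the card cannot swap two encrypted attachments. It is written in Go with the standard library so it runs anywhere; the directory names, the file format (nonce || ciphertext || tag) and the sample message are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const keyFile = "attachments.key" // assumed name, lives in private storage only

// loadOrCreateKey keeps the AES-256 key in the app's private internal
// storage (internalDir stands in for Context.getFilesDir() on Android).
// Nothing on the SD card is useful without it.
func loadOrCreateKey(internalDir string) ([]byte, error) {
	path := filepath.Join(internalDir, keyFile)
	if key, err := os.ReadFile(path); err == nil && len(key) == 32 {
		return key, nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if err := os.WriteFile(path, key, 0o600); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SaveAttachment writes name to externalDir (the shared SD-card area) as
// nonce || AES-GCM(plaintext) || tag. The file name is passed as associated
// data, so renaming or swapping encrypted files is detected on load.
func SaveAttachment(key []byte, externalDir, name string, plaintext []byte) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(name))
	return os.WriteFile(filepath.Join(externalDir, name+".enc"), sealed, 0o644)
}

// LoadAttachment reverses SaveAttachment and rejects tampered or renamed files.
func LoadAttachment(key []byte, externalDir, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	data, err := os.ReadFile(filepath.Join(externalDir, name+".enc"))
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("file too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// LeaksPlaintext is what any other app holding READ_EXTERNAL_STORAGE can do:
// read the file off the card and look for the message text.
func LeaksPlaintext(externalDir, name string, needle []byte) bool {
	data, err := os.ReadFile(filepath.Join(externalDir, name))
	return err == nil && bytes.Contains(data, needle)
}

func main() {
	internal, _ := os.MkdirTemp("", "internal") // stands in for private app storage
	external, _ := os.MkdirTemp("", "sdcard")   // stands in for the shared card
	defer os.RemoveAll(internal)
	defer os.RemoveAll(external)

	key, err := loadOrCreateKey(internal)
	if err != nil {
		panic(err)
	}
	msg := []byte("Subject: Q3 numbers\r\n\r\nRevenue down 12%, do not forward.") // constructed sample
	if err := SaveAttachment(key, external, "q3.txt", msg); err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible on card:", LeaksPlaintext(external, "q3.txt.enc", []byte("Revenue")))
	back, err := LoadAttachment(key, external, "q3.txt")
	fmt.Println("decrypts with the private key:", err == nil && bytes.Equal(back, msg))
}
```

    The point Dan 55 and Bod make still stands: this protects against other apps on the phone and against someone who pulls the card, but not against an attacker who already has the app's private storage (root, or a device backup), because that is where the key is. On a real device the key would go in the Android Keystore rather than a file, which keeps the same split between "private key material" and "shared ciphertext".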

  7. Zog_but_not_the_first

    Stemming the flood

    The situation isn't helped by the fact that with every update apps seem to "require" more permissions. Snouts in the trough I suppose now that "privacy is dead".

  8. Michael Habel

    There's an Outlook client for Android?! Since when?! And to think I've been doing it wrong using the "Accounts" Setting on CyanogenMod to access my Hotmail - Spam Account. Cause sometimes I get the One interesting Newsletter from there, and all without the intrusive Ads + clipped panes on both sides to host those lame Ads... Making surfing on Hotmail more of an otherwise enjoyable experience on my Phablet than on my PC. But, then this may well be a ruse to try and get me off the PC, knowing them (i.e. MicroSoft).

  9. Alan Denman

    To have or not to have, that is the question.

    To have or to have not.

    Remember, you get the chance to have your mail with an SD slot. With non SD phones, 'pay for storage, pay for data' Cloud storage too quickly becomes the solution.

  10. Irongut

    Email is unencrypted

    Shock-a-rooney!

    The rooney is shocked.

  11. User McUser

    Not a Permission...

    Soto said any third party app with the READ_EXTERNAL_STORAGE permission

    The word "permission" implies that it can be revoked. This is not currently the case with Android apps; they have a list of installation requirements which are taken all together or not at all.

    1. Pascal Monett

      Nailed it

      All apps installed on a standard Android have all the "permissions" they can want since, if you want it, you have to accept everything. So any app at all can go read the storage area, extract any useful information and send it off to God knows who.

      There is zero actual security on Android "smartphones", and I suspect that iPhone is not much better.

      Smartphones. Riiight.
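      What "any app can go read the storage area" amounts to, as an added example that is not from the original thread or from Include Security's work on the app: a scanner that walks a card the way a third-party app holding READ_EXTERNAL_STORAGE would, flags files that start with RFC 5322 mail headers or common attachment magic bytes, and attributes each hit to the app that wrote it from the Android/data/<package>/ path. Shared media (DCIM etc.) is meant to be world-readable, so attachment-shaped files only count inside an app's own directory. The directory tree, package names and file contents are constructed for the demonstration; run it against a mounted card or a pulled card image to audit your own apps.

```go
package main

import (
	"bytes"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one file a third-party app with READ_EXTERNAL_STORAGE could read
// and that looks like cached mail data.
type Finding struct {
	Path  string // relative to the card root
	Owner string // package from Android/data/<pkg>/, or "" for shared areas
	Why   string
}

// RFC 5322 header lines: a file starting with (or containing a line starting
// with) one of these is almost certainly a message stored in clear text.
var mailHeaders = [][]byte{[]byte("From: "), []byte("Subject: "), []byte("Received: "), []byte("Message-ID: ")}

// Magic bytes for common attachment types (a small, constructed subset).
var magics = map[string][]byte{"PDF": []byte("%PDF-"), "ZIP/Office": []byte("PK\x03\x04"), "JPEG": []byte("\xff\xd8\xff")}

// ownerOf returns the package name for files under Android/data/<pkg>/.
func ownerOf(rel string) string {
	parts := strings.Split(filepath.ToSlash(rel), "/")
	if len(parts) >= 3 && parts[0] == "Android" && parts[1] == "data" {
		return parts[2]
	}
	return ""
}

// classify returns a reason string, or "" if the content looks harmless.
func classify(data []byte) string {
	for kind, m := range magics {
		if bytes.HasPrefix(data, m) {
			return "attachment (" + kind + ")"
		}
	}
	for _, h := range mailHeaders {
		if bytes.HasPrefix(data, h) || bytes.Contains(data, append([]byte("\n"), h...)) {
			return "clear-text message (" + strings.TrimSpace(string(h)) + ")"
		}
	}
	return ""
}

// ScanCard walks root exactly as any app holding READ_EXTERNAL_STORAGE could.
func ScanCard(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, rerr := os.ReadFile(p)
		if rerr != nil {
			return nil // not readable from this uid: not a finding
		}
		rel, _ := filepath.Rel(root, p)
		why, owner := classify(data), ownerOf(rel)
		if why == "" || (strings.HasPrefix(why, "attachment") && owner == "") {
			return nil // shared media is supposed to be readable; skip it
		}
		out = append(out, Finding{Path: filepath.ToSlash(rel), Owner: owner, Why: why})
		return nil
	})
	return out, err
}

// buildSampleCard lays out a constructed card: one mail app that caches a
// message and an attachment in clear text, a shared photo, and an unrelated app.
func buildSampleCard(root string) error {
	files := map[string]string{
		"Android/data/com.example.mail/files/cache/msg1.eml":        "From: cfo@example.com\r\nSubject: Q3 numbers\r\n\r\nnot for distribution",
		"Android/data/com.example.mail/files/attachments/report.pdf": "%PDF-1.4 constructed",
		"DCIM/Camera/IMG_0001.jpg":                                   "\xff\xd8\xff\xe0 constructed jpeg",
		"Android/data/com.example.notes/files/todo.txt":              "buy milk",
	}
	for rel, body := range files {
		full := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, _ := os.MkdirTemp("", "sdcard")
	defer os.RemoveAll(root)
	if err := buildSampleCard(root); err != nil {
		panic(err)
	}
	findings, _ := ScanCard(root)
	for _, f := range findings {
		fmt.Printf("%-60s owner=%-20s %s\n", f.Path, f.Owner, f.Why)
	}
}
```

      On the constructed card the two hits both belong to com.example.mail; the photo and the notes file are not reported. Point it at a real card (or a directory copied off one with a card reader, which needs no permission at all) and the Owner column tells you which app left what behind.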

  12. Tyson Key

    A tempest in a teapot

    To be honest, I don't see why this is now suddenly such a major deal, given that Symbian OS/S60-based phones used to let you save all of your messages (SMS, MMS, e-mail, etc.) on a removable memory card, as did a bunch of NEC, and Sony Ericsson feature phones - and unless (in the case of selected Symbian devices), you opted to enable block-level FS encryption, they were all stored in clear text, along with attachments, and a metadata database...

  13. sisk

    Outlook for Android??

    I'm sorry. I couldn't read the article. I tried but I just couldn't stop looking at the headline in disbelief. Why in the name of all that's holy would you want Outlook on Android? All it would do is duplicate the functionality that comes with most Android phones via Google's apps. And if it's anywhere near as resource intensive as Outlook for Windows* it'll be an absolute nightmare too.

    *Relative to the total resources of the phone, of course. Any phone app that requires a gig of RAM is going to be completely unusable. Microsoft may have some bad products, but none THAT bad...well except Vista....and ME.....and Bob...and Win8...You know what, forget I said anything.
