If you have an account with Microsoft's popular free email service Outlook.com, and using Outlook app for Android, then there is a bad news for you.





Microsoft's Android app for Outlook.com, provides users to access their Outlook emails on their Android devices, fails to provide security and encryption.





LOOPHOLES DISCOVERED

Researchers from 'Include Security' firm claims to have found multiple vulnerabilities in Microsoft's Outlook app for Android, that leaves users' email data vulnerable to hackers and other malicious third party apps. Researchers from '' firm claims to have found multiple vulnerabilities in Microsoft's Outlook app for Android, that leaves users' email data vulnerable to hackers and other malicious third party apps.

By default, Email attachments are stored into easily accessible folders on the Android filesystem

Email Database ( Body, Subject ) is stored locally in an unencrypted manner

) is stored locally in an unencrypted manner App's 'Pin Code' feature doesn't protect or encrypt email data.

EMAIL ATTACHMENTS ARE ACCESSIBLE TO ANY OTHER APPS

READ_EXTERNAL_STORAGE permission that allows them to read the data from device storage, even if the phone is not rooted.

"READ_EXTERNAL_STORAGE and INTERNET are some of the most common permissions granted by users to applications upon installation." Erik Cabetas, managing director of Include Security said. Include Security firm found the Outlook app for Android downloads the email attachments automatically to '/sdcard/attachments' folder on the file system, which could be accessed by any malicious application or person with the physical access to the user's device. "Phones nowadays come with preinstalled apps on them that could grab those emails." he added.



UNENCRYPTED EMAIL DATABASE Today almost every applications available at Google Play Store generally ask forpermission that allows them to read the data from device storage, even if the phone is not rooted.firm found the Outlook app for Android downloads the email attachments automatically to 'folder on the file system, which could be accessed by any malicious application or person with the physical access to the user's device. "he added.

/data/data/com.outlook.Z7/" location, which could be accessed only if the device is rooted and for non-rooted Android devices, Android Debug Bridge (adb) tool can extract it.

"We've found that many messaging applications (stored email or IM/chat apps) store their messages in a way that make it easy for rogue apps or 3rd parties with physical access to the mobile device to obtain access to the messages." he said. In this folder, the app stores a database file called 'email.db', which keeps a backup of your every email, but in an unencrypted form i.e. once an attacker able to grab this file, he can access all of your emails and sensitive data in plain text using sqlite3 utility.









PINCODE CAN'T PROTECT YOU

Microsoft implemented a unique protection mechanism in its Outlook app that nobody else provides, is its PINCODE feature (application lock), which intents to add an extra protection in case your device gets in the wrong hands.



But unfortunately this feature also fails to protect users' data from the above listed two flaws, because it only locks the Graphical User Interface of the app, and does nothing to ensure the confidentiality of messages and attachments, which are themselves stored on the filesystem of the mobile device. Outlook app maintains a local backup database of your emails on the device file system at "" location, which could be accessed only if the device is rooted and for non-rooted Android devices, Android Debug Bridge (adb) tool can extract it.In this folder, the app stores a database file called '', which keeps a backup of your every email, but in an unencrypted form i.e. once an attacker able to grab this file, he can access all of your emails and sensitive data in plain text using sqlite3 utility.As shown in the above image, they able to access the email.db file and connect to the unencrypted database file to read the email content and the resultant file which is shown as below:Earlier we reported, windows malware are now capable of hacking Android devices connect to it and can extract any file from the Android file system, even if the device is non-rooted.Microsoft implemented a unique protection mechanism in its Outlook app that nobody else provides, is its PINCODE feature (), which intents to add an extra protection in case your device gets in the wrong hands.But unfortunately this feature also fails to protect users' data from the above listed two flaws, because it only locks the Graphical User Interface of the app, and does nothing to ensure the confidentiality of messages and attachments, which are themselves stored on the filesystem of the mobile device.

"If a device is stolen or compromised, a 3rd party may try to obtain access to locally cached messages (in this case emails and attachments)," said Erik Cabetas, managing director of Include Security in the blog post.

MICROSOFT REFUSES TO PATCH IT

The only place where Microsoft lacked is Encryption. Researchers contacted Microsoft's Security Response Center in December 2013 about the security weakness in the Outlook app, but Microsoft refuses to patch the vulnerabilities and their reply was, "...users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made," Microsoft said.



Erik from Include Security suggests that Outlook for Android could use SQLcipher to encrypt the SQLite database, because this would be useful for older devices that do not support full disk encryption.



SURVEILLANCE COMPATIBLE

In response to the mass surveillance conducted by the US National Security Agency (NSA) where every service is switching towards deploying encryption across the Internet, one of the Internet's big giant, Microsoft failed.



