Microsoft's Outlook.com application for Android devices is not providing adequate security for user data, according to a research firm that found that, despite appearances, emails stored in the app are not encrypted.
Research firm Include Security found the on-device email storage does not properly ensure confidentiality of messages and attachments within the phone file system.
The researchers said the email attachments were stored in an area that was accessible to any application or third party with physical access to the phone.
Additionally, while the emails themselves were stored on the app-specific file system, the "pincode" feature of the app protects only the graphical user interface, and not the confidentiality of messages on the file system of the mobile device.
"We feel users should be aware of cases like this as they often expect that their phone's emails are 'protected' when using mobile messaging applications," the researchers said.
Include Security notified Microsoft of the issue, but the software giant 'disagreed' that the concerns were the responsibility of its software, the researchers said.
"The key message in the response received that same day was '...users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made'," the researchers said.
The firm recommended users disable USB debugging in the developer options within the settings menu, and also use full disk encryption for Android and SD card file systems to prevent a third party from getting access to any data in plaintext.
It also recommended users change the settings of the email attachments download directory to ensure attachments are not placed on the removable SD card, if one is in use.