Reverse engineering apps is an interesting field of work. On one hand, it can be used by software engineers to determine how an app works so they can copy it. On the other, the method can be used by those with malicious intent to track down weaknesses that can then be exploited. But there's also a third hand. Reverse engineering can also be used to highlight security problems with a view to not only alerting those affected, but also addressing the problem.
The team found that the app -- which was produced by Seven Networks rather than Microsoft itself -- stores emails and attachments in the Android file system without encryption or security. This fact could be exploited by maliciously coded third party apps which would be able to read the unencrypted subject lines and body text of email, as well as accessing attached files. Email attachments being saved automatically to the /sdcard/attachments folder by default means that they can be accessed by anyone with physical access to the Android device, as well as any specially coded app.
Even if PIN protection is in place, a backup email database is stored in an easily accessible location in the file system, completely unencrypted. The researchers found that the PIN feature merely blocks access to the app's GUI, leaving emails and attachments just as vulnerable as ever to any slightly determined malicious user or app. It is possible for Android Debug Bridge to read the data on all devices, but the processes is even easier on those that have been rooted. Once the database file has been accessed, its contents can be very easily extracted and read.
Include Security says "We feel a key security and privacy attribute of any mobile messaging application is the ability to maintain the confidentiality of data stored on the device the app runs on". The security team recommends that Android users ensure that USB debugging feature of their device is disabled (Settings > Developer Options > USB debugging) as well as considering implementing full disk encryption. It is also recommended that user change the folder that is used to store email attachments.
It is worth noting that Include Security alerted Microsoft to the security issues back at the beginning of December. The response was that "users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made". The same statement was issued last week when the researchers contacted the company again.
How do you feel about this? Is it reasonable for a user to expect that their private data would be kept secure by default?
We have reached out to Microsoft for the company's reaction to the findings, and we'll update the post when we receive a response.