Passa ai contenuti principali

Microsoft Outlook App for Android Devices Stores Emails Unencrypted on File System [ENG]




If you have an account with Microsoft's popular free email service Outlook.com, and using Outlook app for Android, then there is a bad news for you.

Microsoft's Android app for Outlook.com, provides users to access their Outlook emails on their Android devices, fails to provide security and encryption.



LOOPHOLES DISCOVERED

Researchers from 'Include Security' firm claims to have found multiple vulnerabilities in Microsoft's Outlook app for Android, that leaves users' email data vulnerable to hackers and other malicious third party apps.

By default, Email attachments are stored into easily accessible folders on the Android filesystem
Email Database (Body, Subject) is stored locally in an unencrypted manner
App's 'Pin Code' feature doesn't protect or encrypt email data.
EMAIL ATTACHMENTS ARE ACCESSIBLE TO ANY OTHER APPS

Today almost every applications available at Google Play Store generally ask for READ_EXTERNAL_STORAGE permission that allows them to read the data from device storage, even if the phone is not rooted.

"READ_EXTERNAL_STORAGE and INTERNET are some of the most common permissions granted by users to applications upon installation." Erik Cabetas, managing director of Include Security said.
Include Security firm found the Outlook app for Android downloads the email attachments automatically to '/sdcard/attachments' folder on the file system, which could be accessed by any malicious application or person with the physical access to the user's device. "Phones nowadays come with preinstalled apps on them that could grab those emails." he added.


UNENCRYPTED EMAIL DATABASE
Outlook app maintains a local backup database of your emails on the device file system at "/data/data/com.outlook.Z7/" location, which could be accessed only if the device is rooted and for non-rooted Android devices, Android Debug Bridge (adb) tool can extract it.

“We've found that many messaging applications (stored email or IM/chat apps) store their messages in a way that make it easy for rogue apps or 3rd parties with physical access to the mobile device to obtain access to the messages.” he said.
In this folder, the app stores a database file called 'email.db', which keeps a backup of your every email, but in an unencrypted form i.e. once an attacker able to grab this file, he can access all of your emails and sensitive data in plain text using sqlite3 utility.


As shown in the above image, they able to access the email.db file and connect to the unencrypted database file to read the email content and the resultant file which is shown as below:



Earlier we reported, windows malware are now capable of hacking Android devices connect to it and can extract any file from the Android file system, even if the device is non-rooted.


PINCODE CAN'T PROTECT YOU

Microsoft implemented a unique protection mechanism in its Outlook app that nobody else provides, is its PINCODE feature (application lock), which intents to add an extra protection in case your device gets in the wrong hands.


But unfortunately this feature also fails to protect users' data from the above listed two flaws, because it only locks the Graphical User Interface of the app, and does nothing to ensure the confidentiality of messages and attachments, which are themselves stored on the filesystem of the mobile device.

“If a device is stolen or compromised, a 3rd party may try to obtain access to locally cached messages (in this case emails and attachments),” said Erik Cabetas, managing director of Include Security in the blog post.
MICROSOFT REFUSES TO PATCH IT

The only place where Microsoft lacked is Encryption. Researchers contacted Microsoft's Security Response Center in December 2013 about the security weakness in the Outlook app, but Microsoft refuses to patch the vulnerabilities and their reply was, "...users should not assume data is encrypted by default in any application or operating system unless an explicit promise to that effect has been made," Microsoft said.


Erik from Include Security suggests that Outlook for Android could use SQLcipher to encrypt the SQLite database, because this would be useful for older devices that do not support full disk encryption.


SURVEILLANCE COMPATIBLE
In response to the mass surveillance conducted by the US National Security Agency (NSA) where every service is switching towards deploying encryption across the Internet, one of the Internet’s big giant, Microsoft failed.


Today we feel the need of highly secured Networks and Encrypted Devices to safeguard our privacy from Cyber Criminals and our own Government as well. So, Encryption becomes more important today than any other time in our history. Encryption of our online messages, encryption of our emails, encryption of our voice call, encryption of our every personal data and communication.


Android users are highly recommended to use full disk encryption for Android and SD card file systems, and turn off the USB debugging mode from Developer Options Settings.


Yesterday, in a separate news we reported about a critical zero-day vulnerability (CVE-2014-1770) in 'Internet Explorer 8' that Microsoft had kept hidden from all of us, since October 2013.


UPDATE

"Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information." Microsoft said in a statement to The Hacker News.


Source

Commenti

Post popolari in questo blog

8 batterie a bottone da una a 12V

Simpaticissimo e utilissimo hack. Kipkay colpisce ancora! Questa volta con le batterie a 12V!! Dimostra semplicemente che dento le batterie a 12V troviamo ben 8 batterie a bottone del tipo di quelle per orologi o piccoli strumenti elettronici! Ecco il video dimostrativo!

Snow Leopard su PC

P er cominciare Buon Natale e Felice Anno nuovo dallo staff di Hackheads! Mantenendo le premesse scritte qui e qui , proseguo nel post. Questo nuovo post lo volevo dedicare a tutti quelli che non hanno nessuna volgia di installarsi il 10.5 sul proprio pc per poi seguire gli aggiornamenti al 10.6.2 e installarselo direttamente! Come prima cosa scaricare il relativo torrent che trovate su un qualsiasi motore torrent cercando Hazard 10.6.2 ! Si tratta della nuova distro universale (sia AMD che Intel) di Hazard! Vediamo che componenti contiene già integrati nel dvd: Driver: AHCIPortInjector AppleACPIPS2Nub AppleATIATA AppleIntelGMA950 Fixed AppleIntelGMAX3100FB Fixed AppleIntelIntegratedFramebuffer Fixed AppleIntelPIIXATA AppleNForceATA ApplePS2Controller AppleVIAATA ATAPortInjector AttansicL1eEthernet Disabler EvOreboot Fakesmc Intel82566MM IOAHCIBlockStorageInjector IOATAFamily Fixed IOPCIFamily Fixed JMicronATA Fixed LegacyJMB36xSATA nForceLAN NullCPUPowerMa

Link Guide per Mediacom SMARTPAD 810C

Link Utilissimi per Mediacom SMARTPAD 810C 

Disclaimer

LE PAGINE DI QUESTO SITO NON COSTITUISCONO SERVIZIO DI CONSULENZA FINANZIARIA NÉ SOLLECITAZIONE AL PUBBLICO RISPARMIO. POICHÉ LE INDICAZIONI RIPORTATE VENGONO FORNITE COME SEMPLICI SPUNTI DI RIFLESSIONE, SI DECLINA QUALSIASI TIPO DI RESPONSABILITÀ.
Si declina qualsiasi forma di responsabilità sull’affidabilità e la precisione di pubblicità, informazioni, Prodotti e dati distribuiti, contenuti o proposti sotto forma di links offerti sul sito.
L’utilizzo dei dati e delle informazioni come supporto di scelte di operazioni di investimento è a completo rischio dell’utente.
Esiste un grado di rischio molto elevato nei prodotti finanziari citati. I risultati passati non sono indicativi di rendimenti futuri. hackheads e tutti gli individui affiliati a questo sito non si assumono alcuna responsabilità per i tuoi risultati di trading e investimento. Gli indicatori, le strategie, gli articoli e tutte le altre caratteristiche sono solo a scopo didattico e non devono essere interpretati come consigli di investimento. Le informazioni per l'osservazione delle informazioni sono ottenute da fonti ritenute affidabili, ma non ne garantiamo la completezza o l'accuratezza, né garantiamo alcun risultato dall'uso delle informazioni. Il tuo utilizzo delle informazioni è interamente a tuo rischio ed è tua esclusiva responsabilità valutare l'accuratezza, la completezza e l'utilità. È necessario valutare il rischio di qualsiasi negoziazione e prendere le proprie decisioni indipendenti in merito a qualsiasi situazione qui menzionata.