Microsoft Outlook Android App – Security Blunders

The source site is a bit sketchy, but it appears to be verified. I can understand storing unencrypted data on the shared storage space for throwaway social apps, but for Outlook this is inexcusable. Microsoft’s response is to suggest people use full-device encryption (something I would also suggest, as lockscreen PINs/codes are not difficult to overcome – but it’s not without its drawbacks). Using Android’s built-in secure app storage space is also an option, but let’s not let common sense get in the way of middle-management. This is either incompetence or devious handicapping, neither of which bodes well.

“We’ve found the following two behaviors of the app:

  • The email Attachments are stored in a file system area that is accessible to any application or to 3rd parties who have physical access to the phone.
  • The emails themselves are stored on the app-specific filesystem, and the “Pincode” feature of the app only protects the Graphical User Interface, it does nothing to ensure the confidentiality of messages on the filesystem of the mobile device.

We feel users should be aware of cases like this as they often expect that their phone’s emails are “protected” when using mobile messaging applications.”
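To make the distinction the advisory draws concrete, here is an added Android example (not code from this post or from Microsoft’s app) showing the three storage choices side by side: the shared-storage behaviour described above, the app-private “secure app storage” mentioned as an alternative, and app-private storage with encryption at rest. It assumes the Jetpack Security library (androidx.security:security-crypto) is on the classpath for the encrypted variant.

```java
import android.content.Context;
import android.os.Environment;
import androidx.security.crypto.EncryptedFile;
import androidx.security.crypto.MasterKeys;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;

public final class AttachmentStore {

    // The behaviour the advisory describes: shared (external) storage is readable by
    // any app that holds the external-storage read permission and by anyone who has
    // the device in hand (e.g. by mounting it from a PC).
    public static File saveToSharedStorage(String name, byte[] bytes) throws IOException {
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS);
        File out = new File(dir, name);
        try (OutputStream os = new FileOutputStream(out)) {
            os.write(bytes);
        }
        return out;
    }

    // App-private internal storage: MODE_PRIVATE makes the file owned by the app's own
    // Linux UID, so other non-root apps cannot open it. The bytes are still plaintext on
    // disk, which is why the advisory's second point (a PIN that guards only the UI)
    // still applies to files stored this way.
    public static File saveToPrivateStorage(Context ctx, String name, byte[] bytes) throws IOException {
        try (OutputStream os = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            os.write(bytes);
        }
        return new File(ctx.getFilesDir(), name);
    }

    // App-private storage plus encryption at rest with a key kept in the Android Keystore:
    // the content stays confidential even if the filesystem itself is copied off the device.
    // Note that EncryptedFile refuses to overwrite an existing file, so callers must
    // delete or rename first.
    public static File saveEncrypted(Context ctx, String name, byte[] bytes)
            throws IOException, GeneralSecurityException {
        String keyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
        File target = new File(ctx.getFilesDir(), name);
        EncryptedFile ef = new EncryptedFile.Builder(target, ctx, keyAlias,
                EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB).build();
        try (OutputStream os = ef.openFileOutput()) {
            os.write(bytes);
        }
        return target;
    }
}
```

Full-device encryption, the mitigation Microsoft suggested, protects all three locations while the device is powered off, but only the third variant keeps attachments unreadable once the device is unlocked or the storage is shared.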

