Want to Protect Your Emails? Don't Use these 11 Android and iPhone Email Apps

Last Updated Feb 2, 2011 10:32 AM EST

Want your email to be secure? Of course. But if you lose your smartphone or tablet, you might be out of luck, if it runs Google's (GOOG) Android or Apple (AAPL) iOS operating system. Some popular apps actually store emails, user names, or even passwords in plain text. Readily available free software and instructions can give access to the person who finds, steals, or buys the phone.

viaForensics, which runs the appWatchdog web page, checked whether an app encrypted passwords, user names, or actual email content before storing it on the phone. A full pass meant that all three were stored in encrypted form. An app received a warning if the user name was left in plain text but password and content were encrypted. If either the password or content was stored in plain text, the app failed.

App perp walk
Only one app -- ironically, the iPhone version of Google's Gmail app -- passed. Microsoft's (MSFT) Windows Live Messenger on the iPhone got a warning. Everything else failed. Android Mail was at the bottom of the list, as it stored everything in plain text. Here's the list of all the tested apps:
  • Hushmail on Android and iPad
  • Google Gmail on Android and iPhone
  • Android Mail for Hotmail and Mirosoft (MSFT) Exchange
  • Yahoo Mail on Android and iPhone
  • iPhone Mail for Gmail and Microsoft Exchange
  • Windows Live Messenter on iPhone for Hotmail
  • HTC Mail on Android for Microsoft Exchange
Some of the apps stored additional data in plain text, such as sender and receiver email addresses or subjects. Hushmail's system sets up a security question and answer, but then stores both in plain text in the Android version, according to Andrew Hoog, chief investigative officer for viaForensics.

Weaknesses in email apps for Exchange, a widely used email system in corporations, are a particular problem. As Hoog told me:
We contacted the number 2 security guy at a Fortune 500 and got his take on it. He said it was absolutely nuts. If an internal guy did this, they'd fire him immediately
Given how many people use the same user name and password for multiple systems, such information can represent a far broader security problem than just email access.

Vendors respond
So far, I have received responses from Google and Hush Communications (Hushmail vendor). Here is Google's comment:
We dispute the claim that this data is insecurely stored on Android devices. The data is not accessible by default unless the phone has been rooted to gain full privileges, which Android actively protects against and would result in similar exposure for any platform.
And here is the one from Hush:
Hushmail Mobile is a simple browser-based application that runs within the browser on any mobile device that can display basic HTML. As a result, it is subject to the security issues of the browser in which it runs; particularly that information displayed in the browser may remain in the phone's flash memory for an indeterminate period of time. Thus, it is important for our customers to recognize that if someone else gets access to their phone, it may be possible for them to recover information from private emails that they have viewed on the phone. In the future, we hope to provide device-specific applications that will not rely directly on the browser, and thus avoid retaining sensitive information in phone memory.
Neither answer is particularly satisfactory, given how easy it can be to lose a phone. Google's answer in particular is disingenuous. Android's protection against root privileges refers to running apps in sandboxes; iOS does the same. But someone with physical possession of the phone can easily find the instructions and software necessary to jailbreak the device. For example, here's a video of how to jailbreak the Droid 2 running Android 2.2:


And here's a video of how to jailbreak iOS 4.2.1:


It is also conceivable that malware or Web exploits could jailbreak a phone and allow remote access to email data.

All this raises the question of whether smartphone and tablet email systems are generally secure enough to satisfy corporate needs. This is one area in which RIM's (RIMM) BlackBerry has excelled. However, consumers have become the new gatekeepers and increasingly choose the hardware, so the issue doesn't generally appear until it's too late. What large companies need are new versions of the apps that take the necessary fundamental precautions.

Related: Image: morgueFile user dharder.
  • Erik Sherman On Twitter»

    Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.

Comments

CBSN Live

pop-out
Live Video

Watch CBSN Live

Watch CBS News anytime, anywhere with the new 24/7 digital news network. Stream CBSN live or on demand for FREE on your TV, computer, tablet, or smartphone.