viaForensics, which runs the appWatchdog web page, checked whether an app encrypted passwords, user names, or actual email content before storing it on the phone. A full pass meant that all three were stored in encrypted form. An app received a warning if the user name was left in plain text but password and content were encrypted. If either the password or content was stored in plain text, the app failed.
App perp walk
Only one app -- ironically, the iPhone version of Google's Gmail app -- passed. Microsoft's (MSFT) Windows Live Messenger on the iPhone got a warning. Everything else failed. Android Mail was at the bottom of the list, as it stored everything in plain text. Here's the list of all the tested apps:
- Hushmail on Android and iPad
- Google Gmail on Android and iPhone
- Android Mail for Hotmail and Mirosoft (MSFT) Exchange
- Yahoo Mail on Android and iPhone
- iPhone Mail for Gmail and Microsoft Exchange
- Windows Live Messenter on iPhone for Hotmail
- HTC Mail on Android for Microsoft Exchange
Weaknesses in email apps for Exchange, a widely used email system in corporations, are a particular problem. As Hoog told me:
We contacted the number 2 security guy at a Fortune 500 and got his take on it. He said it was absolutely nuts. If an internal guy did this, they'd fire him immediatelyGiven how many people use the same user name and password for multiple systems, such information can represent a far broader security problem than just email access.
So far, I have received responses from Google and Hush Communications (Hushmail vendor). Here is Google's comment:
We dispute the claim that this data is insecurely stored on Android devices. The data is not accessible by default unless the phone has been rooted to gain full privileges, which Android actively protects against and would result in similar exposure for any platform.And here is the one from Hush:
Hushmail Mobile is a simple browser-based application that runs within the browser on any mobile device that can display basic HTML. As a result, it is subject to the security issues of the browser in which it runs; particularly that information displayed in the browser may remain in the phone's flash memory for an indeterminate period of time. Thus, it is important for our customers to recognize that if someone else gets access to their phone, it may be possible for them to recover information from private emails that they have viewed on the phone. In the future, we hope to provide device-specific applications that will not rely directly on the browser, and thus avoid retaining sensitive information in phone memory.Neither answer is particularly satisfactory, given how easy it can be to lose a phone. Google's answer in particular is disingenuous. Android's protection against root privileges refers to running apps in sandboxes; iOS does the same. But someone with physical possession of the phone can easily find the instructions and software necessary to jailbreak the device. For example, here's a video of how to jailbreak the Droid 2 running Android 2.2:
And here's a video of how to jailbreak iOS 4.2.1:
It is also conceivable that malware or Web exploits could jailbreak a phone and allow remote access to email data.
All this raises the question of whether smartphone and tablet email systems are generally secure enough to satisfy corporate needs. This is one area in which RIM's (RIMM) BlackBerry has excelled. However, consumers have become the new gatekeepers and increasingly choose the hardware, so the issue doesn't generally appear until it's too late. What large companies need are new versions of the apps that take the necessary fundamental precautions.
- Google, in Regulatory Crosshairs, Tells Enforcers to Talk to the Hand
- Apple's Winning Tablet Insight: Consumers Are Corporate Gatekeepers
- Gawker Hacking Stirs Password Panic at LinkedIn, Yahoo and Others
- What Business Needs to Learn From the Gawker and WikiLeak Attacks
- Apple and Google Mobile Security Pits Get Deeper
- FTC Teaches Twitter that Regulators Have Sharp Teeth