Apr 14, 2014 9:57:45 AM
When RMS Goes Wrong: Samsung Security Flaw

A while back, I wrote a post (Shocked by an Android) singing the praises of Samsung for supporting RMS in their native Microsoft Exchange ActiveSync email client for Android. Today, however, I'm here to report on a security flaw we've discovered in that implementation of RMS.

With RMS, as with any client-server application, you're only as secure as the weakest link in the software applications on both the client side and the server side. Microsoft provides third parties with tools to create RMS-aware client applications, but it's up to those third parties to implement RMS in a way that protects your confidential information. Here's an explanation of the flaw we've uncovered in Samsung's implementation.

1. Caroline Bingley (user A) composes an email message, applies rights-protections to it using either the built-in "Do Not Forward" option or a rights-policy template, and sends this email to Jane Bingley (user B).

SamsungRMSFlaw_1

2. Jane opens the email message on her Samsung phone or tablet using the native Samsung Exchange ActiveSync client.

SamsungRMSFlaw_2

3. Jane clicks the message date (see red arrow, above) of the email message, which automatically generates a calendar invite with the message attached.

SamsungRMSFlaw_3

4. Jane adds several participants to the calendar invite and clicks Save.

SamsungRMSFlaw_4

5. Elizabeth Darcy (user C) opens her various mailboxes (Outlook Exchange, Yahoo, Hotmail and Gmail) to find unencrypted calendar invites complete with the confidential message from Caroline's email.

SamsungRMSFlaw_Outlook

SamsungRMSFlaw_Yahoo

SamsungRMSFlaw_Hotmail

SamsungRMSFlaw_Gmail

The security breach was introduced at the point where Samsung allowed Jane to create a non-rights-protected calendar invite from the rights-protected email and included the message body in the calendar invite. What should the Samsung application do instead? In an ideal world, the behavior would be based on the rights granted in the email. If the recipient had forward rights, the recipient would be allowed to create a calendar invite, the calendar invite would retain the rights-protections and the message body would be retained. If the recipient did not have forward rights, the option to create a calendar invite from the rights-protected email would be disabled. However, we don't live in a perfect world, and since Microsoft doesn't support rights-protections on calendar invites, we can't expect Samsung to. Given that, there are two possible acceptable behaviors in this situation:

  • The option to create a calendar invite from a rights-protected email message is disabled; or
  • The user is allowed to create a calendar invite from a rights-protected email message, but the body of the email message is not included in the calendar invite.
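The two acceptable behaviors above can be modeled as a guard on the "create invite from message" action, plus a regression check a tester could run against the result. This is an added example, not Samsung's or Microsoft's code; the `Message` and `Invite` types, the policy names and the function names are all hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class InvitePolicy(Enum):
    DISABLE = "disable"      # first acceptable behavior: no invite at all
    OMIT_BODY = "omit_body"  # second acceptable behavior: invite without the body


@dataclass
class Message:               # hypothetical model of a received email
    subject: str
    body: str
    rights_protected: bool   # True for "Do Not Forward" or a rights-policy template


@dataclass
class Invite:                # hypothetical model of the generated calendar invite
    subject: str
    body: str
    attendees: list = field(default_factory=list)


class InviteNotAllowed(Exception):
    """Raised when the client must refuse to derive an invite."""


def invite_from_message(msg, attendees, policy=InvitePolicy.DISABLE):
    """Build a calendar invite from an email without copying a protected body."""
    if not msg.rights_protected:
        # Unprotected mail: carrying the body into the invite is fine.
        return Invite(msg.subject, msg.body, list(attendees))
    if policy is InvitePolicy.DISABLE:
        raise InviteNotAllowed("invite creation is disabled for rights-protected mail")
    # OMIT_BODY: the invite is not rights-protected, so the body is left out.
    return Invite(msg.subject, "", list(attendees))


def leaks_protected_body(msg, invite):
    """Regression check: True if a protected message body ended up in the invite."""
    return msg.rights_protected and bool(msg.body) and msg.body in invite.body
```

Running `leaks_protected_body` against an invite built the way step 3 describes (body copied unchanged) returns `True`, which is the condition a client test suite should fail on.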

We tested this with multiple versions of the Samsung Android implementation, including the latest version currently available to consumers, and found it to be an issue in all of them. We hope that Samsung will correct this in a future release. If we discover they have, we'll let you know.