MS Teams data not encrypted on Android

6 points by XiS ↗ HN
Am I missing something, or is MS Teams data NOT encrypted at rest on Android?

This morning I received yet another Teams update on my Android phone. Starting Teams after an update sometimes takes ages, as was the case today. I was presented by a loading screen with a message like "Encrypting your data" (I don't remember the exact phrasing).

Because I was annoyed by the wait, I decided to have a quick look around in the Teams data folder to verify this claim. Not before long I stumbled upon a db file databases/SkypeTeams.db and decided to have a look at it. To my surprise this isn't an SQLCipher db or anything, its a plain SQLite db containing all my (unencryped) messages (https://upload.disroot.org/r/5Uh2dP_c#d3OZUXXQQwHoIgLTD1gM6F9sVnVg8GWdZerWlfY1Xn8=).

Granted, you need root to access these files. But isn't it a bit disingenuous to display messages about encrypting data and making statements like "Teams enforces team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest." on your security compliance page (https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview).

4 comments

[ 1732 ms ] story [ 3834 ms ] thread
It's possible all of those promises are about encrypting data at rest on their servers, not on your client device.

The loading message about encrypting your data may have been prepping it for transit, not encrypting on your device's storage.

Keep in mind that the most basic security measure on your Android device is to enable encryption for all of your storage across applications, so your data should be encrypted at rest on your end already.

Yes, maybe you're right and I might be expecting too much from these statements made about encrypted data. But for some reason it feels like selling a home safe with no locks saying it's secure because your front door has a lock.
It's more like telling you that your safe does not need another safe on it when they pack it into their armored truck.

OK, that analogy is getting painful, so let me rephrase it: if your Android phone encrypts the data at rest, why would Teams encrypt it again? That would be a performance penalty with no additional security.

Most people who use Teams on their phones, are doing it as part of their jobs, and the teams client and instance is provided by their employer - as such the phone typically has to align to a certain set of security requirements, including storage encryption and PIN/password locks.