MS Teams data not encrypted on Android
This morning I received yet another Teams update on my Android phone. Starting Teams after an update sometimes takes ages, as was the case today. I was presented by a loading screen with a message like "Encrypting your data" (I don't remember the exact phrasing).
Because I was annoyed by the wait, I decided to have a quick look around in the Teams data folder to verify this claim. Not before long I stumbled upon a db file databases/SkypeTeams.db and decided to have a look at it. To my surprise this isn't an SQLCipher db or anything, its a plain SQLite db containing all my (unencryped) messages (https://upload.disroot.org/r/5Uh2dP_c#d3OZUXXQQwHoIgLTD1gM6F9sVnVg8GWdZerWlfY1Xn8=).
Granted, you need root to access these files. But isn't it a bit disingenuous to display messages about encrypting data and making statements like "Teams enforces team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest." on your security compliance page (https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview).
4 comments
[ 1732 ms ] story [ 3834 ms ] threadThe loading message about encrypting your data may have been prepping it for transit, not encrypting on your device's storage.
Keep in mind that the most basic security measure on your Android device is to enable encryption for all of your storage across applications, so your data should be encrypted at rest on your end already.
OK, that analogy is getting painful, so let me rephrase it: if your Android phone encrypts the data at rest, why would Teams encrypt it again? That would be a performance penalty with no additional security.