Sunday, August 20 2017

Exchange Email Security Can Be Bypassed, Easily

For several years we as Android enthusiasts have been pushing for Android to be accepted by the enterprise community. When we get a work phone, or use our own phone for work, it would be nice to have a choice of the phone we could use. It would be nice if we could use our favourite mobile OS, Android. Finally, Android is starting to make some inroads into business, mostly with BYOD (bring your own device), with the advent of extra security not only within the Android base but also in the additions introduced by manufacturers (e.g. Samsung with Knox).

Recently I obtained an email address through an organisation I’m part of but was unable to use the email on my phone because I didn’t want the Email app to become a device administrator. Yes, I know that’s crazy of me and I should be using security on my device, but it is my choice and this way makes day-to-day use easier for me. After not using the email for a couple of months I noticed a very simple way to circumvent the security requirements of Exchange email access. It was as simple as installing an Xposed module.

The module, Exchange Bypass For Xposed, stops the AOSP Email app from becoming a device administrator on your phone/tablet. This prevents the email app “from setting up any security restrictions on your device including pin/password/remote wipe, etc.”

The module is extremely easy to use as well, making it a possible nightmare for a company’s IT administrator. I have tested it myself on a Nexus 5, a Nexus 4, a Nexus 7 and a OnePlus One, all running AOSP ROMs, and it worked on all of them. At this stage it is thought to only work on the AOSP Email app, but the developer is working on getting it working on other email apps, including Boxer. To install it, the user has to complete the following steps:

  • Remove the email account currently set up in the AOSP Email app (clearing the app’s data in device settings may be required)
  • Reboot device
  • Install Xposed framework installer
  • Install module from here or search for Exchange Security Bypass for Nexus Devices and other AOSP based ROMs
  • Enable the module in Xposed
  • Reboot device
  • Enter email account and server settings into AOSP Email app
  • Tap “OK” when the app says it needs to remotely control some security features of your Android device (it won’t actually do this though)
  • Done. Exchange email security has been bypassed
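The security-relevant point in the last step is that the server only ever sees the client’s acknowledgement of its policy; the pin, lock timeout and wipe capability are applied (or, with the module, not applied) on the device. The toy model below is an added illustration, not the module’s code and not the real Exchange ActiveSync wire format: a server hands out a policy, a client acknowledges it and receives a policy key, and later mailbox requests must carry that key. Names such as `Server`, `Device`, `POLICY` and `enforce` are constructed for this example. It shows why an administrator cannot tell, from the mail server alone, which devices actually honoured the policy.

```python
"""Toy model of an ActiveSync-style provisioning handshake (constructed example).

The server issues a policy and a key; every later request must present the key.
The server sees only the acknowledgement, so a device that applied the policy
and one that merely acknowledged it look identical from the server side.
"""
import secrets

# Constructed policy, loosely modelled on the restrictions the article lists.
POLICY = {
    "DevicePasswordEnabled": True,    # pin/password required
    "MaxInactivityTimeLock": 300,     # seconds before auto-lock
    "RemoteWipeAllowed": True,        # server may wipe the device
}


class Server:
    """Mail server side: hands out policy, issues keys, checks keys on sync."""

    def __init__(self, policy):
        self.policy = policy
        self.pending = {}   # device_id -> temporary key awaiting acknowledgement
        self.issued = {}    # device_id -> final policy key

    def provision(self, device_id):
        # Step 1: send the policy together with a temporary key.
        temp_key = secrets.token_hex(8)
        self.pending[device_id] = temp_key
        return {"Policy": dict(self.policy), "PolicyKey": temp_key}

    def acknowledge(self, device_id, temp_key, status):
        # Step 2: the client reports status 1 ("policy applied") and echoes the
        # temporary key; the server then issues the final key. Nothing here can
        # verify that the device really changed any setting.
        if self.pending.get(device_id) != temp_key or status != 1:
            return None
        final_key = secrets.token_hex(8)
        self.issued[device_id] = final_key
        del self.pending[device_id]
        return final_key

    def sync(self, device_id, policy_key):
        # Every mailbox request must carry the issued key; that is the whole
        # server-side check.
        return self.issued.get(device_id) == policy_key


class Device:
    """Client side. With enforce=True the policy is applied locally before the
    acknowledgement is sent; with enforce=False only the acknowledgement is sent."""

    def __init__(self, device_id, enforce=True):
        self.device_id = device_id
        self.enforce = enforce
        self.settings = {}   # stands in for DevicePolicyManager state
        self.key = None

    def enroll(self, server):
        step = server.provision(self.device_id)
        if self.enforce:
            self.settings.update(step["Policy"])   # real device-admin work would go here
        # Both kinds of client send exactly the same acknowledgement.
        self.key = server.acknowledge(self.device_id, step["PolicyKey"], status=1)
        return self.key


def server_can_distinguish(server, a, b):
    """True only if the server's own check gives different results for a and b."""
    return server.sync(a.device_id, a.key) != server.sync(b.device_id, b.key)


def demo():
    """Enroll one enforcing and one non-enforcing device and report what each side sees."""
    server = Server(POLICY)
    honest = Device("nexus5-honest")
    acked_only = Device("nexus5-acked-only", enforce=False)
    honest.enroll(server)
    acked_only.enroll(server)
    return {
        "server_accepts_honest": server.sync(honest.device_id, honest.key),
        "server_accepts_acked_only": server.sync(acked_only.device_id, acked_only.key),
        "honest_settings": honest.settings,
        "acked_only_settings": acked_only.settings,
        "server_can_tell_apart": server_can_distinguish(server, honest, acked_only),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The difference between the two devices exists only in `settings`, which lives on the phone; the server’s `sync` check passes for both. That is why the commenters’ employers require an MDM agent such as Airwatch or maas360 before the Exchange server will talk to a device, and why an app-level lock (Nine) is a different trade-off rather than a server-visible one.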

Whether this will have ramifications for Android adoption in the enterprise is unknown at this stage, but considering the very small percentage of Android users who obtain root access on their device, and the smaller percentage of those who actually use Xposed, I doubt it will have much impact. That said, the media and the uninformed always seem to blow issues such as these out of proportion, tarring all Android users with the same brush.

Users who decide to bypass the security requirements of their employers/email providers should be aware of any risks that may come with it, including repercussions from their employer should they ever find out. IT administrators should also be aware of this and work together with Android users to obtain an outcome that will suit both the user and the employer.

Are you likely to do this so you can use an exchange email account on your device? Do you see any problems with doing it?

Source: Shantanu Vs The World.

Scott Plowman   Associate Editor

Scott is our modding guru - he has his finger on the pulse of all things ‘moddable’, pointing us towards all the cutting edge mods and hacks that are available. When he’s not gymming it up, or scanning the heck out of Nexus devices, you'll find him on the Ausdroid Podcast.

Outside of Ausdroid, Scott's a health care professional and lecturer at a well known Victorian university.


15 Comments on "Exchange Email Security Can Be Bypassed, Easily"

Member

Android for work.

Solves everything.

Matthew Waggoner
Valued Guest

I have a Moto X developer edition. I was told that Airwatch is not compatible with Motorola devices, it only works with LG, Samsung, HTC, and iPhone. I purchased an S5, not a fan of this phone. Really miss my Moto X, I realize this may be slower, but I felt that having stock Android vs all the other fluff helped my phone operate rather well. Bottom line is there a way for me to bypass this to get back to receiving my emails without having to log in through the website? If I rooted my Moto X, is there a way… Read more »
Jeffrey Black
Valued Guest

Companies should have control over their own phones. This means a company should be able to lock down all aspects of their phone, including requiring it to have a pin, prohibiting various apps from running (they are giving you a phone to work, not to play games), locking and/or wiping the device, tracking it, prevent setting up a Google account and so on. This also protects them from employees trying to keep the phone and use it for personal reasons if they leave. If you want to do as you please with a phone, you should get your own phone.… Read more »
Member

No need for such a complicated setup – and it’s completely useless for those who don’t have root.

Install Nine – apply the security at the App level. Problem fixed.

Lurch
Valued Guest

I really need to log into Disqus more often. But Yes. I switched to Nine a while back and love it.

Derrick Amundsen
Valued Guest

THANK YOU THANK YOU THANK YOU!!! This worked WONDERFULLY.

Privateer.
Valued Guest

I don’t root my phones anyway, but if the choice is between having the Exchange account be a device administrator and not having work email on my phone, I’ll enjoy a work email free phone. My employer requires Airwatch MDM to be installed in order to add an Exchange account to the device, and I don’t particularly want to give that kind of control over/access to a device that also has personal use.

Paul Smedley
Valued Guest

Where I work, it’s a requirement to install maas360 as a device admin before the Exchange server will even talk to the device. The same requirement exists for iOS.

Senectus
Valued Guest

If you used Knox then the worst an errant admin could do is wipe the Knox session…
Knox behaves like a virtual device operating inside a sandbox on the device…

James Hector
Valued Guest

I think the tone of this article is a reason why people who manage enterprise systems are hesitant to offer BYOD. Having security on your device is as much protection for you as it is for the enterprise.

Andrew Palozzo
Valued Guest

I’ve done this since the day we migrated to Exchange. I prefer to have content on my lock screen; having a pin is just annoying for me.

There are some good alternatives for those without root though: you can download other email apps from the Play Store that only have a pin on the app and not the entire device.

Lurch
Valued Guest

From a sys-admin point of view, if there was a way of detecting that a BYOD device had something like this done to it, I’d probably disable your account in a heartbeat. You may not like the system taking some control over your device, but I doubt the sys admin would like you putting the security of the organisation at risk either.

And it’s reasons like this that more and more companies are starting to *only* allow iOS and Windows Phone.
*Shrug*

Jeffrey Black
Valued Guest

Then, from a user’s point of view, don’t try and gain access or control to property that you do not own.

Either don’t enforce the security restrictions, don’t expect me to have email on my phone or be able to check it very often, or provide me with a phone which you can keep control over.

It is companies trying to gain access or control to things they don’t own which results in workarounds like this.

Lurch
Valued Guest

I really need to log into Disqus more often. But yes, I do agree. If YOU want access to emails on YOUR phone – these are the conditions.
If *I* want/need you to have access to your email 24/7, then *I* should be supplying you with a phone that has these conditions applied.

Nick Fletcher
Valued Guest

Yeah, this article seems a bit short-sighted - no one wants to be the guy whose phone got “hacked” and private work emails or files got out because they didn’t have a PIN or encryption.

