Skype for Business mobile app security

Skype for Business Client Security

This article covers data encryption information on Skype for Business Mobile Apps.

Username/Password

App Data (Conversations, Contact List, Meetings)

Diagnostic logs

Android

Username/Password: We store credential information in Android Accounts and encrypt the credentials before saving them there. We use the “AES/CBC/PKCS5Padding” algorithm for encryption.

App Data: We store this data in an encrypted SQL database using a library called sqlcipher. We use its default algorithm of 256-bit AES in CBC mode. The data at rest is always encrypted in the database file and is only unencrypted in transit inside of the app’s volatile memory and call stacks. We also encrypt voicemail files using the same method as the user’s name and password encryption (they are not stored in the DB). Voicemails are temporarily unencrypted on disk to allow playback.

Diagnostic logs: This information is not encrypted.
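One way to check the at-rest claim for the Android app database on a file pulled from a test device, as an added example that is not Microsoft's code. It assumes SQLCipher's default layout, in which the file starts with a random salt instead of the plaintext SQLite header; the function names, the entropy threshold and all sample data are constructed for illustration.

```python
import hashlib
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for structured data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_db_file(blob: bytes, page_size: int = 4096) -> str:
    """Return 'plaintext-sqlite', 'likely-encrypted' or 'unknown' for a database file."""
    if len(blob) < 16:
        return "unknown"
    if blob.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"  # header readable, so the file is not encrypted
    first_page = blob[:page_size]
    # High entropy is consistent with encryption but does not prove it
    # (compressed data looks similar), hence "likely". Threshold is an assumption.
    if len(first_page) >= 1024 and shannon_entropy(first_page) > 7.5:
        return "likely-encrypted"
    return "unknown"

def make_samples() -> dict:
    """Constructed inputs: a real plaintext SQLite file, a random-looking page, text."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "plain.db")
        conn = sqlite3.connect(path)
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO messages (body) VALUES ('constructed sample row')")
        conn.commit()
        conn.close()
        with open(path, "rb") as fh:
            plaintext = fh.read()
    # Stand-in for ciphertext: SHA-256 counter output is statistically random.
    encrypted_like = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    return {"plaintext": plaintext, "encrypted_like": encrypted_like,
            "low_entropy": b"conversation log line\n" * 200}

if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(f"{name}: {classify_db_file(blob)}")
```

The same check applied to the diagnostic log files should report readable content, since the article states they are not encrypted.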

iOS

Username/Password: We DO NOT encrypt the username/password in the keychain. The keychain is encrypted, however, on its own.

App Data: We are already using the NSFileProtectionCompleteUntilFirstUserAuthentication data protection flag on all files in the app storage. This means that files in the app storage are encrypted until the user unlocks the device for the first time after a device reboot.

Diagnostic logs: This information is not encrypted.

Windows Phone

Username/Password: Windows Phone uses the DPAPI (Data Protection API) in Windows to secure passwords. I believe the encryption scheme used is AES. Windows doesn’t give us an option to configure the key size (or scheme), so it’s whatever DPAPI gives. It will use the device TPM to secure keys which are specific to the user and device. Note that DPAPI keys are not specific to the app.

App Data: WP App Data is protected with DPAPI, like the creds. Depending on how much detail we want, some of the index information for the App Data is protected by (non-DPAPI) AES encryption to avoid salting, so we can look up without decrypting, and that key is in turn protected with DPAPI. Cached data can be read by any process from the same phone, assuming it can reach our data folder. Windows encryption does not protect from sandbox breach, only external access attempts.

Diagnostic logs: This information is not encrypted.

Note: Please refer to this public documentation for device PIN enforcement available on each of the above mobile platforms.

 
