A high-severity issue in the Android client shows how an authenticated, network-only read path can turn a collaboration app into a confidentiality risk.