New Microsoft mobile apps might be a security disaster

Last week, Microsoft released Outlook for iOS and offered a preview version of Outlook for Android. While this was generally heralded as a significant productivity win, it seems that there might be some security problems.

Like many, we were very interested in Microsoft's announcement last week that Outlook for iOS had been released and that a preview of Outlook for Android was also available. So interested that we downloaded the iPad version almost instantly to play with it.

While the user interface and integration with various cloud storage services were significant steps forward on Apple's own Calendar and Mail apps, there were a few hassles, such as around viewing subscribed calendars. So we stopped using the application.

It now seems that some significant security issues have been identified by developer and IBM Champion René Winkelmeyer. He says "Microsoft's Outlook app for iOS breaks your company security".

In his view, Outlook for iOS' ability to connect to file-sharing services such as Dropbox, Google Drive and OneDrive is a significant security issue.

Many mobile security and MDM solutions approach security by containerising applications. In other words, corporate applications run in a secure, sandboxed environment on the mobile device. However, the way Microsoft has linked Outlook for iOS to those cloud storage services circumvents those isolation methods.

He also points out that ActiveSync clients normally present a unique device ID for data synchronization, so administrators can distinguish between a user's devices. Outlook for iOS doesn't work that way. If a user installs it on both their iPad and iPhone, the same ID is shared across all devices used by that individual user.

In other words, if a user has an approved corporate device with Outlook for iOS, they can install Outlook for iOS on a non-approved device and it will connect to the ActiveSync server.
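The shared-ID behaviour described above is something an Exchange administrator can look for in their own device-partnership data. The following Python is an added example, not code from the article or from Winkelmeyer: it runs over a constructed export of ActiveSync partnership records (the field names are assumptions modelled on the DeviceId, DeviceType, DeviceModel and user-agent values Exchange reports for each partnership) and flags any DeviceId that a single user is syncing from more than one hardware model, plus any record whose DeviceId matches an approved MDM inventory entry but whose hardware model does not.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncRecord:
    """One ActiveSync device partnership as an administrator would export it.
    Field names are assumptions for this example, not an exact Exchange schema."""
    user: str
    device_id: str
    device_type: str
    device_model: str
    user_agent: str


# Constructed sample data for the example; not real server logs.
# alice has a classic client with distinct IDs per device, then an app that
# reuses one DeviceId from both an iPhone and an iPad.
SAMPLE_RECORDS = [
    SyncRecord("alice", "DEVID-A1", "iPhone", "iPhone6,2", "Apple-iPhone6C2/1202.466"),
    SyncRecord("alice", "DEVID-A2", "iPad", "iPad4,1", "Apple-iPad4C1/1202.466"),
    SyncRecord("alice", "DEVID-SHARED", "ExampleMailApp", "iPhone6,2", "ExampleMailApp/1.0"),
    SyncRecord("alice", "DEVID-SHARED", "ExampleMailApp", "iPad4,1", "ExampleMailApp/1.0"),
    SyncRecord("bob", "DEVID-B1", "iPhone", "iPhone7,2", "Apple-iPhone7C2/1202.466"),
]

# Constructed MDM approval inventory: (user, device_id) -> hardware model approved.
APPROVED_DEVICES = {
    ("alice", "DEVID-A1"): "iPhone6,2",
    ("alice", "DEVID-A2"): "iPad4,1",
    ("alice", "DEVID-SHARED"): "iPhone6,2",   # only the phone was approved
    ("bob", "DEVID-B1"): "iPhone7,2",
}


def shared_device_ids(records):
    """Return {(user, device_id): [models...]} for every DeviceId that the same
    user syncs from more than one distinct hardware model. With a per-device ID
    this should be empty; a hit means the ID no longer identifies one device."""
    models_by_key = defaultdict(set)
    for rec in records:
        models_by_key[(rec.user, rec.device_id)].add(rec.device_model)
    return {key: sorted(models) for key, models in models_by_key.items()
            if len(models) > 1}


def unapproved_hardware(records, approved):
    """Return records whose DeviceId is on the approved list but whose hardware
    model differs from the approved one. This is the case the article warns
    about: an approved ID reused from a device that was never enrolled."""
    hits = []
    for rec in records:
        approved_model = approved.get((rec.user, rec.device_id))
        if approved_model is not None and approved_model != rec.device_model:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for key, models in shared_device_ids(SAMPLE_RECORDS).items():
        print(f"shared DeviceId {key[1]} for {key[0]} across models: {models}")
    for rec in unapproved_hardware(SAMPLE_RECORDS, APPROVED_DEVICES):
        print(f"unapproved hardware {rec.device_model} using approved id {rec.device_id} ({rec.user})")
```

Because a DeviceId check alone cannot tell the two devices apart, the second function keys its comparison on the hardware model as well; in practice an administrator would feed it the real partnership export and the MDM inventory in place of the constructed lists.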

The final nail in the coffin is perhaps the most critical. When you add your user accounts to Outlook for iOS, those credentials are synchronized and stored on Microsoft's servers.

Winkelmeyer confirmed this by reviewing communication logs on the servers he uses.

It's worth noting that Microsoft didn't develop Outlook for iOS from scratch. It's actually a rebranded version of an app called Acompli, which Microsoft purchased in late 2014.

It seems that, in the zeal to release Outlook for iOS, they neglected to look at Acompli's privacy policy, which states: "We provide a service that indexes and accelerates delivery of your email to your device. That means that our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. If you decide to sign up to use the service, you will need to create an account.

That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain."

We have asked Microsoft for comment on this significant issue but they have not responded.

This article is brought to you by Enex TestLab, content directors for CSO Australia.