
Researcher Calls Out Microsoft Over Outlook For iOS Security

The recently launched Microsoft Outlook for iOS can be a “security nightmare” for companies, a researcher warned on Thursday.

Outlook for iOS is based on code from Acompli, the mobile email company acquired by Microsoft two months ago. The application was announced by Microsoft on Thursday, along with the preview version of Outlook for Android and several Office apps for Android.

René Winkelmeyer, head of development at Midpoints, has analyzed the iOS email app and discovered several security issues.

The most concerning, according to the expert, is that the app hands users' email account credentials and mailbox data to Microsoft's cloud service, which stores them and connects to the mail server on the user's behalf.

“What I saw was breathtaking. A frequent scanning from an AWS IP to my mail account. Means Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud!” Winkelmeyer wrote in a blog post. “They haven’t asked me. They just scan. So they have in theory full access to my PIM [Personal Information Management] data.”

Another issue that the researcher calls a “security nightmare” is that the app presents the same Exchange ActiveSync device ID for all of a user’s devices, so the mail server cannot tell them apart.

“That means: If a user installs the Outlook app on his iPhone and on his iPad it’s seen as one device. There’s no way to distinguish if it’s an iPad or an iPhone. Nada. Niente. Using device approval on Traveler won’t help. It connects as ‘one device’ – and you cannot control that,” Winkelmeyer said.
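What the researcher describes is also visible from the mail server's side. The following PowerShell is an added example, not code from the article, from Winkelmeyer or from Microsoft: it parses a few constructed Exchange IIS log lines (default W3C field order; the users, DeviceIds, addresses and user agent strings are invented for the illustration) and lists ActiveSync partnerships whose single DeviceId syncs from more than one client address, which is how a phone and a tablet relayed through one cloud service would appear to the server.

```powershell
# Added example, not from the article: find ActiveSync DeviceIds that sync from
# several client addresses in Exchange IIS (W3C) logs. One DeviceId hitting the
# server from many addresses is the server-side view of "one device" that is
# really a cloud relay in front of several phones and tablets.

# Default IIS W3C field order for the Exchange front end.
$Fields = 'date','time','s-ip','cs-method','cs-uri-stem','cs-uri-query','s-port',
          'cs-username','c-ip','cs(User-Agent)','cs(Referer)','sc-status',
          'sc-substatus','sc-win32-status','time-taken'

# Constructed sample lines (users, DeviceIds, addresses and user agents are invented).
# In production read the real file instead, e.g.
#   Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex150130.log' | Where-Object { $_ -notmatch '^#' }
$LogLines = @'
2015-01-30 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ABCDEF0123456789&DeviceType=Outlook 443 contoso\alice 54.10.20.30 Outlook-iOS-Android/1.0 - 200 0 0 120
2015-01-30 08:00:31 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=alice&DeviceId=ABCDEF0123456789&DeviceType=Outlook 443 contoso\alice 54.10.20.31 Outlook-iOS-Android/1.0 - 200 0 0 118
2015-01-30 08:01:02 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ABCDEF0123456789&DeviceType=Outlook 443 contoso\alice 54.10.20.32 Outlook-iOS-Android/1.0 - 200 0 0 131
2015-01-30 08:02:15 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=bob&DeviceId=1A2B3C4D5E6F7A8B&DeviceType=iPhone 443 contoso\bob 198.51.100.7 Apple-iPhone6C2/1202.466 - 200 0 0 95
2015-01-30 08:04:15 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=bob&DeviceId=1A2B3C4D5E6F7A8B&DeviceType=iPhone 443 contoso\bob 198.51.100.7 Apple-iPhone6C2/1202.466 - 200 0 0 97
2015-01-30 08:05:00 10.0.0.5 GET /owa/ - 443 contoso\bob 198.51.100.7 Mozilla/5.0 - 200 0 0 40
'@ -split "`r?`n" | Where-Object { $_ -and $_ -notmatch '^#' }

# Pull one parameter out of a plain ActiveSync query string. Clients that send
# the base64-encoded query form (EAS 14.1) will not match and are skipped here.
function Get-QueryValue {
    param([string]$Query, [string]$Name)
    foreach ($pair in ($Query -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2 -and $kv[0] -eq $Name) { return $kv[1] }
    }
    return $null
}

$Records = $LogLines | ConvertFrom-Csv -Delimiter ' ' -Header $Fields

$Partnerships = $Records |
    Where-Object { $_.'cs-uri-stem' -eq '/Microsoft-Server-ActiveSync' } |
    ForEach-Object {
        [pscustomobject]@{
            User       = Get-QueryValue -Query $_.'cs-uri-query' -Name 'User'
            DeviceId   = Get-QueryValue -Query $_.'cs-uri-query' -Name 'DeviceId'
            DeviceType = Get-QueryValue -Query $_.'cs-uri-query' -Name 'DeviceType'
            ClientIp   = $_.'c-ip'
            UserAgent  = $_.'cs(User-Agent)'
        }
    } |
    Where-Object { $_.DeviceId } |
    Group-Object User, DeviceId |
    ForEach-Object {
        $ips = $_.Group | Select-Object -ExpandProperty ClientIp | Sort-Object -Unique
        [pscustomobject]@{
            User        = $_.Group[0].User
            DeviceId    = $_.Group[0].DeviceId
            DeviceType  = $_.Group[0].DeviceType
            UserAgent   = $_.Group[0].UserAgent
            Requests    = $_.Count
            DistinctIPs = @($ips).Count
            IPs         = $ips -join ', '
        }
    }

# A single DeviceId arriving from several addresses deserves a look. On the
# sample data only alice's partnership (three addresses) is flagged; bob's
# iPhone, syncing from one address, is not.
$Partnerships | Where-Object { $_.DistinctIPs -gt 1 } | Format-Table -AutoSize
```

The output tells an administrator which mailbox and which partnership to look at, but not what the relay is doing with the data; that is the part the researcher's concern rests on and cannot be read from the server log.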

The expert believes the file sharing features could also prove problematic for an organization whose employees use the app. Outlook for iOS lets users share email attachments through services such as OneDrive and Dropbox, and files stored in OneDrive and Dropbox accounts can in turn be attached to emails.

“It doesn’t matter if you’re using a containerized solution like the Apple built-in separation of managed and unmanaged apps. The same applies to every other container. The communication is app-internal and you cannot control that,” the researcher noted.

Acompli’s privacy policy, updated just one day before Microsoft announced Outlook for iOS, shows that the service is designed to retrieve and temporarily store email messages, calendar data, contacts and attachments on the company’s servers before securely delivering them to the user’s device.

“Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password,” the privacy policy reads.

Winkelmeyer believes these issues pose a serious risk, which is why he advises administrators to block the application at the company’s mail server and to tell employees not to use it.

“The privacy and security of our customers are important to us. The app’s privacy and security capabilities, along with the controls available to IT administrators, meet our established thresholds and we continuously work to ensure they meet our gold standard,” a Microsoft spokesperson told SecurityWeek. “If customers have concerns, they can follow the Controlling Device Access TechNet guidance to block the app and continue using the OWA for iPhone, iPad, and Android apps.” 
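Both the researcher's advice and Microsoft's statement come down to the same control: an Exchange ActiveSync device access rule. The following PowerShell is an added example, not the TechNet guidance itself and not the researcher's or Microsoft's code. It runs in the Exchange Management Shell (Exchange 2013 cmdlet names; Exchange 2010 uses Get-ActiveSyncDevice in place of Get-MobileDevice), and the DeviceType string 'Outlook' it blocks on is an assumption about what the app reports, to be confirmed against your own device records in the first step.

```powershell
# Added example, not from the article, Microsoft's TechNet page or the researcher:
# block the app with an Exchange ActiveSync device access rule. Exchange 2013+
# cmdlet names; on Exchange 2010 use Get-ActiveSyncDevice instead of Get-MobileDevice.

# Assumed DeviceType reported by the app. Verify it in step 1 and adjust before
# creating the rule; a wrong string blocks nothing or blocks the wrong clients.
$QueryString = 'Outlook'

# 1. Inventory: which partnerships look like the Outlook app, and what do they report?
$Suspects = Get-MobileDevice -ResultSize Unlimited |
    Where-Object {
        $_.DeviceType -eq $QueryString -or
        $_.DeviceModel -like 'Outlook*' -or
        $_.DeviceUserAgent -like 'Outlook*'
    }

$Suspects |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceUserAgent, DeviceId, FirstSyncTime, DeviceAccessState |
    Format-Table -AutoSize

# 2. Block on the characteristic the devices actually report. -Characteristic
#    accepts DeviceType, DeviceModel, DeviceOS, UserAgent or XMSWLHeader, and
#    Exchange re-evaluates existing partnerships against the new rule.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString $QueryString -AccessLevel Block

# 3. Verify the rule and the resulting access state of the affected partnerships.
Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.AccessLevel -eq 'Block' } |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq $QueryString } |
    Select-Object UserDisplayName, DeviceId, DeviceAccessState, DeviceAccessStateReason |
    Format-Table -AutoSize
```

Two caveats a practitioner would want. Per-device approval does not help here for the reason the researcher gives: the server only ever sees one device, so the rule has to match the app, not an individual phone or tablet. And the block stops further syncing but does not recall anything; the credentials and mail the app already sent to the service are outside the administrator's control, so resetting the passwords of accounts that appeared in step 1 is the obvious follow-up.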

*Updated with statement from Microsoft
