Researcher Calls Out Microsoft Over Outlook For iOS Security

The recently launched Microsoft Outlook for iOS can be a “security nightmare” for companies, a researcher warned on Thursday.

Outlook for iOS is based on code from Acompli, the mobile email company acquired by Microsoft two months ago. The application was announced by Microsoft on Thursday, along with the preview version of Outlook for Android and several Office apps for Android.

René Winkelmeyer, head of development at Midpoints, has analyzed the iOS email app and discovered several security issues.

The most concerning, according to the expert, is that Microsoft stores email account credentials and other data belonging to users in the cloud.

“What I saw was breathtaking. A frequent scanning from an AWS IP to my mail account. Means Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud!” Winkelmeyer wrote in a blog post. “They haven’t asked me. They just scan. So they have in theory full access to my PIM [Personal Information Management] data.”

Another issue that the researcher calls a “security nightmare” is the fact that the app shares the same ActiveSync ID across all of a user’s devices.

“That means: If a user installs the Outlook app on his iPhone and on his iPad it’s seen as one device. There’s no way to distinguish if it’s an iPad or an iPhone. Nada. Niente. Using device approval on Traveler won’t help. It connects as ‘one device’ – and you cannot control that,” Winkelmeyer said.

The expert believes file sharing features could also prove problematic for an organization whose employees are using the app. Outlook for iOS allows users to utilize services such as OneDrive and Dropbox to share email attachments. Files stored in OneDrive and Dropbox accounts can also be attached to emails.

“It doesn’t matter if you’re using a containerized solution like the Apple built-in separation of managed and unmanaged apps. The same applies to every other container. The communication is app-internal and you cannot control that,” the researcher noted.

Acompli’s privacy policy, updated just one day before Microsoft announced Outlook for iOS, shows that the service is designed to retrieve and temporarily store email messages, calendar data, contacts and attachments on the company’s servers before securely delivering them to the user’s device.

“Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password,” the privacy policy reads.

Winkelmeyer believes these issues pose a serious risk, which is why he is advising administrators to block the application from accessing the company’s mail server and to tell employees not to use it.

“The privacy and security of our customers are important to us. The app’s privacy and security capabilities, along with the controls available to IT administrators, meet our established thresholds and we continuously work to ensure they meet our gold standard,” a Microsoft spokesperson told SecurityWeek. “If customers have concerns, they can follow the Controlling Device Access TechNet guidance to block the app and continue using the OWA for iPhone, iPad, and Android apps.”

*Updated with statement from Microsoft
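To make the mitigation both Winkelmeyer and Microsoft point to concrete, the following Exchange Management Shell script is an added example; it is not code from the article, from Winkelmeyer, or from the TechNet guidance Microsoft cites. It assumes an Exchange 2013 or later (or Exchange Online) shell session with the Organization Management role, and it assumes the app reports the ActiveSync DeviceModel string "Outlook for iOS and Android" (an assumption to confirm against the audit output before the rule is created). Step 1 lists which mailboxes already have the app connected, which also makes the shared-device-ID behaviour visible: a user running the app on both an iPhone and an iPad shows up with a single DeviceId. Step 2 creates the organization-wide device access rule that blocks it, and step 3 verifies the rule.

```powershell
# Added example (not from the article, Winkelmeyer, or Microsoft's TechNet page):
# audit which mailboxes have Outlook for iOS/Android connected over Exchange
# ActiveSync, then block the app with an organization-wide device access rule.
# Assumptions: Exchange Management Shell (Exchange 2013+ / Exchange Online),
# Organization Management role, and that the app's DeviceModel is the string
# below. Verify that string in the step-1 output before creating the rule.

$AppModel = "Outlook for iOS and Android"   # assumed value; confirm in the audit

# Step 1: audit. One row per (mailbox, ActiveSync partnership). Because the app
# reuses one ActiveSync device ID across a user's devices, expect a single
# DeviceId per user even when it runs on both an iPhone and an iPad.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-MobileDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.DeviceModel -like "*Outlook*" } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      DeviceModel, DeviceId, DeviceUserAgent,
                      DeviceAccessState, LastSuccessSync
}
$report | Sort-Object Mailbox | Format-Table -AutoSize
$report | Export-Csv -Path .\outlook-ios-activesync-audit.csv -NoTypeInformation

# Step 2: mitigate. A device access rule matches the characteristic exactly
# (no wildcards), so the QueryString must be the string the app really reports.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $AppModel }
if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
                                   -QueryString $AppModel `
                                   -AccessLevel Block
}

# Step 3: verify the rule, then re-run the step-1 audit after the next sync
# cycle and confirm DeviceAccessState reads Blocked for the app's partnerships.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```

If the audit shows the app reporting a different DeviceModel, set `$AppModel` to that value; blocking by `DeviceUserAgent` with `-Characteristic UserAgent` is an equally valid alternative when the model string varies between app versions. Either way, the rule is an organization-wide control applied server-side, which is the only place it can be enforced given that, as Winkelmeyer notes, the app's in-app file sharing and cloud credential storage are not visible to device-side containers.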

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
