Researcher Calls Out Microsoft Over Outlook For iOS Security

The recently launched Microsoft Outlook for iOS can be a “security nightmare” for companies, a researcher warned on Thursday.

Outlook for iOS is based on code from Acompli, the mobile email company acquired by Microsoft two months ago. The application was announced by Microsoft on Thursday, along with the preview version of Outlook for Android and several Office apps for Android.

René Winkelmeyer, head of development at Midpoints, has analyzed the iOS email app and discovered several security issues.

The most concerning, according to the expert, is that Microsoft stores email account credentials and other data belonging to users in the cloud.

“What I saw was breathtaking. A frequent scanning from an AWS IP to my mail account. Means Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud!” Winkelmeyer wrote in a blog post. “They haven’t asked me. They just scan. So they have in theory full access to my PIM [Personal Information Management] data.”

Another issue that the researcher calls a “security nightmare” is the fact that the app shares the same ActiveSync ID across all of a user’s devices.

“That means: If a user installs the Outlook app on his iPhone and on his iPad it’s seen as one device. There’s no way to distinguish if it’s an iPad or an iPhone. Nada. Niente. Using device approval on Traveler won’t help. It connects as ‘one device’ – and you cannot control that,” Winkelmeyer said.

The expert believes file sharing features could also prove problematic for an organization whose employees are using the app. Outlook for iOS allows users to utilize services such as OneDrive and Dropbox to share email attachments. Files stored in OneDrive and Dropbox accounts can also be attached to emails.

“It doesn’t matter if you’re using a containerized solution like the Apple built-in separation of managed and unmanaged apps. The same applies to every other container. The communication is app-internal and you cannot control that,” the researcher noted.

Acompli’s privacy policy, updated just one day before Microsoft announced Outlook for iOS, shows that the service is designed to retrieve and temporarily store email messages, calendar data, contacts and attachments on the company’s servers before securely delivering them to the user’s device.

“Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password,” the privacy policy reads.

Winkelmeyer believes these issues pose a serious risk, which is why he is advising administrators to block the application from accessing the company’s mail server and to advise employees not to use it.

“The privacy and security of our customers are important to us. The app’s privacy and security capabilities, along with the controls available to IT administrators, meet our established thresholds and we continuously work to ensure they meet our gold standard,” a Microsoft spokesperson told SecurityWeek. “If customers have concerns, they can follow the Controlling Device Access TechNet guidance to block the app and continue using the OWA for iPhone, iPad, and Android apps.” 
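The blocking that Winkelmeyer recommends and that Microsoft's statement points to is, on Exchange, done with ActiveSync device access rules. The following script is an added example, not code from the article, from Winkelmeyer or from Microsoft's TechNet guidance; it assumes an Exchange Management Shell session (Exchange 2013 or later cmdlet names), and the `DeviceType` and `UserAgent` strings the app reports are assumptions that should be checked against your own partnership inventory first.

```powershell
# Added example (not from the article, the researcher or Microsoft's TechNet page):
# inventory Outlook-app ActiveSync partnerships, then block the app organization-wide.
# Assumes an Exchange Management Shell session with Exchange 2013+ cmdlets.
# The QueryString values below are assumed to match the app's reported identifiers;
# confirm them from the inventory in step 1 before creating the rule.

# 1. Inventory: which mailboxes already have a partnership from the app?
#    Note that the app presents one partnership per account, so this list cannot
#    tell an iPhone from an iPad behind the same DeviceId (the issue raised above).
$outlookDevices = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq 'Outlook' }

$outlookDevices |
    Select-Object UserDisplayName, DeviceId, DeviceType, DeviceUserAgent, DeviceAccessState |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize

# 2. Block the app at the organization level. A DeviceType rule is independent of
#    client version; a UserAgent rule (commented out) is narrower and would need
#    updating whenever the app's user-agent string changes.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString 'Outlook' -AccessLevel Block
# New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString 'Outlook-iOS-Android/1.0' -AccessLevel Block

# 3. Optionally remove the existing partnerships so nothing stale remains.
#    Per-mailbox allow lists (Set-CASMailbox -ActiveSyncAllowedDeviceIDs) take
#    precedence over organization rules, so review those for the listed users too.
$removeExisting = $false   # flip to $true after reviewing the inventory from step 1
if ($removeExisting) {
    foreach ($d in $outlookDevices) {
        Remove-MobileDevice -Identity $d.Identity -Confirm:$false
    }
}

# 4. Verify: the rule exists, and no app partnership is still in an Allowed state.
Get-ActiveSyncDeviceAccessRule | Where-Object { $_.QueryString -eq 'Outlook' }
$stillAllowed = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq 'Outlook' -and $_.DeviceAccessState -eq 'Allowed' }
"Outlook-app partnerships still allowed: $(@($stillAllowed).Count)"
```

Users blocked this way receive the standard device-blocked notification on their next sync attempt, which is the point at which to direct them to the OWA apps Microsoft's statement mentions.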

*Updated with statement from Microsoft

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
