EU Parliament, Universities Warned Against Using Microsoft's Mobile Outlook App

The EU Parliament as well as the Delft University in Netherlands and the University of Wisconsin have been warned about security risks with the new Microsoft Outlook app for mobile by their IT departments, who have recommended that they uninstall the app and change the passwords.

Many in the EU Parliament, as well as in universities throughout the world, use Outlook, whether on the desktop or mobile. The security concerns exist only for the mobile app so far. This appears to be because it's not a Microsoft-built app; it was Accompli, which Microsoft acquired back in December. Microsoft then renamed the Acompli app to "Outlook for iOS and Android" but kept all of its functionality (including the intrusive privacy policies) intact.

Soon after Microsoft relaunched Acompli as Outlook for mobile, a developer from IBM found three major security issues with it.

The main issue is that even if a company has its own email servers, the email data first goes through Acompli's (now Microsoft's) servers, where it's copied, indexed and saved for later use. This was described as a "feature" in Acompli's privacy policy that allows email to be delivered slightly faster the next time it is accessed. Microsoft currently doesn't have such a service for its desktop Outlook, so this only happens when the mobile app is used.

Another security issue is that both the username and password would also be saved and accessed by Acompli, which is why the IT departments of the EU Parliament asked for a password change. Acompli and Microsoft now know the login credentials of the people who have been using the mobile Outlook app. The app also collects other sensitive information, such as contacts and calendar data.

The third security issue is that the Oulook app also allows users to bypass a company's or organization's default security policies, which include limiting access to certain types of files or prohibiting employees from sharing confidential data with others outside of the organization. Employees can bypass the default restrictions by using the mobile Outlook's built-in connectors to OneDrive, Dropbox, Google drive and other cloud services.

Microsoft hasn't reacted so far to the uncovering of these security issues, but now that the European Union Parliament can't safely use its Outlook app, and more universities are starting to block it as well, the company is likely to respond soon.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • damianrobertjones
    WHICH damn platform is this for?

    I stopped reading after the first few paragraphs due to that VITAL info
  • therealduckofdeath
    WHICH damn platform is this for?

    I stopped reading after the first few paragraphs due to that VITAL info
    I think it's the same issue on all mobile platforms where you install it as an app.
  • falchard
    Probably not Windows Phone since Microsoft has it built in.
  • jharvison81
    " Microsoft then renamed the Acompli app to "Outlook for iOS and Android""

    End of second paragraph.