Major Security Issues Already Found In Outlook For iOS And Android

Microsoft launched the "Outlook for iOS and Android" app yesterday, which was in fact a rebranding of an existing app called Acompli that Microsoft purchased in early December 2014. However, according to IBM developer René Winkelmeyer, the app presents some major security issues for the companies that intend to use it, and access should be immediately denied to enterprise users.

By far the biggest security issue that the developer found is that Microsoft itself has access to the users' email credentials, including both the username and the password:

“What I saw was breathtaking. A frequent scanning from an AWS IP to my mail account. Means Microsoft stores my personal credentials and server data (luckily I've used my private test account and not my company account) somewhere in the cloud! They haven't asked me. They just scan. So they have in theory full access to my PIM data," said Winkelmeyer in a blog post.

Only Gmail emails, which require OAuth authorization, don't give Microsoft your credentials, according to Acompli's own current Privacy Policy. However, Exchange emails do:

"Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password."

The second major security issue concerns Microsoft's servers acting as some sort of "man-in-the-middle" servers by intercepting a company's private emails as they pass from one user to another.

“Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app."

Microsoft and Acompli promote this indexing service as making email delivery slightly faster, but that comes with a rather significant privacy and security cost for the companies utilizing Microsoft's new app. This email interception could be especially worrisome for companies that don't want their data easily shared with certain U.S. government agencies. Those agencies may not have proper jurisdiction over that data when it's held by Microsoft's enterprise customers in other countries. However, they could get access more easily to Microsoft's copies of the data. The Outlook for iOS and Android app also collects all calendar and contact data.

The third security issue, which Winkelmeyer described as a "data security nightmare," is that Microsoft has built-in connectors to OneDrive, Dropbox and Google Drive, which allow an enterprise user to easily share confidential company data with others, or worse, to access files that could be infected with malware, for example. Winkelmeyer's point is that this feature can easily bypass a company's security policies, such as app containerization.

Some of these security issues seem to be older Acompli issues, and given that Microsoft has merely rebranded the app as Outlook, it's possible the company didn't take a hard enough look at the app before re-launching it.

At the same time, Microsoft may have already been aware of the issues but decided to keep the service as is, because indexing of other companies' private email is something Microsoft may want to do. It remains to be seen how Microsoft will react to this discovery, and that reaction should tell us more about the company's intentions regarding these security issues.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • GMDS44
    and here I was about to install the APP into my work android phone.
    I guess I will keep using gmail 5.1 for my exchange needs. It works just fine anyway.
    Reply
  • fleeb
    Isn't this a "Preview" version?
    Reply
  • wirefire99
    People who think ANY data is secure are fooling themselves. It is just about how easy it is got someone else got get it. This is overall pretty poor but if businesses continue to push for cloud based services, especially small businesses, they need to realize that their information, no longer belongs to them.
    Reply
  • crikey2
    Yes, stick with gmail - cause gmail definitely doesn't store your email and attachments on Google's servers :-p
    Reply
  • GMDS44
    15185257 said:
    Yes, stick with gmail - cause gmail definitely doesn't store your email and attachments on Google's servers :-p

    I trust Google more than Microsoft when it comes to this matter.
    Anyway, using an APP from the day it is realeased is just a bad IDEA overall. Wait a couple of months (yes months) before a decent/stable/secure version goes out.

    Reply
  • TileGuyJesse
    Not to mention the widget doesn't open. Oh wait, I just did.
    Reply
  • JorgTheElder
    I would not consider any of this a problem if the app warned you up front that is what is was doing. If I was using it with Office 365, I would have not problem with Microsoft storing my credentials. :)

    However that fact that it provisioned such a cloud-based user-agent on my behalf is terrible. Almost as terrible as the fact that they provide no interface to de-provisions your account. Delete the client from all your devices and the cloud-based agent will continue accessing your email account about once a minute for some unknown amount of time.

    I finally reset my password and deleted the device partnership to kill its access to my account.
    Reply
  • kep55
    And you were surprised that a Microsoft product had security flaws out the Wazoo?
    Reply
  • JorgTheElder
    15187681 said:
    And you were surprised that a Microsoft product had security flaws out the Wazoo?

    They are not really flaws, they are design decisions and it actually works the same way other products do. However, other products tell you how they are working, and let you make some intelligent decisions.

    I have no problem using the app as it is with an Office 365 account as I would not have an Office 365 account if I did not trust MS with my data. That said, the company I work for does not trust Microsoft with their data, and I think the app should have done a much better job letting me know what it intended to do with that data. It should also make it very easy for me to clean up the data when I am done with the service.

    For now, they get a pass because I used prerelease software without reading the documentation. I would be much angrier if it was a shipping product.
    Reply
  • mrmez
    I figured it out the other day. It's M$' new anti piracy strategy.

    Make everything so $h!t that nobody would even bother stealing it.
    Reply