Microsoft launched the "Outlook for iOS and Android" app yesterday, which was in fact a rebranding of an existing app called Acompli that Microsoft purchased in early December 2014. However, according to IBM developer René Winkelmeyer, the app presents some major security issues for the companies that intend to use it, and access should be immediately denied to enterprise users.
By far the biggest security issue that the developer found is that Microsoft itself has access to the users' email credentials, including both the username and the password:
“What I saw was breathtaking. A frequent scanning from an AWS IP to my mail account. Means Microsoft stores my personal credentials and server data (luckily I've used my private test account and not my company account) somewhere in the cloud! They haven't asked me. They just scan. So they have in theory full access to my PIM data," said Winkelmeyer in a blog post.
"Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password."
The second major security issue concerns Microsoft's servers acting as some sort of "man-in-the-middle" servers by intercepting a company's private emails as they pass from one user to another.
“Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app."
Microsoft and Acompli promote this indexing service as making email delivery slightly faster, but that comes with a rather significant privacy and security cost for the companies utilizing Microsoft's new app. This email interception could be especially worrisome for companies that don't want their data easily shared with certain U.S. government agencies. Those agencies may not have proper jurisdiction over that data when it's held by Microsoft's enterprise customers in other countries. However, they could get access more easily to Microsoft's copies of the data. The Outlook for iOS and Android app also collects all calendar and contact data.
The third security issue, which Winkelmeyer described as a "data security nightmare," is that Microsoft has built-in connectors to OneDrive, Dropbox and Google Drive, which allow an enterprise user to easily share confidential company data with others, or worse, to access files that could be infected with malware, for example. Winkelmeyer's point is that this feature can easily bypass a company's security policies, such as app containerization.
Some of these security issues seem to be older Acompli issues, and given that Microsoft has merely rebranded the app as Outlook, it's possible the company didn't take a hard enough look at the app before re-launching it.
At the same time, Microsoft may have already been aware of the issues but decided to keep the service as is, because indexing of other companies' private email is something Microsoft may want to do. It remains to be seen how Microsoft will react to this discovery, and that reaction should tell us more about the company's intentions regarding these security issues.