New Microsoft mobile apps might be a security disaster

Last week, Microsoft released Outlook for iOS and offered a preview version of Outlook for Android. While this was generally heralded as a significant productivity win, it seems that there might be some security problems.

Like many, we were very interested in Microsoft's announcement last week that Outlook for iOS had been released and that a preview of Outlook for Android was also available. So interested that we downloaded the iPad version almost instantly to play with it.

While the user interface and integration with various cloud storage services were significant steps forward over Apple's own Calendar and Mail apps, there were a few hassles, such as with viewing subscribed calendars. So we stopped using the application.

It now seems that some significant security issues have been identified by developer and IBM Champion René Winkelmeyer. He says "Microsoft's Outlook app for iOS breaks your company security".

In his view, Outlook for iOS' ability to connect to file-sharing services such as Dropbox, Google Drive and OneDrive is a significant security issue.

Many mobile security and MDM solutions approach security by containerising applications. In other words, corporate applications run in a secure, sandboxed environment on the mobile device. However, the way Microsoft has linked Outlook for iOS to those cloud storage services circumvents those isolation methods.

He also points out that ActiveSync clients normally have a unique ID for data synchronization so administrators can distinguish between a user's devices. Outlook for iOS doesn’t work that way. If a user installs it to their iPad and iPhone, the same ID is shared across all devices used by that individual user.

In other words, if a user has an approved corporate device with Outlook for iOS, they can install Outlook for iOS on a non-approved device and it will connect to the ActiveSync server.
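One way an administrator could look for the device-ID sharing described above is to scan ActiveSync request logs for a single (user, DeviceId) pair that is presented by more than one kind of client. The following is an added example written for this article, not code from Microsoft, Winkelmeyer or CSO: the log lines are constructed to resemble IIS-style ActiveSync request records (the `User`, `DeviceId`, `DeviceType` and `Cmd` query parameters are real ActiveSync conventions; the user-agent strings, IP addresses and account names are placeholders).

```python
"""Spot Exchange ActiveSync device IDs that are presented by more than one
client. Added example for this article; the log lines below are constructed
to resemble IIS-style ActiveSync request logs (not real traffic), and the
user-agent strings are placeholders, not Microsoft's actual values."""

from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log lines (not real data). Fields, space separated:
# date, time, URI stem, query string, user agent, client IP.
SAMPLE_LOG = """\
2015-02-02 08:01:10 /Microsoft-Server-ActiveSync User=alice&DeviceId=A1B2C3&DeviceType=iPhone&Cmd=Sync Example-Mail-Client/1.0(iPhone) 203.0.113.10
2015-02-02 08:02:44 /Microsoft-Server-ActiveSync User=bob&DeviceId=D4E5F6&DeviceType=iPhone&Cmd=Ping Example-Mail-Client/1.0(iPhone) 203.0.113.11
2015-02-02 08:05:03 /Microsoft-Server-ActiveSync User=alice&DeviceId=A1B2C3&DeviceType=iPad&Cmd=Sync Example-Mail-Client/1.0(iPad) 198.51.100.7
2015-02-02 08:07:19 /Microsoft-Server-ActiveSync User=carol&DeviceId=778899&DeviceType=iPad&Cmd=Sync Example-Mail-Client/1.0(iPad) 203.0.113.12
2015-02-02 08:09:55 /Microsoft-Server-ActiveSync User=alice&DeviceId=A1B2C3&DeviceType=iPhone&Cmd=Sync Example-Mail-Client/1.0(iPhone) 203.0.113.10
"""


def parse_line(line):
    """Split one constructed log line into the fields the check needs."""
    date, time, stem, query, agent, ip = line.split(" ", 5)
    q = parse_qs(query)
    return {
        "user": q.get("User", [""])[0],
        "device_id": q.get("DeviceId", [""])[0],
        "device_type": q.get("DeviceType", [""])[0],
        "agent": agent,
        "ip": ip,
    }


def shared_device_ids(log_text):
    """Return {(user, device_id): sorted distinct (device_type, agent) pairs}
    for every device ID that more than one kind of client has used. A
    normal ActiveSync client yields one pair per ID; two or more pairs
    means separate hardware is syncing under the same identity."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        clients[(rec["user"], rec["device_id"])].add((rec["device_type"], rec["agent"]))
    return {key: sorted(pairs) for key, pairs in clients.items() if len(pairs) > 1}


if __name__ == "__main__":
    for (user, dev_id), pairs in shared_device_ids(SAMPLE_LOG).items():
        print(f"{user}: DeviceId {dev_id} seen from {len(pairs)} client types: {pairs}")
```

Because `DeviceType` and the user agent are reported by the client, a hit here is a detection signal for review, not proof on its own, and it is no substitute for enforcing device approval in the MDM or on the ActiveSync server.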

The final nail in the coffin is perhaps the most critical. When you add your user accounts to Outlook for iOS, those credentials are synchronized and stored on Microsoft's servers.


Winkelmeyer confirmed this by reviewing communication logs on the servers he uses.

It's worth noting that Microsoft didn't develop Outlook for iOS from scratch. It's actually a rebranded version of an app called Acompli, which Microsoft purchased in late 2014.

It seems that, in the zeal to release Outlook for iOS, they neglected to look at Acompli's privacy policy, which states: "We provide a service that indexes and accelerates delivery of your email to your device. That means that our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. If you decide to sign up to use the service, you will need to create an account.

That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain."

We have asked Microsoft for comment on this significant issue but they have not responded.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Anthony Caruana