New Microsoft mobile apps might be a security disaster
- 06 February, 2015 07:34
Last week, Microsoft released Outlook for iOS and offered a preview version of Outlook for Android. While this was generally heralded as a significant productivity win, it seems that there might be some security problems.
Like many, we were very interested in Microsoft's announcement last week that Outlook for iOS had been released and that a preview of Outlook for Android was also available. So interested that we downloaded the iPad version almost immediately to play with it.
While the user interface and integration with various cloud storage services were significant steps forward compared with Apple's own Calendar and Mail apps, there were a few hassles, such as being unable to view subscribed calendars. So we stopped using the application.
It now seems that some significant security issues have been identified by developer and IBM Champion René Winkelmeyer. He says "Microsoft's Outlook app for iOS breaks your company security".
In his view, Outlook for iOS' ability to connect to file-sharing services such as Dropbox, Google Drive and OneDrive is a significant security issue.
Many mobile security and MDM solutions approach security by containerising applications. In other words, corporate applications run in a secure, sandboxed environment on the mobile device, and corporate data is not supposed to leave that container. However, the way Microsoft has linked Outlook for iOS to those cloud storage services circumvents those isolation methods: the app itself can move mail and attachments into a user's personal cloud storage.
He also points out that ActiveSync clients normally present a unique device ID for data synchronisation, so administrators can distinguish between a user's devices and approve or block each one individually. Outlook for iOS doesn't work that way. If a user installs it on both their iPad and their iPhone, the same ID is shared across all devices used by that individual user.
In other words, if a user has an approved corporate device with Outlook for iOS, they can install Outlook for iOS on a non-approved device and it will connect to the ActiveSync server.
The final nail in the coffin is perhaps the most critical. When you add your user accounts to Outlook for iOS, those credentials are sent to and stored on Microsoft's servers, which perform the mailbox synchronisation on the user's behalf rather than the device talking to the corporate Exchange server directly.
Winkelmeyer confirmed this by reviewing communication logs on the mail servers he uses: the sync connections came from Microsoft's infrastructure, not from his devices.
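The two server-side symptoms described above (one ActiveSync device ID shared across a user's devices, and sync traffic arriving from a cloud intermediary instead of the handset) can be checked against sync logs. The following Python script is an added example written for this article, not code from Winkelmeyer or Microsoft. The log format, the user-agent strings, the device IDs, the allow-list and the relay address range are all constructed for illustration; adapt the parser to whatever your mail server actually records.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines, not real Exchange/ActiveSync output. Assumed
# whitespace-separated format: timestamp user device_id user_agent source_ip.
# alice uses the native client on two devices (two DeviceIds); bob uses the
# Outlook app on an approved iPhone and an unapproved iPad (one DeviceId).
SAMPLE_LOG = """\
2015-02-03T08:01:12Z alice APPL9F2C61 Apple-iPhone/1202.466 203.0.113.10
2015-02-03T08:05:44Z alice APPL9F2C61 Apple-iPhone/1202.466 203.0.113.10
2015-02-03T08:30:09Z alice APPLB7E330 Apple-iPad/1202.466 203.0.113.10
2015-02-03T09:10:02Z bob 5C7E2A9B1D OutlookApp/1.0 198.51.100.7
2015-02-03T09:12:30Z bob 5C7E2A9B1D OutlookApp/1.0 198.51.100.9
2015-02-03T09:40:15Z bob 5C7E2A9B1D OutlookApp/1.0 198.51.100.7
"""

# Constructed: the per-user device allow-list an MDM or Exchange admin keeps,
# keyed on ActiveSync DeviceId. bob's single entry was approved for his iPhone.
APPROVED = {"alice": {"APPL9F2C61", "APPLB7E330"}, "bob": {"5C7E2A9B1D"}}

# Constructed: address space assumed to belong to the cloud relay that syncs
# on the user's behalf, rather than to a handset or a mobile carrier.
RELAY_NETS = [ip_network("198.51.100.0/24")]


def parse_log(text):
    """Turn the constructed log lines into records with a parsed source IP."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device_id, agent, ip = line.split()
        records.append({"ts": ts, "user": user, "device_id": device_id,
                        "agent": agent, "ip": ip_address(ip)})
    return records


def allowed(records, approved):
    """The conventional check: does the request's DeviceId match an approved
    device for that user? Returns (allowed, rejected). Because the Outlook app
    presents one DeviceId per user, bob's unapproved iPad passes too."""
    ok, bad = [], []
    for r in records:
        (ok if r["device_id"] in approved.get(r["user"], set()) else bad).append(r)
    return ok, bad


def shared_device_ids(records):
    """DeviceIds seen from more than one source address for the same user.
    With a per-device ID this is unusual; with one ID shared across a user's
    devices it is the only server-side hint that several handsets sit behind it."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["user"], r["device_id"])].add(r["ip"])
    return {key: ips for key, ips in seen.items() if len(ips) > 1}


def relay_synced(records, relay_nets):
    """Records whose traffic originates inside the relay's address space, i.e.
    the stored credentials are being used by a third-party server, not the device."""
    return [r for r in records if any(r["ip"] in net for net in relay_nets)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    ok, bad = allowed(recs, APPROVED)
    print(f"{len(ok)} requests pass the DeviceId allow-list, {len(bad)} rejected")
    for (user, dev), ips in shared_device_ids(recs).items():
        print(f"{user}: DeviceId {dev} used from {sorted(map(str, ips))}")
    for r in relay_synced(recs, RELAY_NETS):
        print(f"relay sync: {r['user']} {r['device_id']} from {r['ip']} ({r['agent']})")
```

Run as a script, every one of bob's requests passes the allow-list even though only one of his devices was approved, which is exactly why a DeviceId-based approval cannot enforce the corporate-device policy here. The shared-ID and relay-origin checks are heuristics for spotting the situation, not a fix: the only real controls are blocking the app's user agent at the ActiveSync gateway or accepting that the mailbox credentials live with the cloud service.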
It's worth noting that Microsoft didn't develop Outlook for iOS from scratch. It's actually a rebranded version of an app called Acompli, which Microsoft purchased in late 2014.
The app's own terms say as much: "That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain".
We have asked Microsoft for comment on this significant issue but they have not responded.
This article is brought to you by Enex TestLab, content directors for CSO Australia.