Outlook for iOS breaks company security, developer warns
René Winkelmeyer, Head of Development at midpoints GmbH and IBM Champion, says that Microsoft will get and store your mail account credentials and server data in the cloud if you use the iOS Outlook app, and it will do this without notifying you.
He discovered this while analyzing how the app deals with push notifications and says that, in theory, this means that Microsoft has access to users' personal information management (PIM) data: mail, calendar and contacts. He went into more detail on this in a follow-up post.
Another thing he has a problem with is that when a user installs the app on multiple devices, it presents the same device ID to the mail server from all of them, which prevents administrators from distinguishing one of the user's devices from another.
Lastly, he pointed out that the app’s built-in connectors to OneDrive, Dropbox and Google Drive are a data security nightmare.
“That means a user can set up his personal account within the app and share all mail attachments using those services. Or use files from those services within his company mail account,” he noted.
The new Outlook for iOS app comes less than two months after Microsoft bought mobile email app firm Acompli, and it seems that these security holes are a remnant of Acompli's way of doing things.
“We provide a service that indexes and accelerates delivery of your email to your device. That means that our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app.”
“If you decide to sign up to use the service, you will need to create an account. That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password.”
Winkelmeyer advises administrators to block the app from accessing their companies’ mail servers and tell employees not to use the app.
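For an Exchange administrator, that advice translates into an Exchange ActiveSync device access rule plus a check of the partnerships the app has already created. The following script is an added example written for this article; it is not Winkelmeyer's code and not Microsoft's guidance. It assumes the app identifies itself to Exchange with the ActiveSync DeviceType "Outlook" (confirm that on your own server with the first step before creating the rule), and it uses the Exchange 2013+ cmdlet names (Get-MobileDevice / Remove-MobileDevice; Exchange 2010 uses the older Get-ActiveSyncDevice / Remove-ActiveSyncDevice).

```powershell
# Added example, not from the article or from Winkelmeyer. Run from the Exchange
# Management Shell or a remote Exchange PowerShell session with Organization
# Management rights.
#
# ASSUMPTION: the app reports DeviceType "Outlook". Verify with step 1 first.
$AppDeviceType = 'Outlook'

# Step 1: inventory what the app actually reports. DeviceType and DeviceUserAgent
# are the characteristics that device access rules can match on.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq $AppDeviceType -or $_.DeviceUserAgent -like 'Outlook*' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceUserAgent, DeviceId, FirstSyncTime |
    Format-Table -AutoSize

# Step 2: check the "same ID on every device" symptom the article describes.
# Each handset normally has its own DeviceId. A DeviceId that turns up across
# several mailboxes means the sync traffic originates from a shared intermediary
# rather than from distinct devices, which defeats per-device quarantine and wipe.
Get-MobileDevice -ResultSize Unlimited |
    Group-Object DeviceId |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            DeviceId  = $_.Name
            Mailboxes = @($_.Group.UserDisplayName | Sort-Object -Unique).Count
            Types     = (@($_.Group.DeviceType | Sort-Object -Unique) -join ',')
        }
    } | Format-Table -AutoSize

# Step 3: block the app organization-wide. Device access rules are evaluated
# before any mailbox-level ActiveSync settings and refuse matching partnerships.
New-ActiveSyncDeviceAccessRule -QueryString $AppDeviceType -Characteristic DeviceType -AccessLevel Block

# Step 4: verify the rule, then remove partnerships the app already created so
# the server stops serving them. Note that a blocked partnership does not revoke
# anything: credentials the service already holds stay valid until the users'
# passwords are changed, so pair this with a password reset for affected accounts.
Get-ActiveSyncDeviceAccessRule | Format-Table Name, QueryString, Characteristic, AccessLevel -AutoSize
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq $AppDeviceType } |
    Remove-MobileDevice -Confirm:$false
```

Run steps 1 and 2 read-only first and adjust `$AppDeviceType` to whatever your server logs; a rule keyed to the wrong DeviceType silently blocks nothing. Step 4 also gives you the list of users who have already handed the app their credentials, which is the population that needs the password reset.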