My security thoughts on Outlook for iOS and Android

You’ve probably heard all about the new Outlook for iOS and Android that was recently released to the public. The app is a rebrand of Acompli, which Microsoft acquired earlier.

People have been writing a lot about this app, but I just can’t refrain from making a post about it because of one obvious and one not so obvious problem with it. Coming from the security side of things, I just have to. Even more so since I work for a company that creates security products targeting mobile e-mail.

No S/MIME support
For those of you unfamiliar with the term, S/MIME is the standard way of signing and encrypting e-mail, and it is what Exchange and Outlook use for encrypted messages. As long as the app does not support it, it’s simply not enterprise grade. While I like some aspects of the app, this alone makes it a no go for me. While I understand that many do not use encrypted e-mail on a daily basis, it’s still half a client without the support.

Credential storing middleware
When I heard about this I thought it was a joke. I actually believed that someone wanted to be all anti-Microsoft and was flat-out lying. Turns out it was true. When you configure your corporate (not your personal) e-mail account, the app sends your corporate credentials not only to your Exchange server but also to a service hosted on AWS (moving to Azure later this year), where they are stored. As if this wasn’t enough, that AWS-hosted service then impersonates you and your device and connects to your company’s Exchange server, where it reads your e-mail and stores it. Office 365 users should also note that it doesn’t matter where your tenant is located, since the AWS service is in the USA; if you chose a location in Europe, perhaps out of security concerns, this is bad news for you.

There simply is no excuse for this. No argument holds from a security perspective. Storing your corporate domain credentials on their servers is wrong. Some will say the credentials won’t be used maliciously; what would you call it if I read your e-mail? What if someone hacks that service? Does your company allow you to give someone else the credentials you use to access corporate data?

Uninstalled and now blocked in PointSharp Mobile Gateway for Exchange.
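The sync-by-proxy design described above leaves a trace an admin can look for: every ActiveSync request for such a device comes from the relay's address space, never from a mobile carrier, and the client identifies itself as the app rather than as the handset. The following Python scan over Exchange ActiveSync log lines of the kind IIS writes is an added example, not code from the original post, from Microsoft, or from PointSharp. The log lines, the "cloud" address ranges, and the identifiers used to recognise the app (a DeviceType of "Outlook" and a User-Agent beginning "Outlook-iOS-Android") are constructed or assumed for the example; check your own logs for the strings the app actually sends before relying on them.

```python
"""
Added example: find ActiveSync devices that are (a) the Outlook for iOS/Android
app and/or (b) syncing from a cloud relay's address space instead of from the
handset. Not code from the original post; identifiers and data are assumed.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# IIS W3C fields, in the order used by SAMPLE_LOG below (constructed layout).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# ASSUMED identifiers for the app; verify against your own logs.
APP_DEVICE_TYPES = {"outlook"}
APP_UA_PREFIX = "outlook-ios-android"

# CONSTRUCTED ranges standing in for the relay service's published ranges
# (documentation prefixes, not AWS's real allocation).
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# CONSTRUCTED sample: alice syncs via the app from relay addresses, bob syncs
# from his phone on a carrier address, carol is an OWA request to be ignored.
SAMPLE_LOG = """\
2015-02-02 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice%40corp.example&DeviceId=ABC123&DeviceType=Outlook&Cmd=Sync alice 203.0.113.17 Outlook-iOS-Android/1.0 200
2015-02-02 08:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bob%40corp.example&DeviceId=DEF456&DeviceType=iPhone&Cmd=Ping bob 192.0.2.44 Apple-iPhone6C2/1208.143 200
2015-02-02 08:00:09 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice%40corp.example&DeviceId=ABC123&DeviceType=Outlook&Cmd=FolderSync alice 198.51.100.9 Outlook-iOS-Android/1.0 200
2015-02-02 08:00:12 10.0.0.5 GET /owa/ - carol 192.0.2.80 Mozilla/5.0 200
"""


@dataclass
class DeviceRecord:
    """Everything seen for one EAS DeviceId across the log."""
    user: str
    device_type: str
    user_agents: set = field(default_factory=set)
    source_ips: set = field(default_factory=set)

    @property
    def is_outlook_app(self) -> bool:
        # Match on either the DeviceType query parameter or the User-Agent.
        return (self.device_type.lower() in APP_DEVICE_TYPES
                or any(ua.lower().startswith(APP_UA_PREFIX)
                       for ua in self.user_agents))

    @property
    def cloud_sourced(self) -> bool:
        # True if any request for this device came from a relay range.
        return any(ipaddress.ip_address(ip) in net
                   for ip in self.source_ips for net in CLOUD_RANGES)


def parse_line(line: str):
    """Split one W3C log line into a field dict; None for comments/odd lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def scan_activesync(log_text: str) -> dict:
    """Group ActiveSync requests by DeviceId, collecting IPs and User-Agents."""
    devices: dict = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["cs-uri-stem"].lower() != "/microsoft-server-activesync":
            continue
        query = parse_qs(rec["cs-uri-query"])
        dev_id = query.get("DeviceId", ["?"])[0]
        dev = devices.setdefault(dev_id, DeviceRecord(
            user=query.get("User", [rec["cs-username"]])[0],
            device_type=query.get("DeviceType", [""])[0]))
        dev.user_agents.add(rec["cs(User-Agent)"])
        dev.source_ips.add(rec["c-ip"])
    return devices


def findings(devices: dict) -> list:
    """(DeviceId, user, reasons) for every device that trips a check."""
    out = []
    for dev_id, dev in devices.items():
        reasons = []
        if dev.is_outlook_app:
            reasons.append("outlook-app")
        if dev.cloud_sourced:
            reasons.append("cloud-sourced")
        if reasons:
            out.append((dev_id, dev.user, sorted(reasons)))
    return sorted(out)


if __name__ == "__main__":
    for dev_id, user, reasons in findings(scan_activesync(SAMPLE_LOG)):
        print(f"{dev_id} {user}: {', '.join(reasons)}")
```

Run against a real log, a device that is flagged as both "outlook-app" and "cloud-sourced" is exactly the case described above: a mailbox whose credentials and mail are being handled by the relay rather than by the phone. Once you know the DeviceType the app reports, Exchange's own `New-ActiveSyncDeviceAccessRule` cmdlet (with `-Characteristic DeviceType` and `-AccessLevel Block`) can block it organisation-wide; a gateway in front of Exchange, as used above, is the other place to do so.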

On the 47th episode of #TheUCArchitects podcast, Steve Goodman (@stevegoodman) is right on the spot when he says that when the app was released by a startup (Acompli) it was great, but now that it’s released by a huge enterprise it has to meet higher standards (to be fair, Steve said it needs more polish). Steve also talks about some of the security issues I’ve mentioned here, as well as a lot of the app’s other shortcomings (GAL support, Contacts, etc.). Thanks for reading, now go listen to the podcast.
