IBM Developer discovers Outlook for iOS app lacks proper security

The iOS Outlook app lets Microsoft see all mail account and server credentials without the user's knowledge.

The same day that Microsoft released its new Outlook app for iOS, René Winkelmeyer, a developer for IBM, warned that it breaks corporate security in multiple ways.

René Winkelmeyer, Head of Development at midpoints GmbH and an IBM Champion, discovered that Microsoft obtains and stores your mail account credentials and server data in the cloud (without notifying you) if you use the new iOS Outlook app.

He discovered these details while analyzing how the iOS Outlook app handles push notifications, and notes that Microsoft has potential access to the personal information management data. He elaborates on this in detail here.

Another security complication of the iOS Outlook app is that even when a user installs the app on multiple devices, it reports the same device ID on all of them, which prevents administrators from distinguishing one of a user's devices from another. Also, the iOS Outlook app's built-in connectors to OneDrive, Dropbox and Google Drive are a data security nightmare.

René Winkelmeyer noted on the built-in connectors in the iOS Outlook app:

“That means a user can set up his personal account within the app and share all mail attachments using those services. Or use files from those services within his company mail account.”

These security issues arrive in the new iOS Outlook app after Microsoft bought the mobile email app firm Acompli less than two months ago; the updated privacy policy (dated January 28, 2015) says:

“We provide a service that indexes and accelerates delivery of your email to your device. That means that our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app.”

“If you decide to sign up to use the service, you will need to create an account. That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password.”

For now, René Winkelmeyer recommends that all administrators tell employees not to use the iOS Outlook app and block it from accessing their companies' mail servers until the security issues are resolved.
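One way to carry out that recommendation on an on-premises Exchange server of that era, as an added example that is not part of the article or of Winkelmeyer's write-up: a script for the Exchange Management Shell that inventories existing partnerships with the app, blocks it with an ActiveSync device access rule, and removes the partnerships already in place. The DeviceType string 'Outlook' is an assumption; confirm it against your own Get-MobileDevice output before relying on it.

```powershell
# Added example, not from the article. Run in the Exchange Management Shell
# (Exchange 2013 cmdlet names). Requires the Organization Management role.
#
# ASSUMPTION: the iOS Outlook app (and the cloud service that syncs on its
# behalf) identifies itself to Exchange with DeviceType 'Outlook'. Check the
# DeviceType / DeviceUserAgent columns below against a known test device first.
$outlookDeviceType = 'Outlook'

# 1. Inventory: which mailboxes already have a partnership with the app?
#    Because the app reuses one DeviceId across a user's devices (see above),
#    a user who owns several devices may still appear only once here.
$devices = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq $outlookDeviceType }

$devices |
    Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel,
                  DeviceUserAgent, FirstSyncTime |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize

# 2. Block new partnerships by device type. Device access rules are evaluated
#    before the per-user ActiveSync allow list, so this refuses the cloud
#    relay as well as the phone itself.
$existingRule = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceType' -and
                   $_.QueryString -eq $outlookDeviceType }
if (-not $existingRule) {
    New-ActiveSyncDeviceAccessRule -QueryString $outlookDeviceType `
                                   -Characteristic DeviceType `
                                   -AccessLevel Block
}

# 3. Tear down partnerships that were created before the rule existed, so
#    devices that are already synced stop receiving mail too.
foreach ($d in $devices) {
    Remove-MobileDevice -Identity $d.Identity -Confirm:$false
}

# 4. Follow-up for the affected users: since the article states that account
#    credentials were sent to and stored by the service, a blocked device is
#    not enough on its own; the owners of the mailboxes listed in step 1
#    should also have their passwords reset.
$devices | Select-Object -ExpandProperty UserDisplayName -Unique
```

Run step 1 on its own first and review the output; steps 2 and 3 change tenant state and will disconnect every user who set up the app, so they are best run during a maintenance window with users notified in advance.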
