Just days after Microsoft released an iOS/Android version of Outlook, an IBM developer has warned users to stay clear of it due to a trio of security lapses and design flaws.
Outlook for iOS and Android is actually an acquisition, not a new, ground-up app. Microsoft acquired a company called Acompli, maker of a mobile business app,just two months ago and quickly rebranded the app as Outlook for Android and iOS.
However, Microsoft probably should have put the app through its QA process, because some security issues have been called to light by IBM developer René Winkelmeyer. He is advising businesses to stop using the app immediately. What's notable here is that Winkelmeyer isn't calling out bugs, he's calling out functions and design decisions that he believes constitute security weaknesses.
The first issue he points out is that the app has built-in connectors to OneDrive, Dropbox, and Google Drive. That means a user can connect their personal cloud storage account within the app and either share or save business mail attachments on those services or attach their personal files to emails sent on the corporate account, both of which can cause data security nightmares.
"It doesn’t matter if you’re using a containerized solution like the Apple built-in separation of managed and unmanaged apps. The same applies to every other container. The communication is app-internal and you cannot control that," Winkelmeyer wrote.
Second, Outlook for iOS uses the same ID across all of a user's devices, while ActiveSync for the client normally has a unique ID for each device for data synchronization. That allows administrators to distinguish multiple devices from each user. So with Outlook for iOS, ActiveSync can't tell the user's iPhone from iPad, for example, because they are indistinguishable. Again, a security and lock-down nightmare.
Finally, Winkelmeyer notes that Outlook for iOS will get and store your mail account credentials in the cloud. He noticed this because Outlook wanted to send him push notifications, which are normally triggered by a remote server. By looking at server logs, Winkelmeyer found that his mail account was being scanned by an Amazon Web Service IP address without his permission.
His conclusion: "The only advice I can give you at this stage is: block the app from accessing your companies mail servers. And inform your users that they shouldn't use the app."
Winkelmeyer has since written an update after the storm kicked up by his initial post, noting that there are some workarounds, but adding that they really aren't worth the headache. An MDM solution won't really help, nor will OAuth, which isn't even available from Microsoft.
By all accounts, Microsoft needs to take this app back to the labs and rework it thoroughly.