steven36 Posted February 2, 2015

It knows what you did last ... well, all the time actually

MICROSOFT'S NEW VERSION of Outlook for iOS and Android was released to rave reviews yesterday, but it now looks like it's on a one-way ticket to Borksville, calling at Securitygeddon and Hackesberg.

The app, based on Acompli, which was purchased by the company last year, has been described as superior to the Gmail and Apple stock apps, but a post from security blogger Rene Winkelmeyer points to a whole bunch of problems that make it an absolute mare.

First of all, Winkelmeyer claims to have proof that Microsoft is storing user credentials. After setting up a test account, including activating push notifications, he described what he found as "breathtaking".

"A frequent scanning from an AWS IP to my mail account means Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud!

"They haven’t asked me. They just scan. So they have, in theory, full access to my PIM data."

He goes on to point out that Acompli's privacy policy makes explicit that this is indeed the case.

It states: "Those messages, calendar events and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device.

"If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app."

Tinfoil hats on, everyone!
The blog post adds that file sharing between cloud services can be encapsulated in the words 'security nightmare', as there is no way of controlling what services have access to what files once connected.

Finally, ActiveSync, which manages push email in Microsoft-land, does not differentiate between two devices; it would see installation on an iPhone and an iPad as the same single installation. Gah!

Winkelmeyer is uncompromising in his advice. "The only advice I can give you at this stage is block the app from accessing your company's mail servers and inform your users that they shouldn’t use the app."

We've reached out to Microsoft for comment on this story, which overshadows the successful launch of the Android tablet versions of the rest of the Office suite.

It forms part of a strategy which yesterday saw the company invest in Cyanogen in the hope of creating a Microsoft-friendly Android fork.

Source