The new Microsoft Outlook app for iOS may be the one of the best email apps to come out in a while – but according to IT security professionals, it also presents myriad privacy issues.

Last week, Microsoft announced it was releasing a new Outlook app for iOS, giving users the chance to quickly prioritize and triage their emails. (The Android version is still in preview mode).

Born from Microsoft’s acquisition of email startup Acompli in December 2014, the company basically just rebranded Acompli’s product as Outlook. Still, much of the press around the new app has been positive, and given the Redmond, Wash.-based company acquired Acompli so recently, the turnaround time was pretty quick.

It might have been too quick, according to René Winkelmeyer, head of development at Midpoints, a German company providing consulting services for IBM solutions. On Jan. 29, he published a blog post outlining privacy issues with the new Outlook app for iOS, saying Microsoft has been taking people’s username and password credentials and storing them in the cloud.

That was the practice for the Acompli app, but it continued when Microsoft rebranded the app as Outlook – and that wasn’t made clear to customers, Winkelmeyer said. He first noticed the issue when he downloaded the app and signed in with a test account, and was surprised to find the app was trying to send him push notifications, meaning the app’s server was trying to reach his company’s mail server.

Essentially, the app’s approach means that company employees who use Outlook and previously had their credentials stored securely behind the company firewall, will now have those credentials stored on a third-party cloud, he noted.

“What I saw was breathtaking. A frequent scanning from an [Amazon Web Services] IP to my mail account. Means Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud! They haven’t asked me. They just scan. So they have in theory full access to my [personal information management] data,” Winkelmeyer wrote in his blog post.

Worse still, there’s no ability to integrate mobile device management (MDM) solutions with the new Outlook, meaning enterprise organizations can’t use containerization to protect any data flowing into that app, he added.

“I really wouldn’t have expected that. You don’t expect something like this from IBM, from Microsoft, from Apple, from the IT giants – you don’t expect something like that,” said Winkelmeyer in an interview.

He noted that some people, including commentators on his blog post, don’t believe this is a real issue because both Microsoft and Acompli have provided security around their app. However, what this boils down to is a matter of trust, he said.

“People hear Microsoft and Outlook, and that means, trust it,” he said. “Everybody trusts Microsoft Outlook, that’s fine, they run it at home and they run it at the company, everything is fine. And nobody would ever think about their data … is stored in an uncontrollable cloud environment.”

He added even though the data may be encrypted, it is still in the cloud – and even if there is no data leakage, it is beyond a company’s firewall.

Microsoft’s decision to collect Outlook users’ credentials has raised the ire of organizations like CMS Consulting Inc., a Toronto-based company that actually helps other businesses deploy Microsoft infrastructure solutions. While the company uses Outlook, and a few of its employees downloaded the app when it was released, they have since uninstalled it and changed their passwords.

That’s because they noticed Microsoft did not explain it would be storing their credentials, said Brian Bourne, CMS Consulting’s CEO, in an interview.

“The bar you’re held to when you claim you have Outlook for mobile, when you’re Microsoft, is different,” Bourne said. “It should behave like Outlook. That’s their whole sales pitch … It should work just like the desktop, if that’s what they’re saying, and it should only pass credentials between the app and my mail server.”

Even though CMS Consulting is a Microsoft Gold Certified Partner, Bourne said he was disappointed with Microsoft’s decision to collect its customers’ data without their consent. He added in his mind, this violates Canada’s Personal Information and Electronic Documents Act, given that Microsoft has not asked for user consent to collect their credentials.

However, Bourne said he believes this is more of a privacy issue than a security issue, framing the distinction around whether users are told Microsoft is collecting their data. Whether they trust Microsoft to store it securely is a different story.

“How well they secure it is unknown to me, and whether I choose to trust their security or not should be my choice. Notice is required, because then I can make an educated choice of do I trust them, do I trust how they’ve built this,” he said.

For its part, Microsoft has responded to its users in a blog post, saying it will be adding MDM capabilities “soon.” A spokesperson responding to a user comment also said that if the app doesn’t meet an organization’s corporate security policies, IT administrators can use ActiveSync to block the app.

Share on LinkedIn Share with Google+
More Articles

  • Guest

    Load of shit. When you install and setup each of the mail accounts you have it states that you are allowing the Outlook app access. It’s up front and lets you know what is going on.

    • matgeek

      You are not stating that you allow Microsoft to access your mail directly from their servers — without you using the Outlook App.

      This is beyond irresponsible from a major IT company… In todays atmosphere of privacy concerns, no one makes these kinds of decisions willy nilly, which means MS INTENDED to snoop on your mail from the outset.

      If you think that’s a “Load of shit” — you’re bloody insane.

  • BrianB

    There’s a pretty huge difference between allowing an app access to mail and contact information stored on your device versus the app storing those credentials in cloud based servers (in this case servers in AWS) and having those servers access your corporate network on your behalf. Its rather obvious that a mail app needs access to mail on the device. Its not obvious that your credentials and email will be handed off and used on your behalf. This fails the tests of notice and consent as defined by PIPEDA. I recommend a read of the guidlines for Online Consent at https://www.priv.gc.ca/information/guide/2014/gl_oc_201405_e.asp

  • Effilya De

    well if you’re stupid enough to use an iPhone for important business then you get what you paid for.

    • matgeek

      No… If you’re stupid enough to use Microsoft products for important business, then you get what you paid for.

  • Mat Pancha

    I’m slightly confused here…

    I just double checked this, and upon entering your credentials for a (Google) email account you are explicitly shown that Outlook wants to “view and manage your email, email address, calendars, files and contacts”. You can either cancel or accept.

    With a yahoo account, no permissions are requested.

    I do not have an exchange or outlook.com account, has anyone else checked this?

    Also – on installation of the Outlook app, I was asked to allow (or not) push notifications.

    On the one hand, I understand the concern on transparency of the backend workings – on the other hand, no one would have understood it.

    Its a good product, I encourage my staff to use it (but we’re also on Google so I have another layer of protection).

  • BrianB

    Clearly there’s a great deal of confusion between an app asking for permission to access specific contents on the phone and an app passing those credentials off to server infrastructure to act on your behalf.