The new Microsoft Outlook app for iOS may be one of the best email apps to come out in a while – but according to IT security professionals, it also presents myriad privacy issues.
Last week, Microsoft announced it was releasing a new Outlook app for iOS, giving users the chance to quickly prioritize and triage their emails. (The Android version is still in preview mode).
The app was born from Microsoft’s acquisition of email startup Acompli in December 2014; the company essentially rebranded Acompli’s product as Outlook. Still, much of the press around the new app has been positive, and given that the Redmond, Wash.-based company acquired Acompli so recently, the turnaround time was pretty quick.
It might have been too quick, according to René Winkelmeyer, head of development at Midpoints, a German company providing consulting services for IBM solutions. On Jan. 29, he published a blog post outlining privacy issues with the new Outlook app for iOS, saying Microsoft has been taking people’s username and password credentials and storing them in the cloud.
That was the practice for the Acompli app, but it continued when Microsoft rebranded the app as Outlook – and that wasn’t made clear to customers, Winkelmeyer said. He first noticed the issue when he downloaded the app and signed in with a test account, and was surprised to find the app was trying to send him push notifications, meaning the app’s server was trying to reach his company’s mail server.
Essentially, the app’s approach means that company employees who use Outlook, and who previously had their credentials stored securely behind the company firewall, will now have those credentials stored in a third-party cloud, he noted.
“What I saw was breathtaking. A frequent scanning from an [Amazon Web Services] IP to my mail account. Means Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud! They haven’t asked me. They just scan. So they have in theory full access to my [personal information management] data,” Winkelmeyer wrote in his blog post.
Worse still, there’s no ability to integrate mobile device management (MDM) solutions with the new Outlook, meaning enterprise organizations can’t use containerization to protect any data flowing into that app, he added.
“I really wouldn’t have expected that. You don’t expect something like this from IBM, from Microsoft, from Apple, from the IT giants – you don’t expect something like that,” said Winkelmeyer in an interview.
He noted that some people, including commentators on his blog post, don’t believe this is a real issue because both Microsoft and Acompli have provided security around their app. However, what this boils down to is a matter of trust, he said.
“People hear Microsoft and Outlook, and that means, trust it,” he said. “Everybody trusts Microsoft Outlook, that’s fine, they run it at home and they run it at the company, everything is fine. And nobody would ever think about their data … is stored in an uncontrollable cloud environment.”
He added that even though the data may be encrypted, it is still in the cloud – and even if there is no data leakage, it is beyond a company’s firewall.
Microsoft’s decision to collect Outlook users’ credentials has raised the ire of organizations like CMS Consulting Inc., a Toronto-based company that actually helps other businesses deploy Microsoft infrastructure solutions. While the company uses Outlook, and a few of its employees downloaded the app when it was released, they have since uninstalled it and changed their passwords.
That’s because they noticed Microsoft did not explain it would be storing their credentials, said Brian Bourne, CMS Consulting’s CEO, in an interview.
“The bar you’re held to when you claim you have Outlook for mobile, when you’re Microsoft, is different,” Bourne said. “It should behave like Outlook. That’s their whole sales pitch … It should work just like the desktop, if that’s what they’re saying, and it should only pass credentials between the app and my mail server.”
Even though CMS Consulting is a Microsoft Gold Certified Partner, Bourne said he was disappointed with Microsoft’s decision to collect its customers’ data without their consent. He added in his mind, this violates Canada’s Personal Information and Electronic Documents Act, given that Microsoft has not asked for user consent to collect their credentials.
However, Bourne said he believes this is more of a privacy issue than a security issue, framing the distinction around whether users are told Microsoft is collecting their data. Whether they trust Microsoft to store it securely is a different story.
“How well they secure it is unknown to me, and whether I choose to trust their security or not should be my choice. Notice is required, because then I can make an educated choice of do I trust them, do I trust how they’ve built this,” he said.
For its part, Microsoft has responded to its users in a blog post, saying it will be adding MDM capabilities “soon.” A spokesperson responding to a user comment also said that if the app doesn’t meet an organization’s corporate security policies, IT administrators can use ActiveSync to block the app.
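The scanning from Amazon Web Services addresses that Winkelmeyer noticed, and the ActiveSync block Microsoft points administrators to, both depend on telling a handset’s own sync traffic apart from traffic relayed by a hosted service. The following Python is an added example, not code from the article or from Microsoft: it runs over a constructed sample of ActiveSync request fields and reports DeviceType values that only ever connect from cloud-provider address ranges; the prefixes and the “CloudSyncApp” client name are placeholders.

```python
import ipaddress
from collections import defaultdict

# Placeholder "cloud provider" prefixes standing in for a real published list such as
# the AWS ip-ranges.json feed; the TEST-NET blocks below are documentation addresses.
CLOUD_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/24")]

# Constructed sample of Exchange ActiveSync requests (client IP, mailbox, DeviceType,
# User-Agent), not a real log. "CloudSyncApp" is a hypothetical client that syncs
# through a hosted service, so its requests arrive from cloud addresses, not the handset.
SAMPLE_LOG = """\
203.0.113.8 alice@example.com iPhone Apple-iPhone6C1/1202.466
203.0.113.8 alice@example.com iPhone Apple-iPhone6C1/1202.466
198.51.100.23 bob@example.com CloudSyncApp CloudSyncApp-iOS/1.0
198.51.100.24 bob@example.com CloudSyncApp CloudSyncApp-iOS/1.0
203.0.113.9 carol@example.com Android Android/4.4
192.0.2.77 carol@example.com CloudSyncApp CloudSyncApp-iOS/1.0
"""

def is_cloud_ip(ip_text, networks=CLOUD_NETWORKS):
    """True if the address falls inside one of the cloud-provider prefixes."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed field: cannot be attributed to any prefix
    return any(addr in net for net in networks)

def cloud_synced_devices(log_text, networks=CLOUD_NETWORKS):
    """Map each mailbox to the DeviceType values that only ever synced from cloud IPs.

    A handset syncing directly appears from carrier or home addresses; a DeviceType
    seen exclusively from cloud prefixes points to a server-side intermediary holding
    the user's credentials, which is the pattern the article describes.
    """
    seen = defaultdict(lambda: defaultdict(set))  # user -> DeviceType -> {cloud flags}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        ip, user, device_type = parts[:3]
        seen[user][device_type].add(is_cloud_ip(ip, networks))
    return {u: {d for d, flags in devs.items() if flags == {True}}
            for u, devs in seen.items()
            if any(flags == {True} for flags in devs.values())}

def device_types_to_block(log_text, networks=CLOUD_NETWORKS):
    """Distinct DeviceType values to review for an ActiveSync device access rule."""
    return sorted({d for devs in cloud_synced_devices(log_text, networks).values() for d in devs})
```

Replace CLOUD_NETWORKS with the provider’s published prefix list and use the returned DeviceType values as the starting point for an Exchange device access rule review.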