Researchers find Outlook app stores corporate email data in the cloud, bypassing security policies
A number of organisations are banning the use of Microsoft’s new Outlook app for iOS and Android following the discovery that data and user credentials are being stored in the cloud, bypassing a number of security policies.
The European Parliament and several academic institutions are among those to block access to the app, which had been well received until the recent discoveries.
In order to deliver notifications to a device, email data passes through Microsoft servers as well as company servers, rendering any password or encryption measures useless.
Developer Rene Winkelmeyer discovered the flaw after finding he was still receiving notifications despite deactivating his device. He has urged all firms to block the app from accessing company mail servers until Microsoft rectifies the situation.
This is the course of action taken by the European Parliament, which reportedly told employees and members it had blocked the functionality of the application and recommended they delete it from their device and change their password.
The University of Wisconsin has also blocked the app, recommending that users change their login credentials, and has suggested other universities are following suit.
“In short, the app is using a login method involving a cloud service. This means login information may be stored in the cloud service, which is not overseen by the University of Wisconsin-Madison,” it said in a message to campus network users. “This clearly poses a security risk, and the following information will detail the steps UW-Madison is taking. Campus leaders, campus IT and those affected have been notified. It is also noteworthy that other universities are experiencing similar issues, and taking action.
“The application stores each user’s NetID and password in a cloud service. The UW-Madison has neither a contract with, nor a security assessment from, the service.
“Due to these issues, we are requesting that Exchange administrators block access to the Outlook app until a complete IT security review can be completed or Microsoft corrects the issue.”
There are other issues with the application too. It allows users to connect their personal Dropbox, Google Drive and OneDrive accounts, enabling them to share information with consumer cloud services and open files on corporate networks, posing a range of security risks.
Additionally, multiple iOS devices cannot be distinguished due to an issue with ActiveSync, meaning administrators cannot see the difference between an iPhone and iPad.
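For an Exchange administrator asked to block the app, as UW-Madison requests, the following is one way to inventory the ActiveSync partnerships, add the block and verify it. This is an added example, not code from the article or from Microsoft; it assumes an Exchange Management Shell session with sufficient rights, and the DeviceType and DeviceModel strings it matches are the values Microsoft documented for the app rather than values taken from this page, so they should be checked against the inventory step first.

```powershell
# Added example, not from the article or from Microsoft. Assumes an Exchange
# Management Shell session with rights to manage ActiveSync device access rules.

# 1. Inventory: see exactly what the Outlook app reports, so the rule matches the
#    real strings rather than an assumed one (assumed values: DeviceType 'Outlook',
#    DeviceModel 'Outlook for iOS and Android').
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -like '*Outlook*' -or $_.DeviceModel -like '*Outlook*' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceUserAgent, FirstSyncTime

# 2. Block: one rule per characteristic, so the app is caught whichever field it is
#    matched on. Existing partnerships are re-evaluated against the new rules.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
    -QueryString 'Outlook for iOS and Android' -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString 'Outlook' -AccessLevel Block

# 3. Verify: the rules exist and already-paired Outlook app devices now show as Blocked,
#    with the reason attributed to a device rule rather than a per-user override.
Get-ActiveSyncDeviceAccessRule | Where-Object { $_.QueryString -like '*Outlook*' }
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Blocked' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessStateReason
```

The inventory in step 1 also gives the list of users who have already signed in through the app, which is the set whose passwords the article's affected institutions asked to be changed.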
Microsoft had not responded to requests for comment at the time of publication, but security experts have said the issue serves as a warning for IT administrators not to assume an application is compliant with their security policies.
“Businesses who use this application should make sure they have a process in place so that their mobile devices remain compliant with company security policies,” said Rob Miller, security consultant at MWR InfoSecurity. “There are a number of mobile device management (MDM) solutions that provide this functionality.
“More generally, businesses should be careful about making assumptions around the security features of a product. In the case of the Microsoft Outlook mobile app, Microsoft make no claims that the devices will follow their ActiveSync security policies when the app is installed. It is important that companies take the time to investigate the security of products before using them. This could be done either directly by raising questions with the app’s developers, or through third parties who can investigate the security of products.”