Microsoft risks enterprise credibility by pushing out insecure mobile Outlook

One thing about Microsoft: it may not be the greatest for usability or convenience, but it does understand enterprise requirements around compliance and protecting corporate data.

At least, I thought it did.

That confidence has been undermined by the release yesterday of new “Outlook” mobile apps for iOS and Android.

I read the cheery blog posts from Office PM Julia White and from new Outlook GM Javier Soltero. “Now, with Outlook, you really can manage your work and personal email on your phone and tablet – as efficiently as you do on your computer,” says White.

There is a snag though. The new Outlook apps are rebadged Acompli apps, Acompli being a company acquired by Microsoft in early December 2014. Acompli, when it thought about how to create user-friendly email apps that connected to multiple accounts, came up with a solution which, as I understand it, looks like this:

  1. User gives us credentials for accessing email account
  2. We store those credentials in our cloud servers – except they are not really our servers, they are virtual machines on Amazon Web Services (AWS)
  3. Our server app grabs your email and we push it down to the app

A reasonable approach? Well, it simplifies the mobile app and means that the server component does all the hard work of dealing with multiple accounts and mail formats; and of course everything is described as “secure”.

However, there are several issues with this from a security and compliance perspective:

  1. From the perspective of the email provider, the app accessing the email is on the server, not on the device, and the server app may push the emails to multiple devices. That means no per-device access control.
  2. Storing credentials anywhere in a third-party cloud is a big deal. In the case of Exchange, they are Active Directory credentials, which means that if they were compromised, the hacker would potentially get access not only to email, but to anything for which the user has permission on that Active Directory domain.
  3. If an organisation has a policy of running servers on its own premises, it is unlikely to want credentials and email cached on the AWS cloud.

The best source of information is the post “A Deeper look at Outlook on iOS and Android”, and specifically its comments. Microsoft’s Jon Orton confirms the architecture described above, which is also described in the Acompli privacy policy:

Our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app … If you decide to sign up to use the service, you will need to create an account. That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password.


The only solution offered by Microsoft is to block the new apps using Exchange ActiveSync policy rules.
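As an added example (not from the post or from Microsoft), this is what that block looks like in the Exchange Management Shell: discover how the app identifies itself, create an organisation-wide device access rule, then verify the access state of the affected partnerships. It assumes Exchange 2013 or Exchange Online (Exchange 2010 uses Get-ActiveSyncDevice instead of Get-MobileDevice) and that the app reports the DeviceModel string "Outlook for iOS and Android"; confirm the exact string from step 1 before creating the rule.

```powershell
# Added example, not code from the article. Run as an Organization Management
# admin in the Exchange Management Shell (or a remote session to Exchange Online).
# Assumption: the rebadged Acompli app reports DeviceModel "Outlook for iOS and
# Android"; check the real value in step 1 before relying on it.

# 1. Discover how the app presents itself to Exchange ActiveSync. The
#    partnership belongs to the Acompli/AWS server acting for the handset,
#    so look at the model/agent strings rather than the device OS.
Get-MobileDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceUserAgent, FirstSyncTime |
    Sort-Object DeviceType, DeviceModel |
    Format-Table -AutoSize

# 2. Create an org-wide rule that blocks every partnership whose DeviceModel
#    matches. AccessLevel Quarantine is the alternative if you would rather
#    review each partnership before deciding.
New-ActiveSyncDeviceAccessRule -QueryString "Outlook for iOS and Android" `
    -Characteristic DeviceModel -AccessLevel Block

# 3. Confirm the rule and check the resulting access state per partnership.
#    DeviceAccessState should read Blocked once the app next connects.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, QueryString, Characteristic, AccessLevel -AutoSize

Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -like "Outlook*" } |
    ForEach-Object {
        Get-MobileDeviceStatistics -Identity $_.Identity |
            Select-Object DeviceModel, DeviceAccessState, DeviceAccessStateReason, LastSuccessSync
    }
```

The rule is evaluated when the partnership next syncs, and because the sync request comes from the Acompli servers rather than from the handset, the step 3 check is the only reliable confirmation that the block has taken effect.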

The new apps do not even respect Exchange ActiveSync policies – presumably hard to enforce given the architecture described above – though Microsoft’s AllenFilush says:

Outlook is wired up to work with Active Sync policies, but it currently only supports Remote Wipe (a selective wipe of the corporate data, not a device wipe). We will be adding full support for EAS policies like PIN lock soon.

However a user remarks:

Also, I have set up a test account and performed a remote wipe, and nothing happened. I also removed the mobile device partnership later and was still able to send and receive emails.

The inability to enforce a PIN lock means that if a device is stolen, the recipient might be able simply to turn on the device and read the corporate email.

The disappointment here is that Microsoft held to a higher standard for security and compliance than its competitors, more perhaps than some realise, with things like BitLocker encryption built into Surface and Windows Phone devices.

Now the company seems willing to throw that reputation away for the sake of getting a consumer-friendly mobile app out of the door quickly. Worse still, it has been left to the community to identify and publicise the problems, leaving admins now racing to put the necessary blocks in place. If Microsoft was determined to do this, it should at least have forewarned administrators so that corporate data could be protected.

One thought on “Microsoft risks enterprise credibility by pushing out insecure mobile Outlook”

  1. Agree it’s a risk. OTOH, enterprises may feel some relief that MS will address those shortcomings over time, whereas the original purveyors likely wouldn’t have.
