Deleting data from the remote location does not seem to work

Jan 30, 2015 13:49 GMT

A software developer has analyzed how the newly released Microsoft Outlook for iOS functions and discovered that it does not align with security best practices, presenting a serious risk if used for company email communication.

The potential danger lurks regardless of the email server used for managing the messages and it may lead to leaking business information.

Business email credentials are stored in the cloud

Head developer René Winkelmeyer at Germany-based midpoints GmbH highlighted various weak points, the worst of them being that Microsoft stores email account credentials in its cloud in order to provide push notifications.

These alerts are generally delivered via a remote server not associated with the company, meaning that the service must have access to the email content in order to accomplish the feat.

Winkelmeyer ran a few tests on his iOS device and found that push notifications were coming in for his company email even with the app removed from the list of active devices.

This means that a central service uses his email account credentials to monitor the ActiveSync account and check for new content, such as emails or business agenda items.

He noticed “frequent scanning from an AWS IP to my mail account. Means Microsoft stores my personal credentials and server data […] somewhere in the cloud,” Winkelmeyer wrote in a blog post on Thursday.

On December 1, 2014, Microsoft purchased Acompli, a provider of mobile email apps, whose product was rebranded as the Outlook app for iOS.

According to a privacy policy on Acompli’s website, last updated this Wednesday, the “service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device.”

More than this, “the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device.”

All this data may be stored temporarily on their servers, the policy says, adding that with some email accounts, those that do not use OAuth, the access credentials, along with the server URL and server domain, are required and stored on their infrastructure.

One user ID to rule over all devices, sharing via cloud storage services

Apart from this security failure, Winkelmeyer also points to the possibility of connecting the app to cloud storage services such as OneDrive, Dropbox and Google Drive.

The threat posed by this would be that a user could link their personal cloud storage to the Outlook app used for business and would be able to share files between the two services, thus exposing the company to unnecessary risks.

Another “security nightmare” shown by the developer is that the Outlook iOS app uses a single ID on all of a user's devices, preventing proper device management practices.

Basically, if the client is installed on multiple mobile terminals, it would appear as if only one is used. The risk is that some of them may be for personal usage and administrators cannot rely on device approval policies to maintain security levels for company data.

Harald Gaerttner, an IBM Domino admin, said in a comment on Winkelmeyer's post that trying to delete the data stored on the device and the remote server resulted in failure and he could still access the account based on the username and password, suggesting that the information is cached in a different location.
