After buying Acompli late last year, Microsoft didn't take long to rebrand the mobile email app as Outlook and launch Android and iOS versions. But it seems that in the rush to get the app out the door, Microsoft failed to ensure that it was suitably secure.
In fact, IBM developer René Winkelmeyer suggests that enterprise users stop using the app immediately. He was shocked to discover a trio of security issues in the mobile version of Outlook. Perhaps the most worrying discovery is that users' mail credentials are stored server-side, in the cloud, rather than only on the device -- username and password included.
Winkelmeyer made the discovery after disabling the app and sending himself an email from a second test account. Despite having stopped the app, he received a push notification letting him know of the new email. A phone with the app closed cannot have checked the mailbox itself, so something else holding his credentials must have done so. Investigating further by looking at his mail server logs, Winkelmeyer found that his mail account was being polled from an Amazon Web Services (AWS) IP address without his permission.
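One way to reproduce the server-side check described above, as an added example that is not from the article or from Winkelmeyer: parse IMAP login lines from the mail server log and flag any session whose remote IP falls inside a cloud provider's published address ranges. The log lines and the CIDR list below are constructed for the example (the Dovecot "imap-login" line format is assumed; in practice the prefixes would be loaded from AWS's ip-ranges.json download).

```python
"""Flag mailbox logins that originate from cloud-provider address ranges.

Added example, not code from the article. Assumes Dovecot-style
"imap-login: Login:" lines; both the log and the CIDR list are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample CIDRs standing in for a cloud provider's ranges.
# A real run would load the "prefixes" from
# https://ip-ranges.amazonaws.com/ip-ranges.json instead.
CLOUD_RANGES = [
    ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")
]

# Constructed Dovecot-style login lines: two users, some logins from a
# home/office address (192.0.2.x), some from the "cloud" ranges above.
SAMPLE_LOG = """\
Feb  1 08:01:12 mail dovecot: imap-login: Login: user=<rene@example.org>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, TLS
Feb  1 08:03:45 mail dovecot: imap-login: Login: user=<rene@example.org>, method=PLAIN, rip=203.0.113.77, lip=10.0.0.5, TLS
Feb  1 08:03:46 mail dovecot: imap-login: Login: user=<rene@example.org>, method=PLAIN, rip=203.0.113.78, lip=10.0.0.5, TLS
Feb  1 08:10:02 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.44, lip=10.0.0.5, TLS
Feb  1 08:12:30 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5, TLS
"""

# "rip" is Dovecot's remote (client) IP; "lip" is the local listener IP.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def is_cloud_ip(ip_str, ranges=CLOUD_RANGES):
    """True if ip_str parses as an address inside one of the given networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed field: never treat garbage as a hit
    return any(ip in net for net in ranges)


def find_cloud_logins(log_text, ranges=CLOUD_RANGES):
    """Return {user: [remote_ip, ...]} for every login from the given ranges."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login event (or a different log format)
        if is_cloud_ip(m["rip"], ranges):
            hits[m["user"]].append(m["rip"])
    return dict(hits)


def main():
    for user, ips in find_cloud_logins(SAMPLE_LOG).items():
        uniq = ", ".join(sorted(set(ips)))
        print(f"{user}: {len(ips)} login(s) from cloud ranges: {uniq}")


if __name__ == "__main__":
    main()
```

A hit is evidence, not proof: a user whose VPN egresses from a cloud address, or a legitimate mail-sync service the company has sanctioned, produces the same pattern. What made Winkelmeyer's observation conclusive was the combination of a cloud source address with the app closed on the only device that held the password.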
Security concerns also surround the fact that Outlook has built-in connectors to OneDrive, Dropbox and Google Drive to allow for easy attachment of files stored in any of these cloud services. But the same connectors also let a user push incoming email attachments out to those services, moving company data into a personal Dropbox or Google Drive account with a couple of taps -- something that will greatly concern businesses. Malware, anyone?
Completing the trio of security concerns is the fact that the iOS Outlook app does not differentiate between multiple devices used by an individual. You might install the app on an iPhone, an iPad, and an iPad mini -- the same ID will be used each time. Since that ID is what a mail administrator sees, one of those devices cannot be singled out from the others, which is exactly what per-device blocking or wiping depends on.
The advice from Winkelmeyer at this stage is simple:
The only advice I can give you at this stage is: block the app from accessing your company's mail servers. And inform your users that they shouldn't use the app.
It is the storage of user credentials that is particularly concerning, but the sheer number of issues that have been highlighted will make many people think twice about using the app -- Winkelmeyer does have some tips, however. What's interesting is that while the Android version of Outlook is listed as a preview, the same tag has not been applied to the iOS version.
Photo credit: gst / Shutterstock