Microsoft Outlook for iOS: Is Security a Problem?
UPDATE January 30th, 2015: A few more posts have been written about this same issue, discussing whether the panic is really warranted or not. Interesting reading.
So today, Twitter went crazy announcing that Microsoft had released Microsoft Outlook for iOS, which is a re-badged version of the Acompli mail client that they acquired. The acquisition was reported to be worth more than $200 million, so it should be a great application.
I, like most people, downloaded the App to play with and have to say I like it. It works really well, and I like the “PUSH” notifications, but then again, how do they work? Have you ever wondered that?
“PUSH” Notifications require a fairly complex back end system to work.
To understand this better: an application written for iOS needs to tell the operating system that it wants to receive notifications. The operating system contacts Apple’s servers and obtains a “device token” that uniquely identifies the device the custom application is running on. That device token is what the custom application’s own servers use to address push notifications to the device.
The device token is passed along with the actual push notification to Apple’s servers, and Apple’s servers then deliver the notification to the device, hopefully the one you’re on.
There are in fact a few providers you can use to send notifications to a device; a very cool one is Urban Airship. Whatever vendor you use, you still need to register everything with Apple and your Developer account to make it work. In a normal application like this, notifications are triggered by a remote server that decides “send notification to Liam” based on some logic.
So back to the Microsoft Outlook for iOS application. Thanks to Marc Anderson, who pointed me to this guy’s post today, which outlined a few security issues he was seeing: even after he removed the App he was still getting iOS notifications.
Thinking that through, it means that something between the mail server and the device is still able to see new emails coming in and send notifications for them.
I also tested it but did NOT get the same thing happening for me; I chose to use an Exchange 2013 environment. As soon as I removed the App and sent test emails to myself, I got NO notifications anymore.
I have been unable to reproduce the same issue, however that does not mean that this does not happen.
The thing that is very interesting, though, is the wording called out in the Acompli Privacy Statement.
“We provide a service that indexes and accelerates delivery of your email to your device. That means that our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app.”
So some very interesting wording; however, we need to read a little deeper. The most intriguing lines for me are found in the last section:
“If you decide to sign up to use the service, you will need to create an account. That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password.”
So before you go and uninstall it and go crazy, let’s just think about what it actually says. Before deciding to use any mobile application on any device, these privacy statements should be read and picked apart. As with any application we use to access email, we need to do a better job of checking what we actually sign up for before moving forward.
That does not change the issue called out in the post, of the accounts being saved and used, so maybe that is one for Microsoft to look at and address.
Now, for you paranoid Administrators, you can use the PowerShell from the last comment on that post, which simply tells Exchange to block the app by matching the DeviceModel characteristic reported by the client against the query string “Outlook for iOS and Android”:
New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceModel -QueryString "Outlook for iOS and Android"
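As an added example that is not part of the original post or its comments, the script below wraps that one-liner with the checks an administrator would want first: it lists the existing partnerships that report that DeviceModel (the users who will lose mobile mail), avoids creating a duplicate rule, and then confirms the rule and the resulting device access state. It assumes an Exchange 2013 Management Shell session like the environment mentioned above; the variable names are my own.

```powershell
# Added example: block the "Outlook for iOS and Android" ActiveSync client
# organisation-wide and show which partnerships it affects.
# Assumes an Exchange 2013 Management Shell session (Get-MobileDevice,
# Get-/New-ActiveSyncDeviceAccessRule are Exchange cmdlets).
$QueryString = 'Outlook for iOS and Android'

# 1. Blast radius first: which users currently sync through a device that
#    identifies itself with this DeviceModel?
$affected = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $QueryString } |
    Select-Object UserDisplayName, DeviceId, DeviceAccessState, FirstSyncTime

if ($affected) {
    Write-Host "Partnerships matching DeviceModel '$QueryString':"
    $affected | Format-Table -AutoSize
} else {
    Write-Host "No existing partnerships report DeviceModel '$QueryString'."
}

# 2. Create the Block rule only if an equivalent one is not already defined,
#    rather than piling up duplicate rules for the same characteristic.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $QueryString }

if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceModel -QueryString $QueryString
} else {
    Write-Host "Rule already present with AccessLevel '$($existing.AccessLevel)'; not recreating."
}

# 3. Verify: show the rule, then re-read the matching devices. Partnerships
#    are re-evaluated against access rules when the device next syncs, so
#    DeviceAccessState may still read 'Allowed' until that happens.
Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.QueryString -eq $QueryString } |
    Format-List Name, Characteristic, QueryString, AccessLevel

Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $QueryString } |
    Format-Table UserDisplayName, DeviceAccessState, DeviceAccessStateReason -AutoSize
```

Note that this only controls the ActiveSync partnership on your Exchange server; it does nothing about credentials or mail the Acompli service may already hold, which is the point the post above raises.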