Outlook apps: Security concerns and Microsoft apathy

Rene Winkelmeyer was the first to detail the worrying and undocumented way the Outlook apps store your email account logins.

Normal programs and apps keep your login details (server, name, password, etc.) encrypted on the computer or device.  When needed, the name and password are sent directly to the mail host to make a connection and send or receive data.

The Microsoft Outlook apps are different.  Login details are saved to a different cloud server!  They store your login details on a remote server (currently an Amazon server but that will change to the Microsoft cloud) which then checks your mail host for new messages!  It’s incredible, after all Microsoft’s talk about security and privacy, that they would casually do such a thing.

This security breach doesn’t look like being fixed.  Among the promises for Outlook apps is “Moving Outlook’s cloud service from Amazon Web Service to Microsoft Azure”.  So it seems that login credentials will continue to be saved in the cloud, just Microsoft cloud instead.  That’s not an improvement, just a change of address and a cost saving for Microsoft.

Outlook iOS uses the same ActiveSync ID across all devices from the same user.  There’s no way for an administrator to be sure which device is being used.

There’s also trouble with the links to cloud file storage.  Outlook apps have links to cloud services like OneDrive and Dropbox.  That means corporate users can easily, within the one app, save company attachments to their personal cloud storage.

For more details, read Rene Winkelmeyer’s blog post and his follow-up.

All this shows that Microsoft really doesn’t understand or care about customer security or privacy … unless they are caught.

After these embarrassing disclosures the company is saying:

“Over the coming weeks and months, we will deliver additional security and management features that matter to IT as well as user-focused features to help you get even more done while on the go.”

Buzzzt … wrong answer.  Security isn’t a bug fix or afterthought.  It’s vital development that’s supposed to be done BEFORE going public, even in a preview.  We’re not talking about obscure hacks, but fundamental security flaws in an enterprise-level product.

The fact that Microsoft bought the Acompli app with these security issues isn’t an excuse.  It was a reason why the company should have delayed the public preview until the app security was up to the supposed Microsoft standard.

About this author

Office-Watch.com
