Microsoft has released their iOS app “Outlook” today. And it will break your companies security for mobile PIM access in multiple ways! No matter if you’re a Microsoft Exchange or IBM Notes Traveler customer.

I cannot believe that Microsoft has done what they’ve done. Even as a non-Microsoft guy I would have expected that they obey the rules of common company security rules.

File sharing capabilities

The app has built-in connectors to OneDrive, Dropbox and Google Drive. That means a user can setup his personal account within the app and share all mail attachments using those services. Or use files from those services within his company mail account. That’s a data security nightmare.

It doesn’t matter if you’re using a containerized solution like the Apple built-in separation of managed and unmanaged apps. The same applies to every other container. The communication is app-internal and you cannot control that.

Shared Exchange ActiveSync ID and device type

It gets even more worse. Each ActiveSync client normally has a unique ID for data synchronization. That allows administrators to distinguish a users devices. Microsofts Outlook iOS apps doesn’t work that way. The app shares the same ID across all devices of a user. And it seems like one device!

That means: If a user installs the Outlook app on his iPhone and on his iPad it’s seen as one device. There’s no way to distinguish if it’s an iPad or an iPhone. Nada. Niente. Using device approval on Traveler won’t help. It connects as “one device” – and you cannot control that. That’s a security nightmare.

Microsoft has your credentials

Now to the worst part: Microsoft will get and store your mail account credentials in the cloud if you use the iOS Outlook app.

When I setup the app I’ve been asked if I want to receive push notifications. As a “regular” user I accepted (click, click, OK). As an iOS developer I was wondering why the app wants to send me push notifications. Push notifications are normally triggered by a remote server. So I ran a quick test:

I stopped the app (removed it from the list of active devices).

I sent myself from another account a test mail.

I immediately received a push notification about new mail.

That could not be true. Either Microsoft was doing some magic iOS stuff that I’m not aware of. Or they are using a central service, using my credentials, to monitor my ActiveSync account. So time for another test:

I put all my devices in airplane mode. So there could be no communication.

I opened the access_log of my Apache server (which sits in front of my Traveler server).

There it was!

54.148.96.196 – – [29/Jan/2015:16:19:50 +0100] “POST /traveler/Microsoft-Server-ActiveSync?User=mysupermail%40winkelmeyer.com&DeviceId=123123123123&DeviceType=Outlook&Cmd=Sync HTTP/1.1” 200 25 “-” “Outlook-iOS-Android/1.0”

What I saw was breathtaking. A frequent scanning from an AWS IP to my mail account. Means Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud! They haven’t asked me. They just scan. So they have in theory full access to my PIM data.

Block them – NOW

The only advice I can give you at this stage is: block the app from accessing your companies mail servers. And inform your users that they shouldn’t use the app.

If you have a reverse proxy in front of your IBM Notes Traveler (or Exchange) server you can use a partial check on the HTTP User-Agent and block everything that contains “Outlook-iOS-Android”.

If you don’t have reverse proxy in front of IBM Notes Traveler you can use the Traveler settings to disallow this device type (i. e. using the notes.ini parameter “NTS_USER_AGENT_ALLOWED_REGEX”). You’ll find a detailed documentation how to handle this in the IBM Knowledge Center.

Or use our product midpoints traveler.rules which accomplishes the same (and more).

Update

It’s even worse (thanks @shadowBJ21 for pointing me to that). For those who don’t now: Microsoft has bought Acompli some time ago and “re-branded” their app to this new Outlook app.

https://www.acompli.com/privacy-policy/Last Updated: January 28, 2015

“We provide a service that indexes and accelerates delivery of your email to your device. That means that our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device.Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app.”

”If you decide to sign up to use the service, you will need to create an account. That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password.”

Update 2

Here’s a follow-up blog post.