Monday, February 2, 2015

Outlook for Android and iOS

A lot of sites are now reporting on the insecurity of the Outlook application, which appeared on January 29th in the Apple App Store (Warning – Microsofts Outlook app for iOS breaks your company security, and Microsoft Wants to Improve Your Mobile Email Experience with the New Outlook for iOS and Android). This is the same application (some rebranding has been done) as the Acompli app, which has now been purchased by Microsoft.

What is the problem with this app?
It is a good app. It looks very neat, but to do what it does it needs a little something from you, and it will store this information on servers in the cloud (now at AWS, but soon Microsoft Azure).
What is this information it needs? Your username and password.
What does it do with this information? It starts downloading your entire mailbox and caches it in the cloud.
Why is this a problem? For a private person, not so much. You probably share all the information on Facebook, Twitter etc. anyway, and don't have secrets in your mail which other organizations or agencies are interested in. But for companies this might be a large issue. They usually have something set up which is referred to as a company security policy. This policy mostly states the following items:

  • Device must have a pincode or password
  • Device must be encrypted
  • In case of loss the device must be wiped
  • etc.

None of these things are possible with the new app. From an app it is NOT possible to set device settings such as encryption and passwords. A wipe is also not possible (in some cases the mailbox is reported to be removed).

What to do now?
Block the application from entering your network. If possible, do this on your firewall with a User-Agent filter.
Filter for the following user agents:

  • Outlook-iOS-Android
  • Outlook for iOS and Android

Exchange (Exchange 2010 and Higher)
You can also add a rule on your Exchange server which will block access to the mail environment:
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block
Block or Quarantine the Outlook for iOS and Android App in Exchange Server and Office 365
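
To see which accounts have already connected with the app, the two strings listed above can be searched for in the IIS logs of the server that publishes ActiveSync. The script below is an added example, not part of the original post; it assumes W3C extended logging with the cs-username, c-ip, cs(User-Agent) and sc-status fields enabled, and the sample log lines are constructed.

```python
"""Find accounts that reached Exchange with the Outlook app's User-Agent."""
from collections import defaultdict

# The two strings listed in the post, lower-cased for matching.
BLOCKED_AGENTS = ("outlook-ios-android", "outlook for ios and android")


def find_outlook_app_users(log_text):
    """Return {username: {"hits": int, "ips": set, "statuses": set}}."""
    fields = []
    found = defaultdict(lambda: {"hits": 0, "ips": set(), "statuses": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column layout can change mid-file; always use the latest header.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record
        row = dict(zip(fields, values))
        # IIS writes spaces inside a field as '+', so undo that before matching.
        agent = row.get("cs(User-Agent)", "-").replace("+", " ").lower()
        if not any(marker in agent for marker in BLOCKED_AGENTS):
            continue
        entry = found[row.get("cs-username", "-").lower()]
        entry["hits"] += 1
        entry["ips"].add(row.get("c-ip", "-"))
        entry["statuses"].add(row.get("sc-status", "-"))
    return dict(found)


# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2015-02-02 08:01:11 POST /Microsoft-Server-ActiveSync CONTOSO\\alice 203.0.113.10 Outlook-iOS-Android/1.0 200
2015-02-02 08:01:15 POST /Microsoft-Server-ActiveSync CONTOSO\\bob 198.51.100.7 Apple-iPhone6C2/1202.466 200
2015-02-02 08:02:40 POST /Microsoft-Server-ActiveSync CONTOSO\\Alice 203.0.113.11 Outlook+for+iOS+and+Android 403
2015-02-02 08:03:02 OPTIONS /Microsoft-Server-ActiveSync CONTOSO\\carol 203.0.113.10 Outlook-iOS-Android/1.0 200
"""

if __name__ == "__main__":
    for user, info in sorted(find_outlook_app_users(SAMPLE_LOG).items()):
        print(user, info["hits"], sorted(info["ips"]), sorted(info["statuses"]))
```

The source addresses reported will be those of the app's cloud service rather than the users' phones, since the mailbox is fetched from the cloud as described above.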

Microsoft is busy with this application, updating and modifying it, so it is important to keep an eye on the changes which will occur in this application.
I do think that the application has a lot of potential and is a way to go, but first some issues have to be resolved. For now: "Hands Off".