Outlook for iOS and Email Security

February 02, 2015 by Gabe

I had completely forgotten that one of the reasons I avoided Acompli (the iOS app that Microsoft re-branded as Outlook) was how they managed email remotely.

Here's a recent Register article that describes the issue.

Rene Winkelmeyer breaks down the entire thing and is the source for the Register article:

“What I saw was breathtaking. A frequent scanning from an AWS IP to my mail account. Means Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud! They haven’t asked me. They just scan. So they have in theory full access to my PIM data.”

Here's Rene's update which elaborates a bit more:

“The post wasn’t a shout-out about Microsoft Exchange. All services/servers that are using ActiveSync as their protocol are affected. That includes IBM Notes Traveler and loads of other server implementations. For the sake of simplicity I’m referring in this post as ‘ActiveSync servers’ to them.”

It depends on where you work, but I think it would be a violation of the security policy of many companies to allow employees to route email to a third party server. I also think it is probably against many policies to share login credentials with a third party. I have no idea if this might count as "disclosure" of confidential information but I certainly don't want to find out the hard way.

Microsoft is a big company with a lot to lose if they blow it. But they've blown it before and I'm not sure they learn their lessons quickly.

It's probably worth checking with your legal and IT security groups, but be prepared to be eviscerated.