nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

back to article
Privacy alert: Outlook for iOS does security STUPIDLY, says dev

Silver badge

It's madness I tell thee

This thing hoovers your email using AWS (not Azure) from your corporate email account. "Temporarily" stores it in the cloud and then trickles it down to your phone.

What could possibly go wrong?

11
0

This post has been deleted by its author

Silver badge

Re: It's madness I tell thee

There's nothing particularly new here.

Before BB10, BlackBerries bought as personal phones would be plumbed into RIM's BlackBerry Internet Services (BIS). This did something very similar; it would retrieve email from your email provider on your behalf, and send a push notification out to your phone when something turned up. It was reliable, saved a ton of battery power (your phone didn't have to do anything for itself), and it was very fast too.

Differences? Well, it was BlackBerry's own servers doing it (not someone else's), I don't recall there ever being any problem with BIS retaining credentials beyond my expectations, and BlackBerry seem not to want to trawl through all your stuff looking for advertising data (which I considered to be a very appealing aspect of that service).

1
0
Anonymous Coward

Sponsored by the NSA, perhaps?

Or is this just too obvious?

8
2

Re: Sponsored by the NSA, perhaps?

Yup. I suspected the same thing. NSA has been undermining encryption standards as long as they have been in existence.

2
0

Nice idea (the app itself) ruined by yet again piss poor implementation and over specification.

1
0
Silver badge

/agree

Yep the app was pretty nice and made email easier to read than the iOS mail native app imho. That said it will be quite some time before I put back it on my phone. Would have become my daily email client too. Microsoft's incompetence these days is breathtaking.

1
0
Silver badge

Re: /agree

I take it you've changed your password too? It's probably still floating around up there.

0
0

This post has been deleted by its author

Silver badge

::giggles::

The Nintendo generatiion writing software for the iFad generation.

What could possibly go wrong?

6
9

Well done Rene Winkelwyer

Thanks for publishing.

3
0
Bronze badge

Irrelevant when you use Office365

Since your creds are already in the cloud on O365, the point is moot. HOWEVER, for those with on-site Exchange servers, yeah, that's somewhat of a worry. Naughty MS, naughty.

5
3

Re: Irrelevant when you use Office365

Hmmmm...{muses} so do all the e-mails get sucked from O365 --> AWS --> iPhone/Android etc or does the app do a traditional "Exchangey" kind of connection direct to O365if it senses (via autodiscovery) an O365 hosted account?

And another thing!!! How can they expect us to buy in to Azure et al if they don't appear to use it themselves?

2
0
LDS
Silver badge

Re: Irrelevant when you use Office365

There's a big difference in storing the credential to access a service you offer (say O365 own mail), and to access someone else one.

In the former case, credential can be stored (hoepfully) in a far safer way (multiple hash, salt, etc.). In the latter, they have to be stored using reversible encryption, because of the need to submit them to the third party service... and that's a far bigger risk.

2
0

Re: Irrelevant when you use Office365

Yeah, no. If you use O365 you can bypass any MDM implementation with this app because it permits you to save to Dropbox instead of keeping corporate data in their dedicated cloud.

0
0
Anonymous Coward

Re: Irrelevant when you use Office365

You use O365, and want to keep corporate data within something you control?

Good luck with that.

2
0
Anonymous Coward

Re: Irrelevant when you use Office365

"Since your creds are already in the cloud on O365, the point is moot."

Not if you're doing O365 properly, using an onsite ADFS server. Your creds are not stored in the O365 cloud.

1
0
Anonymous Coward

Re: Irrelevant when you use Office365

"If you use O365 you can bypass any MDM implementation with this app because it permits you to save to Dropbox instead of keeping corporate data in their dedicated cloud."

Not an issue - O365 can use encryption to stop this. If you saved Rights Management controlled documents to DropBox then you would not be able to access them without the permission and decryption keys that permitted it. See http://products.office.com/en-us/business/microsoft-azure-rights-management

0
0
Gold badge

Man-in-the-middle servers?

I might be a bit uneducated on things, by why does the app need a separate server to fetch the email from your mail-server and then serve it to the phone?

My current (non Outlook/non exchange) setup has the app directly connect by IMAP to the mail-server and handles push notifications without polling. What is wrong with that solution?

5
0
LDS
Silver badge

Re: Man-in-the-middle servers?

It's they can't "index" your email otherwise. Face it - all these services are designed to "index" (aka read and classify information) from evey piece of your personal data. Why some web email services (GMail & C.) prompts you to read "all your accounts emails from a single inbox"? Exactly for the same reason - access all your emails. Accompli just moved this model to a local application by exploiting a "proxy" server reading all your email before delivering them to you. Useless - but hey! - it works [probably] on HTTP - which you know, it's the only protocol you should use (and the only protocol most actual developers look to know...), why use those outdate protocols like IMAP4 designed to read emails without any man in the middle?

PS: IMAP4 handles push notification if the IDLE command is supported by both parties, otherwise it has to poll.

4
1
Silver badge

Probably a combined problem

Ignoring the obvious possibility that they use the man-in-the-middle server to exploit the data of their users, there are other ways to explain this.

Modern app developers, and you can assume that most of them are new to programming, go by the design pattern they are used to. And those include using an external server accessed via HTTP/Websockets, instead of doing local computation. They have been taught that local computation is slow and battery draining, so they do remote computation which requires data communications... which is slow and battery draining. Nobody does Profiling to see which way would be better in that situation. Furthermore they have never been taught in the ethical aspects of their trade, so they don't understand why it's a bad idea to more external components than necessary.

Then some mobile operating systems don't support "raw" sockets so you could do IMAPs. Windows Phone, for example, didn't support it on early versions. Plus there may be a certain irrational believe that using raw sockets is somehow bad, and you should have a layer in between.

Now if you actually control that server in the middle, the concept may actually even make sense. Done right, you can avoid having to store e-mail on your mobile device, which means that it'll be secure against theft. A server is much easier to secure than a mobile device since you can literally guard it from physical access by your attackers, and you can reach a far higher level of FOSS on your server.

2
0
Anonymous Coward

Not fit for use….

The Android version is even worse. It completely ignores any Exchange sent policies, such as PIN.

Avoid like the proverbial plague

4
2

Re: Not fit for use….

I disagree, since Exchange 2010 (Even prior to SP1), this has worked with all our Android handsets flawlessly.

0
0
Silver badge

Re: Not fit for use….

The problem is the Outlook client, née Accompli. It was just given a lick of paint and plonked into the App Store, which is why it's not using Azure or Office 365 credentials. So much for Microsoft saying privacy comes first.

0
0

The Dash for cash

They want to compete with Google mail don't forget and nicking all mails sounds far better.

1
1
Silver badge

Who cares, it's all been back-doored by GCHQ/NSA anyway

2
4
Silver badge

Try Inbox Pro

iOS users could do worse than use the app called Inbox Pro, Outlook Edition. It's still pretty insecure, but at least it doesn't hoover up all your mail into the cloud.

0
2

Fate Acompli…?

Sorry. It's been "one of them days" already, an' it ain't even dinnertime…

2
0
Silver badge

Re: Fate Acompli…?

From the previous article at http://www.theregister.co.uk/2015/01/29/microsoft_outlook_comes_to_ios_and_android/

"former Acompli CEO Javier Soltero is now Outlook general manager at Microsoft."

2
0

Don't use this for work...

You shouldn't be putting your work password into anything not specifically authorised for work use, whether a device, app or website...

Also goes for LinkedIn stupid apps.

6
0
Anonymous Coward

Re: Don't use this for work...

I really wonder how many people actually understand this beyond hearing the words and assuming its another one of those edicts from which, through some contorted personal logic, they are excluded.

0
0
Anonymous Coward

A list of topics we don't want to see in this thread, because they've been done to death and totally discredited:

"If you've got nothing to hide, you've nothing to fear".

"Privacy is so last century, get over it".

"You're not a customer, you're the product".

"It's free, what do you expect".

"Our nation's security hinges on this. If we stop a single terrorist, it'll have been worth it".

"If these large corporations were really untrustworthy, surely they'd have been censured by now".

"Better Microsoft than ${other_company}".

9
0
Silver badge

"A list of topics we don't want to see in this thread, because they've been done to death and totally discredited:"

So why did you introduce them?

2
0

... and delete.... change password..... (again)

sigh......

0
0

Uninstall problem is due to Apple

Apple doesn't notify developers when an app is deleted and there is no explicit, positive & secure way of knowing if an app has been deleted. There is also zero trigger that tells the app that the user is deleting it, so it can't ask the user if cloud data should be deleted.

It's a fundamental iOS problem, not just for Accompli, but for everyone that stores data for users in a cloud back end. The net effect is that you never know if your app has been deleted or not, you can't tell if a user is deleting an app to re-install it and you don't really know what to do with user data when there is no communication with the app for a long time.

TL:DR, it's unfair to blame Accompi/MSFT for Apple's practices.

Also, it's unclear how Rene Winkelwyer expects 3rd party push to work without offline storing of user credentials. Blackberry does the same thing with BIS and no one is screaming about security in that context... Pretty much every push service (other than native IMAP push) requires some sort of buffer proxy to work properly, which in turn requires storing user credentials offline and they at least have to buffer the subject line + some preview text.

Seems like someone shouting fire who doesn't know much about either email transport or iOS limitations.

4
1
Silver badge
Thumb Up

Re: Uninstall problem is due to Apple

But, but, ... it's Microsoft! I was wondering what part of email push he didn't understand. I'm still trying to find something useful on a tablet that actually is secure (aside from Blackberry).

2
0
Silver badge

Re: Uninstall problem is due to Apple

The same is true for Android, Windows Phone, Windows and Mac.

You have to have a delete account menu option. Not too difficult.

1
0
Gold badge

I'm just amused

I'm just amused that, as much as Microsoft wants EVERYONE ELSE to use their cloud, that they are using AWS (Amazon Web Services) for their own product.

The poor security handling? That is just par for the course among some of these local/"cloud" hybrid services. Not that I condone it; far from it, I recommend not using "cloud" at all unless you know what it's doing with your information and especially security credentials. (To those who say this is OK and necessary -- no, it's obviously NOT necessary to keep your credentials when you've removed the app, or told it to delete your account.)

2
0

Surprise

For certain very small values of surprise.

2
0

Bullshit article

"Here's the critical policy extract"

Which describes how every mail server in the world works. Or maybe mail servers in Apple world work differently and Apple aficionados are not familiar with SMTP, POP and IMAP servers.

0
3
Anonymous Coward

Why would you EVER use Gmail as an email client?

Seriously, why would you EVER use Gmail as an email client for corporate use? There are similar security issues.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing