back to article Privacy alert: Outlook for iOS does security STUPIDLY, says dev

Big Blue boffin Rene Winkelmeyer has taken aim at Microsoft's iOS Outlook app, launched overnight, claiming it stores credentials in the cloud potentially even after delete requests, and does not observe known good security practices. The spray against the House That Bill Built followed an examination into the way the app …

  1. Anonymous Coward
    Anonymous Coward

    It's madness I tell thee

    This thing hoovers your email using AWS (not Azure) from your corporate email account. "Temporarily" stores it in the cloud and then trickles it down to your phone.

    What could possibly go wrong?

    1. This post has been deleted by its author

    2. bazza Silver badge

      Re: It's madness I tell thee

      There's nothing particularly new here.

      Before BB10, BlackBerries bought as personal phones would be plumbed into RIM's BlackBerry Internet Services (BIS). This did something very similar; it would retrieve email from your email provider on your behalf, and send a push notification out to your phone when something turned up. It was reliable, saved a ton of battery power (your phone didn't have to do anything for itself), and it was very fast too.

      Differences? Well, it was BlackBerry's own servers doing it (not someone else's), I don't recall there ever being any problem with BIS retaining credentials beyond my expectations, and BlackBerry seem not to want to trawl through all your stuff looking for advertising data (which I considered to be a very appealing aspect of that service).

  2. Anonymous Coward
    Anonymous Coward

    Sponsored by the NSA, perhaps?

    Or is this just too obvious?

    1. NoneSuch Silver badge

      Re: Sponsored by the NSA, perhaps?

      Yup. I suspected the same thing. NSA has been undermining encryption standards as long as they have been in existence.

  3. depicus

    Nice idea (the app itself) ruined by yet again piss poor implementation and over specification.

    1. asdf

      /agree

      Yep the app was pretty nice and made email easier to read than the iOS mail native app imho. That said it will be quite some time before I put back it on my phone. Would have become my daily email client too. Microsoft's incompetence these days is breathtaking.

      1. Dan 55 Silver badge

        Re: /agree

        I take it you've changed your password too? It's probably still floating around up there.

        1. This post has been deleted by its author

  4. jake Silver badge

    ::giggles::

    The Nintendo generatiion writing software for the iFad generation.

    What could possibly go wrong?

  5. Alan_Peery

    Well done Rene Winkelwyer

    Thanks for publishing.

  6. anothercynic Silver badge

    Irrelevant when you use Office365

    Since your creds are already in the cloud on O365, the point is moot. HOWEVER, for those with on-site Exchange servers, yeah, that's somewhat of a worry. Naughty MS, naughty.

    1. Christopher Lane

      Re: Irrelevant when you use Office365

      Hmmmm...{muses} so do all the e-mails get sucked from O365 --> AWS --> iPhone/Android etc or does the app do a traditional "Exchangey" kind of connection direct to O365if it senses (via autodiscovery) an O365 hosted account?

      And another thing!!! How can they expect us to buy in to Azure et al if they don't appear to use it themselves?

    2. Anonymous Coward
      Anonymous Coward

      Re: Irrelevant when you use Office365

      There's a big difference in storing the credential to access a service you offer (say O365 own mail), and to access someone else one.

      In the former case, credential can be stored (hoepfully) in a far safer way (multiple hash, salt, etc.). In the latter, they have to be stored using reversible encryption, because of the need to submit them to the third party service... and that's a far bigger risk.

    3. dieselbug

      Re: Irrelevant when you use Office365

      Yeah, no. If you use O365 you can bypass any MDM implementation with this app because it permits you to save to Dropbox instead of keeping corporate data in their dedicated cloud.

      1. Anonymous Coward
        Anonymous Coward

        Re: Irrelevant when you use Office365

        You use O365, and want to keep corporate data within something you control?

        Good luck with that.

      2. Anonymous Coward
        Anonymous Coward

        Re: Irrelevant when you use Office365

        "If you use O365 you can bypass any MDM implementation with this app because it permits you to save to Dropbox instead of keeping corporate data in their dedicated cloud."

        Not an issue - O365 can use encryption to stop this. If you saved Rights Management controlled documents to DropBox then you would not be able to access them without the permission and decryption keys that permitted it. See http://products.office.com/en-us/business/microsoft-azure-rights-management

    4. Anonymous Coward
      Anonymous Coward

      Re: Irrelevant when you use Office365

      "Since your creds are already in the cloud on O365, the point is moot."

      Not if you're doing O365 properly, using an onsite ADFS server. Your creds are not stored in the O365 cloud.

  7. BristolBachelor Gold badge

    Man-in-the-middle servers?

    I might be a bit uneducated on things, by why does the app need a separate server to fetch the email from your mail-server and then serve it to the phone?

    My current (non Outlook/non exchange) setup has the app directly connect by IMAP to the mail-server and handles push notifications without polling. What is wrong with that solution?

    1. Anonymous Coward
      Anonymous Coward

      Re: Man-in-the-middle servers?

      It's they can't "index" your email otherwise. Face it - all these services are designed to "index" (aka read and classify information) from evey piece of your personal data. Why some web email services (GMail & C.) prompts you to read "all your accounts emails from a single inbox"? Exactly for the same reason - access all your emails. Accompli just moved this model to a local application by exploiting a "proxy" server reading all your email before delivering them to you. Useless - but hey! - it works [probably] on HTTP - which you know, it's the only protocol you should use (and the only protocol most actual developers look to know...), why use those outdate protocols like IMAP4 designed to read emails without any man in the middle?

      PS: IMAP4 handles push notification if the IDLE command is supported by both parties, otherwise it has to poll.

    2. Christian Berger

      Probably a combined problem

      Ignoring the obvious possibility that they use the man-in-the-middle server to exploit the data of their users, there are other ways to explain this.

      Modern app developers, and you can assume that most of them are new to programming, go by the design pattern they are used to. And those include using an external server accessed via HTTP/Websockets, instead of doing local computation. They have been taught that local computation is slow and battery draining, so they do remote computation which requires data communications... which is slow and battery draining. Nobody does Profiling to see which way would be better in that situation. Furthermore they have never been taught in the ethical aspects of their trade, so they don't understand why it's a bad idea to more external components than necessary.

      Then some mobile operating systems don't support "raw" sockets so you could do IMAPs. Windows Phone, for example, didn't support it on early versions. Plus there may be a certain irrational believe that using raw sockets is somehow bad, and you should have a layer in between.

      Now if you actually control that server in the middle, the concept may actually even make sense. Done right, you can avoid having to store e-mail on your mobile device, which means that it'll be secure against theft. A server is much easier to secure than a mobile device since you can literally guard it from physical access by your attackers, and you can reach a far higher level of FOSS on your server.

  8. Anonymous Coward
    Anonymous Coward

    Not fit for use….

    The Android version is even worse. It completely ignores any Exchange sent policies, such as PIN.

    Avoid like the proverbial plague

    1. Adam JC

      Re: Not fit for use….

      I disagree, since Exchange 2010 (Even prior to SP1), this has worked with all our Android handsets flawlessly.

      1. Dan 55 Silver badge

        Re: Not fit for use….

        The problem is the Outlook client, née Accompli. It was just given a lick of paint and plonked into the App Store, which is why it's not using Azure or Office 365 credentials. So much for Microsoft saying privacy comes first.

  9. Alan Denman

    The Dash for cash

    They want to compete with Google mail don't forget and nicking all mails sounds far better.

  10. Anonymous Coward
    Anonymous Coward

    Who cares, it's all been back-doored by GCHQ/NSA anyway

  11. Buzzword

    Try Inbox Pro

    iOS users could do worse than use the app called Inbox Pro, Outlook Edition. It's still pretty insecure, but at least it doesn't hoover up all your mail into the cloud.

  12. Sarah Balfour

    Fate Acompli…?

    Sorry. It's been "one of them days" already, an' it ain't even dinnertime…

    1. Doctor Syntax Silver badge

      Re: Fate Acompli…?

      From the previous article at http://www.theregister.co.uk/2015/01/29/microsoft_outlook_comes_to_ios_and_android/

      "former Acompli CEO Javier Soltero is now Outlook general manager at Microsoft."

  13. Ben Liddicott

    Don't use this for work...

    You shouldn't be putting your work password into anything not specifically authorised for work use, whether a device, app or website...

    Also goes for LinkedIn stupid apps.

    1. Anonymous Coward
      Anonymous Coward

      Re: Don't use this for work...

      I really wonder how many people actually understand this beyond hearing the words and assuming its another one of those edicts from which, through some contorted personal logic, they are excluded.

  14. Anonymous Coward
    Anonymous Coward

    A list of topics we don't want to see in this thread, because they've been done to death and totally discredited:

    "If you've got nothing to hide, you've nothing to fear".

    "Privacy is so last century, get over it".

    "You're not a customer, you're the product".

    "It's free, what do you expect".

    "Our nation's security hinges on this. If we stop a single terrorist, it'll have been worth it".

    "If these large corporations were really untrustworthy, surely they'd have been censured by now".

    "Better Microsoft than ${other_company}".

    1. Doctor Syntax Silver badge

      "A list of topics we don't want to see in this thread, because they've been done to death and totally discredited:"

      So why did you introduce them?

  15. Arsey-grump

    ... and delete.... change password..... (again)

    sigh......

  16. ckm5

    Uninstall problem is due to Apple

    Apple doesn't notify developers when an app is deleted and there is no explicit, positive & secure way of knowing if an app has been deleted. There is also zero trigger that tells the app that the user is deleting it, so it can't ask the user if cloud data should be deleted.

    It's a fundamental iOS problem, not just for Accompli, but for everyone that stores data for users in a cloud back end. The net effect is that you never know if your app has been deleted or not, you can't tell if a user is deleting an app to re-install it and you don't really know what to do with user data when there is no communication with the app for a long time.

    TL:DR, it's unfair to blame Accompi/MSFT for Apple's practices.

    Also, it's unclear how Rene Winkelwyer expects 3rd party push to work without offline storing of user credentials. Blackberry does the same thing with BIS and no one is screaming about security in that context... Pretty much every push service (other than native IMAP push) requires some sort of buffer proxy to work properly, which in turn requires storing user credentials offline and they at least have to buffer the subject line + some preview text.

    Seems like someone shouting fire who doesn't know much about either email transport or iOS limitations.

    1. Anonymous Coward
      Thumb Up

      Re: Uninstall problem is due to Apple

      But, but, ... it's Microsoft! I was wondering what part of email push he didn't understand. I'm still trying to find something useful on a tablet that actually is secure (aside from Blackberry).

    2. Dan 55 Silver badge

      Re: Uninstall problem is due to Apple

      The same is true for Android, Windows Phone, Windows and Mac.

      You have to have a delete account menu option. Not too difficult.

  17. Henry Wertz 1 Gold badge

    I'm just amused

    I'm just amused that, as much as Microsoft wants EVERYONE ELSE to use their cloud, that they are using AWS (Amazon Web Services) for their own product.

    The poor security handling? That is just par for the course among some of these local/"cloud" hybrid services. Not that I condone it; far from it, I recommend not using "cloud" at all unless you know what it's doing with your information and especially security credentials. (To those who say this is OK and necessary -- no, it's obviously NOT necessary to keep your credentials when you've removed the app, or told it to delete your account.)

  18. Adrian Midgley 1

    Surprise

    For certain very small values of surprise.

  19. Sirius Lee

    Bullshit article

    "Here's the critical policy extract"

    Which describes how every mail server in the world works. Or maybe mail servers in Apple world work differently and Apple aficionados are not familiar with SMTP, POP and IMAP servers.

  20. Anonymous Coward
    Anonymous Coward

    Why would you EVER use Gmail as an email client?

    Seriously, why would you EVER use Gmail as an email client for corporate use? There are similar security issues.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like