Security

Microsoft Outlook app security problems for iOS and Android

Peter Peters

February 2015

Introduction

Microsoft recently released a new Outlook app for iOS and Android. The app was developed by a third party that Microsoft subsequently acquired. The way it works conflicts with University of Twente policy and poses a threat to the integrity of the data on the Exchange servers.

This only concerns the new Microsoft 'Outlook for iOS' and 'Outlook for Android' apps. It does not apply to the default mail apps on these platforms, the old OWA app from Microsoft, or OWA via the browser. These ways of reading email and managing the calendar do not cause any problems.

Login details

The app asks for login information for the university's Exchange server. That is normal for an email app: it uses the credentials to log on to Exchange and retrieve emails and appointments directly. In this case, however, the login data is forwarded to a Microsoft server. That server then uses the credentials to log on to the Exchange server and retrieve emails and appointments on the app's behalf.

Storage of emails

The remote server keeps a copy of the retrieved emails and appointments. The data is indexed and then forwarded to the app. The server stays logged on to the Exchange server permanently in order to retrieve new email messages and appointments, index them and forward them to the app.

Considerations

The provision of account information to a third party represents a threat to the security of the Exchange servers. Because the same data provides access to much more than emails alone, it also represents a threat to the confidentiality and integrity of data in other environments at the university.

In addition, the university has chosen not to store staff email in the cloud. The app does exactly that, contrary to this decision.

Action plan

The IT Security Manager, following consultation with the MT of ICTS, has decided to take steps to prevent the use of this app in combination with the university's servers.

These steps are as follows:

1. Information about the measures through the ICTS website. (Ready)
2. Information to the ICT contacts. (Ready)
3. Informing users of the app, including the steps to be taken to remove the data from the remote servers. (In progress)
4. Blocking access to Exchange for these servers and in that way for the app. (To follow)

Recommendation to end users

If you have used this app to access the university's Exchange server, do not simply delete the app. Microsoft's server would still store your emails and appointments, and it would continue to log on to the Exchange server to retrieve new ones. If you then change your password, the server keeps trying to log in with the old password, which may lead to your account being locked after a large number of incorrect login attempts. If you want to stop using the app, first remove every account that you have set up in it. That removes all data from the app and from the remote server. Only then delete the app from your phone or tablet.

Change the password of your ICT account. It has been disclosed to a third party and is therefore no longer as confidential as it should be.
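For administrators carrying out steps 3 and 4 of the action plan and dealing with the lockout scenario described above, the following added example (not part of this ICTS notice, nor Microsoft or University of Twente code) shows the two checks over ActiveSync-style log records: which accounts have synced through the app, and which accounts are accumulating authentication failures from a source that used to succeed, the signature of a remote server retrying with a password that has since been changed. The log layout and the sample records are constructed for the example; the user-agent prefix and the lockout threshold are assumptions that must be confirmed against your own Exchange logs and password policy.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Assumed user-agent prefix of the app; confirm against your own Exchange logs.
APP_USER_AGENT_PREFIX = "Outlook-iOS-Android/"
# Assumed local policy: failed logins before the account is locked.
LOCKOUT_FAILURE_THRESHOLD = 5


@dataclass
class SyncEvent:
    when: datetime
    user: str
    source_ip: str
    user_agent: str
    status: int  # HTTP status of the sync request; 401 means authentication failed


# Constructed sample records in an invented "timestamp|user|source ip|user agent|status"
# layout. Scenario: alice and carol use the app; alice changes her password at 08:30,
# after which the remote server (203.0.113.10) keeps retrying with the old one.
SAMPLE_LOG = """\
2015-02-02T08:00:01|alice@example.edu|203.0.113.10|Outlook-iOS-Android/1.0|200
2015-02-02T08:05:14|bob@example.edu|198.51.100.7|Apple-iPhone6C1/1202.466|200
2015-02-02T08:06:40|alice@example.edu|203.0.113.10|Outlook-iOS-Android/1.0|200
2015-02-02T08:10:02|bob@example.edu|198.51.100.7|Apple-iPhone6C1/1202.466|401
2015-02-02T08:10:30|bob@example.edu|198.51.100.7|Apple-iPhone6C1/1202.466|200
2015-02-02T08:15:00|carol@example.edu|203.0.113.22|Outlook-iOS-Android/1.0|200
2015-02-02T09:00:00|alice@example.edu|203.0.113.10|Outlook-iOS-Android/1.0|401
2015-02-02T09:05:00|alice@example.edu|203.0.113.10|Outlook-iOS-Android/1.0|401
2015-02-02T09:10:00|alice@example.edu|203.0.113.10|Outlook-iOS-Android/1.0|401
2015-02-02T09:15:00|alice@example.edu|203.0.113.10|Outlook-iOS-Android/1.0|401
2015-02-02T09:20:00|alice@example.edu|203.0.113.10|Outlook-iOS-Android/1.0|401
2015-02-02T09:30:00|carol@example.edu|203.0.113.22|Outlook-iOS-Android/1.0|200
"""


def parse_log(text: str) -> list[SyncEvent]:
    """Parse the pipe-separated sample layout into SyncEvent records, oldest first."""
    events: list[SyncEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, ip, agent, status = line.split("|")
        events.append(SyncEvent(datetime.fromisoformat(when), user, ip, agent, int(status)))
    return sorted(events, key=lambda e: e.when)


def app_users(events: list[SyncEvent]) -> list[str]:
    """Accounts that have synced through the app, i.e. whose credentials a remote server holds.

    These are the users to inform (step 3) and whose passwords must be changed.
    """
    return sorted({e.user for e in events if e.user_agent.startswith(APP_USER_AGENT_PREFIX)})


def stale_credential_sources(
    events: list[SyncEvent], threshold: int = LOCKOUT_FAILURE_THRESHOLD
) -> dict[tuple[str, str], int]:
    """Count, per (user, source ip), the authentication failures since that source's last success.

    A run of failures from a source that is not interrupted by a success is the pattern the
    notice warns about: a server still logging in with an old password, which locks the account
    once the threshold is reached. Only pairs at or above the threshold are returned.
    """
    trailing: dict[tuple[str, str], int] = {}
    for e in events:
        key = (e.user, e.source_ip)
        if e.status == 401:
            trailing[key] = trailing.get(key, 0) + 1
        elif e.status == 200:
            trailing[key] = 0  # a success resets the run; the credential at this source is valid
    return {key: n for key, n in trailing.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("accounts used with the app:", app_users(events))
    for (user, ip), n in stale_credential_sources(events).items():
        print(f"{user}: {n} consecutive failures from {ip}; likely an old password at a remote server")
```

On the sample data the first check lists alice and carol as app users, and the second flags only alice's app source with five consecutive failures; bob's single mistyped password is followed by a success and is not reported. Counting failures since the last success, rather than all failures, is what separates a stale stored credential from an ordinary typo.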