Microsoft have recently released a new “Outlook” email app on the iOS and Android mobile platforms. This app is a rebrand of the recently-purchased Acompli.
The user interface apparently is quite effective, mixing calendar and priority mail and allowing fast response to messages.
Unfortunately, at this stage in the app’s existence it takes some security shortcuts that are not ideal. All your email is copied into “the cloud” (this is a techno-marketing phrase that simply means “someone else’s computer” – and of course we should assume that “the cloud” will always be in a hostile legal environment, where government agencies from multiple countries will have free access to all your data). Worse, if you are accessing an Exchange service (i.e. University mail) your username and password are also stored in the cloud in order to make this work. The app doesn’t make this clear to users, and for some people that could represent a real problem.
More directly, this cloud-based login also actively violates the security policies that the University sets on Exchange email access. In order to protect University-owned data, devices that connect to Exchange are required to have local security policies like active screen locking, and to respond to remote wipe requests when they are reported stolen/missing. The current Outlook app does not apply these policies to the devices that use it, and although remote wipe might correctly remove data copied into the cloud, it doesn’t remove anything from the missing device. Worse, if you have multiple devices using this app, we can no longer wipe just the missing one; this app services them all from the same connection, and therefore a wipe affects all of them at the same time.
There has been a lot of press about this Outlook app recently – from the usability point of view it’s all positive, and from the security point of view it is all negative. Hopefully Microsoft will be able to put in some new development resources to help address these problems soon.
In the meantime, ISO recommend that you do NOT use this app with University email services.