Outlook on iOS Has Security Issues for Enterprise

Outlook (née Acompli) for iOS was initially well received, but that positive reception might have ended due to some security issues. IBM developer Rene Winkelmeyer has been digging into the new mobile app (via Betanews), and he found significant shortcomings in the app when it comes to enterprise security that may not bode well for Outlook, the de facto standard for corporate email.

Sharing is Caring

First up, there are options (which can't be disabled) to connect Outlook to Dropbox, Google Drive, and OneDrive. For most people this is convenient—in fact, this was one of the features that was greeted warmly by the blogosphere, including TMO.

For an organization with data that should be kept secure—due to either security practices or legal requirements—the option to hook corporate email to these storage services with personal accounts is a problem. All manner of data, customer information, attachments, and whatnot could be dispersed to any or all of these services, taking it outside the control of the enterprise.

Turns Out I Don't Know What You Did Last Summer

Next is the issue of tracking devices. Outside of iOS, devices using Microsoft's ActiveSync technology each get their own ID so it's easy to track and maintain each device. However, Outlook on iOS cares not. If an employee has a company-issued iPhone and installs Outlook, but then installs Outlook on their personal iPad—and only uses that—there is no way to tell. Again, for personal use it's not a big deal, but this can cause headaches for IT departments that need to track who's using what, where.

Know Thy Data

Next up is what information is stored where. From the blog post:

Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud! They haven’t asked me. They just scan. So they have in theory full access to my PIM data.

This means every incoming and outgoing message is passing through an intermediary server at Microsoft, even if it's from someone with the same email domain. If someone next to you at work sends you a message, it has to leave the internal network to go to Microsoft's servers before you receive it. This, again, violates many corporate security practices.

In an update to the original post, Rene Winkelmeyer lists some of his credentials to show he knows of what he speaks, and talks a bit more about ActiveSync and alternate solutions.

Not Everyone Need Worry

For those using Outlook for personal mail on a personal device, most of this won't be a big deal. But if you're using a company phone or supporting company phones, your excitement about Outlook should be tempered by the above issues, since they can cause serious problems for an organization trying to manage mobile devices.
