Serious security issues in iOS Outlook app Microsoft to access user emails and credentials

Pierluigi Paganini February 03, 2015

A researcher has discovered a series of security issues in the newborn iOS Outlook app that allow Microsoft to access user emails and credentials.

René Winkelmeyer, security researcher, Head of Development at midpoints GmbH and IBM Champion, has published a blog post warning about security issues in the newborn iOS Outlook app. According to the expert, the iOS Outlook app recently presented by Microsoft allows the company to access corporate emails and server credentials without the user's knowledge.

Winkelmeyer was analyzing how the iOS Outlook app handles push notifications and notes when he discovered that Microsoft could obtain and store the user's mail account credentials and server data in its cloud without notifying the user.

When the expert set up the app, he noticed that it asked whether he wanted to receive push notifications, so Winkelmeyer decided to test how the app could receive notifications from a remote server. Below is the test he ran:

  • I stopped the app (removed it from the list of active devices).
  • I sent myself from another account a test mail.
  • I immediately received a push notification about new mail.

The expert speculated that Microsoft was using a central service that manages his credentials and monitors his ActiveSync account, so he decided to run a second test:

  • I put all my devices in airplane mode. So there could be no communication.
  • I opened the access_log of my Apache server (which sits in front of my Traveler server).
  • There it was!

54.148.96.196 - - [29/Jan/2015:16:19:50 +0100] "POST /traveler/Microsoft-Server-ActiveSync?User=mysupermail%40winkelmeyer.com&DeviceId=123123123123&DeviceType=Outlook&Cmd=Sync HTTP/1.1" 200 25 "-" "Outlook-iOS-Android/1.0"

This is the proof that Microsoft stores user credentials and server data in its cloud without notifying the end user.

“They just scan. So they have in theory full access to my PIM data.” added Winkelmeyer.

The expert also noticed that the iOS Outlook app always uses the same device ID even when the user installs it on multiple devices, which prevents administrators from distinguishing which device was used for access. The iOS Outlook app's built-in connectors to OneDrive, Dropbox and Google Drive are also a data security nightmare.

“It gets even worse. Each ActiveSync client normally has a unique ID for data synchronization. That allows administrators to distinguish a user's devices. Microsoft's Outlook iOS app doesn't work that way. The app shares the same ID across all devices of a user. And it seems like one device!” states the post.
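Both findings above (the sync requests arriving from Microsoft's cloud rather than from the user's device, and one DeviceId shared by every install of the app) are visible to an administrator in exactly the place Winkelmeyer looked: the access_log of the reverse proxy in front of the mail server. The following script is an added example, not code from the original post or from Microsoft; it parses Apache combined-format log lines, flags ActiveSync requests whose client identifies as the Outlook app, and reports any (user, DeviceId) pair seen from more than one source IP. The sample log is constructed: the first line is the one quoted in the article, the other IPs (203.0.113.x), the second DeviceId and the non-Outlook user agent are made up for illustration.

```python
"""Detection over Apache access_log lines for ActiveSync requests made by the
Outlook iOS/Android app, plus a check for a DeviceId reused across sources.
Added example; the log lines below are constructed, not taken from a real server."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: line 1 is the entry quoted in the article; the rest are invented.
SAMPLE_LOG = [
    '54.148.96.196 - - [29/Jan/2015:16:19:50 +0100] "POST /traveler/Microsoft-Server-ActiveSync'
    '?User=mysupermail%40winkelmeyer.com&DeviceId=123123123123&DeviceType=Outlook&Cmd=Sync HTTP/1.1" '
    '200 25 "-" "Outlook-iOS-Android/1.0"',
    # A native mail client on the user's own device (hypothetical DeviceId and user agent).
    '203.0.113.7 - - [29/Jan/2015:16:21:03 +0100] "POST /traveler/Microsoft-Server-ActiveSync'
    '?User=mysupermail%40winkelmeyer.com&DeviceId=ABCDEF0123&DeviceType=iPhone&Cmd=Ping HTTP/1.1" '
    '200 13 "-" "Apple-iPhone/1.0"',
    # The same Outlook DeviceId again, but from a different source IP (hypothetical).
    '203.0.113.50 - - [29/Jan/2015:16:25:41 +0100] "POST /traveler/Microsoft-Server-ActiveSync'
    '?User=mysupermail%40winkelmeyer.com&DeviceId=123123123123&DeviceType=Outlook&Cmd=Sync HTTP/1.1" '
    '200 25 "-" "Outlook-iOS-Android/1.0"',
    # Unrelated request, should be ignored by both checks.
    '203.0.113.9 - - [29/Jan/2015:16:26:00 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.37"',
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["is_activesync"] = parts.path.endswith("/Microsoft-Server-ActiveSync")
    q = parse_qs(parts.query)  # parse_qs also URL-decodes, so %40 becomes @
    rec["user"] = q.get("User", [None])[0]
    rec["device_id"] = q.get("DeviceId", [None])[0]
    rec["device_type"] = q.get("DeviceType", [None])[0]
    rec["cmd"] = q.get("Cmd", [None])[0]
    return rec


def find_outlook_app_requests(lines):
    """Return ActiveSync records whose client identifies as the Outlook app.

    Either the DeviceType query parameter or the User-Agent prefix is enough;
    both values come from the log line quoted in the article."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["is_activesync"]:
            continue
        if rec["device_type"] == "Outlook" or rec["ua"].startswith("Outlook-iOS-Android"):
            hits.append(rec)
    return hits


def shared_device_ids(lines):
    """Map (user, DeviceId) -> set of source IPs, keeping only IDs seen from more than one IP.

    A genuine ActiveSync client has a per-device ID, so the same ID arriving from
    several addresses is the symptom described in the post."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["is_activesync"] and rec["device_id"]:
            seen[(rec["user"], rec["device_id"])].add(rec["ip"])
    return {key: ips for key, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for rec in find_outlook_app_requests(SAMPLE_LOG):
        print(f"Outlook app sync from {rec['ip']} for {rec['user']} (DeviceId {rec['device_id']})")
    for (user, dev), ips in shared_device_ids(SAMPLE_LOG).items():
        print(f"DeviceId {dev} for {user} seen from {len(ips)} addresses: {sorted(ips)}")
```

Run against a real access_log, the first function answers "is this mailbox being synced through the app's relay service at all", and the second shows why per-device blocking is not possible for this client: every install shares one ID, so the only reliable control is to refuse the app itself, which is the recommendation the post ends with.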

The last element of concern related to the iOS Outlook app is its built-in connectors to the most popular cloud storage services, including Dropbox, Google Drive and OneDrive, which dramatically enlarge the exposure of mobile users.

“The app has built-in connectors to OneDrive, Dropbox and Google Drive. That means a user can set up his personal account within the app and share all mail attachments using those services. Or use files from those services within his company mail account. That's a data security nightmare.” continues Winkelmeyer.

René Winkelmeyer explained that the exposure cannot be mitigated by containerized solutions such as Apple's built-in separation of managed and unmanaged apps, because the communication is app-internal and users cannot control it.

In an update to the post, the expert highlighted that Microsoft bought the Acompli company and just “re-branded” its iOS Outlook app, inheriting its problems.

These security issues entered the new iOS Outlook app after Microsoft bought the mobile email app from Acompli less than two months ago. Microsoft also updated its privacy policy (on January 28, 2015), which now says:

“We provide a service that indexes and accelerates delivery of your email to your device. That means that our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app.”

“If you decide to sign up to use the service, you will need to create an account. That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password.”

Winkelmeyer recommends that all administrators tell employees not to use the iOS Outlook app and block it from accessing their companies' mail servers until Microsoft fixes the embarrassing issue.

Pierluigi Paganini

(Security Affairs – iOS Outlook,mobile)