Security risk Microsoft Outlook App: Transfers credentials and mails to the cloud

Stop - Pixabay[German]At the beginning of the year 2023, I am once again bringing up a topic that I already addressed here on the blog in 2015 and in January 2021. It's about the Microsoft Outlook app, which is available for Android and iOS devices and, in my opinion, is widely used. In the corporate environment, however, those responsible are sailing in risky waters, because this app transfers login data and mails to the Microsoft Cloud, so that they can be analyzed there. In the EU Parliament, the use was prohibited and I had pointed out the issue again in 2021. The issue has now come to my attention again because Baden-Württemberg's data protection commissioner has subjected the app to an analysis. It also came out that the app transfers data to the cloud.


The Outlook app

Microsoft offers an Outlook app for smartphones running Android and iOS. The app can access on-premises Exchange mailboxes or Exchange Online to exchange mails. It is therefore obvious that owners of the above-mentioned Android and iOS devices install this app from the respective app stores and use it to manage their mails.

However, those responsible in the corporate environment run into security and data protection problems in the process. Because from this point of view, it would be important for on-premises solutions that such an app neither stores passwords in unknown locations, nor analyzes the emails, nor transmits login data in plain text.

My warning from 2015

In February 2015, I had described a security-related bombshell in the blog post Warning: Microsoft Outlook app breaks (company) security. Some users noticed, that Outlook for Android and iOS was nothing else that the previous Acompli app. Microsoft has acquired Acompli last December for 200 Million US $. Now they re-labeled the App to Microsoft Outlook and put it into Google Play Store and Apples iTunes store.

But the main caveat comes from René Winkelmeyer, who blogged about the app and expressed a security warning. The Acompli Microsoft Outlook app stores all your credentials for E-Mail accounts, your attachments, your calendar data and even more data within the cloud. Several German news magazines are reporting about this incident. The EU Parliament's IT had blocked the Outlook app from being used by members and staff of the EU Parliament for security reasons.

My warning from 2021

In January 2021, I revisited the issue in the German blog post Outlook App speichert Passwörter in der Cloud und analysiert Mails. I've warned using the Microsoft Outlook app, because the app continues to store passwords in the cloud and also seems to analyze mails. Blog readers had pointed this out to me at the time, because thay reconfirmed the behavior after tests.


Data protectionist analyzes the app

Recently I came across the tweet below, where a German blogger linked to a German document Az. P6200/282; P6510-1/2 titled Analyse: Verknüpfung IMAP-Konto mit Microsoft Outlook App Android / iOS.

Datenschleuder Microsoft Outlook-App

A data protection activist group called "Frag den Staat" who ask German government under the German Freedom of Information Act for secret documents have had published the document above.

The multi-page PDF document is an analysis by the Data Protection Commissioner (LfDI) of the German state of Baden-Württemberg.

The LfDI has analyzed the data sending behavior of Microsoft's Outlook smartphone app for Android and iOS. This is because this app can be operated with Microsoft 365 (formerly Office 365) as well as with any email services or self-operated servers (including Microsoft Exchange servers) via the widely used IMAP (for receiving and managing emails stored on servers) and SMTP (for sending emails) protocols.

It was noticed that when using any IMAP mail account, the app does not connect directly to the corresponding server but to Microsoft servers. The subsequent analysis of the app confirmed the negative impression. The summary of the above document states:

When using the Outlook mobile app (iOS, Android), Microsoft stores the access data to the email account (including the password) on its own servers, processes all incoming and outgoing emails on its own servers and thus has full insight into both content and all metadata. Microsoft thus gains sensitive insights into the communication behavior of the data subjects.

The data protection officer complains that this behavior is not presented transparently to the users. The document does briefly refer to a Microsoft privacy policy (I have not found the linked page). But the LfDI of Baden-Württemberg doubts that a simple mention in the privacy policy is sufficient to cover the data transfer per DSGVO. Most importantly, no legal basis on which these data are transferred to Microsoft is apparent. In addition, these transfers are also not technically necessary in most cases. The assessment of the LfDI is clear:

This procedure gives Microsoft full access to all e-mails received as well as those sent. Likewise, Microsoft has access to the plaintext passwords, which Page 6 of 9 according to the above analysis are also stored on the Microsoft server. From a technical point of view, this is not necessary.

In terms of security, this is a disaster for the responsible administrators and companies. In terms of data protection, the responsible parties are also in troubled water.

In short, anyone who uses the app in a corporate environment is committing a serious data protection violation under the GDPR. It is also not enough to obtain data protection consent from employees, since every mail received or sent contains personal data of third parties, which then finds its way onto Microsoft's servers. And anyone responsible in companies or public authorities who allows the app to be used is also "left with their pants down" in terms of security. This episode shows that Microsoft, in my opinion, doesn't really care about data protection.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Allgemein. Bookmark the permalink.

One Response to Security risk Microsoft Outlook App: Transfers credentials and mails to the cloud

  1. Sebby says:

    Yes, sadly not enough is made of this. Toss some blame at Apple, too, the privacy company, for this situation; their choice to control both the capabilities of the iOS software and the apps written for it by force, and the APNS ("Push") service that delivers notifications from "background" apps, means that it is all but inevitable that any client application is actually implemented as a front-end for some back-end server that performs the actual stateful work on behalf of the user, which obviously necessitates access to the credentials of that user. It's not just Outlook but any app that logs into a server that's not controlled by the app developer, where running in the background is a feature. It's horrible, and there's really no solution for it but using Apple's native ActiveSync support, or else Apple's APNS-based push for Mail with IMAP, but for which you need a server certificate from Apple's now-discontinued Server product. Use Outlook with awareness.

Leave a Reply

Your email address will not be published. Required fields are marked *