IT could face a security nightmare with the new Outlook for iOS app due to some major issues and lack of MDM integration.
Security shortcomings for the new Outlook for iOS app have companies putting the brakes on the app before they’ve even fired up the engine.
The most glaring omission in the new Outlook applications for Apple iOS and Google Android is the lack of integration with mobile device management (MDM) platforms, which makes them a non-starter for many enterprises.
Yet issues with security, particularly with the Outlook for iOS app, appear to run even deeper. A blog post written by Rene Winkelmeyer, head of development with German consulting services and software development company Midpoints, outlined several major security concerns for the app.
The app connects to file-sharing services such as Dropbox, Google Drive and Microsoft OneDrive so any user can set up a personal account within the app and share mail attachments using those services, Winkelmeyer wrote in the blog post. The catch is that administrators can’t control in-app communication.
Containerization may help with controlling that communication, but only if a software development kit is implemented around an app like Outlook for iOS, Winkelmeyer said in an email.
“An option could be to force all device communication over [a virtual private network] via MDM and block from there, i.e. Dropbox access,” he said. “But that’ll mean big changes in the VPN infrastructure for lots of companies as all device traffic would be affected.”
Outlook for iOS also shares the same Exchange ActiveSync client ID across all of the user’s devices, meaning IT can’t distinguish whether someone is using their iPhone or iPad to access the app, Winkelmeyer wrote in the blog.
Lastly, and perhaps most problematically for IT, anyone who uses the app faces the reality that Microsoft could store that individual’s email credentials in the cloud. After sending a test email, Winkelmeyer discovered “a frequent scanning from an [Amazon Web Services] IP” to his email account and found Microsoft was storing his personal credentials and server data in the cloud.
“That may be fine for companies which already use Microsoft’s cloud,” he said in an email. “But for companies that have their ActiveSync server for their own reasons not in the cloud, it’s a big problem.”
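For administrators running their own ActiveSync server, one way to check whether a given client ID is being synced from cloud address space rather than from the handset itself is to review the server's request logs. The sketch below is an added example, not code from the article or from Winkelmeyer's post; it assumes IIS W3C logs with a `#Fields:` header and an admin-maintained list of cloud CIDR ranges, and every log line, user, DeviceId and address in it is constructed.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log; IPs are documentation ranges, names and IDs are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-uri-stem cs-uri-query sc-status
2015-02-03 08:01:10 198.51.100.23 alice /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=DEV0001&DeviceType=TypeA 200
2015-02-03 08:02:44 203.0.113.10 bob /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=bob&DeviceId=DEV0002&DeviceType=TypeB 200
2015-02-03 08:07:44 203.0.113.77 bob /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=bob&DeviceId=DEV0002&DeviceType=TypeB 200
2015-02-03 08:09:02 192.0.2.5 carol /owa/auth.owa - 302
"""

# Assumption: the admin maintains this list, e.g. from the provider's published ranges.
CLOUD_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_eas(log_text):
    """Yield one dict per ActiveSync request, using the #Fields header for column order."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if "microsoft-server-activesync" not in row.get("cs-uri-stem", "").lower():
                continue  # not an ActiveSync request
            query = parse_qs(row.get("cs-uri-query", ""))
            device_id = query.get("DeviceId", [None])[0]
            if device_id:
                yield {"user": row.get("cs-username", "-"), "device_id": device_id,
                       "ip": ipaddress.ip_address(row["c-ip"])}

def cloud_origin_devices(log_text, cloud_nets):
    """Map (user, DeviceId) -> sorted cloud source IPs seen syncing under that ID."""
    hits = defaultdict(set)
    for req in parse_eas(log_text):
        if any(req["ip"] in net for net in cloud_nets):
            hits[(req["user"], req["device_id"])].add(str(req["ip"]))
    return {key: sorted(ips) for key, ips in hits.items()}

if __name__ == "__main__":
    for (user, device_id), ips in cloud_origin_devices(SAMPLE_LOG, CLOUD_NETS).items():
        print(f"{user} DeviceId={device_id} synced from cloud ranges: {', '.join(ips)}")
```

A DeviceId that shows up here is being used by a hosted service on the user's behalf, so per-device ActiveSync policies keyed on that ID do not map to a single physical handset.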