Worried about security and privacy in Outlook for iOS and Android? Here's your chance to debate the issues
February 2, 2015
Last Friday I posted an article outlining the reasons why I thought some of the concerns expressed about some security and functionality weaknesses in the rebranded Outlook for iOS and Android apps (late Acompli) were an overreaction. Cue a heap of tweets and other feedback directed my way, some of which questioned whether I was serious. Well, I was. I still think that some of the opinions posted on the Internet are way over the top. I also doubt the independence of some of the authors. By comparison, the piece written by Paul Cunningham contains a more reasonable and measured assessment of Outlook for iOS and Android.
As I noted on Friday, the current apps are just rebranded versions of what was previously available from Acompli. It is kind of interesting to see all the fuss and bother now that never appeared when Acompli was independent, but that just goes to show that so much more is expected when software is promoted to play in the big leagues. Right now, the Outlook for iOS and Android apps are no more than a generally available beta to show where Microsoft is going in the mobile email client space, which is why the Outlook for Devices apps are being kept around for now. Lots of work has to be done to upgrade Outlook for iOS and Android before the apps can be regarded as suitable for many large-scale enterprises. As I said in a tweet, use the apps if you like, or block them if you don’t. Blocking is easy and should take no longer than a few minutes to accomplish.
Someone in Microsoft’s marketing team seems to have woken up to the fact that rushing a rebranded app into the marketplace and hyping them as the way forward might not have been such a good idea. The charm offensive to counter the opinions expressed about security and functionality and to reassure customers that elements like security and privacy are important to Microsoft is in full flow, which brings me to a post by Javier Soltero, ex-CEO of Acompli and now leading the development effort for the Outlook apps at Microsoft. Writing in the Exchange IT Pro group of the Office 365 Yammer network, he said:
“As a follow up to yesterday's launch of Outlook for iOS and Android, the team and I wanted to give you a deeper look into Outlook from an IT point of view. We know you're interested in hearing more about the app's architecture, security, and administrative controls, so I've provided more detail below.
We know you likely have additional questions about this and the future of Outlook, so we will host a live chat with the Outlook product team to continue the conversation. Please join us for a YamJam in the Exchange IT Pro Group on February 4, 2015 from 9:00am-10:00am PST, (UTC -8). You can add it to your calendar here: http://bit.ly/1EURu8C”
Apart from hosting a YamJam (how I continue to hate that term!), Javier also provided a document containing background to the announcement and information about the current implementation. The document is available on Yammer, but for those who aren’t part of the Office 365 network, I reproduce it below.
Issues that will probably be discussed include:
Security and privacy – how does Microsoft protect user credentials provided to the Outlook apps that are used to download information to AWS servers for processing.
Functionality – when will the Outlook apps support the features like contacts, access to the corporate directory (GAL), and the ability to control access to Dropbox and OneDrive?
Access policies – when will the Outlook apps support all of the Exchange ActiveSync policy settings? How can these apps be controlled by other Mobile Device Management systems?
Integration with Exchange – when Outlook for apps connects to an Exchange server (on-premises or Exchange Online), when will it be able to expose the functionality of the server, like rights management protection?
If you are interested in helping Microsoft create enterprise-ready versions of the Outlook apps maybe you should sign up for the Office 365 Network and contribute to the gathering on February 4. Or just keep on complaining, but then don’t be surprised when your comments are ignored.
Follow Tony @12Knocksinna
----====----
Document provided by Javier Soltero of Microsoft
Architecture of the app
You want a fast and feature rich email experience on your phone. We built Outlook to provide this with a rich native app as the front end, powered by a secure and scalable cloud service on the backend. Outlook's cloud service allows us to build great experiences for you. Our focused inbox feature’s intelligence is controlled in this cloud. This cloud allows us to provide 1-click unsubscribe features from mailing lists, improve search speed and effectiveness and enable you to forward and send large files without first downloading them to your phone. This app front end and cloud backend will enable us to provide even more capability to you going forward.
Outlook is designed to make it easy to access your email, calendar, people & files across all your accounts, including personal ones. We want to provide this to end users, while still enabling IT to control the accounts they own. Having a cloud-backed service makes it easy for us to expand support for new services and capabilities that enhance your Outlook experience. It also allows us to move faster to improve performance and stability, we can keep our application light on local code and rely on the cloud for the heavy lifting.
Passwords and security
Outlook uses Oauth for the accounts that support it (Outlook.com, OneDrive, Dropbox, Box, Gmail). For those not familiar, this provides us a way to access those cloud services without ever touching your password. For accounts that don’t support Oauth (Exchange ActiveSync, Yahoo, iCloud), we have to handle this differently. When a user logs into Exchange and Office 365, we encrypt their password with a unique key that is specific to that user’s device and stored securely on it. The encrypted password is then passed along to Outlook’s cloud service and used to connect the accounts. Any time our service needs to present that password, it needs to have cooperation from the device in order to decrypt it using the key .This architecture means that in order to gain access to your password, you would have to have access to both our cloud service and have physical access to the unlocked device. This applies to both us as well as anyone who would attempt to gain access from the outside.
As we continue to innovate on both our app and our service we will leverage alternative mechanisms such as OAuth as soon as they are available.
Data storage.
As mentioned above, we store a subset of email, calendar information and files in a cloud service to facilitate fast, secure delivery down to the device. Because the app is based on Microsoft's recent acquisition of Acompli, today that cloud service runs on Amazon Web Services. We are making great progress in moving to Azure and integrating with the full Office 365 cloud fabric. We plan to have that move completed later this year, which will enable it to be covered by the Office 365 Trust Center. The information in Outlook cloud service is currently stored in the United States. As we move from our current platform to Azure, we will align to the principles of the Office 365 Trust Center with a regionalized data center strategy. In Office 365 a customer’s country or region, which the customer’s administrator inputs during the initial setup of the services, determines the primary storage location for that customer’s data.
ActiveSync policies and mobile device management
Outlook for iOS & Android has partial support for Exchange ActiveSync policies today. The Remote Wipe command is supported; which removes corporate email data from any devices the user has connected to the service. This is a selective wipe, not a device wipe: corporate email, calendar, contacts and files are removed, but a user’s personal email accounts and information stay intact. It will also remove any data stored in Outlook’s cloud components. Other Exchange ActiveSync policies are in development and will be available on Outlook soon. These are at the top of the Outlook priority list:
PIN lock – enforce PIN at the device or application level
Maximum failed password attempts – wipe device or app after a set number of failed password attempts
Activity time-out – if user has not loaded the app a pre-determined period of time, the app will prompt the user for PIN.
We will also be adding mobile device management integration, including support for Intune and the built-in mobile device management features of Office 365 we announced last year.
Blocking the app
Each organization has different policies regarding security and device management. If the current version of Outlook doesn’t meet your needs, you can block the app using Exchange ActiveSync device management policies. The Outlook app is identified in Exchange ActiveSync management screens with the Device Family 'outlook-iOS-Android/1.0'. See Controlling Device Access in TechNet for specific steps.
Office 365 and Exchange Server 2013 customers can continue using the OWA for iPhone/iPad/Android apps – these apps are rich in enterprise features and we are leaving them in market while we work on adding similar capabilities to Outlook.
Yesterday was just the beginning of the Outlook journey. We will be iterating quickly to bring new features to the app, shipping new versions every few weeks with new end user features and IT controls. Your feedback will help us shape the future of Outlook. I hope you can join us for the YamJam next week --we look forward to a great discussion then.
Read more about:
Alphabet Inc.About the Author
You May Also Like