It seems that Microsoft might be developing a habit of releasing good news to be followed by the nasty fine print. It happened with Windows 10 and seems to be happening now with its shiny Outlook app for iOS and Android. Though still in preview version, the app has been discovered to have some glaring security practices would be a security and privacy nightmare, especially for companies whose employees might take a liking to the app. And while there’s still time to address these issue, it might not be a very good first step for Microsoft.
To be fair, it might not totally be Microsoft’s fault. The Outlook app is seemingly just a rebranded version of the Acompli email app that Microsoft recently acquired. As such, it has inherited not just the features but also the warts of the app, its services, and its policies, which are turning out to be quite questionable. That, of course, doesn’t excuse Microsoft for not addressing these issues before the preview release.
The first glaring security practice is that the Microsoft apparently stores a user’s email credentials on the cloud somewhere so that it can routinely scan your email accounts even if the apps themselves are disabled. That seems to be the system for almost all account types you add into the Outlook app except for Gmail, which requires OAuth authentication. This behavior has been first discovered on the iOS app, but it is probably the same for the Android version.
Regardless of your view of how futile the assumption is privacy is the moment you give someone else your credentials, such security policies and systems are still unacceptable. At the very least, Microsoft should at least warn users about such implementation details, in addition to hiding those under piles of legalese. Even if Outlook is still in preview and in its infancy, it should not be an excuse for Microsoft to critical information or safeguards.
VIA: Tom’s Hardware