Outlook Preview for move has some security misfeatures

It seems that Microsoft might be developing a habit of releasing good news to be followed by the nasty fine print. It happened with Windows 10 and seems to be happening now with its shiny Outlook app for iOS and Android. Though still in preview version, the app has been discovered to have some glaring security practices would be a security and privacy nightmare, especially for companies whose employees might take a liking to the app. And while there's still time to address these issue, it might not be a very good first step for Microsoft.

To be fair, it might not totally be Microsoft's fault. The Outlook app is seemingly just a rebranded version of the Acompli email app that Microsoft recently acquired. As such, it has inherited not just the features but also the warts of the app, its services, and its policies, which are turning out to be quite questionable. That, of course, doesn't excuse Microsoft for not addressing these issues before the preview release.

The first glaring security practice is that the Microsoft apparently stores a user's email credentials on the cloud somewhere so that it can routinely scan your email accounts even if the apps themselves are disabled. That seems to be the system for almost all account types you add into the Outlook app except for Gmail, which requires OAuth authentication. This behavior has been first discovered on the iOS app, but it is probably the same for the Android version.

The second "mistake" the app makes is one that it inherited from Acompli. As per the company's privacy policy, it temporarily stores the messages, calendars, contacts, and attachments that it fetches from your servers in the aid of faster indexing and retrieval. Aside from the possible breaches of privacy, this system would give governments access to private data even if the mail server or the user are outside of their jurisdiction.

Regardless of your view of how futile the assumption is privacy is the moment you give someone else your credentials, such security policies and systems are still unacceptable. At the very least, Microsoft should at least warn users about such implementation details, in addition to hiding those under piles of legalese. Even if Outlook is still in preview and in its infancy, it should not be an excuse for Microsoft to critical information or safeguards.

VIA: Tom's Hardware