Stephan’s Little Page

Outlook for Android/iOS Considered Harmful

The Problem

Contrary to popular belief, the Outlook app for Android and iOS was not developed by Microsoft. It was developed by a different company called Acompli, which Microsoft bought more than five years ago.

The app made negative headlines at the time because it stored users' e-mails and even their passwords (in clear text!) on third-party servers. This is also reflected in Acompli's privacy policy.

Five years later, I had not heard about this issue for years. I assumed that the issue had been addressed by Microsoft, because I could not imagine that any business customer would accept storing employee passwords on third-party servers.

However, I was wrong. I recently installed the Outlook app for Android and connected it to an Exchange 2019 instance. The Exchange admin told me that there were HTTP requests coming from Microsoft servers (identified by IP address) that authenticated with my name. Further analysis revealed that the requests were authenticated with HTTP Basic Auth using my AD password in clear text.
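The check the Exchange admin effectively performed, written out as an added example (not code from the original page): scan request logs for the Basic scheme in the Authorization header, report which client IP authenticated as which account, and keep only the password's length rather than the secret. The log format, paths, IPs and credential are all constructed for this example; the expected-client-network logic that the admin used to identify Microsoft's addresses is not included.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample request log (format assumed for this example):
#   <client-ip> "<METHOD> <path>" "<User-Agent>" "<Authorization value or ->"
# IPs are RFC 5737 documentation addresses; the credential is built here so it is obviously fabricated.
_CRED = base64.b64encode(b"jdoe@example.com:NotARealPassword1").decode()
SAMPLE_LOG = f"""
203.0.113.10 "POST /EWS/Exchange.asmx" "Outlook-Android/2.0" "Basic {_CRED}"
198.51.100.7 "GET /owa/" "Mozilla/5.0" "-"
203.0.113.11 "POST /EWS/Exchange.asmx" "Outlook-Android/2.0" "Bearer eyJhbGciOiJSUzI1NiJ9.constructed.token"
203.0.113.12 "POST /Microsoft-Server-ActiveSync" "Outlook-iOS/4.0" "Basic %%%not-base64%%%"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<req>[^"]*)" "(?P<ua>[^"]*)" "(?P<auth>[^"]*)"$')

@dataclass
class BasicAuthHit:
    client_ip: str
    path: str
    user_agent: str
    user: str          # account name that travelled as base64, i.e. in the clear
    password_len: int  # length only; the secret itself is never stored or printed
    note: str = ""

def decode_basic(value: str):
    """Return (user, password_len) for a 'Basic <b64>' value; ('?', -1) if it cannot be decoded."""
    try:
        raw = base64.b64decode(value.split(" ", 1)[1].strip(), validate=True)
        user, sep, password = raw.decode("utf-8").partition(":")
    except (IndexError, binascii.Error, UnicodeDecodeError):
        return "?", -1
    return (user, len(password)) if sep else ("?", -1)  # RFC 7617 requires the colon

def find_basic_auth(log_text: str):
    """Flag every request that presented a Basic credential; Bearer (modern auth) and anonymous pass."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["auth"].lower().startswith("basic "):
            continue  # unparseable line, or not the Basic scheme
        user, pw_len = decode_basic(m["auth"])
        path = m["req"].split(" ", 1)[-1]
        hits.append(BasicAuthHit(m["ip"], path, m["ua"], user, pw_len,
                                 "credential not decodable" if pw_len < 0 else ""))
    return hits

if __name__ == "__main__":
    for h in find_basic_auth(SAMPLE_LOG): print(h)
```

Grouping the hits by client_ip and comparing the addresses against the networks your own clients should come from is what turns this listing into the "requests from Microsoft servers" finding described above.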

Risks

The whole point of hosting your own e-mail infrastructure rather than using cloud services is to prevent access by third parties. Processing mail on third-party servers is unexpected and breaks this principle. It can also be a problem for compliance with regulations.

Storing the password in clear text is even worse. This password is typically the user's Active Directory password and thus grants access to far more systems than just e-mail.

Mitigation

Exchange supports a number of different authentication mechanisms. In addition to Kerberos and friends, which can be used on internal networks, there are basic authentication and modern authentication.

Modern authentication avoids the problem of storing passwords in clear text by using access tokens. However, although modern authentication is the default for Office 365, basic authentication is still the default for on-premises Exchange 2019 installations.