Thanks everyone for the confirmation.

The process does not appear to have changed at all from what has been described; still storing credentials and all the mail they can slurp. I have never liked or used Outlook in any of its various incarnations so I've had little exposure to this.

I am somewhat surprised that this is not more well reported in mainstream media. If any other app so blatantly stole your data and shipped it off overseas, it would be all over the press as this should be. But Microsoft, like a number of others, are big enough to get away with this.

Cheers,
Graham



On 17/12/21 14:01, Philip Loenneker wrote:
Hi Graham,

I don't know if this is still the case, but the original "Outlook" app for 
mobiles saved your credentials on a server and downloaded to there, then synced it down 
to your device. I think they did that so they could do things like push notifications 
when you get an email, which doesn't work if it runs locally and the app isn't allowed to 
run in the background. That was before Microsoft bought the app, but I haven't looked at 
it at all since then.

Where I was working at the time, we were justifiably concerned by this 
"feature", advised everybody to not use it, and blocked it from working on the 
corporate Internet service.

It is possible that it operates differently now, but from what you described, 
it sounds like they still do the same thing.

This rather old blog post discusses some of the security concerns, but it's 
from 2015 and may be completely irrelevant now.
https://4sysops.com/archives/is-microsofts-outlook-app-for-ios-and-android-insecure/

Regards,
Philip Loenneker | Senior Network Engineer
TasmaNet | Vastnet | Netmode

-----Original Message-----
From: AusNOG <[email protected]> On Behalf Of Graham Maltby
Sent: Friday, 17 December 2021 2:35 PM
To: [email protected]
Subject: [AusNOG] Outlook Mobile (OT)
Importance: Low

Afternoon all,

While attempting to sort out some autodiscover / activesync processes last 
night, I installed Outlook on my mobile (current Android version from the Play 
Store). Set up an account and logged in.

To my dismay, I find my phone is not connecting over the LAN to the server 4m 
away but instead a server in Seoul, South Korea is connecting and downloading 
my mail instead. Aside from the woeful performance, it raises a lot of concerns 
with privacy, security and data sovereignty.
The most annoying part (if that was not sufficient), is that 14 hours after deleting the 
account from "all devices" and uninstalling the app, the server is still 
logging in and collecting mail now (or was until I changed the password).

Is this common knowledge I have just missed all these years?

Is there a reason the media are not making noise about this?

Does nobody care because it's pretty?


I have very low expectations when it comes to Microsoft but this is poor by any 
measure.

Graham

_______________________________________________
AusNOG mailing list
[email protected]
http://lists.ausnog.net/mailman/listinfo/ausnog