Access to Microsoft’s new Outlook apps has been blocked for members of the European Parliament because of “serious security issues.”
Microsoft launched new Outlook apps for iOS and Android just over a week ago. The new apps are basically a rebranded version of a mail app made by Acompli, a company Microsoft bought in December for a reported US$200 million.
Access to the apps though was blocked on Friday by the Parliament’s IT department, DG ITEC, in order to protect the confidentiality and privacy of its users, according to an email seen by the IDG News Service.
“Please do not install this application, and in case you have already done so for your EP corporate mail, please uninstall it immediately and change your password,” it said.
The apps will send password information to Microsoft without permission and will store emails in a third-party cloud service over which the Parliament has no control, DG ITEC added in a message on the Parliament’s intranet.
Microsoft’s new Outlook app basically acts as an email inbox for Exchange, Outlook, iCloud, Google and Yahoo mail accounts.
The service retrieves incoming and outgoing messages, calendar data and address book contacts and pushes them securely to the app. Those messages, calendar events, and contacts, along with their associated metadata, “may be temporarily stored and indexed securely both in our servers and locally on the app on your device,” according to Acompli’s privacy policy. Email attachments will also be temporarily stored on its servers.
Email accounts that use Microsoft Exchange require users to provide email login credentials, including username, password, server URL, and server domain, it said, adding that other accounts such as Google Gmail accounts using the OAuth authorization mechanism do not require to store a password.
Each user’s credentials are double-encrypted using a server per-account unique key and then using a client device unique key, therefore the credentials can only be unlocked by the collaboration of both the server and the app at runtime, according to Acompli’s security page.
It’s not just the European Parliament though that thinks this is not secure enough: a number of other organizations have banned the new Outlook app because of how it stores passwords.
The University of Wisconsin for instance announced last week it would start blocking the app as of Monday. The app stores login information in the cloud, which clearly poses a security risk because the cloud service is not overseen by the University, it said in a blog post, adding that other universities are having similar issues.
In the Netherlands, the Delft University of Technology reportedly also started blocking the apps because they store contact data and passwords in the cloud.
A Microsoft spokesman said the app’s security and privacy capabilities, as well as the controls available to IT administrators, meet the company’s thresholds. If customers have concerns though, they can follow guidance on Controlling Device Access on Microsoft TechNet to block the app and continue using the Outlook Web Access (OWA) for iPhone, iPad, and Android apps, he added.