[AusNOG] Outlook Mobile (OT)

Fri Dec 17 16:42:08 AEDT 2021

Thanks everyone for the confirmation.

The process does not appear to have changed at all from what has been 
described; still storing credentials and all the mail they can slurp. I 
have never liked or used Outlook in any of it's various incarnations so 
I've had little exposure to this.

I am somewhat surprised that this is not more well reported in 
mainstream media. If any other app so blatantly stole your data and 
shipped it off overseas, it would be all over the press as this should 
be. But Microsoft, like a number of others, are big enough to get away 
with this.

Cheers,
Graham

On 17/12/21 14:01, Philip Loenneker wrote:
> Hi Graham,
>
> I don't know if this is still the case, but the original "Outlook" app for mobiles saved your credentials on a server and downloaded to there, then synced it down to your device. I think they did that so they could do things like push notifications when you get an email, which doesn't work if it runs locally and the app isn't allowed to run in the background. That was before Microsoft bought the app, but I haven't looked at it at all since then.
>
> Where I was working at the time, we were justifiably concerned by this "feature", advised everybody to not use it, and blocked it from working on the corporate Internet service.
>
> It is possible that it operates differently now, but from what you described, it sounds like they still do the same thing.
>
> This rather old blog post discusses some of the security concerns, but it's from 2015 and may be completely irrelevant now.
> https://4sysops.com/archives/is-microsofts-outlook-app-for-ios-and-android-insecure/
>
> Regards,
> Philip Loenneker| Senior Network Engineer
> TasmaNet | Vastnet | Netmode
>
> -----Original Message-----
> From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of Graham Maltby
> Sent: Friday, 17 December 2021 2:35 PM
> To: ausnog at lists.ausnog.net
> Subject: [AusNOG] Outlook Mobile (OT)
> Importance: Low
>
> Afternoon all,
>
> While attempting to sort out some autodiscover / activesync processes last night, I installed Outlook on my mobile (current Android version from the Play Store). Setup and an account and logged in.
>
> To my dismay, I find my phone is not connecting over the LAN to the server 4m away but instead a server in Seoul, South Korea is connecting and downloading my mail instead. Aside from the woeful performance, it raises a lot of concerns with privacy, security and data sovereignty.
> The most annoying part (if that was not sufficient), is that 14 hours after deleting the account from "all devices" and uninstalling the app, the server is still logging in and collecting mail now (or was until I changed the password).
>
> Is this common knowledge I have just missed all these years?
>
> Is there a reason the media are not making noise about this?
>
> Does nobody care because it's pretty?
>
>
> I have very low expectations when it comes to Microsoft but this poor by any measure.
>
> Graham
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.ausnog.net%2Fmailman%2Flistinfo%2Fausnog&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Cc78698f33b944aa750c408d9c10e5b4c%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753089685219848%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4mr8ny9ODSiKpYpshRZ0eVceTabA95bJbmfw7qhk0KI%3D&reserved=0