[AusNOG] Outlook Mobile (OT)

David Rawling djr at pdconsec.net
Sat Dec 18 00:15:38 AEDT 2021 

Hi DaZZa

I didn't wish to mention it earlier and unprompted in case it felt like
spam to people (yes, I'm from the old pre-eternal-September Internet),
but Scott was on the money - Nine is the client I use personally
(com.ninefolders.hd3 if you need the package name to find it). 

Dave.
--
David Rawling - Principal Consultant

t: +61 41 213 5513  |  e: djr at pdconsec.net

Please note that whilst we take all care, neither PD Consulting and
Security nor the sender accepts any responsibility for viruses and it
is your responsibility to scan for viruses. The contents are intended
only for use by the addressee and may contain confidential and/or
privileged material. If you received this in error, we request that you
please inform the sender and/or addressee immediately and delete the
material.

On Fri, 2021-12-17 at 20:39 +1100, DaZZa wrote:
> Hi Dave
> 
> Be good fella and elucidate us as to the name of this non-Microsoft
> android client that supports MFA, please?
> 
> The only reason I started using the streaming pile of putrid dog crap
> that is Outlook is because corporate decided to enforce MFA - and the
> Samsung/Android client didn't support that 
> 
> I'd love to know a client that I can use that supports MFA and isn't
> Outlook.
> 
> Thanks
> 
> DaZZa
> 
> On Fri, 17 Dec 2021, 7:42 pm David Rawling, <djr at pdconsec.net> wrote:
> > Hi Graham
> > 
> > I am highly cynical about this, I realise, but I find it saves
> > time. With that in mind ...
> > 
> > This was discussed fairly extensively a few years ago when Outlook
> > Mobile became the "Microsoft-offered/preferred" mobile client. I
> > suspect that for most organisations who knew about it and actively
> > considered it, the risk analysis included "Well, we already bent
> > over ... er ... I mean, 'offloaded authentication to Azure' for
> > Office 365, my corporate credentials and email are already stored
> > by a company beholden to the PATRIOT Act etc, so what's one more
> > case of credentials stored blindly in the cloud - MS swear it's the
> > only/best way to do it and they must know what they're talking
> > about".
> > 
> > I decided back then I would let my employer decide that was OK for
> > their stuff, but for my own use I have a different Android client
> > (which supports all the Office 365 functionality anyway including
> > MFA, so Microsoft's justifications are hollow). Most of these
> > "decisions" on clients seem to be made by people on the basis of
> > "ooh shiny", at least within SMEs. I'm sure the ADF wouldn't be
> > using Mobile Outlook on this basis, right?
> > 
> > Anyway, for organisations, there's also some value in being able to
> > use Azure functionality to lock down mail to their own choice of
> > client and managed device, so when it's lost or the employee
> > leaves, company IP can be wiped (and they "know" it works). Those
> > who know about the credential caching/storage have their concerns
> > dismissed, and their successors have a harder time arguing for an
> > alternative, too, since Outlook is already in place. And since MS
> > hasn't enabled on-premises platforms for modern needs like MFA and
> > modern authentication, and is actively trying to make rentals the
> > only available option, I doubt the situation will improve.
> > 
> > Dave.
> > --
> > David Rawling - Principal Consultant
> > 
> > t: +61 41 213 5513  |  e: djr at pdconsec.net
> > 
> > Please note that whilst we take all care, neither PD Consulting and
> > Security nor the sender accepts any responsibility for viruses and
> > it is your responsibility to scan for viruses. The contents are
> > intended only for use by the addressee and may contain confidential
> > and/or privileged material. If you received this in error, we
> > request that you please inform the sender and/or addressee
> > immediately and delete the material.
> > 
> > On Fri, 2021-12-17 at 15:42 +1000, Graham Maltby wrote:
> > > Thanks everyone for the confirmation.
> > > 
> > > The process does not appear to have changed at all from what has
> > > been 
> > > described; still storing credentials and all the mail they can
> > > slurp. I 
> > > have never liked or used Outlook in any of it's various
> > > incarnations so 
> > > I've had little exposure to this.
> > > 
> > > I am somewhat surprised that this is not more well reported in 
> > > mainstream media. If any other app so blatantly stole your data
> > > and 
> > > shipped it off overseas, it would be all over the press as this
> > > should 
> > > be. But Microsoft, like a number of others, are big enough to get
> > > away 
> > > with this.
> > > 
> > > Cheers,
> > > Graham
> > > 
> > > 
> > > 
> > > On 17/12/21 14:01, Philip Loenneker wrote:
> > > > Hi Graham,
> > > > 
> > > > I don't know if this is still the case, but the original
> > > > "Outlook" app for mobiles saved your credentials on a server
> > > > and downloaded to there, then synced it down to your device. I
> > > > think they did that so they could do things like push
> > > > notifications when you get an email, which doesn't work if it
> > > > runs locally and the app isn't allowed to run in the
> > > > background. That was before Microsoft bought the app, but I
> > > > haven't looked at it at all since then.
> > > > 
> > > > Where I was working at the time, we were justifiably concerned
> > > > by this "feature", advised everybody to not use it, and blocked
> > > > it from working on the corporate Internet service.
> > > > 
> > > > It is possible that it operates differently now, but from what
> > > > you described, it sounds like they still do the same thing.
> > > > 
> > > > This rather old blog post discusses some of the security
> > > > concerns, but it's from 2015 and may be completely irrelevant
> > > > now.
> > > >
> >
> https://4sysops.com/archives/is-microsofts-outlook-app-for-ios-and-android-insecure/
> > > > 
> > > > Regards,
> > > > Philip Loenneker| Senior Network Engineer
> > > > TasmaNet | Vastnet | Netmode
> > > > 
> > > > -----Original Message-----
> > > > From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of
> > > > Graham Maltby
> > > > Sent: Friday, 17 December 2021 2:35 PM
> > > > To: ausnog at lists.ausnog.net
> > > > Subject: [AusNOG] Outlook Mobile (OT)
> > > > Importance: Low
> > > > 
> > > > Afternoon all,
> > > > 
> > > > While attempting to sort out some autodiscover / activesync
> > > > processes last night, I installed Outlook on my mobile (current
> > > > Android version from the Play Store). Setup and an account and
> > > > logged in.
> > > > 
> > > > To my dismay, I find my phone is not connecting over the LAN to
> > > > the server 4m away but instead a server in Seoul, South Korea
> > > > is connecting and downloading my mail instead. Aside from the
> > > > woeful performance, it raises a lot of concerns with privacy,
> > > > security and data sovereignty.
> > > > The most annoying part (if that was not sufficient), is that 14
> > > > hours after deleting the account from "all devices" and
> > > > uninstalling the app, the server is still logging in and
> > > > collecting mail now (or was until I changed the password).
> > > > 
> > > > Is this common knowledge I have just missed all these years?
> > > > 
> > > > Is there a reason the media are not making noise about this?
> > > > 
> > > > Does nobody care because it's pretty?
> > > > 
> > > > 
> > > > I have very low expectations when it comes to Microsoft but
> > > > this poor by any measure.
> > > > 
> > > > Graham
> > > > 
> > > > _______________________________________________
> > > > AusNOG mailing list
> > > > AusNOG at lists.ausnog.net
> > > >
> >
> https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.ausnog.net%2Fmailman%2Flistinfo%2Fausnog&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Cc78698f33b944aa750c408d9c10e5b4c%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753089685219848%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4mr8ny9ODSiKpYpshRZ0eVceTabA95bJbmfw7qhk0KI%3D&reserved=0
> > > 
> > > _______________________________________________
> > > AusNOG mailing list
> > > AusNOG at lists.ausnog.net
> > > http://lists.ausnog.net/mailman/listinfo/ausnog
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20211218/4d27939e/attachment.htm>

More information about the AusNOG mailing list