[AusNOG] Outlook Mobile (OT)

Philip Loenneker Philip.Loenneker at tasmanet.com.au
Mon Dec 20 09:09:34 AEDT 2021


I know that the Gmail app on Android works fine for MFA, but that's just trading which big organisation you're sharing your details with, I guess...


From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of David Rawling
Sent: Saturday, 18 December 2021 12:16 AM
To: <ausnog at lists.ausnog.net> <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] Outlook Mobile (OT)

Hi DaZZa

I didn't wish to mention it earlier and unprompted in case it felt like spam to people (yes, I'm from the old pre-eternal-September Internet), but Scott was on the money - Nine is the client I use personally (com.ninefolders.hd3 if you need the package name to find it).

Dave.

--
David Rawling - Principal Consultant

t: +61 41 213 5513  |  e: djr at pdconsec.net<mailto:djr at pdconsec.net>

Please note that whilst we take all care, neither PD Consulting and Security nor the sender accepts any responsibility for viruses and it is your responsibility to scan for viruses. The contents are intended only for use by the addressee and may contain confidential and/or privileged material. If you received this in error, we request that you please inform the sender and/or addressee immediately and delete the material.

On Fri, 2021-12-17 at 20:39 +1100, DaZZa wrote:
Hi Dave

Be good fella and elucidate us as to the name of this non-Microsoft android client that supports MFA, please?

The only reason I started using the streaming pile of putrid dog crap that is Outlook is because corporate decided to enforce MFA - and the Samsung/Android client didn't support that

I'd love to know a client that I can use that supports MFA and isn't Outlook.

Thanks

DaZZa

On Fri, 17 Dec 2021, 7:42 pm David Rawling, <djr at pdconsec.net<mailto:djr at pdconsec.net>> wrote:
Hi Graham

I am highly cynical about this, I realise, but I find it saves time. With that in mind ...

This was discussed fairly extensively a few years ago when Outlook Mobile became the "Microsoft-offered/preferred" mobile client. I suspect that for most organisations who knew about it and actively considered it, the risk analysis included "Well, we already bent over ... er ... I mean, 'offloaded authentication to Azure' for Office 365, my corporate credentials and email are already stored by a company beholden to the PATRIOT Act etc, so what's one more case of credentials stored blindly in the cloud - MS swear it's the only/best way to do it and they must know what they're talking about".

I decided back then I would let my employer decide that was OK for their stuff, but for my own use I have a different Android client (which supports all the Office 365 functionality anyway including MFA, so Microsoft's justifications are hollow). Most of these "decisions" on clients seem to be made by people on the basis of "ooh shiny", at least within SMEs. I'm sure the ADF wouldn't be using Mobile Outlook on this basis, right?

Anyway, for organisations, there's also some value in being able to use Azure functionality to lock down mail to their own choice of client and managed device, so when it's lost or the employee leaves, company IP can be wiped (and they "know" it works). Those who know about the credential caching/storage have their concerns dismissed, and their successors have a harder time arguing for an alternative, too, since Outlook is already in place. And since MS hasn't enabled on-premises platforms for modern needs like MFA and modern authentication, and is actively trying to make rentals the only available option, I doubt the situation will improve.

Dave.

--
David Rawling - Principal Consultant

t: +61 41 213 5513  |  e: djr at pdconsec.net<mailto:djr at pdconsec.net>

Please note that whilst we take all care, neither PD Consulting and Security nor the sender accepts any responsibility for viruses and it is your responsibility to scan for viruses. The contents are intended only for use by the addressee and may contain confidential and/or privileged material. If you received this in error, we request that you please inform the sender and/or addressee immediately and delete the material.

On Fri, 2021-12-17 at 15:42 +1000, Graham Maltby wrote:
Thanks everyone for the confirmation.

The process does not appear to have changed at all from what has been
described; still storing credentials and all the mail they can slurp. I
have never liked or used Outlook in any of it's various incarnations so
I've had little exposure to this.

I am somewhat surprised that this is not more well reported in
mainstream media. If any other app so blatantly stole your data and
shipped it off overseas, it would be all over the press as this should
be. But Microsoft, like a number of others, are big enough to get away
with this.

Cheers,
Graham



On 17/12/21 14:01, Philip Loenneker wrote:
Hi Graham,

I don't know if this is still the case, but the original "Outlook" app for mobiles saved your credentials on a server and downloaded to there, then synced it down to your device. I think they did that so they could do things like push notifications when you get an email, which doesn't work if it runs locally and the app isn't allowed to run in the background. That was before Microsoft bought the app, but I haven't looked at it at all since then.

Where I was working at the time, we were justifiably concerned by this "feature", advised everybody to not use it, and blocked it from working on the corporate Internet service.

It is possible that it operates differently now, but from what you described, it sounds like they still do the same thing.

This rather old blog post discusses some of the security concerns, but it's from 2015 and may be completely irrelevant now.
https://4sysops.com/archives/is-microsofts-outlook-app-for-ios-and-android-insecure/<https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2F4sysops.com%2Farchives%2Fis-microsofts-outlook-app-for-ios-and-android-insecure%2F&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Ca0b0bc3b36974d7191b808d9c168a85a%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753477802353102%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=EJGdRALn%2BSnO8ODfLPrm%2BJlB2HFs11BfoY5EzcGKls0%3D&reserved=0>

Regards,
Philip Loenneker| Senior Network Engineer
TasmaNet | Vastnet | Netmode

-----Original Message-----
From: AusNOG <ausnog-bounces at lists.ausnog.net<mailto:ausnog-bounces at lists.ausnog.net>> On Behalf Of Graham Maltby
Sent: Friday, 17 December 2021 2:35 PM
To: ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>
Subject: [AusNOG] Outlook Mobile (OT)
Importance: Low

Afternoon all,

While attempting to sort out some autodiscover / activesync processes last night, I installed Outlook on my mobile (current Android version from the Play Store). Setup and an account and logged in.

To my dismay, I find my phone is not connecting over the LAN to the server 4m away but instead a server in Seoul, South Korea is connecting and downloading my mail instead. Aside from the woeful performance, it raises a lot of concerns with privacy, security and data sovereignty.
The most annoying part (if that was not sufficient), is that 14 hours after deleting the account from "all devices" and uninstalling the app, the server is still logging in and collecting mail now (or was until I changed the password).

Is this common knowledge I have just missed all these years?

Is there a reason the media are not making noise about this?

Does nobody care because it's pretty?


I have very low expectations when it comes to Microsoft but this poor by any measure.

Graham

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.ausnog.net%2Fmailman%2Flistinfo%2Fausnog&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Cc78698f33b944aa750c408d9c10e5b4c%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753089685219848%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4mr8ny9ODSiKpYpshRZ0eVceTabA95bJbmfw7qhk0KI%3D&reserved=0<https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.ausnog.net%2Fmailman%2Flistinfo%2Fausnog&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Ca0b0bc3b36974d7191b808d9c168a85a%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753477802353102%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sliO9NDEgobTLMQtsf49Wm46RfI3zOIiqR%2FORJAd0Gg%3D&reserved=0>

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog<https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.ausnog.net%2Fmailman%2Flistinfo%2Fausnog&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Ca0b0bc3b36974d7191b808d9c168a85a%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753477802363062%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=WYAMcKHObHzvDgq3EVvvfJ3vgDVcVKy0Zi80oCdjCZM%3D&reserved=0>
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog<https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.ausnog.net%2Fmailman%2Flistinfo%2Fausnog&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Ca0b0bc3b36974d7191b808d9c168a85a%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753477802363062%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=WYAMcKHObHzvDgq3EVvvfJ3vgDVcVKy0Zi80oCdjCZM%3D&reserved=0>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20211219/d5f36e45/attachment-0001.htm>


More information about the AusNOG mailing list