I would love to use this cool mail app – really. One of the pain points since moving away from Windows Phone (to me definitely the best phone on the market, with too many apps missing) is finding a good and efficient mail/calendar/task app. There are plenty out there, but hardly one that is as good as what I had on Windows Phone.
So far so good. Outlook on Android got released, and luckily I did not find time to install it! Everything (including user name/password and all the mails) gets routed through Microsoft servers in the US! We might have a chat about whether this makes sense for a consumer (my take is – it does not), but it is definitely a huge security vulnerability in a corporate environment. I mean, the app developers do nothing more than ask for your credentials to store them on a server in their environment. Give me a break! You cannot be serious, can you? One of the first lessons you learn developing is that you do not need plain-text passwords. And the second lesson is not to store user data in the Cloud unless you get the explicit and clear blessing of the user.
I am really worried – what happened to the Security Development Lifecycle? If you do a basic threat model on that, you will figure out that all the alarm bells go off loud and heavy.
We informed all our users and now block the use of this cool app on Exchange. This only limits and does not solve the problem, as a failed logon attempt still passes through the US. So if somebody installs the app (which then gets denied on our Exchange) and enters the credentials, they still pass through the US.
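One way to do the blocking described above on the Exchange side, as an added example that is not from the original post: an Exchange ActiveSync device access rule keyed on the device type the app reports. This assumes an Exchange Management Shell session and that the app identifies itself with the ActiveSync DeviceType "Outlook"; that value is an assumption here, so check the output of step 1 against your own device list before relying on it.

```powershell
# Added example, not the post author's own script. Assumes an Exchange
# Management Shell session (Exchange 2013 or later; on Exchange 2010 use
# Get-ActiveSyncDevice instead of Get-MobileDevice) and assumes the app
# reports the ActiveSync DeviceType "Outlook" (verify in step 1).

# 1. Find mailboxes that have already synced with the app, so those users
#    can be informed: their credentials have already transited the service.
$outlookDevices = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq 'Outlook' } |
    Select-Object UserDisplayName, DeviceModel, DeviceType, FirstSyncTime

$outlookDevices | Format-Table -AutoSize

# 2. Block every device that reports this DeviceType at the ActiveSync layer.
#    Existing partnerships are cut off on their next sync; new ones are refused.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString 'Outlook' -AccessLevel Block

# 3. Confirm the rule exists and is set to Block.
Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.QueryString -eq 'Outlook' } |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```

The rule is evaluated only after the user has authenticated, which is exactly the limitation the paragraph above points out: a blocked device still submits the credentials, and with this app they still travel through the intermediary service first. The rule therefore stops mailbox data from being synced through the app, not the credential exposure itself.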
If you were paranoid, you could ask whether this is a spy app by the NSA… It would work perfectly. You do not need to sniff anything. Just download all the corporate mail.