Microsoft Pushes New Security Features on Outlook App

Written by

Microsoft has updated its controversial Outlook smartphone app with new business-grade IT controls and promised to move its back-end platform from Amazon to Azure.

A blog post by the Office 365 Team pointed to a new PIN lock function, with password enforcement implemented using Exchange ActiveSync.

“If your company email policy requires that devices have a password in order to sync mail, Outlook will enforce this at the device level,” it noted. “How this works on iOS and Android devices varies slightly, based on the available controls provided by Apple and Google.”

On iOS 8 or later – the only versions for which the Outlook app is available – Outlook will check for a passcode and require one to be set-up in order to access the platform.

“These devices are shipped with built-in encryption, which Outlook uses once the passcode is enabled to encrypt all the data Outlook stores locally on the device,” said Microsoft. “Therefore, iOS devices will be encrypted whether the Office 365 or Exchange policy requires this or not.”

On Android, Outlook will lock the screen if no passcode is entered.

“Further, Google provides controls that allow Outlook to honor additional Office 365 and Exchange policies regarding password length and complexity requirements and the number of allowable screen-unlock attempts before wiping the phone,” the blog continued.

“It will also encourage storage encryption if it is not enabled. Outlook will guide users through this process with a step-by-step walk through.”

Microsoft also announced faster admin-led remote wipe functionality – which will now happen “within seconds” – IMAP support, and more options for conversation view in iOS.

There are also new capabilities for Android users keen to customize and change folders for swipe gestures.

Microsoft said a range of new security and management features would follow over the coming weeks and months, including “moving Outlook’s cloud service from Amazon Web Service to Microsoft Azure.”

When the Outlook app was launched back in January, IBM developer Rene Winkelmeyer raised serious security concerns with it – claiming the application would “break” corporate security.

The part he didn’t like was Microsoft storing user account credentials in the Amazon cloud to facilitate push notifications, without telling users.

He continued:

“A frequent scanning from an AWS IP to my mail account... [m]eans Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud! They haven’t asked me. They just scan. So they have in theory full access to my PIM data.”

However, it’s unlikely that moving Outlook to Azure will pacify Winkelmeyer, who is pushing Redmond to allow account log-ins to be stored on premise or to move from push notifications to a "periodic fetch". 

What’s hot on Infosecurity Magazine?