
Microsoft updates Outlook app security, but haters still gunna hate

Amazon moving to Azure

By Darren Pauli, 19 Feb 2015

Microsoft has upgraded the security controls of its mobile Outlook app to allow credentials to be kept on its servers rather than Amazon's.

Security upgrades detailed in a Redmond blog include PIN lock enforcement and faster remote wiping of application data, some of which will be deployed in coming months, along with functionality improvements.

Microsoft said the updates were designed to meet user experience needs and business requirements.

"Over the coming weeks and months, we will deliver additional security and management features that matter to IT as well as user-focused features to help you get even more done while on the go," the Office 365 team wrote.

"Outlook now implements password enforcement using Exchange ActiveSync; if your company email policy requires that devices have a password in order to sync mail, Outlook will enforce this at the device level.

"We've also made improvements to how quickly admin-led remote wipes are executed—they now happen within seconds."

The server migration from Amazon Web Services to Azure was expected as part of Microsoft's acquisition of Acompli, the makers of what is now the Outlook app, but has not yet been implemented.

While the improvements will likely be welcomed by system administrators, it remains to be seen if the updates change attitudes among users like the EU Parliament, which torpedoed use of the app after discovering corporate credentials were being stored on third-party servers to facilitate iOS push notifications.

Those admins sided with developer Rene Winkelmeyer, who roasted the app for what he said were unacceptably lax security controls, pointing his finger at the storage of credentials on Amazon servers.

In an update to a blog detailing his initial concerns, Winkelmeyer said Microsoft would need to redesign the app to allow on-premises storage of credentials, or retrieve emails using periodic fetching.

He said Microsoft was restricted in the way it could notify users of new email under Apple's iOS requirements that prevent background apps from running for longer than 10 minutes. He indicated Microsoft may have to follow IBM's route for its ToDo app and allow companies' local servers to issue push notifications.

"You're giving away your credentials but it's the only way how Microsoft can handle it," Winkelmeyer said.

"So Microsoft has to build a way that allows [push notifications] by a local server [which will] change the need for storing data in the cloud."

Microsoft stands by its security arrangements and stated it uses best security practice.

Redmond's app now also features functionality for local contact synchronisation, email support for AOL and Comcast, and new on-screen gestures. ®
