It was brought to my attention that Microsoft had recently launched a new iOS and Android Outlook {review app last week. Unlike previous Exchange sync features built into iOS and Android this new Outlook Preview app offered a more integrated approach to syncing email and calenders with Exchange servers and other ActiveSync servers such as MDaemon.

I thought it would be a good thing to test on my Android handset so I downloaded the app from the Google play store.

I setup a test account in MDaemon filled it with some email and calendar content, and set about testing the app.

Setup was very easy and looked just like the built in Exchange sync features and very quickly the app was syncing with MDaemon as expected.

There were some oddities with public and shared calendars but as the data synced in the background these folders started to fill with email and also appeared to work. There did appear to be a long delay here in comparison to the built in Android email app which did appear better.

However there is a much more worrying factor that only just became apparent when we prompted by one of our resellers to look at the ActiveSync Logs in MDaemon.

(Thanks for the heads up on this post and comments Chris@headtex !)

The worrying part!

Up until this point I was under the impression that the app was connecting directly to our MDaemon server in the same way the Android email app does. However looking at the ActiveSync log in MDaemon it became apparent the source IP of the ActiveSync session was not the network my phone was connecting from but instead an Amazon Web Service IP of “54.148.219.178”?

Why is that?

Well Microsoft are actually using a  ‘Acompli’ server hosted in AWS to connect to the ActiveSync server (MDaemon in my scenario) and sync all the data with it. Then the app connects to this 3rd party server.

Whats wrong with this?

Well the problem becomes most obvious when you remove the app from the phone, the Acompli server still continues to authenticate and sync with MDaemon. So in order for it to do this it must keep a copy of your account username and password. It’s also very likely that mailbox data is also kept on the server.

This document explains to some degree what Microsoft have access to.

(Thanks Dave Warren for providing this link)

What this means is that you are having to trust this 3rd Party server is secure and is only allowing access to this data from the relevant clients only.

Shortly after setting the app and account I actually removed the app as I believed it was impacting on my bandwidth at the time. Unfortunately it was only later that I was made aware that doing this does not remove the account from the Acompli server! It is possible to remove the account from within the app and during this process there is an option to also delete the account and data form the server. However it was too late for me to do this. So if you are testing the app I would recommend that you do this first before simply removing the app from the handset. Simply re-installing the app does not automatically bring back the previous account and settings so you only get once chance!

How does this effect the features of MDaemon?

One of the key features of the MDaemon ActiveSync server is the ability to control what data is stored and remains on the remote Handsets, This is done through the use of ActiveSync device policies.  Usually all ActiveSync communication is done directly between the Handset/device and MDaemon and so you can set device policies per handset and if required issue a soft or hard wipe of the handset should you think it has become lost or stolen.

However in the above scenario MDaemon is not connected to the handset – it is talking to the 3rd party AWS server so any policy or WIPE command is being sent to this.

As it happens it looks like these are ignored as well.

So what is the issue.

Well functionally the solution works OK, with exception of a few bugs, however from a security point of view not only is my data being accessed by a third party server, but if the app is removed before the account is deleted then the data and account details appear to remain on this 3rd party server and continue to access MDaemon.

Issuing a remote soft or hard wipe does not appear to be honored. (however without direct access to the server this is unclear)

For this reason we would recommend against using the Outlook Preview app at this point until Microsoft make it clear how secure it is and how to guarantee data is removed when needed.