A lot has happened over the last month regarding the new Microsoft Outlook for mobile devices. First, Microsoft bought Acompli and rebranded it as the Microsoft Outlook app. The app was distributed for both iOS and Android, and it was well received, according to the positive reviews all over the web. But then people objected on security grounds, saying that the Microsoft Outlook app for Android and iOS stores login credentials, calendar, task list, etc. in a third-party cloud.
Acting on these weaknesses of the app, the EU Parliament and a couple of other institutions blocked the Outlook app's access to their servers. We had earlier reported both the acquisition of Acompli by Microsoft and the EU Parliament's ban on Outlook.
Though Microsoft did not openly comment on the security and privacy issues that caused some institutions to block Outlook for iOS and Android in their workplace systems, it worked on parts of the app to improve its security.
The Outlook app now enforces password requirements using Exchange ActiveSync, which should bring it in line with the privacy policies of almost all institutions that wish to use Microsoft Outlook for Android and iOS. In a blog post, Microsoft said that if a company policy requires that devices have a password for syncing email, Outlook will enforce it at the device level. The way this works differs between iOS and Android, as they are two different operating systems.
On iOS, Outlook will check whether a password is properly set up. If it is, people can access Outlook. If there is no password, Outlook will lead them through setting one up so that they can access Outlook for iOS. If a user opts not to set up a password, he or she will not be able to access Outlook until the password is set up.
Screen lock rules will be enforced on Android devices. Since Android does not provide the encryption that iOS 8 and later versions provide, Microsoft will be using the password policies of Exchange to create a strong password. It will also help in setting the number of attempts one can make to unlock the device before the device is wiped. That is to say, if a password is entered wrong a few times, the device will be wiped so that it does not fall into the wrong hands.
Microsoft has also set up remote admin wipe so that, in case of lost devices, admins can wipe the app (and not the entire device, though the entire device can be wiped using Android Device Manager). In other words, if a device is lost, admins will make Microsoft Outlook for both iOS and Android unusable by wiping all of its data from the device.
These are some of the security changes made to address privacy concerns. However, it is not clear whether passwords and other information will be stored locally or in some more reliable place so that the third-party cloud issues do not arise again.