Security alert issued for Outlook mobile app

February 7, 2015

This message details a security concern involving about 170 campus users of the Microsoft Outlook mobile app. In short, the app is using a login method involving a cloud service. This means login information may be stored in the cloud service, which is not overseen by the University of Wisconsin–Madison.

This clearly poses a security risk, and the following information will detail the steps UW–Madison is taking. Campus leaders, campus IT and those affected have been notified. It is also noteworthy that other universities are experiencing similar issues, and taking action.

Microsoft recently released an Outlook app for iOS and Android that is essentially a rebranded app from a company called Acompli, which Microsoft bought a couple of months ago.

We have just learned of significant security issues with the iOS/Android Outlook app. The application stores each user’s NetID and password in a cloud service. The UW–Madison has neither a contract with, nor a security assessment from, the service.

Due to these issues, we are requesting that Exchange administrators block access to the Outlook app until a complete IT security review can be completed or Microsoft corrects the issue.

DoIT will begin blocking the Outlook app from accessing the campus Office 365 service starting at noon, Monday, February 9th.

The block will prevent syncing for approximately 170 Office 365 users. These users have been contacted and we have suggested they change their NetID password.

The native mail applications on iOS and Android are still considered safe for use.

If you have questions or comments, please see this document or contact help@doit.wisc.edu.

– See more at: http://www.doit.wisc.edu/news/important-security-information-ms-outlook-mobile-app-users/#sthash.9d0iG7Fn.dpuf