Microsoft working to fix Outlook encryption flaw

Microsoft is developing a solution to an encryption flaw in the Outlook Android and iOS apps that cause some devices to ignore IT department passwords and policies, including encryption.

The company said additional features will be rolled out in the next few months to heighten security for corporate IT departments, including the addition of PIN lock and new Exchange ActiveSync policies.

Dirk Sigurdson, director of engineering at Rapid 7's Mobilisafe uncovered the flaw, and demonstrated how encryption policies are being ignored on some mobile devices.

Sigurdson explained in a blog: "[With Outlook for Android and iOS] any ActiveSync policy defined on the server is completely ignored. Your company can define a sophisticated passcode or encryption policy that will have absolutely no impact on devices if this new email client is used by your employees. There are other potential security issues with Outlook as well, but this one I think is the most egregious.

"If your organisation is dependent on ActiveSync policies in anyway you should immediately block ActiveSync access to Outlook for iOS and Android," he advised.

Another security blogger, Rene Winkelmeyer, warned of a number of other corporate security flaws in the Outlook apps when they were first released in January. He explained that Microsoft allows users to share corporate mail attachments with personal accounts, share ActiveSync IDs across a single user's devices and shares these credentials with Microsoft.

"The only advice I can give you at this stage is: block the app from accessing your companies [sic] mail servers. And inform your users that they shouldn't use the app," he explained.