Educause Security Discussion mailing list archives

Re: Use of Acompli to accelerate email to IOS and Android


From: "Douglass G. Burak" <burakd () BUCKS EDU>
Date: Fri, 30 Jan 2015 13:09:44 -0500

Another article on the topic...

http://windowsitpro.com/blog/do-ex-acompli-now-outlook-clients-really-compromise-security-or-everyone-overreacting

Douglass G. Burak
IT Security Officer
Bucks County Community College
Newtown, PA 18940

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Treble
Sent: Friday, January 30, 2015 12:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Use of Acompli to accelerate email to IOS and Android

We've also found with our tests yesterday that our ActiveSync policy that enforces a PIN code and auto-lock time can be bypassed using the Outlook mobile app.

An interesting article, if you haven't seen it yet...

http://www.theregister.co.uk/2015/01/30/dev_finds_bleak_security_outlook_for_ios_app/

Our mail team has found a way to block the app (we don't have an enterprise wide MDM solution yet), but it sends a 
confusing message to the end user.

From: Microsoft Outlook  <snip>
Date: January 30, 2015 at 9:56:28 AM CST
To: Test Mailbox <snip>
Subject: Your mobile phone has been denied access to the server via Exchange ActiveSync because of server policies.

Your phone won't be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server.

Information about your mobile phone:
Device model: Outlook for iOS and Android
Device type: Outlook
Device ID: <snip>
Device OS: Outlook for iOS and Android 1.0
Device user agent: Outlook-iOS-Android/1.0
Device IMEI:
Exchange ActiveSync version: 14.1
Device access state: Blocked
Device access state reason: DeviceRule

Sent at 1/30/2015 9:56:25 AM to <snip>.



David Treble
IT Security Coordinator
University of Manitoba
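The denial notification quoted above reports the client as DeviceType "Outlook" with reason "DeviceRule", which is what an Exchange ActiveSync device access rule produces. The following Exchange Management Shell commands are an added example, not the Manitoba mail team's actual procedure, showing how such a rule is created, how existing pairings are inventoried, and how the notification text can be supplemented; they assume Exchange 2010 SP1 or later and that the blocking is done with an organisation-wide device access rule rather than per-mailbox lists.

```powershell
# Added example (not from the thread): inventory, block and explain the
# Outlook for iOS/Android client using the characteristics the notification
# above reports. Assumes Exchange 2010 SP1+ and permission to manage
# ActiveSync organisation settings.

# 1. Inventory: which mailboxes have already paired the new client?
#    The notification identifies it by DeviceType "Outlook" and user agent
#    "Outlook-iOS-Android/1.0"; match on either in case one changes.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq 'Outlook' -or $_.DeviceUserAgent -like 'Outlook-iOS-Android/*' } |
    Select-Object UserDisplayName, DeviceType, DeviceUserAgent, DeviceAccessState, DeviceAccessStateReason, FirstSyncTime |
    Sort-Object UserDisplayName

# 2. Block: an organisation-wide device access rule keyed on DeviceType.
#    Matching devices end up with DeviceAccessState "Blocked" and reason
#    "DeviceRule", exactly what the quoted notification shows. Per-mailbox
#    ActiveSyncAllowedDeviceIDs / ActiveSyncBlockedDeviceIDs still take
#    precedence over this rule. Use -AccessLevel Quarantine instead if you
#    would rather review each device before deciding.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString 'Outlook' -AccessLevel Block

# 3. Reduce the confusion of the default denial email: UserMailInsert text is
#    appended to the notification every blocked or quarantined user receives.
Set-ActiveSyncOrganizationSettings -UserMailInsert 'Outlook for iOS and Android is not currently approved for institutional email. Please use the built-in mail app on your phone or contact the IT Service Desk.'

# 4. Verify the rule and the resulting device states.
Get-ActiveSyncDeviceAccessRule | Format-Table Characteristic, QueryString, AccessLevel -AutoSize
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessStateReason -eq 'DeviceRule' } |
    Format-Table UserDisplayName, DeviceType, DeviceAccessState -AutoSize
```

The inventory step is worth running before the rule is created, since it shows which users will receive the denial notification and lets the service desk be warned ahead of time.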
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Mike Osterman [ostermmg () WHITMAN EDU]
Sent: January 30, 2015 11:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Use of Acompli to accelerate email to IOS and Android
I think the issue with Acompli (or CloudMagic, Inky and the others that support non-OAuth mail) password storage is 
that it's storing the password on a remote server rather than on the person's device. There's always the risk that the 
app itself could turn evil and leak your credentials, but in the remote server scenario, you're providing a credential 
to a third party that could prove very dangerous in SSO-enabled environments like the EDU space. Sure, it's encrypted, 
but if they lost their encryption keys and the database, that's a pretty substantial loss.

Worse still, I don't think anyone but IT folks really understand the distinction of the location of the password 
storage or cares to do the research to make an informed decision.

Even in the OAuth scenario, you're avoiding the credential issue, but do still have highly-sensitive mail data (except 
in the case of Inky - http://inky.com/faq/) passing through 3rd party servers in most implementations. If an 
organization is using Exchange on-premise, then you'll lose the inherent data privacy benefit by having institutional 
mail data--"metadata" at a minimum--traveling outside the organization.

It's tough, because this new breed of mail clients offers some fantastic functionality (I personally love the Snooze 
feature in Mailbox.app and use it with my personal email), but there are privacy tradeoffs, and many of our 
institutions don't have the policies and/or technical controls in place to be able to address these risks.

Mike Osterman
Director, Enterprise Technology
Whitman College
(509) 527-5419

On Jan 30, 2015, at 9:00 AM, Steve Terry <terrys () DENISON EDU> wrote:

Dennis:

Microsoft purchased Acompli a short time ago and turned it into a new version of Outlook for iOS and Android devices:
http://www.theverge.com/2015/1/29/7936081/microsoft-outlook-app-ios-android-features

I have used Acompli for about a year and have found it to be a fantastic piece of software.  I have also downloaded and 
run the new version of Outlook to compare it to my previous version of Acompli - it is the same, but better!  (Add file 
access to Dropbox and other services.)

As for authentication (Denison is a Google Education shop), it prompts and uses our SSO authentication services to 
establish the initial connection to Gmail for us.  I see no differences, in this new version of Outlook, in terms of 
"storing" account information over any other previous iOS email clients.

Steve

Steve Terry
Director of Enterprise Applications
ITS
Denison University
Fellows Hall - 102B
Granville, OH 43023
740-587-8685 | www.denison.edu

On Fri, Jan 30, 2015 at 10:11 AM, Dennis Levine <dennis_levine () emerson edu> wrote:
Hi All.
Just wondering if anyone is using or is considering the use of Acompli (https://www.acompli.com) to accelerate email distribution to iOS and Android mobile devices.
I'm a bit hesitant because they require a login to the Exchange server and then store the email and account information on their servers, though they say it's encrypted.
Any thoughts,
Dennis

Dennis Levine | Network and Security Administrator | 120 Boylston Street  Boston, MA  02116-4624 | (617) 824-8972 | Dennis_Levine () emerson edu | www.emerson.edu