EU parliament bans Outlook app over cloudy security: report
Redmond says security controls check out
The EU Parliament has blocked politicians from using the Microsoft mobile Outlook app in the wake of security and privacy concerns centred on the siphoning of corporate credentials to a third party, according to reports.
The Parliament's IT department, DG ITEC, has reportedly told staff to delete the app and reset corporate email passwords if it was used.
The IT department was concerned that the app held password data 'without permission' on servers that were beyond its control.
Redmond held fast, saying the app met its security requirements. The credentials used by the service were "double-encrypted using a server per-account unique key" and a client device unique key, meaning credentials could be unlocked only by the server and app at runtime.
Tech shops at organisations including the University of Wisconsin-Madison and Delft Technical University blocked the app after German researcher Rene Winkelmeyer (@muenzpraeger) revealed a seemingly little-known detail: that it had shipped corporate credentials off to third-party servers.
The developer detailed his concerns a day after the app's launch late last month, explaining how it can store credentials in the cloud even after delete requests, and how it reportedly did not observe known good security practices.
The Outlook app was acquired by Microsoft along with a company called Acompli. The software's workings are described in a policy that appears to have been ignored by many users. Here are the relevant bits of that policy:
"... our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device [and] may be temporarily stored and indexed securely both in our servers and locally on the app on your device
If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app."
Concerned administrators can follow advice on controlling device access to block the app. ®