News

Native Outlook for Android App Released

Microsoft released a native Outlook e-mail client app for Android on Wednesday.

• By Kurt Mackie
• 04/23/2015

Microsoft released a native Outlook e-mail client app for Android on Wednesday.

The company signaled in its announcement that the app is ready for use in production environments by organizations, although that requires an assessment. The app can be downloaded from the Google Play store here.

Outlook for Android will run on devices with Android 4.1 or greater versions operating systems. The client will work with Microsoft Exchange Server (such as Exchange 2007 SP2, 2010 and 2013), as well as Office 365's Exchange Online service. It also works with the Outlook.com service, as well as Gmail, iCloud and Yahoo Mail services.

Out of Preview
Outlook for Android, as well as Outlook for iOS, is based on technology Microsoft acquired when it bought Accompli. Previously, Outlook for Android was at the "preview" test stage. Microsoft announced today that Outlook for Android was "out of preview," avoiding its usual "general availability" terminology that signals it's a finished product ready for production environments.

The Outlook app is part of Microsoft's new rapid development cycle now, and the company plans to update it approximately "every few weeks," according to the announcement. Here's how Microsoft characterized that nuance:

This removal from preview is not a change in that plan or a statement that we are 'done.' We will continue our pace of updates to make the app better each week in response your feedback.

Security Controversy
Earlier this year, Outlook apps for iOS and Android devices engendered some controversy because these native clients partly depend on the use of Microsoft's datacenter "cloud" for security controls. In February, it was noted that the European Parliament had blocked access to Outlook apps for iOS and Android devices because of such uncertainties.

The issue was pointed out in a February Rapid7 blog post (that has since been pulled) by Dirk Sigurdson, director of engineering for Mobilisafe at Rapid7, a software security firm. He had suggested that ActiveSync security policies configured for servers would get ignored when using Microsoft's new Outlook apps for iOS and Android devices.

Those issues were mostly addressed by an update released that same month by Microsoft, Sigurdson noted, in an e-mail sent today:

In February Microsoft released an update which significantly improved upon the issue that I highlighted in my blog post. On iOS things are better but still not great. They now enforce that a passcode is set if the Exchange admin defines a policy requiring it. The main problem now however is that the finer grain policies, like specifying how complex a passcode must be are not supported on iOS. On Android, it looks like the passcode and passcode complexity requirements are fully supported.

Microsoft's February update added the ability to enforce a personal identity number (PIN) lock on the device in order to use Exchange ActiveSync to access mail. Some of the finer details, though, depend on the operating system controls, which are set by Apple and Google, respectively. However, the idea that passwords can be set and encrypted locally on the device seems to address some of the initial criticisms with the Outlook apps.

Sigurdson had not been alone in raising such questions. A critique had also come from René Winkelmeyer, head of development at midpoints GmbH, who claimed in a blog post that the Outlook app for iOS devices was storing "personal credentials and server data" on Amazon Web Services, which Microsoft uses to support its Outlook clients.

Winkelmeyer's complaint seems broader, though -- more about the potential hazards of using any cloud services. Microsoft uses OAuth for authentication delegation in Outlook, in some cases. However, according to Winkelmeyer, OAuth use doesn't solve the implicit security issues with using cloud services.

"As long as they [Microsoft] use a cloud-based service to check your ActiveSync account they'll have access," he wrote in a follow-up blog post.

Microsoft, for its part has said very little about such concerns, even with Outlook for Android now released for commercial use. IT pros looking for details on the security aspects of managing Outlook for Android can find some resources in Microsoft's "Outlook for iOS & Android -- Info for IT Pros" document. This document only seems to be available through this Yammer discussion page (sign-up may be required).

Microsoft's document (p. 2) explains that some accounts won't support the use of OAuth with the Outlook client:

Outlook uses OAuth for the accounts that support it (Outlook.com, OneDrive, Dropbox, Box, and Gmail). OAuth provides Outlook with a secure mechanism to access those cloud services without ever touching your password. For accounts that don't support OAuth (Exchange ActiveSync for on-premises Exchange or Office 365, Yahoo, and iCloud), we have to take a different approach.

That different approach apparently is the ability to set a PIN lock on Android devices to enable access via Exchange ActiveSync, as described above, although Microsoft's document doesn't really spell it out. Microsoft is planning to add OAuth support for its Office 365 services in the second quarter of this year.

By no means will Microsoft abandon cloud enablement for its iOS and Android Outlook apps, though. Microsoft's document explains that "in order to fulfill this promise of getting more done, Outlook needs two components -- a rich, cloud-enabled native app as the front end, powered by a secure and scalable cloud service on the back end."

According to the document, Microsoft's native mobile apps aren't covered by the promises of the Office 365 Trust Center, which describes security and compliance assurances for Microsoft's services. Neither are Outlook cloud services covered by Trust Center assurances. Apparently that's because the data are stored on the end user's device. Another reason, apparently, is because Microsoft uses Amazon Web Services to host the service. Microsoft plans to move Outlook cloud support to its Azure and Office 365 datacenters sometime "later this year."

IT pros trying to figure out if they can now securely run Outlook for Android with Exchange Server can find lots of details in Microsoft's "Outlook for iOS & Android -- Info for IT Pros" document. It concludes with these reassuring words:

Your unique device key is never stored in the Outlook cloud service. Your password is never stored on the device. This architecture means that in order for a malicious party to gain access to your password, they would need unauthorized access to the Outlook cloud service and physical access to your device.

Microsoft's announcement today indicated that it plans to "expand the capabilities that matter to IT" with its subsequent Outlook releases. Some of that work is happening on the mobile device management solution side. In March, Microsoft added a few of those management capabilities at no extra cost for its Office 365 customers. Its Intune mobile device management product is evolving, too, with recent updates for Android management arriving this week.

Outlook Web Apps Going Away
Microsoft's native Android and iOS apps are different from Microsoft's Outlook Web Apps (part of the Office.com series of apps), which are designed to run in a browser. The new native apps eventually will replace Microsoft's Outlook Web Apps, according to a blog post today by veteran Microsoft reporter Mary Jo Foley. The replacement will happen sometime this summer, according to Foley, who cited "officials" as the source.

In a response, a Microsoft spokesperson hinted that the Outlook Web Apps (OWAs) would be going away, although a timeline wasn't indicated.

"While we work to deliver all of the IT capabilities in the Outlook for iOS and Android apps, the OWA for iPhone/iPad/Android apps will remain in market for customers requiring the advanced Office 365 and Exchange Server features that these apps offer."