Here is a super generalized blurb I wrote back in 2018 to my userbase RE: not installing Outlook for iOS due to security concerns about the MITM nature of the connection.

"In 2014 Microsoft (MS) bought the company Acompli, absorbed their ActiveSync mail client and rebranded it Outlook for iOS. The application used a cloud tenant in AWS to cache ActiveSync credentials and mailbox content and acted as a man in the middle to request mail from a mail server and then forward it to the requesting iOS client. This is bad, as they have your actual email and your password stored in that cloud tenant.

MS addressed this partially at the end of 2016 and moved out of the AWS cloud to the O365 cloud; however, the data flow and caching still persisted (see embedded screenshot). MS further addressed the security issues by changing the authentication method for native cloud users (mailboxes in O365) to use OAuth or certificate-based authentication between cloud-hosted mailboxes and devices (no basic username/password). However, as we do not have our mailboxes in the cloud, the cloud tenant needs to keep a "cleartext" copy of our passwords in memory to access our mail servers.

Taking into account the man-in-the-middle nature of this connection and that mailbox data is stored in the cloud, this application is not authorized, as it does not conform to our current security posture for maintaining control of where our data lives."

When a user logs onto Exchange with Basic authentication, the username, password, and a unique AES-128 device key are sent from the user's device to the Outlook cloud service over a TLS connection, where the device key is held in runtime compute memory. After verifying the password with the Exchange server, the Microsoft 365 or Office 365-based architecture uses the device key to encrypt the password, and the encrypted password is then stored in the service. The device key, meanwhile, is wiped from memory and never stored in the Microsoft 365 or Office 365-based architecture (the key is only stored on the user's device).
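The following is an added illustration of the Basic-auth data flow described above; it is example code written for this page, not code from the post, from Microsoft, or from the Outlook app. It models the three parties (device, Outlook cloud service, on-prem Exchange) as small Python classes so you can watch where the password exists in cleartext at each step. Everything in it is an assumption of the example: the class and function names, the constructed `alice`/`hunter2` account, and the cipher, which stands in for AES-128 with an HMAC-SHA256 counter-mode keystream plus MAC tag because the standard library ships no AES. The protocol shape is what it demonstrates: the device owns the 128-bit key, the service keeps only ciphertext, and on every sync the service rebuilds the cleartext password in its own memory to speak Basic auth to the on-prem server.

```python
import base64
import hashlib
import hmac
import secrets

KEY_BYTES = 16  # 128-bit device key, sized like the AES-128 key in the description

# --- Symmetric envelope (stand-in for AES-128; an assumption of this example) ---
# Keystream from HMAC-SHA256 in counter mode, encrypt-then-MAC with an HMAC tag.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the key is wrong or the record was altered."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong device key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- The three parties (hypothetical names) ---------------------------------
def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class OnPremExchange:
    """Stand-in for an on-premises mail server that only accepts Basic auth."""
    def __init__(self, accounts: dict):
        self.accounts = accounts        # username -> password (constructed sample data)
        self.seen_auth_headers = []     # every Authorization header the server received

    def fetch_mail(self, auth_header: str) -> list:
        self.seen_auth_headers.append(auth_header)
        scheme, _, b64 = auth_header.partition(" ")
        if scheme != "Basic":
            raise PermissionError("401 Unauthorized")
        user, _, password = base64.b64decode(b64).decode().partition(":")
        if self.accounts.get(user) != password:
            raise PermissionError("401 Unauthorized")
        return [f"mail for {user}: constructed message 1"]

class OutlookCloudService:
    """The cloud hop between the device and the on-prem server."""
    def __init__(self, exchange: OnPremExchange):
        self.exchange = exchange
        self.records = {}               # username -> sealed password; no device keys kept

    def initial_login(self, user: str, password: str, device_key: bytes) -> bool:
        self.exchange.fetch_mail(basic_header(user, password))    # verify against Exchange first
        self.records[user] = seal(device_key, password.encode())  # keep only the ciphertext
        del device_key                  # drop the service's reference; only the device holds the key
        return True

    def sync(self, user: str, device_key: bytes) -> list:
        # The device presents its key again; the cleartext password is rebuilt here, in
        # service memory, because the on-prem server understands nothing but Basic auth.
        password = unseal(device_key, self.records[user]).decode()
        return self.exchange.fetch_mail(basic_header(user, password))

def password_from_record(blob: bytes, key: bytes):
    """What a holder of a stored record learns: the password only if they also hold the key."""
    try:
        return unseal(key, blob).decode()
    except ValueError:
        return None

def run_flow() -> dict:
    exchange = OnPremExchange({"alice": "hunter2"})  # constructed sample account
    service = OutlookCloudService(exchange)
    device_key = secrets.token_bytes(KEY_BYTES)      # generated and kept on the device
    service.initial_login("alice", "hunter2", device_key)
    mail = service.sync("alice", device_key)
    record = service.records["alice"]
    return {
        "mail": mail,
        "record_contains_cleartext": b"hunter2" in record,
        "exchange_saw_cleartext": all(h == basic_header("alice", "hunter2")
                                      for h in exchange.seen_auth_headers),
        "recovered_with_device_key": password_from_record(record, device_key),
        "recovered_with_wrong_key": password_from_record(record, secrets.token_bytes(KEY_BYTES)),
    }

if __name__ == "__main__":
    for name, value in run_flow().items():
        print(f"{name}: {value}")
```

Running it shows the two halves of the argument side by side: the stored record does not contain the password and is useless without the device key, but the on-prem server receives the cleartext password in a Basic header on every sync, so the service must hold that cleartext (and, transiently, the key) in runtime memory each time it fetches mail on the device's behalf.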