University of California, Riverside

Security



New Outlook Mobile App


Dear Campus Community,

Microsoft has released an updated Outlook mobile app for Apple iOS and Android devices. These apps, which are rebranded from a recently acquired company, Acompli, significantly change the e-mail model used by the previous Outlook apps. Even though Microsoft claims credentials and e-mail content are securely protected and encrypted, this new connection model raises security and privacy concerns. The new app / approach stores users' email and content on a third party system that has NOT been vetted systemwide or here at UCR (additional background can be found below).
Given this potential security / privacy issue, C&C is recommending the following:

  • Campus users with access to protected or sensitive data should NOT use these Outlook apps until further notice.
  • Campus users who don't regularly transmit protected or sensitive data should nevertheless be aware that if they use these apps, their mail will be stored by a third-party vendor WITHOUT a business / security / privacy agreement with the University of California.
  • In general, UCR recommends using the native Mail client for iOS devices as well as the native client for Android systems.
  • If you have any questions, please contact the C&C helpdesk at helpdesk@ucr.edu or 951-827-3555.

Thank you,
Phyllis Franco,

--------------
Phyllis Franco
Manager, Computer Support Group
and Student Technology Services
Computing and Communications
University of California, Riverside 92521

Additional Information - Outlook Mobile App Security Notification

The new Outlook app supports multiple e-mail services, including Exchange, Office365, Hotmail, Yahoo, and Gmail. Additionally, the app supports cloud storage solutions such as Dropbox, Google Drive and Microsoft OneDrive. E-mail access using these new apps is provided through intermediate cloud gateway servers, currently hosted by Acompli/Microsoft. User e-mail credentials are stored on these gateway servers and used to download and maintain one month of e-mail from UCR mail servers. Acompli/Microsoft use this feature to provide enhanced mail organization and push notifications. In this new model, clients sync e-mail by connecting to the Acompli/Microsoft cloud servers rather than directly to UCR servers.

Computing & Communications wishes to emphasize that the new Outlook apps have not been thoroughly reviewed by campus security teams, and users should understand the security risks before using these apps with their UCR credentials. Moreover, campus users with access to protected or sensitive data should NOT use these Outlook apps until further notice. UCR is currently not blocking access to mail from these Outlook apps, but that may change as further information is collected. Since this is the official Microsoft Outlook app, it is likely to attract more faculty, staff and students, and we want the campus community to understand the risks of using this app.

The Outlook FAQ is located at:
https://support.office.com/en-us/learn/outlook-for-ios-and-android-faq
