Security for everyone

Hidden Threats in Mobile Mail Applications While Using Microsoft Exchange

SecurityForEveryone


14/Oct/22

Microsoft Exchange Server is an email server solution that is commonly used by businesses and organizations. Exchange allows users to easily send and receive emails, manage their calendars, and stay current with any changes to their contacts list. Exchange is available as a cloud solution or can be installed on your own premises.

Regardless of which installation you choose, you may use some mobile email applications such as Bluemail, Outlook, Newton, myMail, Boxer or Gmail with your Exchange account.

Using Exchange Server in the cloud has some advantages such as scalability and easier management. The main disadvantage is that you have to trust Microsoft with your data: all your email and other data will be stored and processed by Microsoft. Companies or organizations with privacy concerns often choose on-prem solutions, meaning they operate their Exchange Server in their own infrastructure. With this, their data is stored on their own server and cannot be accessed by third-party solutions.

Or so it is assumed!?

The Security For Everyone team has discovered that certain sensitive information is shared with third parties if you use some mobile mail applications to access your Exchange account.

This includes email content, attachments, contacts, and Exchange credentials (email and password).

Exchange Compatible Mobile App Security Reviews

Here is a table summarizing the results of our research (the per-application details follow below):

Application             Tested version    Credentials sent    Mail content sent    Attachments sent
                                          to 3rd-party        to 3rd-party         to 3rd-party
                                          servers             servers              servers
Microsoft Outlook       v4.2224           Yes                 Yes                  Yes
myMail                  v14.39.0.38591    Yes                 Yes                  Yes
Newton Mail             v10.0.95          Yes                 Yes                  Yes
Bluemail                v1.9.8.108        No                  No                   No
Boxer - Workspace ONE   v22.09.0.1        No                  No                   No
Gmail                   -                 No                  No                   No

Before we go into each mobile application analysis, we first want to mention our approach for this research project.

  1. The tests were performed on two separate on-premises Exchange servers, with two distinct accounts on each.
  2. The mail clients were chosen from among the most widely used.
  3. We do not know why some apps collect your Exchange credentials to support Exchange login while others do not.
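One way to reproduce this kind of check in your own environment, as an added example that is not the authors' tooling (the post does not say how its captures were made): record the requests a test phone sends while a mail client is used with an on-prem Exchange account (for instance through an intercepting proxy that terminates TLS), then run them through a small classifier that separates traffic to your own Exchange host from traffic to anyone else and looks for the test account's credentials and a planted message in whatever goes to third parties. The Exchange host name, the test account, the mailbox content and the sample flows below are all constructed for this example.

```python
"""
Added example (not from the original post): classify HTTP(S) requests
captured from a test phone while a mail client is used with an
on-premises Exchange account, and report per app what, if anything,
was sent to servers other than the Exchange server.

All of the following are constructed assumptions for the example:
  - the on-prem Exchange server answers at mail.example.internal
  - the test account is user@example.internal / "S3cr3t-Test!"
  - the test mailbox holds one planted message whose subject and
    attachment name we know, so we can recognise them in requests
Each flow is a dict with the client app, destination host, path,
request headers and decoded request body (TLS already removed).
"""
import base64
import json

EXCHANGE_HOST = "mail.example.internal"   # assumed on-prem server
TEST_USER = "user@example.internal"        # constructed test account
TEST_PASSWORD = "S3cr3t-Test!"             # constructed test password
KNOWN_SUBJECT = "Q3 budget draft"          # planted message subject
KNOWN_ATTACHMENT = "budget-q3.xlsx"        # planted attachment name


def _basic_token(user, password):
    """Base64 of user:password, as used by HTTP Basic authentication."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample flows for two hypothetical clients, AppA and AppB.
SAMPLE_FLOWS = [
    # AppA logs in to the on-prem server (expected) ...
    {"app": "AppA", "host": EXCHANGE_HOST, "path": "/Microsoft-Server-ActiveSync",
     "headers": {"Authorization": "Basic " + _basic_token(TEST_USER, TEST_PASSWORD)},
     "body": ""},
    # ... but also posts the same credentials to a vendor API ...
    {"app": "AppA", "host": "api.vendor-a.example", "path": "/v1/account/login",
     "headers": {},
     "body": json.dumps({"email": TEST_USER, "password": TEST_PASSWORD})},
    # ... and uploads the planted message, attachment name included.
    {"app": "AppA", "host": "sync.vendor-a.example", "path": "/v1/message",
     "headers": {},
     "body": json.dumps({"subject": KNOWN_SUBJECT,
                         "attachments": [{"name": KNOWN_ATTACHMENT}]})},
    # AppB talks to the on-prem server directly ...
    {"app": "AppB", "host": EXCHANGE_HOST, "path": "/EWS/Exchange.asmx",
     "headers": {"Authorization": "Basic " + _basic_token(TEST_USER, TEST_PASSWORD)},
     "body": "<t:Subject>Q3 budget draft</t:Subject>"},
    # ... and sends only a version ping to its vendor.
    {"app": "AppB", "host": "telemetry.vendor-b.example", "path": "/ping",
     "headers": {},
     "body": json.dumps({"device": "phone", "ver": "1.0"})},
]


def find_markers(flow):
    """Return the set of sensitive markers present in one request."""
    blob = flow.get("body", "") + " " + " ".join(flow.get("headers", {}).values())
    markers = set()
    if TEST_PASSWORD in blob:
        markers.add("password")
    if TEST_USER in blob:
        markers.add("username")
    if _basic_token(TEST_USER, TEST_PASSWORD) in blob:
        markers.add("basic-auth")
    if KNOWN_SUBJECT in blob:
        markers.add("mail-content")
    if KNOWN_ATTACHMENT in blob:
        markers.add("attachment")
    return markers


def classify_flow(flow):
    """Credentials sent to the Exchange host itself are expected; only
    markers that travel to any other host count as a leak."""
    third_party = flow["host"].lower() != EXCHANGE_HOST
    markers = find_markers(flow)
    return {"app": flow["app"], "host": flow["host"], "third_party": third_party,
            "markers": markers, "leak": third_party and bool(markers)}


def summarize(flows):
    """Per-app summary: third-party hosts contacted and what leaked to them."""
    summary = {}
    for flow in flows:
        c = classify_flow(flow)
        entry = summary.setdefault(c["app"], {
            "third_party_hosts": set(),
            "credentials_leaked": False,
            "content_leaked": False,
            "attachment_leaked": False,
        })
        if c["third_party"]:
            entry["third_party_hosts"].add(c["host"])
        if c["leak"]:
            if c["markers"] & {"password", "basic-auth"}:
                entry["credentials_leaked"] = True
            if "mail-content" in c["markers"]:
                entry["content_leaked"] = True
            if "attachment" in c["markers"]:
                entry["attachment_leaked"] = True
    return summary


if __name__ == "__main__":
    for app, result in summarize(SAMPLE_FLOWS).items():
        print(app, result)
```

Two caveats for real use: the classifier only matches the planted values verbatim, so a client that compresses, encrypts or hashes what it uploads will not be caught by string matching and needs manual inspection of the flow; and an app that pins its TLS certificate will not accept the proxy at all, which is itself worth noting in the review.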

Let's take a closer look at the security of popular mobile apps that are compatible with Microsoft Exchange.

1. Microsoft Outlook

Tested version: v4.2224.

Even if you use an on-prem Exchange Server, which means the server is set up in your company infrastructure, your credentials are still sent to other Microsoft servers when using the Outlook mobile application.

This is pretty weird. The information required to verify your username and password is stored on your company's Exchange server, not on Microsoft's cloud servers. A sample request to a Microsoft server is shown below:

Another interesting thing is that Outlook sends your mail content to the cloud. This request is sent whenever you open or send an email in Outlook mobile.

Lastly, Microsoft reads all of your mail attachments even if you use an on-prem solution. The request is triggered whenever a user opens an email that has an attachment. As can be seen in the captured request, the attachment name and content are sent to Microsoft cloud services.

2. myMail

Tested version: v14.39.0.38591

For each login to the myMail application with your Exchange account, your email address and password are sent to myMail servers as shown below.

In addition, similar to the Outlook mobile application, it sends the e-mail contents and e-mail attachments in your inbox to its own 3rd-party servers.

3. Newton Mail

Tested version: v10.0.95

During our research, we found that Newton Mail also transmits your email address and password to its servers when you log in.

This application is also among those that send your company's private data, such as e-mail contents and e-mail attachments, to its own 3rd-party servers.

4. Bluemail

Tested version: v1.9.8.108

Bluemail is a popular mail client application with over 1M downloads. It seems the application communicates directly with your on-prem Exchange server to operate.

Fortunately, in the above-mentioned version of this application, we have not seen any evidence that it shares your private data, such as mail and e-mail attachments, with any 3rd-party server.

5. Boxer - Workspace ONE

Tested version: v22.09.0.1

Good news! This application is one of those that process your private data only on your own servers.

6. Gmail

Don't worry. It seems the Gmail client does not send any credentials, mail contents or mail attachments to the cloud.

Conclusion

According to our findings, some of the mail applications that are compatible with Microsoft Exchange send your login information to, and process your e-mail content and attachments on, their own servers. We strongly recommend that you check the security policies of a mobile application before using it with your company's Microsoft Exchange account.

We all care about the privacy of our personal and corporate data, and our Exchange accounts are a very important part of that privacy. That is why we share the results of this review with you.
