How secure is your current iOS SharePoint client with Office 365?


Updated 27 March 2012: With the release of SharePlus v3 and Filamente 1.6, the issue described below has been resolved in those products.

==================================================================

So, you’ve used a SharePoint client on an iOS device to access an Office 365 SharePoint site that you logged into with your unique identity and password. Say for this example, you have quite high privileges associated with your account e.g. Site Owner or Site Collection Administrator.

You test with the site to evaluate the SharePoint client application. Happy with your results, you then delete the site from within the client, assuming this is getting rid of all your settings and data.

You hand over to another member of staff who is a regular user of the same site with Contribute permissions so that they can test. They use the same iOS device and SharePoint client to connect to the same site. You’d expect this user would not be able to access the site without entering their own username and password.

Not so, based on what I’ve found in testing the clients so far.

Invalid Credentials

As per the image above, I’ve found that after an Office 365 site has been registered within an application and then deleted, it is possible to create a new association with the site and bypass entering valid user credentials. If prompted for authentication, I hit cancel and still got into the site and content.

Beyond the site URL in the above example, all I entered in the username and password fields was “x”. I got into the site with the privileges of the account that had been used for the deleted site.

The scenario above is only one way in which I believe this issue could currently be exploited.

This situation could be far worse if a personal device that is configured to use Office 365 sites containing sensitive material is lost or compromised.

There are device management solutions that can secure or protect devices, but that does not resolve the underlying issue. In my opinion, application level security needs to be improved to prevent these scenarios, i.e. the application should not let someone in without authenticating, and it should not let a different identity inherit the previous user’s permissions. If a site is deleted, everything associated with that site should also be deleted within the application.
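To make the flaw concrete, here is an added Python model (not code from any of the clients discussed) of a site store whose delete leaves the cached session behind, beside a version that purges it and always re-authenticates on re-registration. The site URL, the two accounts and the sign-in stub are constructed stand-ins for the Office 365 site and users in the scenario.

```python
import secrets

# Constructed stand-in for the Office 365 sign-in; not a real directory.
_DIRECTORY = {"owner@contoso.example": "Owner-Pass-1",  # site owner in the scenario
              "user@contoso.example": "User-Pass-2"}    # regular Contribute user

def authenticate(username, password):
    """Return a session record for valid credentials, else None (cancel == None)."""
    if username is not None and _DIRECTORY.get(username) == password:
        return {"user": username, "id": secrets.token_hex(8)}
    return None

class VulnerableClient:
    """Site list and session cache are separate; delete only touches the list."""
    def __init__(self):
        self.sites = {}      # url -> username shown in the site list
        self._sessions = {}  # url -> session record; survives delete_site()

    def add_site(self, url, username, password):
        # Bug: a stale cached session is reused without checking the new credentials.
        session = self._sessions.get(url) or authenticate(username, password)
        if session is None:
            return False
        self.sites[url] = username
        self._sessions[url] = session
        return True

    def delete_site(self, url):
        self.sites.pop(url, None)  # bug: the cached session is left behind

    def effective_identity(self, url):
        """Whose privileges the client actually uses for this site."""
        session = self._sessions.get(url)
        return session["user"] if session else None

class FixedClient(VulnerableClient):
    """Re-registering a site always authenticates; deleting purges all site state."""
    def add_site(self, url, username, password):
        session = authenticate(username, password)  # never trust a cached session here
        if session is None:
            return False
        self.sites[url] = username
        self._sessions[url] = session
        return True

    def delete_site(self, url):
        self.sites.pop(url, None)
        self._sessions.pop(url, None)  # everything keyed to the site goes with it
```

With the vulnerable class, re-adding the deleted site with “x”/“x” (or cancelling, modelled as `None` credentials) succeeds and `effective_identity` still reports the original owner; the fixed class rejects both and only grants the second user their own identity.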

This is of major importance for these applications to be considered of use to enterprises.

Vendor Responses

As the image above shows, I found this issue when looking at the Moprise client. I can actually get back into an Office 365 site without a username and password a day after originally deleting the site and having terminated the application completely. The only way I can prevent this behaviour is to delete and then reinstall the application.

I’m still in correspondence with Moprise around this issue and as yet there is no indication of when they may have a fix.

I could recreate this issue with Filamente Lite from Aircreek and contacted them. They were back to me pretty much immediately advising that they have fixed the issue and have included some additional improvements around site management. This fix will be in the next release of their application.

Similarly, I contacted Infragistics as I also found this issue was present within the SharePlus Lite application. Again, they were back to me extremely quickly. At this point, I understand a fix has been identified and will be included in the upcoming V3 release.

The only current application that I found that does not exhibit this behaviour is Colligo Briefcase Lite. When a site is deleted and then recreated, this client will not let you anywhere until you re-authenticate.

Conclusion

So, if you want the most secure client today, Colligo Briefcase looks to be the best one to go with.

Failing that, delete and reinstall the application to remove cached information until the updated versions become available.

About enigmaticit

Husband, father and acting IT Systems Analyst with keen interest in SharePoint, Lync 2010 and iOS.

Posted on 13/03/2012, in Authentication, Colligo, Filamente, iOS, iPad, Moprise, SharePlus, SharePoint.