Is Acompli the next Linkedin Intro?

A little over a year ago Linkedin released a product called "Intro" that added details from Linkedin to email when viewed on your iPhone.

Within hours of it's release it became clear that the way they were doing this was to route the connection to your email server via their servers - in effect performing a "man-in-the-middle" attack on your connection. Amid countless claims of being insecure Intro never really took off, and they shuttered it a few short months later.

Fast-forward to yesterday when news broke that Microsoft had aquired Acompli, who, according to the press release, provide "innovative mobile email apps for iOS and Android".

I'd never heard of Acompli but a few web forums lit up with people saying they had tried it and loved the interface, so I decided to give it a go.

Things looked great for the first few minutes, until I received an email from them thanking me for installing it. Given that I hadn't given them my email (other than in the application configuration) this was a fairly obviously red flag for the app sending personal data back to the company behind it, so I went looking for their privacy policy and found :

Acompli’s service requires that certain data flow through the Acompli service so that we can index it and provide the Acompli experience on your mobile device.

[...]

That means that our service retrieves your incoming and outgoing email messages and securely pushes them to the Acompli app on your device.

That's right - Acompli's mobile app doesn't connect to your mail server, it connect to Acompli's servers, which then use the password you've given then to connect your mail servers. This can be confirmed by looking at the logs of it attempting to conncet to a "mail server" when setting up a new account :

54.148.8.27 - - [02/Dec/2014:15:12:44 -0800] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 404 4210 "-" "Acompli/backend-662"
54.148.8.27 - - [02/Dec/2014:15:13:18 -0800] "OPTIONS /Microsoft-Server-ActiveSync?User=myuser&DeviceId=382FB79915D390EA&DeviceType=Acompli HTTP/1.1" 200 3917 "-" "Acompli"

In effect, this is the same behavour that Linkedin Intro was doing - a Man-in-the-Middle between your client and your mail server. There's a slight difference in that Intro was doing it within the default email app where Acompli is doing it directly in their own app - but the end result is the same, your email/corporate password is being sent to a 3rd party, along with copies of all of your email. It's not clear if Acompli actually stores your password or if it's just used in a pass-through manner, but regardless the effect is the same.

If you run a corporate email server you probably want to try and block this service completely. The IP above maps to an AWS host so blocking by IP is likely going to be impossible. Thankfully they do seem to include a user-agent containing "Acompli" in all requests, so if you have the ability to block (or at least track) by User-Agent it should be possible to do it that way.

Interestingly Acompli also didn't seem to enforce any of the security policies required by Exchange (device PIN, encryption, etc) despite these being manditory for all clients licensed to use ActiveSync - which makes me question if they actually have a valid ActiveSync license.

It'll be interesting to see how this plays out with Microsoft buying them. Any ActiveSync licensing issues will obviously go away (and I'm sure the ActiveSync security enforcement will be fixed), but given their model seems to be completley based around man-in-the-middleing your email I can't see very many (ok, any!) corporates allowing their staff to use this client.