Category Archives: microsoft

StackOverflow developer survey shows decline in C#, Windows

StackOverflow, a popular (and the best) site for programming queries, has published its annual developer survey. Respondents included:

26,086 people from 157 countries participated in our 45-question survey. 6,800 identified as full-stack developers, 1,900 as mobile developers, 1,200 as front-end developers, 2 as farmers, and 12,000 as something else.

That is a decent sample size, though not necessarily representative of the entire developer community.

What is notable? Here are a few things that stood out for me:

Developers are young. The largest group is 25-29 and the average age 28.9 years old.

92.1% of respondents are male. Ouch.

Software is still a good bet for a career even if you have no qualifications. 41.8% declared themselves self-taught. That said, it is not clear to me what proportion of respondents do programming as their main job. Presumably not the two farmers?

If you look at the “Most popular technologies”, there is a striking decline in C# over the last three years:

2013: 44.7%

2014: 37.6%

2015: 31.6%

That’s a shame because C# is an excellent language. The reason? It’s speculation, but it probably means less Windows development, whether server or desktop.

Swift is top of the “most loved” list, meaning a language that developers intend to continue with. Salesforce tops the “most dreaded”, meaning a platform that developers cannot wait to abandon, followed by Visual Basic.

What OS do developers use on the desktop? Here, Windows remains the biggest, but is declining:

2013: 60.4%

2014: 57.9%

2015: 54.5%

Windows XP has declined dramatically, down from 10.8% in 2013 to 1.0% today.

Where have developers gone, if they no longer use Windows? Mac is up over the period, but only by 2.8% share. 3.5% are using “Other”, interesting (Chromebook?).

I’ll stop there; I don’t want to spoil the survey.

Conclusions? This puts some data (albeit imperfect) on the theory that Microsoft is losing its grip on the developer community – though note that Microsoft’s technology in general remains popular, just less so than before.

Postscript: Several on Twitter have observed that most languages have declined over the period, not just C#. Here’s the difference in share from 2013 to 2015 for some of them:

JavaScript: –2.2%

SQL: –11.6%

Java: –5.1%

C#: –13.1%

PHP: –5.1%

In other words, all of the top 5 have declined, though C# has declined the most.

What does this mean? Since the numbers sum to more than 100%, it might imply more specialisation. Or it might just say something about how the StackOverflow community has evolved, since that is the source of the data. Still, it seems to me that you cannot spin this as good news for Microsoft, though it might be less bad than it first appears.

Delphi and RAD Studio 2015 roadmap: no Universal Apps?

Embarcadero has posted a roadmap for RAD Studio 2015, its suite of tools for building apps for Windows, Mac, iOS and Android.

Note that the company says the (sketchy) plans outlined are “not a promise, or a contract”.

I will be interested to see if the company intends to support the Windows 10 Universal App Platform (UAP), which Microsoft is pushing as the future of Windows client app development. UAP apps run on the Windows Runtime, a sandboxed environment introduced in Windows 8. In Windows 10, UAP apps are integrated with the Windows desktop, and run on Windows Phone and Xbox as well as on PCs and tablets.

When Windows 8 came out, Embarcadero came up with a project type called “Metropolis”, which simulated the Windows 8 Metro environment but with a Win32 executable. It was neither one thing nor the other, and mostly ignored as far as I can tell. That said, lack of support for Windows 8 Store apps proved to be no big deal, because of the low take-up for the platform in general. At this stage, nobody knows whether the UAP may be similarly unsuccessful, though it seems to me that it has a better chance thanks to its broader scope and changes that have been made.

The roadmap promises “Integration with new Windows 10 platform technologies” but does not promise support for the Windows Runtime or UAP, so my assumption for the moment is that Embarcadero is steering clear for the time being. There may also be technical challenges.

Not much new is promised for the venerable VCL (Windows-only apps), and only a little more for the cross-platform FireMonkey: new mobile components including Maps, a WebBrowser component for desktop apps, and more iOS platform (real native) controls.

A new iOS 64-bit compiler is promised, as well as moving the Win32 compiler to an LLVM-based toolchain, as is already the case for 64-bit Windows.

There is an Internet of Things slide which promises “mobile proximity integration” and components for connecting to different devices. Exactly what is new compared to the IoT support described here for XE7 is not clear to me.

Under consideration, Embarcadero says, is Linux server-side support for its middle-tier technologies like DataSnap, support for Intel Android, and a 64-bit toolchain for Mac OS X.

Since it is on SlideShare, I can embed the whole thing here:

This is some help I guess; though I recall much past angst expressed on the Embarcadero forums about these roadmaps, or the lack/lateness of them. The problem, I guess, is that roadmaps are of little benefit to the tools vendors, since they have potential to fuel discontent, set expectations that may later prove unrealistic, and give away plans to competitors.

This may explain why this one has so little content. Embarcadero could work a bit harder on the presentation as well; this really does not have the look of being the exciting next generation of a powerful cross-platform toolkit.

Windows 10 at Mobile World Congress 2015: a quick reflection

I attended Mobile World Congress in Barcelona last week – with 93,000 attendees and 2,100 exhibitors according to the latest figures.

It was a big event for Microsoft’s new Windows. It started for me on the Saturday before, when Acer unveiled a low-end Windows Phone (write-up on the Reg). Next was Microsoft’s press conference; Stephen Elop was on stage, presenting two new mid-range Lumias as if nothing had changed since last year when he announced the now-defunct Nokia X.

The Lumia 640 looks good value, especially in its XL guise: 5.7” 1280 x 720 display, 8GB storage plus microSD slot, 13MP camera, 4G LTE, quad-core 1.2GHz CPU, €189 ex VAT. The smaller Lumia 640 is now on presale at £169.99; we were told €139 ex VAT at MWC, so I guess the real price of the 640XL may be something like £230, though there will be deals.

These phones will ship with Windows Phone 8.1 but get Windows 10 when available.

The big Windows 10 event was elsewhere though, and not mentioned at the press conference. This was the developer event, where General Manager Todd Brix, Director of Program Management Kevin Gallo and others presented the developer story behind the new Universal App Platform (not the same as the old Universal App Platform, as I explain here).

This was the real deal, with lots of code. There was even a hands-on session where we built our own Universal Apps in Visual Studio 2015. Note that the Visual Studio build we used featured an additional application type for Windows 10; this is not the same as a Store app in Windows 8, though both use the Windows Runtime.

As someone with hands-on experience of developing a Store app, I am optimistic that the new platform will achieve more success. It is a second attempt with a bit more maturity, and much greater effort to integrate with the Windows desktop, whereas the first iteration went out of its way not to integrate.

Much of the focus was on the Adaptive UX, creating layouts that resize intelligently on different devices. The cross-platform UI concept is controversial, with strong arguments that you only get an excellent UI if you design specifically for a device, rather than trying to make one that runs everywhere. The Universal App Platform is a bit different though, since it is all Windows Runtime. Microsoft’s pitch is that by writing to the UAP you can target desktop, Windows Phone, tablet and Xbox One, with a single code base; and without a cross-device UI this pitch would lose much of its force. Windows 7 legacy is a problem of course; but if we see Windows 10 adopted as rapidly as Windows 7 (following the Vista hiccup) this may not be a deal-breaker.

The official account of the MWC event is in Gallo’s blog post which went out on the same day. There was much more detail at the event, but Microsoft is holding this back, perhaps for its Build conference at the end of April. So in this case you had to be there.

Aside: if you look at the publicity Microsoft got from MWC, you will note that it is mostly based on the press conference and the launch of two mid-range Lumias, hardly ground-breaking. The fact that a ton of new stuff got presented at the developer event got far less attention, though of course sharp eyes like those of Mary Jo Foley were onto it. I have a bias towards developer content; but even so, it strikes me that a session of new content that is critical to the future of Windows counts for more than a couple of new Lumias. This demonstrates the extent to which the big vendors control the news that is written about them – most of the time.

Microsoft and Salesforce: Office 365 integration in Salesforce 1

Salesforce has posted a video showing Microsoft Office 365 integration in the forthcoming version of Salesforce 1, its cloud platform and mobile app.

The demo is not in the least elaborate. It shows how a user opens the Salesforce 1 app on an iPhone, searches for a document on Office 365 and previews it in the app, taps the Word icon to edit in Word on the iPhone, and shares the document with a colleague.

Not much to it; but it is the kind of workflow that makes sense to a busy executive.

This interests me for several reasons. One is that, historically, Salesforce and Microsoft are not natural partners. Salesforce CEO Marc Benioff loves poking fun at the Redmond company. I remember how he spoke to the press about “Microsoft Azoon” soon after the launch of Azure. He did not believe that Microsoft grasped what cloud computing was. Of course his product also competes with Microsoft’s Dynamics CRM.

That said, Salesforce always tied in with Microsoft products like Active Directory and Outlook, because it needed to. It could be the same today, as Office 365 has grown too big to ignore, but I am sensing a little more warmth from Benioff in Microsoft’s Nadella era.

It is also worth noting that the workflow above needs iOS Office to work well. The example edit could have been done in Office Web Apps, I guess, but the native app is a much better experience. Microsoft’s decision was: do we keep Office as a selling point for Windows, or do we try to keep Office as the document standard in cloud and mobile, as it has been on the desktop? It chose the latter path, and this kind of partnership shows the wisdom of that strategy.

Notes from the field: when Outlook 2010 cannot connect to Office 365

If you set up a PC to connect to Office 365, you may encounter a problem where instead of connecting, Outlook repeatedly prompts for a password – even when you have entered all the details correctly.

I hit this issue when configuring Outlook 2010 on a new PC. It was not easy to find the solution, as most technical help documents suggest that this is either a problem with the autodiscover records in DNS (not so in this case), or that you can fix it with manual configuration of the connection properties (also not so in this case).

Note that if you are using Office 2010, you should install the desktop setup software from Office 365 before trying to configure Outlook. However this still did not work.

The clue for me was when I noticed that Outlook 2010 was missing a setting in network security for Anonymous Authentication.

In order to fix this, I installed Office 2010 Service Pack 2, and it started working. The problem is that if you set up a new PC using an Office 2010 DVD, it takes a while before everything is up to date.

I heard of another business that had this problem and decided to upgrade their Office 365 subscription to include the latest version of Office, rather than figuring out how to fix it. Now that plans including desktop Office are reasonably priced, this strikes me as a sensible option.

Microsoft publishes new OneDrive API with SDK, sample apps

Microsoft has announced a new OneDrive API for programmatic access to its cloud storage service. It is a REST API which Microsoft Program Manager Ryan Gregg says the company is also using internally for OneDrive apps. The new API replaces the previous Live SDK, though the Live SDK will continue to be supported. One advantage of the new API is that you can retrieve changes to files and folders in order to keep an offline copy in sync, or to upload changes made offline.

Unfortunately this does not extend to only downloading the changed part of a file (as far as I can tell); you still have to delete and replace the entire file. Imagine you had a music file in which only the metadata had changed. With the OneDrive API, you will have to upload or download the entire file, rather than simply applying the difference. However, you can upload files in segments in order to handle large files, up to 10GB.

I have worked with file upload and download using the Azure Blob Storage service so I was interested to see what is now on offer for OneDrive. I went along to the OneDrive API site on GitHub and downloaded the Windows/C# API explorer, which is a Windows Forms application (why not WPF?). This uses a OneDrive SDK library which has been coded as a portable class library, for use in desktop, Windows 8, Windows Phone 8.1 and Windows Phone Silverlight 8.

I have to say this is not the kind of sample I like. I prefer short snippets of code that demonstrate things like: here is how you authenticate, here is how you iterate through all the files in a folder, here is how you download a file, here is how you upload a file, and so on. All these features are there in this app, but finding them means weaving your way through all the UI code and async calls to piece together how it actually works. On top of that, despite all those async calls, there are some performance issues which seem to be related to the smart tiles which display a preview image, where possible, from each file and folder. I found the UI becoming unresponsive at times, for example when retrieving my large SkyDrive camera roll.

Gregg makes no reference in his post to OneDrive for Business, but my assumption is that the new API only applies to consumer OneDrive. Microsoft has said though that it intends to unify its two OneDrive services so maybe a future version will be able to target both.

At a quick glance the API looks different to the Azure Blob Storage API. They are different services but with some overlap in terms of features and I wonder if Microsoft has ever got all its cloud storage teams together to work out a common approach to their respective APIs.

I do not intend to be negative. OneDrive is an impressive and mostly free service and the API is important for lots of reasons. If you find the OneDrive integration in the current Windows 10 preview too limited (as I do), at least you now have the ability to code your own alternative.

Universal Apps: a look at Microsoft’s first efforts on Phone and PC

Windows 10 for phones is now available on preview; I wrote a first-look piece for The Register here. I like it better than I had expected; it is a bit laggy but pretty much stable and with some compelling new features.

The main interest of the preview for me though is the appearance of first-party universal apps. Since these form a key part of the strategy for Windows 10, it seems to me that they merit close attention; after all, this is what Microsoft is hoping other developers will do when creating apps for Windows. Universal apps are not actually new in Windows 10 – you can write one today for Windows 8 and Windows Phone – but in the forthcoming Windows they run on the desktop rather than just in the tablet environment. There are also changes in the Windows Runtime API and frameworks though these are currently undocumented as far as I am aware (wait for Build!)

How many Microsoft universal apps are there in Windows 10, designed for both tablet and phone? Quite a few. The ones I am looking at here are Settings (not sure if this is actually the same app), Calculator, Photos, Sound Recorder, Alarms and Feedback.

There is more coming, most notably Outlook (including Mail and Calendar), Word, Excel and PowerPoint. The latter three are already available in preview in Windows 10 for PCs and tablets, but not yet for phone. However, the Android and iOS phone versions are probably a good indication of what is to come, at least for Word, Excel and PowerPoint. For Outlook there is some confusion caused by Microsoft acquiring third-party apps and rebadging them, so in these cases Windows 10 may diverge more from iOS and Android.

Enough apps then to be significant. In the screenshots that follow, I have shown in most cases three versions of each app: Windows Phone 8.1 (the equivalent app, not a universal app), Windows 10 PC, and Windows 10 phone. My general observations are:

1. The old Windows Phone version is more carefully optimized for a smartphone, with a chunky UI that is optimized for touch.

2. The new apps have more functionality, as you would expect for apps that need to work on the desktop where expectations are higher.

3. The new apps have a distinctive look and feel compared to either Windows Phone 8.1 apps, or Windows 8 “Metro” apps. Needless to say, they look different from Windows 7 style desktop apps as well. These are still Windows Runtime (the platform underlying “Metro” or “Store” apps) but in general the UI is denser than before; there is more information on view in a single screen.

While I have some doubts about the usability of the new apps on a phone, this seems to me a good direction overall; the phone is benefiting from work Microsoft is doing for the PC and vice versa. I think we will see better, more useful apps on both platforms as a result.

Now for the screenshots:

Calculator

[Screenshots: Windows Phone 8.1, Windows 10 Phone, Windows 10 PC]

A good example of how the new app is more functional but less well optimized for touch.

Alarms

[Screenshots: Windows Phone 8.1, Windows 10 Phone, Windows 10 PC]

I have cheated a bit here because there is no world clock in the old Alarms app!

Sound Recorder

[Screenshots: Windows 10 Phone, Windows 10 PC]

No Phone 8.1 version. But you can see this really is the same app. I am glad to see this on the phone; it is an update of an ancient Windows accessory and actually useful.

Photos

[Screenshots: Windows Phone 8.1, Windows 10 Phone, Windows 10 PC]

Feedback

[Screenshots: Windows 10 Phone, Windows 10 PC]

While this is the same app, you can see that Microsoft has adapted the UI for the phone. In the Phone version, you hit the All Categories link to see the categories and select. In the PC version, they are listed in a left-hand column. The Universal App concept allows for a totally different UI on different devices if necessary.

Settings

[Screenshots: Windows Phone 8.1, Windows 10 Phone, Windows 10 PC]

The Settings app is radically changed in Windows 10; a good thing in that the Windows Phone 8.1 settings is a hopelessly long and confusing list and needed some organisation. The Windows 10 PC version looks different but has the same sections and icons.

Restoring a system image backup on Windows 7 when system recovery fails

I was asked to look at a laptop over the weekend. It was an HP running Windows 7 Home Premium, and the user was having problems installing applications. I noticed several things about it:

  • Lots of utilities like registry cleaners, system care, driver accelerator and more were installed
  • When I tried to remove the third-party firewall and use the Windows firewall instead, the Windows firewall could not be fully enabled
  • Most applications could not be removed using Control Panel – Programs and Features
  • Right-clicking a network connection and choosing Properties gave an error

When Windows is in this kind of state it makes sense to reinstall from scratch. There was an intact recovery partition, so I backed up the data and ran system recovery. This seemed to go fine until right at the end, when it gave an error and invited me to contact HP support. Oddly, if I chose HP’s “Minimized Image Recovery” I still got an error, but it did give me a working “Windows Basic” installation. Windows Basic is not much use, though, because of some arbitrary limitations Microsoft imposed.

Now I had a problem, in that the system recovery had successfully removed the old Windows install, but had failed to install a new one.

One solution would be to re-purchase Windows or try to get recovery media from HP, but before going down that route, I decided to use a system image backup that had been made earlier. There was a backup from a year or so ago on a USB hard drive. I booted using a Windows 7 DVD, chose Repair your computer, then System Image Recovery.

Unfortunately Windows refused to list the backed up system image, even though it was in the standard location under WindowsImageBackup. Since the backup was not listed, it could not be restored.

Fortunately there is another approach that works. A system image backup actually creates a virtual hard drive (.vhd) for each of the drives you select. You can zap the contents back onto the real hard drive to restore it.

This HP has three partitions. One is a small system partition used for booting, one is the main partition (C drive) and one is the recovery partition. The main partition is the one that matters. Here is what I did.

First, I installed Drive Snapshot, a utility I’ve found reliable for this kind of work.

Next, I plugged in the USB drive and found the .vhd file. These are located in WindowsImageBackup\[NAME OF PC] and have long names with letters and numbers (actually a GUID) followed by .vhd. The old C drive will be the largest file (there are usually at least two .vhd files, the smaller one being the system partition).

Step 3 is to mount the vhd so it looks like a real drive in Windows. You do of course need a working Windows PC for this; even Windows Basic will do, or you can use a spare PC. I opened a command prompt using Run as administrator and ran DISKPART. The commands are:

select vdisk file="path\to\vhd\filename.vhd"

attach vdisk

I generally leave DISKPART open so you can detach the vdisk when you are done.

When you enter “attach vdisk” an additional drive will appear in Windows Explorer. This is your old drive. You can copy urgent documents or data from here if you like.

The goal though is to restore your PC. Run Drive Snapshot or an equivalent utility.

Choose Backup Disk to File. Select your old drive and back it up to an external USB drive. I hesitate to mention it, but you also need to keep the drive with the .VHD on it attached for obvious reasons! You can back up to that same drive if there is room.

Once complete, go back to DISKPART and enter:

detach vdisk

Now you need to use Drive Snapshot to restore your old hard disk. I was lucky in this case; I could run the utility in Windows Basic on the laptop itself and restore it from there. Drive Snapshot is smart enough that you can even restore the drive where it is running, after a reboot. You could also use pretty much any old version of Windows, no need to activate it, just to run the utility.

After the restore I was able to boot Windows and all was well, apart from the hundreds of Windows Updates needed for an OS that was a year out of date. In some cases though you might need to go back into system recovery to repair the boot configuration; it usually does that pretty well.

Microsoft open sources heart of .NET: CoreCLR runtime now on GitHub

Microsoft’s CoreCLR is now available on GitHub. We knew this was coming, but it is still a significant step, since this piece is the very heart of .NET: the execution engine that consumes a .NET IL (Intermediate Language) executable and compiles it to machine code for execution. The IL can easily be decompiled back to C#; it is in a sense fairly close to what you wrote in the editor. The CLR piece compiles it to a native executable, and also handles garbage collection (automatic memory management) and interop with other native code libraries. The just-in-time compiler in CoreCLR is called RyuJIT.

CoreCLR is not the same as the .NET Framework CLR (as found in the Windows desktop today), though one thing we now learn is that it is a true subset:

CoreCLR is a subset of the .NET Framework CLR. They share the same codebase and are updated together. For example, an update to the .NET GC improves both CoreCLR and the .NET Framework CLR.

We set up a live 2-way mirror between the coreclr repo on GitHub and the .NET Framework TFS server within Microsoft. The latency of the mirror is low, measurable in minutes.

Contributions made to the coreclr repo are integrated to the Microsoft TFS server automatically and will become part of both the .NET Framework and .NET Core products. The same is true in reverse, that .NET Framework CLR changes (within the CoreCLR subset) are mirrored to the CoreCLR repo. These changes will sometimes result in large commits to unrelated components.

This is good news since it reduces the risk of fragmentation between the .NET Framework and the CoreCLR. Note that the same does not apply to the framework libraries, which are forked between .NET Framework and CoreFX. The reason for the fork is to enable cross-platform .NET and to benefit from greater modularity in the Framework without breaking the existing .NET Framework.

Some other points of interest:

  • CoreCLR will run on Linux and Mac but not yet; this is work in progress
  • CoreCLR powers Windows Phone apps as well as ASP.NET 5
  • CoreCLR uses the CMake build system rather than MSBuild, because it runs cross-platform

There is a key architectural difference between CoreCLR and the .NET Framework, which is that in CoreCLR each application is deployed with the runtime and libraries it requires, whereas in the .NET Framework applications depend on a system-managed runtime and shared libraries. This has the advantage that applications are standalone, and you could run one from say a portable USB drive on a system which did not have .NET or Mono installed.

The disadvantage, aside from greater use of disk space, is that patching the same libraries across multiple applications is hard. In the interview here Microsoft offers a clue about how it might come up with a solution for this. Jan Kotas on the CLR team talks about an ideal scenario where identical copies of the same DLL are in fact shared even though each application appears to have its own copy. This sounds similar to the mechanism used by de-duplication in Windows Server. The file system makes it look as if several copies of a file exist in different directories, but in fact there is only one. If you update a file though, the right thing happens and only the virtual copy that you overwrite is changed. It sounds as if Kotas has in mind a variant where you could say, “update this file and all its instances elsewhere.” This would of course somewhat undermine the concept of app-isolated dependencies; but you know what they say about cakes and eating them:

“The ideal we should get to is every application has a local copy of everything. People eventually get to a point where through some OS mechanisms or through some other means the DLLs that are the same between different applications would get shared. That way nobody needs to worry about is this shared, or is it not shared. The ideal place that we’d like to get to is that sharing happens under the hood. It can happen through different mechanisms for different applications. [That would be the] ideal place for the runtime and how to version it.”

said Kotas. Possibly I am misinterpreting this; but it does sound like some kind of sharing-but-not-sharing solution to the patching problem.

Another point to note: a managed code application cannot execute without help. In order to run, every managed application needs three things:

1. The application code

2. The CLR – either CoreCLR or the .NET Framework CLR

3. A CLR host which loads the CLR and instructs it to execute the application. The CLR host has to be native code, for obvious reasons.

In the .NET Framework this third piece is invisible, since it is handled by the operating system (though apparently SQL Server is a special case). In the CoreCLR world though, you need to think about the CLR host. ASP.NET 5.0 has the KRuntime (K probably stands for Katana) which I think is the same as Project K. If you want to test CoreCLR today, you can use a host called CoreConsole which (as its name implies) lets you run console apps. Apparently there are a few technical problems using CoreCLR with ASP.NET 5 at the moment.

Microsoft risks enterprise credibility by pushing out insecure mobile Outlook

One thing about Microsoft: it may not be the greatest for usability or convenience, but it does understand enterprise requirements around compliance and protecting corporate data.

At least, I thought it did.

That confidence has been undermined by the release yesterday of new “Outlook” mobile apps for iOS and Android.

I read the cheery blog posts from Office PM Julia White and from new Outlook GM Javier Soltero. “Now, with Outlook, you really can manage your work and personal email on your phone and tablet – as efficiently as you do on your computer,” says White.

There is a snag though. The new Outlook apps are rebadged Acompli apps, Acompli being a company acquired by Microsoft in early December 2014. Acompli, when it thought about how to create user-friendly email apps that connected to multiple accounts, came up with a solution which, as I understand it, looks like this:

  1. User gives us credentials for accessing email account
  2. We store those credentials in our cloud servers – except they are not really our servers, they are virtual machines on Amazon Web Services (AWS)
  3. Our server app grabs your email and we push it down to the app

A reasonable approach? Well, it simplifies the mobile app and means that the server component does all the hard work of dealing with multiple accounts and mail formats; and of course everything is described as “secure”.

However, there are several issues with this from a security and compliance perspective:

  1. From the perspective of the email provider, the app accessing the email is on the server, not on the device, and the server app may push the emails to multiple devices. That means no per-device access control.
  2. Storing credentials anywhere in a third-party cloud is a big deal. In the case of Exchange, they are Active Directory credentials, which means that if they were compromised, the hacker would potentially get access not only to email, but to anything for which the user has permission on that Active Directory domain.
  3. If an organisation has a policy of running servers on its own premises, it is unlikely to want credentials and email cached on the AWS cloud.

The best source of information is this post, “A Deeper look at Outlook on iOS and Android”, and specifically, the comments. Microsoft’s Jon Orton confirms the architecture described above, which is also described in the Acompli privacy policy:

Our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app … If you decide to sign up to use the service, you will need to create an account. That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password.

The only solution offered by Microsoft is to block the new apps using Exchange ActiveSync policy rules.
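
As an added example (not from the original post, and not Microsoft's own script), here is one way an Exchange administrator could inventory partnerships already created by the new apps and then put a blocking ActiveSync device access rule in place. The device model string is an assumption; confirm it against what Get-MobileDevice reports in your own organisation before relying on it.

```powershell
# Added example. Run in the Exchange Management Shell or an Exchange Online session.
# ASSUMPTION: this is the DeviceModel value the new Outlook apps report.
# Check it against your own Get-MobileDevice output first.
$model = 'Outlook for iOS and Android'

# 1. Inventory: which mailboxes already have a partnership created by the app?
$devices = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $model }

$devices |
    Sort-Object UserDisplayName |
    Format-Table UserDisplayName, DeviceModel, DeviceOS, FirstSyncTime, DeviceAccessState -AutoSize

# 2. Block: create the rule only if no rule for this model exists yet;
#    if one exists with a different access level, tighten it to Block.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $model }

if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
        -QueryString $model -AccessLevel Block
}
elseif ($existing.AccessLevel -ne 'Block') {
    Set-ActiveSyncDeviceAccessRule -Identity $existing.Identity -AccessLevel Block
}

# 3. Verify: show the rule and summarise the access state of matching devices.
Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.QueryString -eq $model } |
    Format-List Name, Characteristic, QueryString, AccessLevel

Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $model } |
    Group-Object DeviceAccessState |
    Format-Table Name, Count -AutoSize
```

Because the service stores Exchange credentials on its own servers, the accounts listed in step 1 are also the ones to consider for a password change.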

The new apps do not even respect Exchange ActiveSync policies – presumably hard to enforce given the architecture described above – though Microsoft’s AllenFilush says:

Outlook is wired up to work with Active Sync policies, but it currently only supports Remote Wipe (a selective wipe of the corporate data, not a device wipe). We will be adding full support for EAS policies like PIN lock soon.

However a user remarks:

Also, I have set up a test account, and performed a remote wipe, and nothing happened. I also removed the mobile device partnership later and still able to send and receive emails.

The inability to enforce a PIN lock means that if a device is stolen, the recipient might be able simply to turn on the device and read the corporate email.

The disappointment here is that Microsoft held to a higher standard for security and compliance than its competitors, more perhaps than some realise, with things like Bitlocker encryption built into Surface and Windows Phone devices.

Now the company seems willing to throw that reputation away for the sake of getting a consumer-friendly mobile app out of the door quickly. Worse still, it has been left to the community to identify and publicise the problems, leaving admins now racing to put the necessary blocks in place. If Microsoft was determined to do this, it should at least have forewarned administrators so that corporate data could be protected.