Outlook for Android uses intermediate Microsoft Servers
- Is it possible that they could be authenticating over a TLS tunnel from their own server rather than the client device without sharing the credentials?
No, for the server to make the connection, it has to know the credentials. And we know that the server does make the connection, not the client, because I captured all the packets coming off my Android tablet running Outlook 3.0.46 (315) and absolutely none of them went to the configured IMAP and SMTP server, but quite a few went to Microsoft addresses. Even if their mail bastion acted like an HTTP CONNECT proxy, we would expect to see the TLS certificates from my servers, and I did not.
Likewise, when I sent mail to a third party, the first-hop mail server was mail.outlook.com, which had to authenticate to my mail server to send the mail through it. That's all in the SMTP headers for the recipient to review.
So, it's their server doing the connections, not the client tunneling through. And that means their server knows your passwords, even if only transiently.
- Does this mean that the intermediate server is able to read mail prior to pushing it to the client?
Yes, it does.
- Is this behaviour documented or known?
That's hard to say. Their bundled documentation doesn't clearly describe it, as far as I saw, but there's a surprising amount of documentation there.
It is worth noting that there is a legitimate technical driver for this behavior: the various phone and wireless networks your device may move between may block access to mail services; it's sort of the sole area in which ingress filtering ever took off. By forcing your communications through Microsoft's home base, they can ensure that mail protocols aren't blocked at the source...
...whether that's worth it to you is another question.
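The header check described in the answer (walking the Received: chain of a message you sent to see which host actually authenticated to your own SMTP server) can be scripted. The block below is an added example, not code from the original post or from Microsoft; the hostnames smtp.example.net and mx.example.org, the addresses, and the sample message are constructed for the illustration, and only mail.outlook.com comes from the post. It assumes Postfix-style Received: lines, where a "with ESMTPSA" / "with ESMTPA" protocol token marks an authenticated (SMTP AUTH) submission; other MTAs phrase this differently, so treat the authenticated flag as a heuristic.

```python
"""Walk a message's Received: chain, oldest hop first, and report which host
handed the message to your own mail server.

Added example, not from the original post.  Hostnames, IPs and the sample
message are constructed; mail.outlook.com is the only name taken from the post.
"""
import email
import re
from typing import Optional

# Postfix-style: "from <helo> (<rdns> [<ip>]) by <server> ... with <proto>".
# The parenthesised part and the "with" clause are optional in the regex
# because not every MTA emits them.
_RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<paren>[^)]*)\))?"
    r"\s+by\s+(?P<by>[^\s;]+)"
    r"(?:.*?\bwith\s+(?P<with>\S+))?",
    re.IGNORECASE,
)
_IP = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")

# Assumption: Postfix appends "A" to the protocol token when the client
# authenticated (ESMTPA, ESMTPSA).  Heuristic only.
_AUTH_TOKENS = {"ESMTPA", "ESMTPSA"}

# Constructed sample: recipient MX received from the user's own server, which
# received an authenticated submission from mail.outlook.com rather than
# from the user's device.
SAMPLE = """\
Received: from smtp.example.net (smtp.example.net [198.51.100.25])
        by mx.example.org (Postfix) with ESMTPS id 7F3A1C0D
        for <bob@example.org>; Tue, 05 Mar 2019 10:12:04 +0000
Received: from mail.outlook.com (mail.outlook.com [192.0.2.40])
        by smtp.example.net (Postfix) with ESMTPSA id 1A2B3C4D
        for <bob@example.org>; Tue, 05 Mar 2019 10:12:01 +0000
From: alice@example.net
To: bob@example.org
Subject: test

hello
"""


def hop_chain(raw_message: str) -> list:
    """Return parsed Received: hops oldest first (submission hop at index 0).

    Received: headers are prepended by each MTA, so the top header is the
    newest; reversing restores delivery order.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = _RECEIVED.search(flat)
        if not m:
            continue  # unparseable hop; skip rather than guess
        ip = _IP.search(m.group("paren") or "")
        proto = (m.group("with") or "").upper()
        hops.append({
            "helo": m.group("helo"),           # what the client claimed
            "ip": ip.group("ip") if ip else None,  # what the server saw
            "by": m.group("by"),
            "with": proto,
            "authenticated": proto in _AUTH_TOKENS,
        })
    return hops


def submission_hop(raw_message: str, own_server: str) -> Optional[dict]:
    """The hop whose 'by' side is your own server.

    This is the only hop you can trust: everything below it in the chain was
    written by machines you do not control and could be forged.  If the hop's
    'helo'/'ip' is a third-party relay and 'authenticated' is True, that relay
    logged in to your server with your credentials.
    """
    for hop in hop_chain(raw_message):
        if hop["by"].lower() == own_server.lower():
            return hop
    return None


if __name__ == "__main__":
    for i, hop in enumerate(hop_chain(SAMPLE)):
        print(f"hop {i}: {hop}")
    print("submitted to smtp.example.net by:",
          submission_hop(SAMPLE, "smtp.example.net"))
```

Run it against the raw source of a message you sent from the client to an account you control, and pass the name of your own submission server; on the sample the submission hop shows mail.outlook.com authenticating to smtp.example.net, which is exactly the observation the answer describes.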