The software giant used the Tech Ed conference this week to train the spotlight on a security-centric feature pack for the mobile operating system, promising improved data protection via a nifty feature that wipes the device's main memory after too many failed password attempts.
Microsoft Corp. argues that the add-on, dubbed MSFP (Messaging & Security Feature Pack for Windows Mobile 5.0), which ships later this year, is crucial for businesses running Exchange Server 2003 SP2, allowing them to remotely handle data security for smart phones and PDAs.
However, according to a pair of analysts at Gartner Inc., the security improvements "are insufficient and do not meet basic enterprise security needs."
"[The Feature Pack] does not go far enough with security for enterprise-wide deployment," said a report from Gartner researchers Dion Wiggins and Nick Ingelbrecht. The report recommended that businesses use third-party vendor security add-ons to make Windows suitable for mobile use.
Gartner has long been critical of security on Microsoft's Pocket PC platform. Back in 2002, a scathing report said that Microsoft would have to raise security on the platform—significantly—to make it enterprise-ready, and three years later the research outfit has very much the same message.
"Microsoft has missed an opportunity to show leadership in mobile security and have the market declare that the company has made Windows Mobile 5.0 secure," Wiggins and Ingelbrecht added.
The duo said Microsoft should have provided an integrated management and security framework for the platform instead of relying on third-party vendors to plug its mobile-security shortcomings.
The software maker shot back late Friday in a statement released to Ziff Davis Internet News: "[The] Windows Mobile 5.0 software went through extensive threat-modeling as well as [having] completed the rigorous Microsoft Trustworthy Computing Full Security Review, and received FIPS-140-2 certification—the stringent U.S. Federal government security requirements for IT products," a Microsoft spokesperson said.
He said the advancements add to a range of "existing security features in the software platform, such as end-to-end encryption over a virtual private network, application certification, and a range of third-party anti-virus and file encryption solutions."
The Gartner analysts acknowledge some security improvements in the platform, including certificate support and a remote management utility that lets an Exchange administrator wipe the device's main memory after too many failed password attempts.
A separate facility has also been added to allow an administrator to instruct the device to wipe itself the next time it connects via TCP/IP to the server.
Several policy and configuration-management enhancements have also been included, along with patch support, to avoid having to "reflash" the entire memory, and better Exchange integration through established Outlook Web Access technology and push-based e-mail.
But, according to Wiggins and Ingelbrecht, wiping the device's memory is "of limited use" because data on removable media is not erased and remains exposed.
"Because mobile devices have limited storage capacity, most users store data on media, such as memory cards, that can simply be removed from one device and read in another. Data encryption is required to secure the device," the analysts argue.
"The crypto-application programming interfaces are already built into the operating system, so such a feature should have been easy to implement."
The Microsoft spokesperson said the company is "working on many levels to help address the growing importance of mobile device security" and stressed that the creation of a complete mobile security experience for customers requires "strong technical features, tight integration with industry partners and education on end-user behavior."
He said the new feature pack adds significant security enhancements, including support for SSL (Secure Sockets Layer) encryption of all Exchange data—Inbox, Contacts, Calendar, Tasks—and support for S/MIME (Secure Multipurpose Internet Mail Extension) e-mail encryption.