Analysts: Windows Mobile 5.0 Security Falls Short

Redmond rolls out a security add-on for its mobile operating system, but Gartner analysts say improvements to the BlackBerry competitor "do not meet basic enterprise security needs."

Microsoft's Windows Mobile 5.0 is being touted as a potential "BlackBerry killer," but major security shortcomings could derail widespread enterprise adoption, analysts warned Friday.

The software giant used the Tech Ed conference this week to train the spotlight on a security-centric feature pack for the mobile operating system, promising improved data protection via a nifty feature that wipes the device's main memory after too many failed password attempts.

Microsoft Corp. argues that the add-on, dubbed MSFP (Messaging & Security Feature Pack for Windows Mobile 5.0), which ships later this year, is crucial for businesses running Exchange Server 2003 SP2, allowing them to remotely handle data security for smart phones and PDAs.

However, according to a pair of analysts at Gartner Inc., the security improvements "are insufficient and do not meet basic enterprise security needs."

"[The Feature Pack] does not go far enough with security for enterprise-wide deployment," said a report from Gartner researchers Dion Wiggins and Nick Ingelbrecht. The report recommended that businesses use third-party vendor security add-ons to make Windows suitable for mobile use.

Gartner has long been critical of security on Microsoft's Pocket PC platform. Back in 2002, a scathing report said that Microsoft would have to raise security on the platform—significantly—to make it enterprise-ready, and three years later the research outfit has very much the same message.

"Microsoft has missed an opportunity to show leadership in mobile security and have the market declare that the company has made Windows Mobile 5.0 secure," Wiggins and Ingelbrecht added.

The duo said Microsoft should have provided an integrated management and security framework for the platform instead of relying on third-party vendors to plug its mobile-security shortcomings.

The software maker shot back late Friday in a statement released to Ziff Davis Internet News: "[The] Windows Mobile 5.0 software went through extensive threat-modeling as well as [having] completed the rigorous Microsoft Trustworthy Computing Full Security Review, and received FIPS-140-2 certification—the stringent U.S. Federal government security requirements for IT products," a Microsoft spokesperson said.

He said the advancements add to a range of "existing security features in the software platform, such as end-to-end encryption over a virtual private network, application certification, and a range of third-party anti-virus and file encryption solutions."

The Gartner analysts acknowledge some security improvements in the platform, including certificate support and a remote management utility that lets an Exchange administrator wipe the device's main memory after too many failed password attempts.

A separate facility has also been added to allow an administrator to instruct the device to wipe itself the next time it connects via TCP/IP to the server.

Several policy and configuration-management enhancements have also been included, along with patch support, to avoid having to "reflash" the entire memory, and better Exchange integration through established Outlook Web Access technology and push-based e-mail.

But, according to Wiggins and Ingelbrecht, wiping the device's memory is "of limited use" because data on removable media is not erased and remains exposed.

"Because mobile devices have limited storage capacity, most users store data on media, such as memory cards, that can simply be removed from one device and read in another. Data encryption is required to secure the device," the analysts argue.

"The crypto-application programming interfaces are already built into the operating system, so such a feature should have been easy to implement."

The Microsoft spokesperson said the company is "working on many levels to help address the growing importance of mobile device security" and stressed that the creation of a complete mobile security experience for customers requires "strong technical features, tight integration with industry partners and education on end-user behavior."

He said the new feature pack adds significant security enhancements, including support for SSL (Secure Sockets Layer) encryption of all Exchange data—Inbox, Contacts, Calendar, Tasks—and support for S/MIME (Secure Multipurpose Internet Mail Extension) e-mail encryption.
