Researchers Criticize Security of Windows Mobile

By failing to encrypt data stored on Windows Mobile devices, as it is protected on other popular handhelds, Microsoft is leaving users open to potential data leakage, wireless researchers say.

A new research report contends that by failing to offer onboard encryption for e-mail files stored on Windows Mobile devices, Microsoft may be putting itself at a competitive disadvantage and leaving users vulnerable to data loss.

According to the latest report published by J. Gold Associates, a Northborough, Mass.-based wireless research firm, Microsoft's decision not to offer file encryption capabilities on its Windows Mobile platform reflects poorly on the technology compared to other popular wireless systems.

Unlike the push e-mail systems offered by rival mobile software makers, including Good Technology, Research In Motion and Sybase, Microsoft's wireless messaging technology doesn't include data protection beyond simple passwords, researchers said.

While the omission won't likely affect consumer adoption of Windows Mobile devices, which are so-called smart phones that offer more PC-like functions than most of today's popular handhelds, enterprises may choose to adopt other platforms based on the lack of more comprehensive security features, said Jack Gold, principal analyst with J. Gold Associates.

Windows Mobile encrypts data while it is in transit to the device, but leaves sensitive corporate data stored on the handheld open to access if the device's password is cracked, the analyst said.

Gold specifically highlights an issue in Microsoft's Direct Push technology, which is used to move data between the latest versions of Exchange Server and Windows Mobile devices.

Direct Push utilizes AirSync, a derivative of Microsoft's ActiveSync, which is used to distribute data to Windows Mobile devices and provides a way for data stored on the devices to be synchronized with back-end servers.

The current versions of ActiveSync and AirSync only support specially formatted data sets that meet certain Microsoft data specifications, which means that any data transferred from Exchange Server to Microsoft's Pocket Outlook is stored on the device in unencrypted form.

"The bottom line is that every enterprise is concerned about security these days, and it will be a significant consideration as they adopt new mobile devices," Gold said.

"The way that Microsoft has engineered mobile push e-mail, the information is relatively out in the open, such as when doing a sync between Exchange and Pocket Outlook; the use of only a password is a pretty insecure approach, and companies will likely want the ability to encrypt all the data that's being stored there."

Microsoft didn't immediately respond to calls seeking comment on the criticism. However, the company has made a concerted effort to strengthen the security of its next-generation desktop operating system, Vista.

If the company were to add to Windows Mobile functionality similar to the Windows BitLocker drive encryption feature it has added in Vista, users might view the wireless platform's security as more comparable to that offered by its rivals, the researcher said.

However, even if Redmond, Wash.-based Microsoft were to add such tools to Windows Mobile, Gold would like to see the ability for users to encrypt individual files, versus the blanket approach used in BitLocker.

"The problem with BitLocker is that you're forced to encrypt the entire disk or not to use the feature at all, and end users will need the ability to encrypt on a file-by-file basis," Gold said.

"This lack of encryption in Windows Mobile is an architectural flaw that Microsoft should have expected, and they will need to re-architect if they want companies with sensitive data to adopt the platform."

Companies such as financial services firms and health care providers that operate under strict data-handling regulations could choose other technologies over Windows Mobile if the software maker doesn't add new encryption capabilities, said Gold.

The analyst would specifically like to see Microsoft re-engineer AirSync, ActiveSync and Pocket Outlook to provide additional security for data being passed through those applications.

Security for mobile devices is becoming a more high-profile issue as smart phones become more widely adopted.


Some 51 million smart phones were shipped in 2005, representing 6 percent of all wireless handsets, according to iGillottResearch. The research company predicts that the devices will account for 21 percent of all handhelds by 2010.

J. Gold Associates contends that smart phones will make up roughly 10 percent to 20 percent of wireless device shipments over the next four years, but expects that for business users the number will be much higher, accounting for as much as 50 percent to 60 percent of all handhelds.

In September, the Trusted Computing Group's Mobile Phone Work Group issued a draft of its Mobile Trusted Module standard, which is meant to establish guidelines that help wireless device and software makers improve the security of their products.

A final draft of the product specifications is expected to arrive before the end of 2006, and the effort aims to dovetail with other wireless security initiatives driven by groups including the Open Mobile Alliance, Open Mobile Terminal Platform and Mobile Industry Processor Interface Alliance.
