informa
/
Risk
Commentary

Why Windows Phone 7 Could Be Most Secure Smartphone At Launch

One of the interesting things I learned from spending a few days with McAfee recently was that the iPhone is actually one of the most secure smartphones.
One of the interesting things I learned from spending a few days with McAfee recently was that the iPhone is actually one of the most secure smartphones.This is because of the heavy control Apple maintains and that many of us complain about actually provides a decent protection against malware unless the phone is jailbroken. Other phones, including older versions of Microsoft's platform, don't have this level of control and they are apparently less secure. If this is true, then isn't the Windows Phone 7 platform, at least initially, the most secure because none are yet jailbroken, few are likely even trying to write malware for the phone, and it has a hard tie to an application store?

Let's explore that and in the process perhaps better understand why securing Smartphones is different than it was with PCs.

PCs vs. Smartphones Smartphones are a lot like PCs were in the '80s and '90s, they have inadequate performance and anything running in the background can slow the device down substantially. This means that the phones can't handle a virus scanner or much of any resident background anti-malware technology. The protection has to come through restricting the phone. On a PC we call this locking the PC down, and it has always been one of the most secure ways of protecting a PC while also being one of the most annoying practices for users. But that was before there were smartphone-connected application stores, which return some of the missing flexibility while still providing a better security solution than a phone that allows side-loading would.

This is why the iPhone--even though it doesn't really focus on security--is in many ways the most secure of the shipping top smartphones because the applications in the Apple store are vetted and the phones are tied tightly to the application store.

Windows Phone 7 Largely because this product is new, there is no jailbroken problem yet with it. And Microsoft is specifically searching for malware in its vetting process because it has learned the hard way that if you don't build it in up front, you are only waiting for a disaster to happen. In addition, Microsoft has also built in a series of features in the free service package that comes with the phone, which allows for locating a phone (forced ring even if the phone is in silent mode) to find lost phones, remote wipe and management for users, and built-in storage encryption. These are the primary security advantages that stand out, along with the hard-enforced connection to the Microsoft Application Store.

I was going to provide a link to the phone's comprehensive list of security features, but apparently that list doesn't exist, so I'll list them below. But because this phone hasn't been jailbroken yet and actually has a number of security features designed into both the application store and the device itself, it could actually be the most secure smartphone at launch. My primary point is your best defense might be to avoid phones that allow side-loading, that are jailbroken, and that Apple and Microsoft might have the most secure products.

Windows Phone 7 Security Related Features and Settings: A Comprehensive List. Windows Phone 7 supports the following device management and security features:

    • Direct push • Email sync • Calendar sync • Contacts sync • Remote wipe • Sync multiple folders • GAL lookup • SSL encrypted transmission • User started remote wipe (server side) • Link access • HTML email • Set Out of Facility/Office (OOF) • Follow-up flags • Meeting attendee information • Auto Discover • Bandwidth reductions (compressed/ removed headers) • Reply state • Free/Busy lookup • Nickname cache • Block/Allow/Quarantine List (device info) • Allow attachment download (server side)

Windows Phone 7 supports the following Exchange ActiveSync policies:

    • Password enabled • Password expiration (days) • Enforce password history • Allow simple password • Minimum password length • Maximum inactivity time lock • Maximum failed password attempts

Exchange ActiveSync Policies that are not applicable for Windows Phone 7:

    • Encrypt storage card (WP has no removable storage) • Disable desktop ActiveSync (WP no longer supports desktop Sync for Email and Documents, Zune software for media sync with desktop) • Disable removable storage (WP has no removable storage) • Disable IrDA (IrDA is not supported in WP7) • Allow desktop sharing from device (Desktop Sync is no longer supported, RAPI) • Allow unsigned applications (All WP7 apps must be signed and installed from Marketplace, no side loading or installation of apps through browser) • Allow unsigned CABs (WP7 does not support native applications and thus CABs are NA) • Application allow list • Application block list (All applications are installed trough Windows Phone MarketPlace) • Configure message formats (HTML or plain text -- plaintext messaging is not supported) • Allow mobile OTA update • Mobile OTA update mode (WP7 only supports app installation thru marketplace; marketplace automatically notifies users if there is a new version of software) • Include past calendar items (Days)-- User Controlled • Require manual sync while roaming -- User Controlled • Allow attachment download (client side)-- Always on

-- Rob Enderle is president and founder of Enderle Group. Special to Dark Reading.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5