Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/25/2010
05:59 PM
Rob Enderle
Rob Enderle
Commentary
50%
50%

Why Windows Phone 7 Could Be Most Secure Smartphone At Launch

One of the interesting things I learned from spending a few days with McAfee recently was that the iPhone is actually one of the most secure smartphones.

One of the interesting things I learned from spending a few days with McAfee recently was that the iPhone is actually one of the most secure smartphones.This is because of the heavy control Apple maintains and that many of us complain about actually provides a decent protection against malware unless the phone is jailbroken. Other phones, including older versions of Microsoft's platform, don't have this level of control and they are apparently less secure. If this is true, then isn't the Windows Phone 7 platform, at least initially, the most secure because none are yet jailbroken, few are likely even trying to write malware for the phone, and it has a hard tie to an application store?

Let's explore that and in the process perhaps better understand why securing Smartphones is different than it was with PCs.

PCs vs. Smartphones Smartphones are a lot like PCs were in the '80s and '90s, they have inadequate performance and anything running in the background can slow the device down substantially. This means that the phones can't handle a virus scanner or much of any resident background anti-malware technology. The protection has to come through restricting the phone. On a PC we call this locking the PC down, and it has always been one of the most secure ways of protecting a PC while also being one of the most annoying practices for users. But that was before there were smartphone-connected application stores, which return some of the missing flexibility while still providing a better security solution than a phone that allows side-loading would.

This is why the iPhone--even though it doesn't really focus on security--is in many ways the most secure of the shipping top smartphones because the applications in the Apple store are vetted and the phones are tied tightly to the application store.

Windows Phone 7 Largely because this product is new, there is no jailbroken problem yet with it. And Microsoft is specifically searching for malware in its vetting process because it has learned the hard way that if you don't build it in up front, you are only waiting for a disaster to happen. In addition, Microsoft has also built in a series of features in the free service package that comes with the phone, which allows for locating a phone (forced ring even if the phone is in silent mode) to find lost phones, remote wipe and management for users, and built-in storage encryption. These are the primary security advantages that stand out, along with the hard-enforced connection to the Microsoft Application Store.

I was going to provide a link to the phone's comprehensive list of security features, but apparently that list doesn't exist, so I'll list them below. But because this phone hasn't been jailbroken yet and actually has a number of security features designed into both the application store and the device itself, it could actually be the most secure smartphone at launch. My primary point is your best defense might be to avoid phones that allow side-loading, that are jailbroken, and that Apple and Microsoft might have the most secure products.

Windows Phone 7 Security Related Features and Settings: A Comprehensive List. Windows Phone 7 supports the following device management and security features:

    • Direct push • Email sync • Calendar sync • Contacts sync • Remote wipe • Sync multiple folders • GAL lookup • SSL encrypted transmission • User started remote wipe (server side) • Link access • HTML email • Set Out of Facility/Office (OOF) • Follow-up flags • Meeting attendee information • Auto Discover • Bandwidth reductions (compressed/ removed headers) • Reply state • Free/Busy lookup • Nickname cache • Block/Allow/Quarantine List (device info) • Allow attachment download (server side)

Windows Phone 7 supports the following Exchange ActiveSync policies:

    • Password enabled • Password expiration (days) • Enforce password history • Allow simple password • Minimum password length • Maximum inactivity time lock • Maximum failed password attempts

Exchange ActiveSync Policies that are not applicable for Windows Phone 7:

    • Encrypt storage card (WP has no removable storage) • Disable desktop ActiveSync (WP no longer supports desktop Sync for Email and Documents, Zune software for media sync with desktop) • Disable removable storage (WP has no removable storage) • Disable IrDA (IrDA is not supported in WP7) • Allow desktop sharing from device (Desktop Sync is no longer supported, RAPI) • Allow unsigned applications (All WP7 apps must be signed and installed from Marketplace, no side loading or installation of apps through browser) • Allow unsigned CABs (WP7 does not support native applications and thus CABs are NA) • Application allow list • Application block list (All applications are installed trough Windows Phone MarketPlace) • Configure message formats (HTML or plain text -- plaintext messaging is not supported) • Allow mobile OTA update • Mobile OTA update mode (WP7 only supports app installation thru marketplace; marketplace automatically notifies users if there is a new version of software) • Include past calendar items (Days)-- User Controlled • Require manual sync while roaming -- User Controlled • Allow attachment download (client side)-- Always on

-- Rob Enderle is president and founder of Enderle Group. Special to Dark Reading.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
CVE-2020-16170
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.