
10/25/2010
05:59 PM
Rob Enderle
Commentary

Why Windows Phone 7 Could Be Most Secure Smartphone At Launch

One of the interesting things I learned from spending a few days with McAfee recently was that the iPhone is actually one of the most secure smartphones. This is because the heavy control Apple maintains, which many of us complain about, actually provides decent protection against malware unless the phone is jailbroken. Other phones, including older versions of Microsoft's platform, don't have this level of control and they are apparently less secure. If this is true, then isn't the Windows Phone 7 platform, at least initially, the most secure because none are yet jailbroken, few are likely even trying to write malware for the phone, and it has a hard tie to an application store?

Let's explore that and in the process perhaps better understand why securing smartphones is different than it was with PCs.

PCs vs. Smartphones

Smartphones are a lot like PCs were in the '80s and '90s: they have inadequate performance, and anything running in the background can slow the device down substantially. This means that the phones can't handle a virus scanner or much of any resident background anti-malware technology. The protection has to come through restricting the phone. On a PC we call this locking the PC down, and it has always been one of the most secure ways of protecting a PC while also being one of the most annoying practices for users. But that was before there were smartphone-connected application stores, which return some of the missing flexibility while still providing a better security solution than a phone that allows side-loading would.

This is why the iPhone--even though it doesn't really focus on security--is in many ways the most secure of the top shipping smartphones, because the applications in the Apple store are vetted and the phones are tied tightly to the application store.

Windows Phone 7

Largely because this product is new, there is no jailbreak problem with it yet. And Microsoft is specifically searching for malware in its vetting process because it has learned the hard way that if you don't build it in up front, you are only waiting for a disaster to happen. In addition, Microsoft has built a series of features into the free service package that comes with the phone: locating a lost phone (a forced ring even if the phone is in silent mode), remote wipe and management for users, and built-in storage encryption. These are the primary security advantages that stand out, along with the hard-enforced connection to the Microsoft Application Store.

I was going to provide a link to the phone's comprehensive list of security features, but apparently that list doesn't exist, so I'll list them below. But because this phone hasn't been jailbroken yet and actually has a number of security features designed into both the application store and the device itself, it could actually be the most secure smartphone at launch. My primary point is that your best defense might be to avoid phones that allow side-loading or that are jailbroken, and that Apple and Microsoft might have the most secure products.

Windows Phone 7 Security Related Features and Settings: A Comprehensive List

Windows Phone 7 supports the following device management and security features:

    • Direct push
    • Email sync
    • Calendar sync
    • Contacts sync
    • Remote wipe
    • Sync multiple folders
    • GAL lookup
    • SSL encrypted transmission
    • User started remote wipe (server side)
    • Link access
    • HTML email
    • Set Out of Facility/Office (OOF)
    • Follow-up flags
    • Meeting attendee information
    • Auto Discover
    • Bandwidth reductions (compressed/removed headers)
    • Reply state
    • Free/Busy lookup
    • Nickname cache
    • Block/Allow/Quarantine List (device info)
    • Allow attachment download (server side)

Windows Phone 7 supports the following Exchange ActiveSync policies:

    • Password enabled
    • Password expiration (days)
    • Enforce password history
    • Allow simple password
    • Minimum password length
    • Maximum inactivity time lock
    • Maximum failed password attempts

Exchange ActiveSync Policies that are not applicable for Windows Phone 7:

    • Encrypt storage card (WP has no removable storage)
    • Disable desktop ActiveSync (WP no longer supports desktop Sync for Email and Documents, Zune software for media sync with desktop)
    • Disable removable storage (WP has no removable storage)
    • Disable IrDA (IrDA is not supported in WP7)
    • Allow desktop sharing from device (Desktop Sync is no longer supported, RAPI)
    • Allow unsigned applications (All WP7 apps must be signed and installed from Marketplace, no side loading or installation of apps through browser)
    • Allow unsigned CABs (WP7 does not support native applications and thus CABs are NA)
    • Application allow list
    • Application block list (All applications are installed through Windows Phone Marketplace)
    • Configure message formats (HTML or plain text -- plaintext messaging is not supported)
    • Allow mobile OTA update
    • Mobile OTA update mode (WP7 only supports app installation through Marketplace; Marketplace automatically notifies users if there is a new version of software)
    • Include past calendar items (Days) -- User Controlled
    • Require manual sync while roaming -- User Controlled
    • Allow attachment download (client side) -- Always on

-- Rob Enderle is president and founder of Enderle Group. Special to Dark Reading.
