10/25/2010
05:59 PM
Rob Enderle
Commentary

Why Windows Phone 7 Could Be Most Secure Smartphone At Launch

One of the interesting things I learned from spending a few days with McAfee recently was that the iPhone is actually one of the most secure smartphones. This is because the heavy control Apple maintains, which many of us complain about, actually provides decent protection against malware unless the phone is jailbroken. Other phones, including older versions of Microsoft's platform, don't have this level of control and they are apparently less secure. If this is true, then isn't the Windows Phone 7 platform, at least initially, the most secure because none are yet jailbroken, few are likely even trying to write malware for the phone, and it has a hard tie to an application store?

Let's explore that and, in the process, perhaps better understand why securing smartphones is different than it was with PCs.

PCs vs. Smartphones

Smartphones are a lot like PCs were in the '80s and '90s: they have inadequate performance, and anything running in the background can slow the device down substantially. This means that the phones can't handle a virus scanner or much of any resident background anti-malware technology. The protection has to come through restricting the phone. On a PC we call this locking the PC down, and it has always been one of the most secure ways of protecting a PC while also being one of the most annoying practices for users. But that was before there were smartphone-connected application stores, which return some of the missing flexibility while still providing a better security solution than a phone that allows side-loading would.

This is why the iPhone--even though it doesn't really focus on security--is in many ways the most secure of the shipping top smartphones because the applications in the Apple store are vetted and the phones are tied tightly to the application store.

Windows Phone 7

Largely because this product is new, there is no jailbreaking problem with it yet. And Microsoft is specifically searching for malware in its vetting process because it has learned the hard way that if you don't build security in up front, you are only waiting for a disaster to happen. In addition, Microsoft has built a series of features into the free service package that comes with the phone, which allow for locating a phone (forced ring even if the phone is in silent mode) to find lost phones, remote wipe and management for users, and built-in storage encryption. These are the primary security advantages that stand out, along with the hard-enforced connection to the Microsoft Application Store.

I was going to provide a link to the phone's comprehensive list of security features, but apparently that list doesn't exist, so I'll list them below. But because this phone hasn't been jailbroken yet and actually has a number of security features designed into both the application store and the device itself, it could actually be the most secure smartphone at launch. My primary point is that your best defense might be to avoid phones that allow side-loading or that are jailbroken, and that Apple and Microsoft might have the most secure products.

Windows Phone 7 Security Related Features and Settings: A Comprehensive List

Windows Phone 7 supports the following device management and security features:

    • Direct push
    • Email sync
    • Calendar sync
    • Contacts sync
    • Remote wipe
    • Sync multiple folders
    • GAL lookup
    • SSL encrypted transmission
    • User started remote wipe (server side)
    • Link access
    • HTML email
    • Set Out of Facility/Office (OOF)
    • Follow-up flags
    • Meeting attendee information
    • Auto Discover
    • Bandwidth reductions (compressed/removed headers)
    • Reply state
    • Free/Busy lookup
    • Nickname cache
    • Block/Allow/Quarantine List (device info)
    • Allow attachment download (server side)

Windows Phone 7 supports the following Exchange ActiveSync policies:

    • Password enabled
    • Password expiration (days)
    • Enforce password history
    • Allow simple password
    • Minimum password length
    • Maximum inactivity time lock
    • Maximum failed password attempts

Exchange ActiveSync Policies that are not applicable for Windows Phone 7:

    • Encrypt storage card (WP has no removable storage)
    • Disable desktop ActiveSync (WP no longer supports desktop Sync for Email and Documents, Zune software for media sync with desktop)
    • Disable removable storage (WP has no removable storage)
    • Disable IrDA (IrDA is not supported in WP7)
    • Allow desktop sharing from device (Desktop Sync is no longer supported, RAPI)
    • Allow unsigned applications (All WP7 apps must be signed and installed from Marketplace, no side loading or installation of apps through browser)
    • Allow unsigned CABs (WP7 does not support native applications and thus CABs are NA)
    • Application allow list
    • Application block list (All applications are installed through Windows Phone Marketplace)
    • Configure message formats (HTML or plain text -- plaintext messaging is not supported)
    • Allow mobile OTA update
    • Mobile OTA update mode (WP7 only supports app installation through Marketplace; Marketplace automatically notifies users if there is a new version of software)
    • Include past calendar items (Days) -- User Controlled
    • Require manual sync while roaming -- User Controlled
    • Allow attachment download (client side) -- Always on

-- Rob Enderle is president and founder of Enderle Group. Special to Dark Reading.
