Microsoft claims analyst allegations that its mobile phone operating system has inherent security flaws are inaccurate and should never have been published.
Last week the software giant refused to explicitly deny a report from Jack Gold, of US analyst firm J Gold Associates, that suggested enterprises might be turned off using Windows Mobile 5.0 devices, as data sent to the handsets via Direct Push was not encrypted on the device itself.
At the time, Microsoft would only reiterate that data was sent to the handset using SSL encryption, and suggested that password protection, coupled with the ability to remotely or locally wipe the handset, showed that "companies can trust the relationship between Windows Mobile devices and an Exchange Server to help control vital information".
However, on Wednesday Microsoft contacted ZDNet UK with a more detailed rebuttal of J Gold Associates' claims. Microsoft's UK and EMEA mobility business manager, Jason Langridge, said the company had been "disappointed by [the report] because we had made them aware that there were inaccuracies [in it], but the authors still chose to publish". He also repeated the claim that "the feedback from customers is that they feel the protection from the PIN code on the device, or [the fact] that we can remotely wipe it, or it can self-wipe, manages the risk".
"We don't encrypt the mail store, but we do have third parties that we work with if you wish to do that," Langridge added, suggesting companies such as Pointsec and Credant as examples. He also criticised companies such as RIM — which does offer embedded encryption on its BlackBerry handsets — for relaying email via network operations centres, saying: "The reason RIM has to encrypt the data is because there isn't end-to-end encryption. [Our] RC4 or triple-DES encryption ensures data is transmitted in a secure way without having to pass through a third-party relay."
Approached for a response, Jack Gold told ZDNet UK that Microsoft had indeed contacted him with "minor corrections" to several paragraphs of the report he had "purposely" sent them, and he had then incorporated those corrections into the final version.
"Their corrections we re related to [push email enabler] AirSync vs [local synchronisation tool] ActiveSync and how they functioned. Never did they refute the fact that data on the devices is not encrypted. They indicated that the data across the connection is encrypted via SSL, which I agree is a safe way to send the data. They never refuted that fact that data remains unencrypted on the device itself, which is, in my opinion, a significant flaw in their design," he said on Wednesday.
Gold then went on to repeat his assertion that, although client-side encryption can be incorporated by third-party products, "it will break the Direct Push (AirSync) mechanism… If they do indeed add Credant or Pointsec, then they have to go with a different synching capability and forego use of Direct Push". He also suggested that remote wiping was an inadequate level of protection, as a device can be lost for hours or more before anyone realises it is missing and sends the "kill message".
As for Microsoft's comments on RIM's approach to push email, Gold explained: "On the BlackBerry, all data is also encrypted while stored on the device even after it is received from the [network operations centre], and decoded when used. That is a key difference, and a requirement for many security compliance tests."
"The bottom line is, we stand by our original contention that Microsoft Direct Push has a significant disadvantage over BlackBerry, Good, Sybase and others when it comes to security if you are a user who is concerned about data loss," Gold added.
Talkback
As a Blackberry, GoodLink & MS PUSH installer I have seen some horrifying sites when it comes to MS PUSH. Almost every company I have been to that has already installed Microsoft PUSH was running it without an SSL certificate. As you all would be aware this would result in usernames and passwords being sent “in the clear” over the internet, and this includes admin users details. Another issue I have with Microsoft PUSH is that companies that previously had no inbound ports on their firewall open are now opening their network up for possible attack (i.e. Blackberry only requires an outbound port to be opened). Basically I have a long list of issues with the security side of MS Push as it too easy to setup incorrectly, even by people claiming to be “Network or Security Engineers” (Note: Reading a manual/install guide does overcome most issues).
So in conclusion I believe that BlackBerry and Good are the best options for deploying wireless devices. My main reason being security, and yes I do know about the BB NOC etc etc but do you know how many servers your normal emails pass through before it gets to it’s destination anyway?
As a Blackberry, GoodLink & MS PUSH installer I have seen some horrifying sites when it comes to MS PUSH. Almost every company I have been to that has already installed Microsoft PUSH was running it without an SSL certificate. As you all would be aware this would result in usernames and passwords being sent “in the clear” over the internet, and this includes admin users details. Another issue I have with Microsoft PUSH is that companies that previously had no inbound ports on their firewall open are now opening their network up for possible attack (i.e. Blackberry only requires an outbound port to be opened). Basically I have a long list of issues with the security side of MS Push as it too easy to setup incorrectly, even by people claiming to be “Network or Security Engineers” (Note: Reading a manual/install guide does overcome most issues).
So in conclusion I believe that BlackBerry and Good are the best options for deploying wireless devices. My main reason being security, and yes I do know about the BB NOC etc etc but do you know how many servers your normal emails pass through before it gets to it’s destination anyway?
i install MS Push, and i use SSL.
That is one flaw in MS's arugment, not all MS Push mail is ciphered, only if you use your certs, when my company moves over to PDA devices then i am going to start using certificates, until then it is too hard to get them to work on the Smartphone devices!