By David Meyer
08 Nov 2006
Microsoft claims analyst allegations that its mobile phone operating
system has inherent security flaws are inaccurate and should never have
Last week the software giant refused to explicitly deny a report from
Jack Gold, of US analyst firm J Gold Associates, that suggested
enterprises might be turned off using Windows Mobile 5.0 devices, as
data sent to the handsets via Direct Push was not encrypted on the
At the time, Microsoft would only reiterate that data was sent to the
handset using SSL encryption, and suggested that password protection,
coupled with the ability to remotely or locally wipe the handset, showed
that "companies can trust the relationship between Windows Mobile
devices and an Exchange Server to help control vital information".
However, on Wednesday Microsoft contacted ZDNet UK with a more detailed
rebuttal of J Gold Associates' claims. Microsoft's UK and EMEA mobility
business manager, Jason Langridge, said the company had been
"disappointed by [the report] because we had made them aware that there
were inaccuracies [in it], but the authors still chose to publish". He
also repeated the claim that "the feedback from customers is that they
feel the protection from the PIN code on the device, or [the fact] that
we can remotely wipe it, or it can self-wipe, manages the risk".
"We don't encrypt the mail store, but we do have third parties that we
work with if you wish to do that," Langridge added, suggesting companies
such as Pointsec and Credant as examples. He also criticised companies
such as RIM, which does offer embedded encryption on its BlackBerry
handsets, for relaying email via network operations centres, saying: "The
reason RIM has to encrypt the data is because there isn't end-to-end
encryption. [Our] RC4 or triple-DES encryption ensures data is
transmitted in a secure way without having to pass through a third-party
Approached for a response, Jack Gold told ZDNet UK that Microsoft had
indeed contacted him with "minor corrections" to several paragraphs of
the report he had "purposely" sent them, and he had then incorporated
those corrections into the final version.
"Their corrections were related to [push email enabler] AirSync vs
[local synchronisation tool] ActiveSync and how they functioned. Never
did they refute the fact that data on the devices is not encrypted. They
indicated that the data across the connection is encrypted via SSL,
which I agree is a safe way to send the data. They never refuted the
fact that data remains unencrypted on the device itself, which is, in my
opinion, a significant flaw in their design," he said on Wednesday.
Gold then went on to repeat his assertion that, although client-side
encryption can be incorporated by third-party products, "it will break
the Direct Push (AirSync) mechanism. If they do indeed add Credant or
Pointsec, then they have to go with a different synching capability and
forego use of Direct Push". He also suggested that remote wiping was an
inadequate level of protection, as a device can be lost for hours or
more before anyone realises it is missing and sends the "kill message".
As for Microsoft's comments on RIM's approach to push email, Gold
explained: "On the BlackBerry, all data is also encrypted while stored
on the device even after it is received from the [network operations
centre], and decoded when used. That is a key difference, and a
requirement for many security compliance tests."
"The bottom line is, we stand by our original contention that Microsoft
Direct Push has a significant disadvantage over BlackBerry, Good, Sybase
and others when it comes to security if you are a user who is concerned
about data loss," Gold added.