Finding security in Windows Mobile monoculture

Finding security in Windows Mobile monoculture
Finding security in Windows Mobile monoculture 

By Matt Hines
April 06, 2007

Without a doubt, the most influential factor driving the current state 
of IT security is the ubiquitous presence of Microsoft's dominant 
Windows operating system on a vast majority of the world's PCs.

Since an estimated 92 percent of the world's desktops were running on 
Windows products in 2006, according to researchers at Net Applications, 
it only makes sense that a similar majority of computer viruses have 
been aimed at users of the software.

However, as more enterprise businesses begin to adopt newer, more 
PC-like mobile devices, dubbed "smartphones," some IT department leaders 
say that they have been waiting to adopt Microsoft's Windows Mobile 
device OS based on security concerns.

Experts analyzing development of the nascent enterprise mobility sector 
have frequently cited the widespread use of a variety of operating 
systems as a major benefit to security of handhelds for the last few 

Security researchers refer to the popularity of handhelds running on 
software made not only by Microsoft, but also by Palm, Symbian, and 
Research in Motion, among others, as one of the factors that have led to 
the existence of very few malware attacks aimed at mobile devices.

Attackers cannot focus on a single dominant platform in the mobile 
space, making it less attractive than the world of Windows desktops, the 
thinking goes.

As more users adopt smartphones, that dynamic may shift, experts claim, 
but the lack of a single dominant handheld OS has served as a form of 

"As the addressable market for smartphones expands, there will be more 
attacks, as malware activity always moves to the areas of greatest 
impact, but the activity isn't comparable to the desktop today," said 
Jan Volzke, head of marketing for Mobile Security at San Jose, 
Calif.-based McAfee. "The number of operating systems in use today has 
likely had an effect on slowing attacks, as there is no single platform 
to write malware code to."

But enterprise users say that a range of factors are pushing them to 
marry their Windows desktop environments with their mobile device 
strategies, with security as one of the leading catalysts.

Fears of creating a Windows Mobile monoculture that may be more 
attractive to attackers are superseded by the need for a stable product 
with familiar characteristics and ties to existing infrastructure, some 

Chevron PetroChemical, a massive plastics manufacturer based in Houston, 
is currently in the process of rolling out Motorola and Samsung 
smartphones running on Windows Mobile because IT project managers feel 
the company can protect those handhelds more easily than those running 
on other operating systems.

Jonathan Perret, IT Remote Connectivity analyst at Chevron 
PetroChemical, a joint venture between parent company Chevron and 
ConocoPhillipsSP, said that his company has been actively banning its 
employees from using smartphones and PDAs -- including the popular 
Research In Motion BlackBerry -- for the last several years.

Despite many requests by individual users to bring their personal 
BlackBerry devices into the office, the firm waited until it could get 
in hand Windows Mobile devices that would allow for enforcement of the 
same types of policies it has created for securing its desktops.

"We knew we would only use Windows Mobile, and we waited for it because 
it's the platform we felt we could secure most easily and at the lowest 
cost," Perret said. "This process of adopting smartphones is all about 
extending your network onto a new platform and addressing the challenges 
of that platform, and we felt Windows Mobile presented fewer 

The reason why the company banned the use of BlackBerry handhelds was 
because its IT department wasn't ready to invest in the back-end systems 
needed to secure the devices, while it felt that Windows Mobile would 
offer the opportunity to do so with existing infrastructure.

The company is also using a mobile device security package offered by 
software maker Mobile Armor and provided through carrier Verizon to help 
keep its smartphones locked down. So far the firm has 130 of the devices 
distributed to its executives and sales force representatives, with 
plans to hand out many more.

"Security slowed down previous adoption of PDAs and even our current 
smartphone deployment because we were waiting for new tools; we were 
limiting devices because of an inability to secure them," Perret said. 
"Windows Mobile may not have advanced security features, but we can 
augment that with third-party applications, and we felt that it 
presented the best alternative compared to the other [platforms], which 
would be a lot harder for us to support."

Microsoft officials agreed that one of the best selling points of 
Windows Mobile from a security perspective is the handheld product's 
close ties to its other systems.

The software giant won't try to keep up with every security feature on 
the smartphone software market, but it believes its technologies can 
already provide the sort of baseline protection that enterprises are 

"We're not going to try to go tit-for-tat on every security feature. 
Some rivals might have more built in, but this process isn't all about 
features; it's how the technology can be implemented that makes the big 
difference," said Samir Kumar, mobile devices product manager at 
Redmond, Wash.-based Microsoft.

"It's not about Windows Mobile having more security features than any 
other platform; it's about enterprise customers who already see a need 
to align mobile security and device management with how they do things 
in the desktop world," he said. "If they have existing management tools 
and policies for Windows desktops and laptops, it's logical and 
effective to extend that to handheld devices."

Security experts contend that there are still far too many different 
products in people's hands and that Windows Mobile commands far too 
little share of the wireless market for there to be anything close to a 
similar level of risk as the dangers associated with today's Microsoft 
desktop monoculture.

As the OS does become more widely used, however, the risk of attack will 
grow, according to security specialists.

"It's true there haven't been many mobile viruses, and you can still 
debate whether those will ever be as prevalent as desktop attacks," said 
Curtis Cresta, general manager of anti-virus maker F-Secure North 
America. "But you can also look at the history of IT and decide what 
will happen as more users adopt each OS; as more smartphones become 
available and more people are using them, the pool for each OS gets 
bigger, and we believe there will also be a bigger pool of attacks."

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods