Security considerations for Windows Phone 7

Windows Phone 7 is coming to a user near you -- regardless of whether your enterprise supports it. Make sure you prepare for this new threat to enterprise security.

The enterprise is filled with a plethora of operating systems and devices, mobile and otherwise. Microsoft -- a longtime culprit behind the complexities of business IT -- recently threw another platform into the mix: Windows Phone 7.

It wasn't Microsoft's intent to further complicate things. After all, Windows Phone 7 (WP7) is aimed at consumers. But IT managers know what's coming. Look at the headway iPhones and Droid-based smartphones have made into the enterprise.

It's not just that Microsoft has a new phone operating system; it's also the security risks that come with it. For example, a program called ChevronWP7 allowed the installation of unauthorized WP7 applications. While this app was recently pulled by its developers, the elephant in the room is that there's now another way for rogue software to enter the enterprise. Since these mobile devices are the new desktop, they're going to continue creating enterprise IT and security management headaches.

There is also the issue of patching. Software updates to WP7 will be delivered via Microsoft Update. My experience with Windows Mobile 6.x is that this process worked well -- but there weren't very many updates, so it was hard to really test its effectiveness. Another consideration is all the other software on these devices. With the proliferation of third-party apps, those apps are going to need to be maintained as well. I believe that the lack of third-party software patching is one of the greatest gaps in security -- at least on legacy desktops. Such updates will be handled via the Windows Phone Marketplace, so it's important to keep an eye on that.

In addition, WP7 doesn't have certain application programming interfaces (APIs), preventing third-party applications from accessing the video camera, compass and Personal Information Manager on the phone. I'm not sure of the motivation here, but Microsoft could be trying to preempt security and privacy problems.

But the biggest jaw-dropper with WP7 is that it lacks device encryption. Windows Mobile 6 had it, but the capability isn't available (yet) on Windows Phone 7. Call it ridiculous, shortsighted, you name it, but again, Windows Phone 7 is a consumer-centric platform. This is still going to be a problem in the enterprise.

WP7 is several years late to the new world order of smartphones -- but we are talking about Microsoft here. Although the company hasn't been able to come up with a long-lasting name for its smartphone OS, it's here to stay. That said, I doubt we'll see enterprise adoption on a level similar to that of the BlackBerry, iPhone and Droid.

Windows Phone 7 may be a competitive OS with neat apps, but it may not be right for your enterprise. Whether or not you're planning on adopting or officially supporting it, WP7 is coming to a user near you, so it's worth learning the basics of the platform.

ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. With over 21 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking for Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.


 

This was first published in December 2010