Share via

DIRECT PUSH SECURITY FUD

  • Article

In the past week Jack Gold Associates published a report entitled “Microsoft’s Direct Push Insecurity”

This latest FUD (Fear Uncertainty and Doubt) centres around some security concerns over Windows Mobile.

To get access to the report you do unfortunately you have to subscribe to read it however a couple of online reports have been published from it.  One of them is over at Eweek.

 

The report focuses on 3 areas of concern which are:

1. ‘….any transfer of data between Exchange and Outlook Mobile must be done in an unencrypted file-state’.

Well the entire data stream between the device and Exchange Server is encrypted using SSL.   We can also use 3DES as the encryption algorithm if required.

2. ‘… the use of only a password is a pretty insecure approach.’

An option to avoid this is to use Certificate-based authentication whcih can be used instead of a password.

3. ‘..third parties who wish to use an encrypted process must build their own synching mechanism.. or build their own client instead.’

This is a big misunderstanding as 3rd parties can use published Windows Mobile file system extensions to encrypt data as it is written to the file store.   (SQL Mobile as an example uses this)

ActiveSync, Outlook and 3rd party apps can continue to use the standard file system API’s while protecting the content through encryption.

I think the fundamental mis-understanding here is that the comparison is being made against two different architectures in that RIM, GoodLink and other solutions use a Network Operations Centre or intermediary server so they have to encrypt the payload as there isn't a single end-to-end channel that can be encrypted. 

I also had to do a press interview late last week with Ken Young who has published our discussion on this very topic HERE.

Comments

  • Anonymous
    November 05, 2006
    PingBack from http://justanothermobilemonday.com/Wordpress/2006/11/06/mr-mobile-answers-claims-of-direct-push-insecurity/

  • Anonymous
    November 05, 2006
    The Mobigeeks website discuss abiut a report from  J. Gold Associates... (in french) http://www.mobigeeks.fr/forum/viewtopic.php?pid=2774#p2774

  • Anonymous
    November 06, 2006
    Jason, Can you help with the following security questions that I haven't been able to get good answers to as yet: a) If users are allowed to authenticate using their domain credentials? What key is used to encrypt the user's credentials when they are stored on the device? Are they truly encrypted or just obfuscated? b) How do you centrally (with a policy) disable the 'hint' feature that allows users to set a hint for their 'power on' password on a mobile device (which pops up when they get the password wrong)? c) How do I prevent Direct Push users from doing an Activesync with their home PC and uploading potentially sensitive corporate info. d) If we use a third party security package to encrypt devices. How can I deploy this centrally to all my mobile users and how do you ensure the user has this installed before they are allow to connect to their corporate account? e) If you use certificates. What is the best practice to deploy them to users who have had to hard reset their devices in the field or bought new devices but are not in the office? f) How do I prevent users from connecting extra unsupported devices to their mailbox without IT permission?

  • Anonymous
    November 06, 2006
    Pete - let me try and answer your questions: a) If a user uses domain credentials we store a hashed double encrypted version of the password on the device using RC4 encryption. b) Not sure what hint you are referring to?  I haven't seen that... c) This is a really tricky one as I don't think this is possible. d) You should look at solutions like Credant who can help here. e) Right now if you do use certificates you will have to cradle the device once to get the cert - there isn't a way round this right now but lots of customers do like this as it stops people using personal/individual purchase devices f) You can't right now - in Exchange 2007 you can allow/disallow by Device ID

  • Anonymous
    November 06, 2006
    a little contribution: e) Importing certificate with activesync is the most secure way but other solutions exist (have a look here: http://www.jacco2.dds.nl/networking/crtimprt.html) . But I would not recommand storing certificate with private key in a mobile device to be able to restore it. f) If you look Microsoft Mobile Admin (http://www.microsoft.com/downloads/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&DisplayLang=en) you are able to list devices that a user use, and initiate a Remote wipe if needed...I can assume that a little dev can automate the task. Andre

  • Anonymous
    November 07, 2006
    Speaking of Windows Mobile security, Jason Langridge also makes some very valid points. Check out his

  • Anonymous
    November 07, 2006
    Jason - a little help with c) - basically same answer as d! 3rd party vendors e.g. Credant can help here also as with some you can, basically, set an trust relationship between the device and a local gatekeeper that can be configured to stop any sync with an 'unauthenticated PC' Unless the user had the solution on the home PC as well then ActiveSync would be blocked. However - this may be too extreme a solution.

  • Anonymous
    November 08, 2006
    The comment has been removed

  • Anonymous
    November 08, 2006
    While the discussion here is great but the fact is WM platform lacks enterprise level security and management capabilities compare to the competition, and has not progress much since WM 2003. Security "has" to be built-in and not as an add-on.  Unlike a Windows desktop a mobile device is not physically located nor connected to a trusted network or known location, making content security vital and should be a standard, not as an add-on. Management capability allows administrators to manage these dumb, not user-friendly, and a lot of the times not connected devices, a mandatory requirement in order to effectively deploy and manage a mobile work force.  Again, this should be part of any mobile platform, not as add-on. The WM platform, combining with MS backoffice solutions such as Exchange SP2, SMS Server and ISA Server does not provide an adaquate solution to meet the above requirements for an enterprise mobile deployment. Sorry, but MS has a long way to go.

  • Anonymous
    November 13, 2006
    The comment has been removed