Microsoft's dog-and-bone OS - smart and safe?

2005-07-01

Juha Saarinen

Independent technology writer, New Zealand
Editor: Helen Martin

Abstract

Juha Saarinen looks at security issues related to mobile phones running on the Windows OS


Introduction

So, I got myself a smartphone with a 400 MHz Intel Xscale CPU, 128 MB of memory and a fast, EV-DO Internet connection that hits 7-800kbit/s at times. It's brilliant. With it, you can load and edit Word and Excel files, run a fair few executables and read your email, as well as wonder why website designers don't take into account us poor sods with 320 x 240 screens (yes, I know about Bitstream Thunderhawk and its 800 x 600 virtual resolution display).

Sites do load fast though, even if I can't actually make out a great deal of many. On top of that, the music, video, MSN IM, and Skype capabilities mean that I hardly ever use the smartphone for making mobile phone calls.

The phone is, however, a device that runs Windows as its operating system. More specifically, Windows Mobile 2003 Second Edition build 14132. I'm cool with that, but where's that Windows Update function to keep it safe and sound? After all, it does run Internet Explorer (albeit sans active content) and Outlook.

Before the current smartphone, I had another one that ran (and still runs) Windows for Pocket PC 2002. However, I can't upgrade that to Windows Mobile 2003 SE.

Does this lack of updates mean that Microsoft's programmers have created an impenetrable device with which I can stumble around the Internet? I understand that this is an entirely different hardware platform from Intel IA32, but still, it has a powerful processor and fast Internet access, so surely it must be a juicy target for malware writers.

Voicing concerns

I decided to put my concerns to Microsoft. My first port of call was Microsoft's New Zealand office (MSNZ), where I was told that it is the vendor and/or the device manufacturer's responsibility to furnish customers with updates. Next, I tried contacting the vendor and the manufacturer of the smartphone with my concerns, but drew a blank with both, so I went back toMicrosoft with my doubts.

This time around, Brett Roberts, MSNZ's manager of platform strategy and security, took some time to explain how it all works and to allay my fears of a hacked smartphone with thousand dollar bills (the monopoly telco in New Zealand charges an arm and a leg for mobile data).

First, Brett told me: 'the first thing to consider is the difference between Windows Mobile and our operating system on the desktop, and in turn the resulting difference in upgrade venues and frequency.'

He added: 'Microsoft's relationship with PC owners is direct in many ways - we update software through Windows Update. In the mobile world the operator or device maker owns the device image and is responsible for updating the software.'

He was keen to stress Microsoft's dedication to improving software and security though, saying, 'I stress that Microsoft is continually updating its software and providing updates to operators and OEMs which they, in turn, can use for new devices and those already in the hands of customers. The updates we provide are mostly based upon direct customer (OEM, Operator) feedback in terms of 'fixes'.'

Q & A

I didn't feel that the answers I had been given had really told me very much, so I decided to fire some more specific questions at Brett regarding smartphone updating. In the following dialogue I am Mr Q, and Brett is Mr A.

Q: Is it safe to use my Windows Mobile device without updates?
Q: What is different about the Pocket PC that makes it 'invulnerable' so that it does not require regular updates?
Q: Why is it so easy to update Windows (and other OS) regularly, and why is it not the same for the Pocket PC?
Q: Does Microsoft have any plans to provide an update service like Windows Update for Windows Mobile-based devices?
Q: Sony provides regular updates to its mobile phone operating systems, incidentally. Should, perhaps, Microsoft work with vendors to ensure that they release regular updates and not just abandon year-old products?
Q: Could you elaborate on Microsoft's commitment to security on the Windows Mobile platform?
Q:

Is it safe to use my Windows Mobile device without updates?

A:

'Strategically, there are three key areas with respect to security on the Windows Mobile platform:

  1. Protecting access to the device.

  2. Securing data on the device.

  3. Securing the connections used to exchange data.

'Across each of these areas are secure software development processes, training and testing as part of the larger Microsoft Trustworthy Computing Initiative to help ensure that Windows Mobile software is secure. Additionally, Microsoft works to ensure that we enable a rich ecosystem of third-party security providers to provide additional security that may be required beyond what is provided natively in the platform.

'As an end-user, two of the most important things you can do to protect your device are:

  1. Ensure perimeter security.

  2. Know the source of the applications you are downloading.

'Perimeter defence can be as simple as taking advantage of the strong password support provided natively in the platform or employing third-party solutions that enable you to wipe the device data if too many incorrect passwords are entered. Similarly, just as you exercise caution in the type of applications you download on to your PC, you should exercise the same care with your mobile device. If you don't trust the source of the application, you should not download it.'

Q:

What is different about the Pocket PC that makes it 'invulnerable' so that it does not require regular updates?

A:

'Microsoft believes that no software is invulnerable to security threats. As mentioned above, employing the functionality that exists natively is the primary line of defence. Using a device PIN for perimeter security and knowing the source of the applications you download and run are the most important things that an end user can control.

'Depending on the nature of security required, third-party security solutions may provide an additional level of security - for example, data encryption. Microsoft does provide periodic updates to the Windows Mobile software to our device-maker partners. Depending on where device makers are in their development cycle and commercialisation process, they may or may not elect to make these updates available.'

Q:

Why is it so easy to update Windows (and other OS) regularly, and why is it not the same for the Pocket PC?

A:

'The ease of updates for Windows on the desktop has been a convergence of two important factors:

  1. The great work by the Windows division on Windows Update technology.

  2. The evolution and standardisation of PC hardware over the last 20 years. There is no question that the hardware standardisation has made it easier to create and deploy universal software updates to the existing PC base.

'Windows Mobile software is different in several ways from that of the desktop software with respect to updates. First, it is important to understand how the handheld device differs from the PC. Windows Mobile is a rich platform that provides an integrated telephony, PIM (Protocol Independent Multicast) experience. The robustness of the platform also enables unique solutions and applications to be built upon it. When a device manufacturer creates a Windows Mobile-based device, they integrate the Windows Mobile software with their own hardware, ensuring that the drivers (which interface between the software and the hardware) are optimised for their hardware and ensure integration with any applications or solutions experiences they might be adding.

'For connected devices (i.e. telephony-enabled devices), further optimisations may be required for each device model for each mobile operator network, in effect creating numerous similar, yet distinct products. Because the smartphone/connected-device space is so nascent, there is still a lack of standardisation of device drivers between hardware manufacturers. In addition, unlike PCs where the operating system is on a hard drive, Windows Mobile images are flashed to ROM, meaning that the update process requires a unique flashing mechanism on each hardware platform.

'This has significant implications on ubiquitous updates: mobile software updates must work seamlessly across a permutation of unique hardware and mobile operators' network optimisations. Accordingly, any software update must currently occur via tight integration of the software provider, the device maker and the mobile operator.

'Until the mobile device hardware reaches a sufficient level of maturity, the most effective and reliable way to deploy updates is for the platform provider to provide a software update to the device maker, who in turn creates a specific update for a specific device on a specific mobile operator, who then would roll out to the end customer.'

Q:

Does Microsoft have any plans to provide an update service like Windows Update for Windows Mobile-based devices?

A:

'While we cannot comment on specific plans for future releases, Microsoft continues to investigate ways to provide a more seamless update experience of Windows Mobile-based devices for device makers, mobile operators and end users.'

Q:

Sony provides regular updates to its mobile phone operating systems, incidentally. Should, perhaps, Microsoft work with vendors to ensure that they release regular updates and not just abandon year-old products?

A:

'While we cannot comment on competitors' practices, for Windows Mobile products, we certainly make upgrades available to OEMs who have in the past offered it to end users. However, the decision on whether or not to make an upgrade available to their customers is a decision on the part of the device maker who must create the upgrade and the mobile operator who will help roll it out.'

Q:

Could you elaborate on Microsoft's commitment to security on the Windows Mobile platform?

A:

'Microsoft takes the security across all of its products seriously and Windows Mobile is no exception. Windows Mobile software is part of Microsoft's larger Trustworthy Computing Initiative. As part of that initiative, later versions of Windows Mobile software have been undergoing rigorous security reviews during development and developers are given special training on secure software development practices. We also strive to provide a rich open platform that enables our valued partner ecosystem to develop additional software applications and solutions to help respond to security needs in the marketplace.

'Microsoft utilises a multi-pronged strategy to empower businesses and users with a more secure mobile computing experience.

  • Threat modelling: Microsoft conducts threat modelling as a regular piece of our security program. This includes our own internal code review plus extensive testing by third parties.

  • Two-tier access: Windows Mobile for Smartphone supports a two-tier access model (Privileged/ Unprivileged) that is flexible in order to meet varying operator network requirements and provides strong security options to ensure end user satisfaction. This technology can be used to control which applications can install and execute on a device.

  • Third-party solutions: a number of Microsoft partners offer a wide range of security solutions for Windows Mobile-based devices, including Computer Associates, F-Secure, Symantec and McAfee, JP-Mobile Developer One, Information Security Corp. and Ilium Software.

  • End-user education: in addition to utilizing the technical security features in Windows Mobile software, Microsoft recommends that users employ the following safeguards to help protect the data stored on their devices:

    - Activate password protection on the device.

    - Install software and accept files only from reputable sources.'

Between the lines...

Righto, no worries in other words, and no need to check for that ARM port of OpenBSD with telephony features.

Note

In next month's issue of VB, Michael Moser takes a long hard look at the statements made here by Microsoft and gives us his interpretation.

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest articles:

VB99 paper: Giving the EICAR test file some teeth

There are situations that warrant the use of live viruses. There are also situations where the use of live viruses is unwarranted. Specifically, live viruses should not be used when safer and equally effective methods can be used to obtain the…

Powering the distribution of Tesla stealer with PowerShell and VBA macros

Since their return more than four years ago, Office macros have been one of the most common ways to spread malware. In this paper, Aditya K Sood and Rohit Bansal analyse a campaign in which VBA macros are used to execute PowerShell code, which in…

VB2017 paper: Android reverse engineering tools: not the usual suspects

In the Android security field, all reverse engineers will probably have used some of the most well-known analysis tools such as apktool, smali, baksmali, dex2jar, etc. These tools are indeed must‑haves for Android application analysis. However, there…

VB2017 paper: Exploring the virtual worlds of advergaming

As adverts in gaming (‘advergaming’) ecosystems continue to become more sophisticated, so the potential complications grow for parents, children and gamers, who just want to play without having to worry about where their data is going (and how it is…

Distinguishing between malicious app collusion and benign app collaboration: a machine-learning approach

Two or more mobile apps, viewed independently, may not appear to be malicious - but in combination, they could become harmful by exchanging information with one another and by performing malicious activities together. In this paper we look at how…


Bulletin Archive