Windows Mobile Security and Patch
If you work in Information Technology or have been using Windows on your desktop you are aware that security and patch management are critical tasks that must be addressed especially on any device where you store information. With Windows Mobile you cannot afford to ignore security and patch management either. This article provides an overview of the latest in Windows Mobile 5.0 security and patch management. Also, where appropriate I have included my recommendations to improve security. As with any recommendation, you must consider what is best for your environment and security requirements.
During last summer, Microsoft decided to remove all versions of ActiveSync 3.x from their website. Later, Microsoft blogs revealed that there were security concerns regarding ActiveSync 3.x. I was surprised that Microsoft did not use its Trustworthy Computing approach to issue a Security Advisory (http://www.microsoft.com/technet/security/advisory/archive.mspx) for ActiveSync 3.8.
Some security issues with ActiveSync 3.8 had been known for about a year before Microsoft pulled ActiveSync 3.x. Airscanner published Remote Password Compromise of Microsoft Active Sync 3.7.1 & 3.8 (http://www.airscanner.com/security/activesync371.htm), which explained how an attacker could use the network synchronization option in ActiveSync to attempt to break your password or prevent you from synchronizing. For a comprehensive list of ActiveSync security issues reported by third parties, see http://www.pocketpcfaq.com/faqs/activesync/securityadvisories.htm.
Recommended ActiveSync Security
At this time, I recommend that users upgrade to ActiveSync 4.5 to avoid these security issues. If you insist on using ActiveSync 3.x because you want to sync over your network connection, then I suggest that you assign a static IP address to your Windows Mobile device and configure your desktop PC’s firewall to only allow that static address and the 192.168.55.101 subnet 255.255.255.0 to use ActiveSync via the network and USB.
Windows Mobile Device Security
Power-on Password Security
With Windows Mobile 5.0 Messaging and Security Feature Pack (MSFP) and Exchange 2003 or 2007 you can require users to set a power-on password. With Exchange you can specify the minimum length of the password and have the device erased after a number of incorrect password attempts. Erasing the device does not erase any data stored on a storage card.
With Windows Mobile 5.0 and MSFP, users’ devices can be remotely erased in case they are lost or stolen. However, in order for the remote erase to work, the device must be connected to the internet and able to reach the Exchange server. So if a stolen device is never connected to the internet, or its Exchange server connection is deleted, the device’s data is not erased. Further, the Remote Wipe does not erase any data stored on storage cards.
I highly recommend that network administrators implement and support Windows Mobile 5.0 MSFP devices only and configure Exchange to offer the level of security that mirrors their corporate standards. If you choose to support Windows Mobile 2003 devices, then you will not be able to enforce password security.
Device Stored Password Security
One of the issues to watch out for on a Windows Mobile 5.0 device is the ability for users to store network and website passwords on their device. Although the user can store the password, there is no administrative option to prevent them from doing so. Further, the only way to delete the stored passwords is by performing a hard reset.
So I do not recommend “recycling” a Windows Mobile device without performing a hard reset on it. This is the only way to guarantee that the user’s data and any stored passwords on the device have been deleted. Also, I suggest that all users be warned not to store passwords on their device, even though the device offers the option to do so.
As with Windows Vista, Microsoft has recommended that CAB files for Windows Mobile 5.0 be digitally signed by developers. Users can still install unsigned CAB files; however, they are prompted that the CAB file is unsigned. Also, if they download CAB files from the internet, they are prompted to save or run the file. The same digital signing and prompting occurs for ActiveX controls as well.
I recommend that users be told not to install CAB files or ActiveX controls from the internet. Ideally the IT department should install the appropriate applications for the user prior to deploying the device. This will avoid getting the user in the habit of installing applications on their device.
Windows Mobile Patch Management
Even though Microsoft created the operating system and every operating system has “bugs”, you cannot get patches from Microsoft for your device. So when it comes to patch management with Windows Mobile 5.0, you are really at the mercy of your OEM or carrier. Right now each OEM and carrier has a different process for releasing updates.
Most updates are new ROMs, which require the user to erase all their data and install the ROM. So make sure you have a backup copy of critical files and have synchronized with Outlook before performing a ROM upgrade.
Adaptation Kit Updates (AKUs) – Microsoft’s Patches for Windows Mobile
As a background note, Microsoft releases patches as Adaptation Kit Updates (AKUs). Normally AKUs are used to provide patches; however, Microsoft has decided to include new features with them as well. Also, Microsoft has never published a list of the AKUs that have been released and what features have been included. You can see a list of AKUs at http://www.mobile-review.com/pda/articles/wm-aku-en.shtml. Microsoft only releases AKUs to OEMs. It is up to each OEM to decide whether or not to offer an upgrade which includes AKUs for its customers.
What AKU am I running?
So in order to know what AKU version you have installed, go to Start – Settings – System – About and look at the build of Windows Mobile that is installed. The main build number is 14847.w.x.y, where w is the major version and x is the minor version of the AKU. One important AKU to be aware of is 2.2, which is the Messaging and Security Feature Pack that provides push e-mail.
Example User Issue and Patches
An example of an issue that Windows Mobile users will encounter later this year is the new daylight savings time which Congress passed last year. If you are lucky enough to have a Windows Mobile 5.0 device with AKU3, you already have the new daylight savings time updates. For the rest of us, Microsoft has provided a KB article, http://support.microsoft.com/Default.aspx?id=923953, which explains how to create a .CAB file to fix the problem. This is a classic example of the pain that users experience with updating Windows Mobile. Microsoft releases an update and it is up to the OEM to release it to you and me. So we are at the mercy of the OEM to release critical updates like this. Ideally, wouldn’t it be best for customers if Microsoft released updates like this to customers directly? Since Microsoft doesn’t sell devices to users and does not want to directly support users, this is not going to happen because it costs too much.
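The build-number rule above (14847.w.x.y, with w.x being the AKU) is something an administrator ends up applying across a whole fleet to decide which devices can have Exchange password policy and remote wipe enforced (MSFP, AKU 2.2 and later), which still need the daylight-saving fix (AKU 3 and later already have it), and which are pre-5.0 devices that cannot be managed at all. The following Python script is an added example written for this article, not code from Microsoft or from the article’s author. It assumes that the About screen text reads roughly “OS 5.1.195 (Build 14847.2.0.0)” and that a Windows Mobile 2003 device reports “Version 4.21.1088”; the device names and About-screen strings in SAMPLE_DEVICES are constructed, not real inventory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The article: the Windows Mobile 5.0 About screen shows a build of the
# form 14847.w.x.y, where w is the AKU major and x the AKU minor version.
# The surrounding About-screen wording ("OS 5.1.195 (Build 14847.2.0.0)")
# and the Windows Mobile 2003 "Version 4.21..." line are assumptions.
OS_RE = re.compile(r"(?:OS|Version)\s+(\d+)\.(\d+)")
BUILD_RE = re.compile(r"Build\s+(\d+)\.(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

MSFP_AKU = (2, 2)      # Messaging and Security Feature Pack (per the article)
DST_2007_AKU = (3, 0)  # first AKU carrying the 2007 US DST rules (per the article)


@dataclass
class DeviceInfo:
    name: str
    about_text: str
    os_major: Optional[int] = None
    base_build: Optional[int] = None
    aku: Optional[Tuple[int, int]] = None   # (major, minor); None if not WM 5.0

    @property
    def has_msfp(self) -> bool:
        return self.aku is not None and self.aku >= MSFP_AKU

    @property
    def has_dst_2007(self) -> bool:
        return self.aku is not None and self.aku >= DST_2007_AKU


def parse_about(name: str, about_text: str) -> DeviceInfo:
    """Extract the OS major version and the AKU (major, minor) from About text."""
    info = DeviceInfo(name=name, about_text=about_text)
    os_match = OS_RE.search(about_text)
    if os_match:
        info.os_major = int(os_match.group(1))
    build_match = BUILD_RE.search(about_text)
    # Only a Windows Mobile 5.0 build encodes the AKU in positions w.x;
    # an older device (Windows Mobile 2003) has no AKU to report.
    if build_match and info.os_major == 5:
        info.base_build = int(build_match.group(1))
        info.aku = (int(build_match.group(2)), int(build_match.group(3)))
    return info


def assess(info: DeviceInfo) -> List[str]:
    """Findings for one device, following the article's recommendations."""
    findings: List[str] = []
    if info.aku is None:
        findings.append("pre-Windows Mobile 5.0 or unreadable build: Exchange cannot "
                        "enforce a power-on password; upgrade or retire the device")
        return findings
    major, minor = info.aku
    if not info.has_msfp:
        findings.append(f"AKU {major}.{minor}: no MSFP, so no enforced power-on password "
                        "or remote wipe; obtain an MSFP ROM from the OEM/carrier (back up first)")
    if not info.has_dst_2007:
        findings.append(f"AKU {major}.{minor}: 2007 daylight saving rules missing; "
                        "deploy the KB 923953 .CAB")
    if not findings:
        findings.append(f"AKU {major}.{minor}: MSFP and 2007 DST rules present")
    return findings


def fleet_report(devices: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each device name to its list of findings."""
    return {name: assess(parse_about(name, text)) for name, text in devices.items()}


# Constructed sample About-screen text for four devices (not real inventory).
SAMPLE_DEVICES = {
    "sales-01": "Microsoft Windows Mobile Version 5.0 OS 5.1.195 (Build 14847.2.0.0)",
    "sales-02": "Microsoft Windows Mobile Version 5.0 OS 5.1.195 (Build 14847.2.3.0)",
    "exec-01": "Microsoft Windows Mobile Version 5.0 OS 5.1.195 (Build 14847.3.0.0)",
    "legacy-01": "Microsoft Windows Mobile 2003 Second Edition Version 4.21.1088 (Build 14235.2.0.0)",
}

if __name__ == "__main__":
    for device, findings in fleet_report(SAMPLE_DEVICES).items():
        for finding in findings:
            print(f"{device}: {finding}")
```

The OS major version is checked before the AKU is read because a Windows Mobile 2003 build string also has four dot-separated fields, and reading its second field as an AKU would wrongly mark the device as manageable. Anything that fails the check is reported as needing replacement rather than a patch, which matches the article’s point that 2003 devices cannot have password policy enforced.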
Update - Microsoft now offers a patch for Windows Mobile to address the new Daylight Savings Time for 2007.
Overall I am disappointed that the licensing process between Microsoft and the OEM is preventing the best user experience. This patch process feels like we are playing telephone and we seem to have similar results. Also, Microsoft has never released a security advisory for Windows Mobile or ActiveSync. This concerns me because they pulled ActiveSync 3.x due to security concerns but they won’t tell you the risk if you continue to use it. With these approaches to security and patch management, enterprise users are really dependent more than ever on OEMs and carriers to ensure their security.