Log in

View Full Version : Why I am Scared of the Verizon Wireless Sync; And You Should be Too


Kris Kumar
07-20-2006, 06:00 PM
Ever since BlackBerry introduced the push email technology for delivering emails to the mobile device, others in the industry have tried to offer the same. Microsoft, Good Technology, SEVEN Networks and Visto are the few companies that come to mind when I think about push email and wireless sync of contacts, calendars and tasks. Some like Microsoft, Good and BlackBerry offer server based sync functionality; what it means is that your corporation or email provider has to install a special server to enable mobile sync. On the other hand companies like SEVEN offer something called the <i>desktop re-director,</i> which installs on your desktop that has access to the mail server. Unlike the server based solution which centralizes the sync functionality for all users on to one system, the desktop re-director approach requires each user, who wishes to perform sync, to install the solution on their computer. I myself rely on Cingularís Xpress Mail which is powered by SEVENís technology. There are features I wish it had but I am comfortable with the current solution. Recently I got the chance to try out Verizonís Wireless Sync solution. Armed with the Moto Q and a new Verizon account, I effortlessly installed and configured the Wireless Sync solution to synchronize my email, contacts, calendar and contacts. I was happy to see that the calendar entry that created on the Q showed up in the Outlook on my desktop computer. Emails were being delivered to the inbox on my device within seconds of them arriving in my Exchange based mail box.<br /><br /> <img src="http://www.smartphonethoughts.com/images/Kris-jul06-VerizonWirelessSync.jpg" alt="User submitted image" title="User submitted image"/> <br /><br />The happiness was short-lived as I realized how the solution was working behind the scenes to perform the synchronization. The Verizon Wireless Sync is based on the desktop re-director approach. This application kept tabs on my Exchange based account and monitored it for any changes like new email or new calendar item. This is something that most of the desktop computer based sync solutions do, including the one from SEVEN. The big difference was that instead of synchronizing the information directly with the mobile device, like in the case of the SEVENís solution, the Verizon Wireless Sync was sending all my personal information to a server hosted on the Internet by Verizon.<!> Verizon claims that the information, which by the way is several MBs worth of corporate email, 300+ contacts, my entire calendar and notes, is stored in a secure manner; and I am sure the information is stored in a very secure manner. My problem is Ė <i>why are they keeping a copy of all my information to begin with?</i> This approach is not IT friendly. In fact I found out later that our IT department does not like this sync software for this very reason and they will take action against anyone found using this software. <br /><br />Some might argue that it is okay for Verizon to store the information up on their servers as along as the sync functionality is provided and it works flawlessly. I donít think I can argue with that point. The solution does work well and I donít think I had any issues with the sync itself. Also there is an advantage, unlike the other systems like Cingularís Xpress Mail, where I have to keep my desktop computer running all the time with the re-director software to access the information; with Verizonís system I can view the last synchronized information anytime, even when the desktop software is not running. So if you are okay with it and your company is okay with the way it works, then there are no reasons not to like it. Well almost, what happens when you decide to terminate your cell phone account with Verizon? Or if the cell phone is provided by your work place and you have to return it or transfer it to someone else. Donít you think you should be allowed to delete all your personal information before you terminate the account? You will be sorry to hear that there is no provision in the Wireless Sync system for the user to delete their personal information using a couple of clicks. I spent a long time on the phone talking to the technical support specialists:<br /><i>"We apologize that we do not have a simplified procedure in place to purge your Exchange information for you. You can clear you Wireless Sync account data by deleting information manually or by calling in for assistance with deleting the account from the server. If you cancel your service the account will be automatically deleted from the server."</i> <br />What they recommended was deleting all my emails, contacts, calendar items, tasks and notes I-N-D-I-V-I-D-U-A-L-L-Y. I had more than 100 emails, around 300 contacts, 20 tasks, 28 notes and I donít even know the total number of calendar items. I deleted all of them page by page using the Wireless Sync web interface, using the ďcheck-allĒ option on each page to select the items, and then deleting the items using the delete button; but when I got to the calendar items, I got stuck as there was no list view for me to select a page full of items and delete them. Verizonís answer was to visit each day in my calendar and click the little trash icon next to each calendar item! The only other alternative was to wait for up to 48 hours after I cancel my Verizon service and then the Wireless Sync account will get deleted automatically. This approach will not work if you were transferring the phone to someone else or returning it back to your workplace. Needless to say I gave up on the idea of deleting the calendar items manually and decided to leave the calendar items in the account, and prayed that the Verizon servers will do a good job of cleaning the information when they terminate my account. <br /><br />Security does not mean adding firewalls to a server and encrypting userís personal data. Security is about making the user feel comfortable with the system and feel in control of their information. That is where Verizonís system fails. Another thing I found by accident was that in case you install the desktop re-director software on another computer and hook it up to another Exchange account. The dumb Wireless Sync software running on the two desktops will sync with the common account on the Verizonís server and guess what, it will sync the information between the two Exchange accounts. You will end up with the emails and other information from the first Exchange account corrupting the second account and vice versa. The software does not even warn the user, when it is configured on the second desktop that the information on the Verizon server belongs to a different email/Exchange account. I would have expected the software to detect the presence of two accounts and prompt me with a question before proceeding with the sync. It can be seen as a feature; to me it is a hassle and a security risk. Corporate users and IT department should take note of this fact and ensure that the data is wiped clean before handing the phone to another worker.<br /><br />While every system or solution has its own set of flaws, I like to be in control of my information; I do not like my personal information to be duplicated on systems that I do not have control over. In fact I like to keep the number of copies to an absolute minimum. That is why Verizonís Wireless Sync scares me and if you are using it, then you should be concerned too.

sojourner753
07-20-2006, 06:57 PM
I think this is another example of how we really have no idea where our personal information is.

Personal information is something that I would prefer to keep seperate from services providers. I currently use 4smartphone.net. So if I ever leave Cingular, its not a problem. Its bad enough that my email address is tied to my Cable service. I've been trying to think about what kind of process I could undertake to migrate to a neutral email.

Anyway, why use Verizon's service? If you already have an exchange account, then why not just use the Microsoft push process?

I don't use Cingular's XpressMail at all. All I need is MSFP on my device and I get push. Currently I have my AS synching every 1/2 hour.

Rocco Augusto
07-20-2006, 07:49 PM
this is why i use 4smartphone.net as well. i just do not feel comfortable keeping all my eggs in one basket... mostly because more often than not, especially after working in wireless for almost a decade, i have noticed that the carrier usually always messes something up.

Pete Paxton
07-20-2006, 08:26 PM
I'm a 4smartphone.net user as well. I really liket it. Now if Tmobile will get the MSFP going, I'd be all set.

qyv42
07-20-2006, 08:30 PM
Some like Microsoft, Good and BlackBerry offer server based sync functionality; what it means is that your corporation or email provider has to install a special server to enable mobile sync.

This is not actually the case with Exchange if your company is running Exchange 2003 - the functionality is native, unlike Good and Blackberry. For push e-mail specifically, you need Exchange 2003 SP2 installed as well.

This might be seen as a technicality, but in the context of your article, it's actually potentially significant. One of the selling points of Windows Mobile + Exchange from Microsoft's standpoint is that your data never passes through anyone else's datacenter (as it does with RIM, for example), so there's one less concern from a privacy standpoint.

Kris Kumar
07-20-2006, 10:52 PM
Anyway, why use Verizon's service? If you already have an exchange account, then why not just use the Microsoft push process?

Well my big corporation's slow moving IT department is currently stuck on BlackBerry Enterprise Server. They are testing Exchange push system but have not rolled it out to the workers. :-(

Kris Kumar
07-20-2006, 11:08 PM
This might be seen as a technicality, but in the context of your article, it's actually potentially significant. One of the selling points of Windows Mobile + Exchange from Microsoft's standpoint is that your data never passes through anyone else's datacenter (as it does with RIM, for example), so there's one less concern from a privacy standpoint.

I would have myself argued that it is mere technicality; :) but you have a good argument. Microsoft Exchange solution is definitely the best because it supports the mobile device directly and as you mentioned the user's data is not required to pass thru another server like Good or BES. Good point.

The only drawback to Microsoft's solution is - "trust." The advantage that you mentioned, single server does everything, is the problem. Here is why - IT department does not trust Microsoft solutions as bullet proof, definitely not the IT department of my company. By putting all the eggs in the Microsoft basket and opening the corporate firewall (even though it is one lousy port) to the Exchange server, the IT department is paranoid about attacks. With BlackBerry, Good or any other server providing mobile support, they are not worried because those server are not tightly integrated into the internal corporate network, those servers can act as buffers to hack attacks. But by opening up the Exchange to the external network for mobile support, you are opening up a critical internal server that has access to the network, the Active Directory information etc.

Bottomline, this is the reason why the IT department of my company is moving slowly with caution to verify that things will be fine when the Exchange is enabled for mobile access. Please if you are Microsoft Exchange supporter don't flame me, I am just raising a point. I myself would like to see the Exchange mobile access be enabled but understand the risks (I have worked a lot with Microsoft technologies ;-) ).

Overall I just wanted to beat up Verizon Wireless Sync. :evil: It should not have implemented the sync the way it did and wanted to caution other users.

Jason Dunn
07-20-2006, 11:21 PM
Great article Kris! It is indeed a bit scary when you stop and think about a complete copy of your data sitting up on a server somewhere, when you didn't ask it to be copied. 8O

Kris Kumar
07-20-2006, 11:51 PM
Just in case anyone is interested in the interesting terms and conditions, (https://www34.wirelesssync.vzw.com/en/tos.asp) here it is:

"(d) YOU AGREE THAT NEITHER INTELLISYNC NOR VERIZON WIRELESS ASSUMES
RESPONSIBILITY OR LIABILITY FOR LOSS OR DAMAGE TO YOUR DATA OR FOR THE
FAILURE TO STORE OR TRANSMIT ANY MESSAGES AND OTHER COMMUNICATIONS OR OTHER
CONTENT MAINTAINED OR TRANSMITTED BY THE INTELLISYNC SERVICE. You are solely
responsible for the data, files, and settings in Your Account and for the
data and files that You store, retrieve, transmit or synchronize within or to
Your Account or other websites, services or devices or with respect to which
You attempt to do so (such data is Your "Synchronized Information"). ... You also agree not to access or attempt to access any Service accounts that
You do not have access authorization for or gain unauthorized access to any
of the servers or systems controlled by Intellisync."

People rarely read the terms and conditions, neither did I. :oops: So can someone interpret the above; does it not say that Verizon is not at fault for any loss of information, I believe that would include hack attacks? :roll:

Mike Temporale
07-21-2006, 01:35 AM
Sure sounds that way to me. Although, "terms" only go so far. I'm sure a good lawyer could show negligence on Verizons part to properly educate and inform the user as well as patch and secure the server and transmission of data.

Jerry Raia
07-21-2006, 03:54 PM
For as long as Verizon takes to roll out updates for our phones it is interesting how casual they are about our data and information. I wouldn't use anything like this from them.

Kirkaiya
07-21-2006, 05:47 PM
For people interested in doing over-the-air (OTA) sync using the ActiveSync on the WM5 smartphones to a server other than Exchange, you can also do it if you have a Zimbra account (either running your own Zimbra Network Edition, or a hosted account with someplace like zioffice).

Right now, Zimbra mimics Exchange Server (you can enter a zimbra server URL as the "Exchange Server Source") and sync your Calendar and Contacts with scheduled syncs (not the same as direct push, I know, but if you don't mind hourly polling over an Edge or 3G connection, it's fine - works great for me over EDGE).

For email, I use a scheduled IMAP4 account on my StrTrk phone, but when Zimbra releases 3.2 next month, it will support full OTA sync using ActiveSync for email, contacts and calendar (and possibly tasks as well, not sure yet).

Anyway - choices are always good, and I love the extremely fast searching on the Zimbra web-interface (it indexes everything, including attachments).

I know there are some other mail servers that can do activeSync OTA with WM5 also, if anybody has info on those, I'd be interested to hear them.

The One Eyed Man
07-25-2006, 01:21 AM
From the IT perspective, we try to take all of these factors in to account when trying to recommend a solution.

From an architecture standpoint, MS Exchange makes the most sense, because it correctly isolates "external" access from the "internal" e-mail system, which is a shortfall of the other solutions that are mentioned. In a correctly architected solution, the phone connects over the internet, passing through a firewall, intrusion detection, Microsoft ISA server (application firewall), and connects to an ActiveSync "external" Front-End Exchange server that does not actually store or process e-mail. Once the connection is authenticated and the request verified, the "external" Exchange server connects to the "internal" Exchange database server.

None of the other solutions provide this level of security or assurance.

Most companies have contractual or regulatory obligations to control information passing externally, or hosted on third-party systems. If you work for a bank or a hospital, and you use the Verizon service to synchronize e-mail and contacts, you may be breaking at least one federal law.

Most cellular providers don't quite grasp the concept that they have multiple audiences. In the context of the consumer market, they could be selling to teenagers who have a desire to be constantly connected, or grandparents that need a cell phone for "emergency only". Consequently, the cellular providers have a wide variety of ever-evolving products and services to address such a wide audience.

On the corporate side, the business value of a product or service has to take in to account total cost of ownership, which increases with each "whiz-bang" feature added to the handset. Every new feature = x calls to a corporate support person, and each call costs $y. When you start talking about synchronizing data and installing software, then you start talking about risk, and risk mitigation also has a cost. The good corporate solution, which none of the cellular vendors seem to understand, is a small, long-lived family of handsets consisting of "small", "medium", and "large" feature sets, and central management through existing infrastructure or back-end solutions (e.g. management of software installation settings through corporate policy).

The corporate market is one that Blackberry understands very well, but executes poorly, and my opinion is that Microsoft is closing the gap very quickly.

If the hardware vendors can manage to provide consistent, high-quality handset offerings, Blackberry will be virtually dead in 2 years.

Mike Temporale
07-25-2006, 04:02 AM
If the hardware vendors can manage to provide consistent, high-quality handset offerings, Blackberry will be virtually dead in 2 years.

I would say that sounds about right. The hardware has come along way in the last 8-12 months. So it seems reasonable.

Kris Kumar
07-26-2006, 03:48 AM
From an architecture standpoint, MS Exchange makes the most sense, because it correctly isolates "external" access from the "internal" e-mail system, which is a shortfall of the other solutions that are mentioned. In a correctly architected solution, the phone connects over the internet, passing through a firewall, intrusion detection, Microsoft ISA server (application firewall), and connects to an ActiveSync "external" Front-End Exchange server that does not actually store or process e-mail. Once the connection is authenticated and the request verified, the "external" Exchange server connects to the "internal" Exchange database server.

Thanks for explaining the Exchange deployment, I was not aware of the front and back end Exchange. Most of the Microsoft documentation seems to convey the message that you need only one Exchange server. I am guessing by having two, the security and performance is enhanced.

Also glad that you mentioned the ISA server.

Kris Kumar
07-26-2006, 03:52 AM
If the hardware vendors can manage to provide consistent, high-quality handset offerings, Blackberry will be virtually dead in 2 years.

I also agree with that statement.

BlackBerry does a few things really well. And as you said those are the things that the head of the IT department really cares about.

Hopefully the future Exchange versions and MSFP Version 2.0 will offer more IT friendly features.

Rocco Augusto
07-26-2006, 06:30 AM
i can tell you first hand, from someone who has sold phones, blackberry sales have drop incredibly in the last two years. i remember when people would buy them left and right. now virtually ever smartphone that is sold is either a treo, pocket pc or wm smartphone. i cannot remember the last time i even sold a nokia smartphone :?

recently i have noticed smartphone sales climbing drastically in my city, i could easily sell two or more 2125s a week. it is a great time to be a smartphone user :)

dturneratf
08-17-2006, 04:02 AM
I have been shopping for a smartphone after seeing my brother's Blackberry sync flawlessly with his PCs Outlook without connecting the device via USB or Bluetooth. I really liked that and have been trying to figure out how to do the same thing with Entourage on my wife's and my macs.

Your article helped clarify that what I saw was probably due to something his corpoarte server makes happen and will be harder for me to do. Add to this that I'm on Verizon Wireless and Wireless Sync doesn't work on the Mac and I seem to be tied to USB or Bluetooth for syncing. Oh well....

mobilityguru
08-21-2006, 06:59 PM
I am completely fascinated by these posts. The ignorance here is what is truly frightening.
Wireless Sync is a FREE offering from Verizon Wireless. It is designed to allow consumers and small businesses an affordable way to access their email from a mobile device. Yes, Verizon Wireless "hosts" this data, so that another feature of this product is made available. That is real time web based access to your email. Funny thing is, the Cingular Xpress mail offers web based access to your email as well...quite frankly Mr. Kumar, the only way they can do this is to be hosting the email in a NOC somewhere...so your arguments against Wireless Sync are completely unfounded. Not to mention, your email is fully encrypted with Wireless Sync using 128 bit AES encryption- the highest level of encryption available- in fact it is the same encryption standard that both RIMM and Goodlink use in their NOC solutions. The data sitting in Verizon's NOC is completely encrypted and cannot be "hacked" into - any more than than your company's exchange servers can be hacked into.

However, if you are interested in a solution that is completely behind the firewall without any data storage in a NOC, you have the option of purchasing the Wireless Sync Server solution from Verizon Wireless. If you are so concerned with controlling your security, I would think that spending $1999 on this solution would be a worthwile investment. I noticed that your original post doesn't mention anything about this alternative. You also don't seem to have any issue with Verizon Wireless "hosting" your voicemail. Where does you think all those voicemails live before they are listened to or deleted???

Now the real ignorance in many of these posts is in regard to the new alternative with Microsoft SP2 &amp; Active Sync...Do your homework, this solution is seriously lacking in security controls for the enterprise which is the real reason many IT departments are moving so slow to deploy. While the architecture for the platform seams simple and FREE it is anything but.

Microsoft only uses SSL encryption- the weakest form. Additonally, there are very few device management options for the IT administrator. This is where the real security issues exist. In order to effectly deploy a mobile infrastructure IT must have real time access to all devices and be able to set security policies for these devices. Device Configuration, Policy Based Administration, Software managment, Asset Management, Device Audits &amp; Device Security - Microsoft has none of this and the smart IT managers know it, which is why they are deploying solutions like the Server version of Wireless Sync. It has the most robust set of IT device management capabilities, which makes it more secure than virtually any other platform out there- including Blackberry &amp; Good. The Wireless Sync Server does not use a NOC, all information is maintained in the customers internal network, behind the firewall. Additionally, the software is based on the Intellisync Mobile Suite platform, which in case you weren't aware, was recently acquired by Nokia. I can't imagine Nokia would have acquired a platform if it wasn't first class.

Also, Mr. Kumar, do you have a hotmail, yahoo, aol or other free mail account for personal use, like the millions of other folks out there? What makes you so sure that your FREE email from these 3rd party providers is so secure? How about all the companies out there using a hosted exchange provider? The Verizon Wireless hosted Wireless Sync solution is no different...it is a FREE service that Verizon provides to its customers. Not to mention that this solution not only works for customers who purchase the expensive advanced devices, but it also works on many of their consumer devices.

Funny how you mention the really great feature of Wireless Sync is that unlike other "re-director" products, you don't have to leave your computer on to receive your email. This is a huge advantage over the other solutions and is what gives meaning to mobility. How on earth from a technical perspective do you think this works with out relaying the email to a NOC??? You can't have your cake and eat it to.

My company spent over a year evaluating all of our options for mobility. We started out with the Wireless Sync hosted solution to test with a small user group in a test environment to build our mobility plan. We then moved to the Wireless Sync Enterprise Server and have migrated most of our old Blackberry users to this platform. They love the capabilities of the advanced devices. With Wireless Sync we have been able to deploy many software applications out to the devices over the air, so that our busy executives don't have to figure out how to install apps on their devices. We have now moved beyond basic mobility and are using the Wireless Sync File Sync application to distribute prices lists and inventory to our sales teams. None of the other platforms we tested had these capabilities.

So before you go and slam a product, I suggest you do a little bit more homework.
--Mobility Guru

scottb
08-21-2006, 09:48 PM
@mobilityguru,

This is obviously a well thought out (but with an angry tone) response--thanks for posting it. I used Wireless Sync for a long time with no problems. In fact, I suggested others try it on other forums. Suddenly (about the time Nokia came into the picture) I started having problems with "locked folders" and lost data. I also read of others currently having these problems.

I would much prefer syncing wirelessly instead of doing it with a USB cable tethered to my PC, but I don't want to risk losing data again because there's no way to fix a "locked folder" without deleting the device profile and starting from scratch.

I realize this is not really related to the security concerns, but it's all part of Wireless Sync's problems these days.

Kris Kumar
08-23-2006, 11:41 AM
Hi mobilityguru, sorry I have been keeping busy and haven't had a chance to post my response. Will do it soon.

Quick comments, I do know about the Wireless Sync Server based solution, but I thought that the server solution got rid of the desktop re-directors and not the Web based data cache. I could be wrong on that one.

Cingular and T-Mobile mail systems do have a Web based view for the emails and contacts. But that does not mean that they both cache the data on the server. They have a very ingenious system, when a user or mobile device requests for the mail, the system pulls it from the desktop. It is an on-demand system.

As for Web based emails like Hotmail etc, yes they are a security risk, that is why corporations or business users do not use them for their business. It is only used for personal emails at the most. I would not keep too much of personal stuff on them.

Bottomline - my frustration with Verizon Wireless Sync is more about:
- Caching of information. (without warning the user) I don't like duplication of data when it is not needed. I already have my critical data on corporate server and on my mobile device. I dont want a third copy.
- No ability to clean up the data in their Web cache. Have you tried that or tried talking to the Verizon folks? I can tell you it is fun.
- No system is really secure, you have to reduce the risks. To me having my data duplicated on a third system, not in my control, not in control of my IT department is a risk.

Kris Kumar
08-23-2006, 11:42 AM
Wow, wasn't planning on a response, but couldn't stop typing.

Kris Kumar
08-23-2006, 11:45 AM
Yes, there are alternatives. I must admit that I should have done my home work and posted about them. But the idea of this post was to highlight the weakness of the Verizon system, how the Verizon support (does not) helps you out.

I am currently using the Microsoft Push Email system. I agree it may not have the best remote wipe system; but I like the fact that I am not using Cingular XpressMail (even though it does not use cache) and definitely happy that I am not using Verizon's solution. ;-)