
Windows Mobile "Email Security" Criticized, Lacking Details


Janak Parekh
10-27-2006, 04:00 PM
http://www.eweek.com/article2/0,1759,2040754,00.asp?kc=EWRSS03119TX1K0000594

"A new research report contends that by failing to offer onboard encryption for e-mail files stored on Windows Mobile devices, Microsoft may be putting itself at a competitive disadvantage and leaving users vulnerable to data loss...According to the latest report published by J. Gold Associates, a Northborough, Mass.-based wireless research firm, Microsoft's decision not to offer file encryption capabilities on its Windows Mobile platform reflects poorly on the technology compared to other popular wireless systems...Windows Mobile provides for encryption of data while it is in transit to the device, but leaves sensitive corporate data open to access if one of the handhelds has its password hacked, the analyst said. Gold specifically highlights an issue in Microsoft's Direct Push technology, which is used to move data between the latest versions of Exchange Server and Windows Mobile devices."

It's hard to figure out what exactly the reporter is saying in this incredibly poorly-written article, and the original report isn't free (http://www.jgoldassociates.com/recentresearch.html), but after Googling around and finding another writeup (http://www.unstrung.com/document.asp?doc_id=109034&WT.svl=news2_1), I *think* J. Gold Associates is expressing concern that Server ActiveSync/Direct Push writes to an *unencrypted* Pocket Outlook email store, that theft or loss of the device leaves only a brute-forceable device password between an adversary and the secure email content on the device, and that this is a serious problem with WM security as opposed to RIM devices and others.

I don't know what RIM does beyond the usual password control, and I really can't comment on the report itself, but... this doesn't surprise me. First, pervasive storage encryption takes up a significant amount of CPU and slows down device performance, and as it stands, WM devices are pretty slow working out of flash. Second, this is a mitigable situation; out of the box, WM5+MSFP devices have Remote Wipe capability, plus one can implement a password policy that will wipe the unit after a number of tries. So, unless we get more details, I'm forced to conclude this is an inflammatory article that doesn't really illustrate security *or* the lack thereof with respect to Server ActiveSync and Direct Push. :?

pauledw
10-27-2006, 04:30 PM
Not a problem as far as I see, just spreading FUD

Windows Mobile has products available to layer on top to provide the device encryption he talks about, from vendors such as BeCrypt, Pointsec and Credant.

Menneisyys
10-27-2006, 04:42 PM
Yes, encryption of Windows\Messaging is possible with 3rd party tools. Also, remote wiping is possible.

Cybrid
10-27-2006, 05:23 PM
out of the box, WM5+MSFP devices have Remote Wipe capability, plus one can implement a password policy that will wipe the unit after a number of tries.
The remote wipe capability is through Exchange and hardly of use to non-corporate users.
The password policy interests me...How do I implement that?

Janak Parekh
10-27-2006, 08:59 PM
The remote wipe capability is through Exchange and hardly of use to non-corporate users.
The password policy interests me...How do I implement that?
Well, this whole discussion revolves around the Server ActiveSync platform for Exchange. In fact, the password policy is implemented as part of MSFP and requires Exchange as well.

If you're looking for fancier password policy than is built into Pocket PC without an Exchange deployment, you'll have to look at a third-party solution.

--janak

kgs
10-31-2006, 12:28 PM
The built-in password protection on WM5 is not sufficient for most enterprises IMO (it allows the setting of a 'hint' for passwords, which pops up after x wrong attempts; it allows retrying the password multiple times via cradling with ActiveSync; etc.).

Remote wipe doesn't wipe the SD card which is where many people store sensitive data such as attachments.

3rd party applications which secure the device are great, but with Direct Push you currently have no easy way to:
* push security applications / updates to those apps to the devices
* ensure that a user who is connecting has security software enabled on their device before transmitting sensitive data (otherwise the user can just hard reset to remove that 'slow' security software and then connect back up to Exchange)

So a lot of people are potentially left with sensitive data in unencrypted form on their devices whilst their IT team turn a blind eye and hope they don't get left in a taxi.

Third parties like Good Technology keep the synced data encrypted on the device and allow third-party apps to be pushed to the device and to be verified (make sure they are installed) before data is transferred.

I think that is what the report is on about...
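An added example, not from any of the posters above: the Exchange-side commands that implement the MSFP device-password / wipe-after-N-attempts policy Janak refers to (and that Cybrid asks how to set up), plus the remote wipe, and the two policy switches that speak to kgs's points about hard-reset devices and unwiped SD cards. It assumes the Exchange Management Shell of Exchange 2007 SP1 or later; the thread's posters were on Exchange 2003 SP2, where the same policy is set through the GUI and the provisionable-device and storage-card settings do not exist. The policy name "WM-Mail-Policy", the mailbox "jdoe" and the attempt counts are placeholders.

```powershell
# Added example (not from the thread). Assumes Exchange 2007 SP1+ Management
# Shell; policy name, mailbox and numeric values are placeholders.

# 1. Create a device policy: require an alphanumeric PIN of at least 6
#    characters, lock after 5 minutes idle, wipe after 8 failed attempts.
New-ActiveSyncMailboxPolicy -Name "WM-Mail-Policy" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 8 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5

# 2. The two gaps kgs raises. A device that has been hard reset (or that
#    cannot apply the policy at all) shows up as "non-provisionable"; refusing
#    those stops it from syncing mail again until it is re-provisioned.
#    Requiring storage-card encryption means a wipe that skips the SD card
#    still leaves only ciphertext behind. RequireDeviceEncryption needs a
#    Windows Mobile 6.1 or later client; older devices will then be refused
#    as non-provisionable, which is the intended effect.
Set-ActiveSyncMailboxPolicy -Identity "WM-Mail-Policy" `
    -AllowNonProvisionableDevices $false `
    -RequireStorageCardEncryption $true `
    -RequireDeviceEncryption $true `
    -PasswordRecoveryEnabled $false

# 3. Assign the policy to a mailbox (wrap in a Get-Mailbox loop for a group).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "WM-Mail-Policy"

# 4. Confirm what the server will push down at the next sync.
Get-ActiveSyncMailboxPolicy -Identity "WM-Mail-Policy" |
    Format-List DevicePasswordEnabled, MaxDevicePasswordFailedAttempts,
                AllowNonProvisionableDevices, RequireStorageCardEncryption

# 5. Remote wipe of a lost unit: list the mailbox's partnered devices, pick
#    the one that is missing, then queue the wipe. The wipe is delivered the
#    next time the device connects, so DeviceWipeRequestTime shows it is
#    pending rather than done.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-Table DeviceId, DeviceType, LastSuccessSync, DeviceWipeRequestTime

$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceType -eq "PocketPC" } |
    Select-Object -First 1
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

Two caveats a practitioner would want alongside this: the wipe-after-N setting only helps against someone guessing at the device's own lock screen, and kgs's point about retrying via a cradled ActiveSync session is not addressed by the policy itself; and a wipe request sits on the server until the device next connects, so a thief who pulls the SIM or keeps the unit offline never receives it, which is exactly why the encryption-at-rest settings in step 2 matter more than the wipe.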