Following my previous post about Windows Phone 7’s support for Exchange ActiveSync (EAS) security policies I’ve had some further conversations with MS on the subject.
They’ve sent through some more detailed information about what’s supported, what’s not supported and the thinking behind those decisions.
The big one is encryption: at present WP7 doesn't support it. However, there are some factors which help mitigate the risk of having data in plain text on the device.
Firstly, WP7 doesn't support accessing data on the device over USB. You can't plug a WP7 phone into a PC and browse its file system as you could with earlier Windows Mobile OSes, so in that respect it behaves like an iPhone. In addition, WP7 doesn't support the use of removable media such as micro-SD cards, so in theory there's no way of getting to the raw data.
In practice I'm not sure that's the case. It looks like at least one device has a user-accessible micro-SD card slot, and that WP7 does have at least some support for expanding storage in that way. Whether you could remove a card and recover anything useful from it is another question altogether. Initial reports would suggest not, but that's not certain.
The other slight concern was WP7's limited support for MS Exchange's ActiveSync policies. These allow an organisation to configure the security options on any device connecting into it for email, or indeed to block any device which doesn't comply.
My previous post lists the policies that are supported, but MS have offered some additional info about some of the policies which aren’t.
- Encrypt storage card – With WP7 not supporting removable storage this isn’t needed
- Disable desktop ActiveSync – WP7 no longer supports desktop sync for email and documents, and the Zune software takes care of media syncing with a PC
- Disable removable storage – Again, WP7 doesn't support removable storage
- Disable IrDA – WP7 doesn’t have any Infrared support so the policy wouldn’t do anything
- Allow desktop sharing from device – Desktop Sync is no longer available or supported
- Allow unsigned applications – As all WP7 apps are delivered through Marketplace, they are all signed and have to be in order to be installed. WP7 doesn't allow loading or installation of apps through the browser as Windows Mobile did.
- Allow unsigned CABs – WP7 does not support native applications delivered through CAB files, so the policy is redundant
- Configure message formats (HTML or plain text) – plain-text messaging is not supported in WP7 anyway
- Allow mobile OTA update and Mobile OTA update mode – WP7 only supports app installation through Marketplace, and Marketplace automatically notifies users if there is a new version of software
- Include past calendar items (Days) – This is only user controlled in WP7
- Require manual sync while roaming – Again this is user controlled in WP7, though I would imagine many organisations would like control over this – either to enforce it to minimise data charges or disable it.
- Allow attachment download (client side) – This is always on in WP7
- Application allow list and Application block list – All applications are installed through Marketplace and currently there's no way to explicitly allow or block the use of certain apps
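To see what the list above means at the server end, here is an added example (mine, not code from the post or from MS) of creating an ActiveSync mailbox policy in the Exchange 2010 Management Shell, leaving the settings MS calls redundant at their defaults and then checking what a connected device reports back. Cmdlet and parameter names are those of Exchange 2010; the policy name, mailbox alias and the PIN values are placeholders, and the choice of which settings to rely on is an assumption based on the supported list in the previous post, which is not reproduced on this page.

```powershell
# Added example, not from the original post. Assumes an Exchange 2010 (SP1)
# Management Shell session. 'WP7-Pilot' and 'wp7pilot' are placeholder names.
$policyName = 'WP7-Pilot'
$pilotUser  = 'wp7pilot'

# 1. Create a policy using only device-side controls WP7 is assumed to honour
#    (PIN, lock timeout, failed-attempt wipe). Values are illustrative.
#    -AllowNonProvisionableDevices $false is the "block anything that doesn't
#    comply" switch from the post: devices that cannot apply the policy at all
#    are refused rather than let through.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -DevicePasswordExpiration '90.00:00:00' `
    -DevicePasswordHistory 5 `
    -AllowNonProvisionableDevices $false

# 2. The settings the post lists as redundant on WP7 are deliberately NOT set,
#    so they stay at their defaults. List them so the decision is visible in
#    the policy rather than implicit.
Get-ActiveSyncMailboxPolicy -Identity $policyName | Format-List `
    DeviceEncryptionEnabled, RequireStorageCardEncryption, AllowStorageCard, `
    AllowDesktopSync, AllowIrDA, AllowRemoteDesktop, `
    AllowUnsignedApplications, AllowUnsignedInstallationPackages, `
    AllowHTMLEmail, AllowMobileOTAUpdate, MobileOTAUpdateMode, `
    MaxCalendarAgeFilter, RequireManualSyncWhenRoaming, AttachmentsEnabled, `
    ApprovedApplicationList, UnapprovedInROMApplicationList

# 3. Assign the policy to a pilot mailbox.
Set-CASMailbox -Identity $pilotUser -ActiveSyncMailboxPolicy $policyName

# 4. After the phone has synced, check what it actually acknowledged. A device
#    that does not fully apply the policy shows up here rather than silently
#    syncing; DeviceOS lets you confirm it really is a WP7 handset.
Get-ActiveSyncDeviceStatistics -Mailbox $pilotUser | Format-List `
    DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus, `
    LastPolicyUpdateTime, DeviceAccessState, DeviceAccessStateReason
```

The point of step 2 is the one the post makes: with no storage card, desktop sync, IrDA or unsigned install path on the platform, setting those parameters buys nothing, but leaving them at defaults rather than explicitly toggling them also keeps the policy from demanding controls the handset cannot report. Step 4 is the check a practitioner wants before trusting the server's view of compliance.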
Many of these do make sense, but whether the support offered will be enough to mitigate the security risks for large organisations who care about these things I’m not sure.
I think MS will need to demonstrate and prove the inherent security they are claiming around WP7's internal storage, particularly where devices can be expanded through micro-SD cards. Previous versions of Windows Mobile have been pretty secure; indeed there are configurations that have passed Common Criteria evaluation. Whether MS is pursuing this with WP7 is unknown.