Top 10 Security concerns of Deploying Windows Mobile (and How to overcome them)

One of my sessions at our Mobile and Embedded Developer Conference (MEDC) is entitled the Top 10 Security Objections to Deploying Windows Mobile (and how to overcome them).  I’m pulling together my content for this session and wondered if people had comments on:

a) The Top 10 that I’ve picked.

b) The priority in which you might place them…

c) Any I’ve missed?

The current list isn’t in any priority order at the moment.


1.We really don’t want to have incoming ports being opened….

2.How can we stop untrusted devices accessing Exchange?

3.We have to implement 2 Factor Authentication..

4.Do we really need to use ISA Server?

5.We don’t want to cache passwords on the device..

6.There is no way we’ll allow this solution as you can download attachments

7.We must have on-device encryption…

8.What is wiped when you remote wipe a Windows Mobile device?

9.What about Anti-Virus support?

10.Couldn’t someone perform a Denial of Service (DOS) Attack?


Love to hear your thoughts….. feel free to post a comment

Comments (14)
  1. Fixer says:

    I like point 2. if a knowledgeable worker discovers your exchange settings and your are using a public certificate then it is difficult to detect. In some ways having a local certificate is a better option but less practical.

    On point 4 my company uses a unix reverse proxy instead of ISA though I think ISA has more functionality.

  2. PatrickJ says:

    I think Number 7 (on-device encryption) should maybe be higher up. Also, I think there needs to be something in here about locking down what runs on the devices – no silly apps getting on there etc, as everyone treats their phone as such a ‘personal’item.

  3. Peter Mohr says:

    Fixer (and others): On theres a great cook book on setting this up using Exchange 2007. Very nice.


  4. Guy Gregory says:

    Jason, what’s your take on firewall software for Windows Mobile devices? How do you think future trends are going to affect this aspect?

  5. I agree with PatrickJ that application lockdown should be on the list

  6. Rory says:

    Ive deployed with a PIX 515 instead of ISA and it was a simple task. Im using ISA 2006 now though, as its easier to do the pre-authentication and timeout changes.

  7. MSDNArchive says:

    Guy – with the limited number of ports/services on a device (unlike a PC) few customers I’ve seen have deployed Personal Firewalls.  Solutions do exist like those in bluefire…

    Keep the comments coming!

  8. Andy says:

    Some that I’m not sure you’ve covered

    – Stopping users from removing security software via a hard reset and then just reconnecting to Exchange with an unsecured device

    – Users being able to sync corporate content off the device on to a home PC using Activesync

    – Multiple attempts at a device password using Activesync (more than allowed in Exchange settings)

    – Difficultly in stopping apps such as malware from emailing everyone in your contacts list on the device (i.e. restricting application access to the native PIM applications)

    – Recovering data from a card encrypted with WM6 encryption if the device is hard reset

    – Stopping users from having the option to send their credentials in clear text

    – Remove the ‘hint’ option from the password lock screen

    – Allow enforcement of policies to specific groups of users via a simple interface rather than xml

    – Simpler interface to enable some users for push but not everyone

    – Simple view to see who has which device at any one time

  9. adebilloez says:

    11. Prevent connecting corporate device to home PC (ft, soft install, …)

  10. lynxlynx says:

    I like what you have sofar..and some VERY good comments too.

    I also like to have device encryption higher up!!!

    also would like to add a better enroll procedure!

    I will have to wait and see what my applications packers can do with the new 4.5 AS but it looks to be too complicated for the average user.

    Also I would like to have a clientcert/rootcert for a 2 way authentication as a option and easy setup(same for both standard and professional)and can we pls have a out of exchange control center for non exchange they also can enjoy the security offered by a CAS 2007 server??

  11. gerryR says:

    any chance on a sneak preview of answer to no. 8?

    I’ve asked this in a few places but never got an answer.  I also remote wiped my own device as a test and was shocked at how little was actually wiped but am hoping I just did something wrong.

  12. Andy – On your comment, you say:

    – Simpler interface to enable some users for push but not everyone

    Curious: Why do you want to do this?  Are you thinking of SMS/text-message-based push?

    Note that my company’s Trust Digital v7 product can deal with just about everthing else you mention in your posting (plus many [most?] of the items in Jason’s original list).


  13. Uli Zug says:

    Our security would like to see the possiblity to restrict internet access to one profile, so that we can ensure all traffic is routed through our private APN.

    two factor authentication, device authentication and encryption are the most important from our view.

Comments are closed.