Direct Push security questionable

By Andrew R. Hickey, Senior News Writer
08 Nov 2006 | SearchMobileComputing.com

Microsoft's Direct Push mobile email has at least one major security hole, and that should be a matter of concern for any company looking to use or deploy Windows Mobile-enabled devices.

According to Jack Gold, president and founder of Northborough, Mass.-based research and advisory firm J. Gold Associates, messages received through Microsoft's Direct Push Technology wireless email are encrypted over the air but stored on the device without encryption. The problem applies to Direct Push as delivered with the latest version of Exchange Server 2003 and devices running Windows Mobile.

"Anyone who can get into the device can read it," Gold said. "Microsoft will say that's not a flaw, but it is a significantly lower level of security when the files aren't encrypted on the device."

Media representatives for Windows Mobile and Direct Push did not return phone calls.

Direct Push works like this: the Exchange server sends a message to the Windows Mobile device; while in transit, the data is encrypted (the connection uses SSL); once it reaches the device, it is decrypted and stored in the clear.

That model differs from other major push email providers such as Good Mobile Messaging and BlackBerry-maker Research In Motion Ltd., which encrypt everything in the local store.

"If you have confidential information, you want to have it encrypted on the device," Gold said. He noted that someone would probably need a password to log in to a device in order to access the unencrypted messages, but that would be the case only if device password protection were turned on.

"If you're Bank Of America, if you're Merrill Lynch, you want to have that second layer of security," he said. "Companies need to understand that this is a flaw and err on the side of more, not less, security."

Direct Push uses AirSync, an over-the-air derivative of ActiveSync. AirSync is used for syncing data with all devices running Microsoft's Windows Mobile and provides a way for a data store on the device to be synchronized with a data store on a server or PC.

Gold said that the flaw arises because the current versions of AirSync and ActiveSync can only sync specially formatted datasets that meet certain Microsoft data specifications. For example, any transfer of data from Exchange Server to Pocket Outlook must be done with the files in unencrypted form, because file encryption would prevent ActiveSync from working. That means Direct Push, which uses AirSync, must exchange unencrypted data files between server and device. The SSL connection protects those files only while they are in transit; once they reach the device, they are stored unencrypted.
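What "encrypting everything in the local store" means in practice, as an added example that is not code from the article, from Microsoft, or from the vendors the article names: each message is re-encrypted under a key derived from the device PIN as soon as it leaves the SSL session, and that key exists only in memory while the device is unlocked, so a powered-off device or a copied storage card holds nothing but ciphertext. The example uses the Go standard library (AES-GCM with a PBKDF2 key derivation written out so no third-party package is needed); the PIN, salt, message ID and message body are constructed for the demo, and the iteration count is an assumption to be tuned to the target CPU. As the article notes, a store that ActiveSync cannot read in the clear cannot be synced by it, which is the trade-off the add-on products make.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// kdfIterations is an assumption: tune it so that unlocking stays well under a
// second on the device CPU. A PIN has little entropy, so this count is what
// makes offline guessing against a copied store expensive.
const kdfIterations = 100000

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written out so the example
// depends only on the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// MailStore is an unlocked local message store. The AES-GCM key is derived
// from the device PIN and lives only in memory.
type MailStore struct {
	aead cipher.AEAD
}

// Unlock derives the store key from the PIN and a per-device salt. The salt is
// not secret and is kept next to the ciphertext records.
func Unlock(pin string, salt []byte) (*MailStore, error) {
	if len(salt) < 16 {
		return nil, errors.New("salt must be at least 16 bytes")
	}
	key := pbkdf2SHA256([]byte(pin), salt, kdfIterations, 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &MailStore{aead: aead}, nil
}

// Seal encrypts one message as it arrives from the (already SSL-terminated)
// sync session, before it touches persistent storage. The message ID is bound
// as associated data so a record cannot be moved to another message slot.
// Record layout: nonce || ciphertext || GCM tag.
func (s *MailStore) Seal(msgID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	record := append([]byte{}, nonce...)
	return s.aead.Seal(record, nonce, plaintext, []byte(msgID)), nil
}

// Open decrypts a stored record. It fails closed on a wrong PIN, a wrong
// message ID, or any modification of the record.
func (s *MailStore) Open(msgID string, record []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(record) < n+s.aead.Overhead() {
		return nil, errors.New("record too short")
	}
	return s.aead.Open(nil, record[:n], record[n:], []byte(msgID))
}

func main() {
	salt := []byte("constructed-per-device-salt-0001") // constructed; use crypto/rand on a real device
	store, err := Unlock("2468", salt)                  // constructed PIN
	if err != nil {
		panic(err)
	}
	rec, err := store.Seal("msg-1001", []byte("Subject: Q3 numbers\n\nDo not forward before the call."))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record is %d bytes of ciphertext, starts %x\n", len(rec), rec[:16])
	wrong, _ := Unlock("2469", salt)
	if _, err := wrong.Open("msg-1001", rec); err != nil {
		fmt.Println("wrong PIN cannot read the store:", err)
	}
}
```

The device password Gold mentions is the same secret that gates this store, which is why the two layers belong together: with password protection off there is no key to derive, and a store like this simply cannot be opened.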

And even that SSL connection doesn't always do the trick.

Peter Rysavy, president of Rysavy Research, a consulting firm specializing in wireless networking, said recent trials with Direct Push found that a misconfiguration could disable Direct Push's SSL connection so that data crossed the network in the open, unprotected. If that happened, he said, end users would have no indication of it.
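The server side of the misconfiguration Rysavy describes can be checked from the network. The following is an added example, not a tool from the article or from Microsoft: it sends an unauthenticated OPTIONS request over plain http:// to the virtual directory Exchange publishes for ActiveSync (/Microsoft-Server-ActiveSync) and classifies the answer. A server that responds 401 on plain HTTP is issuing its Basic-authentication challenge without SSL, so a device whose "require SSL" option is also off would send its credentials and then its mailbox in the clear; a 403 or a redirect to https:// shows SSL being enforced by IIS. The host name is an assumption supplied on the command line, and the check says nothing about the device-side setting.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"time"
)

// easPath is the virtual directory Exchange publishes for ActiveSync clients.
const easPath = "/Microsoft-Server-ActiveSync"

// Finding is the verdict for one server's behaviour over plain HTTP.
type Finding struct {
	PlaintextAccepted bool   // true if the server will run ActiveSync without SSL
	Summary           string // human-readable reason
}

// ClassifyPlaintext interprets the response to an unauthenticated OPTIONS
// request sent over http:// (not https://):
//   - 403 or a redirect: IIS refuses the unencrypted channel, SSL is enforced;
//   - 401: the Basic-auth challenge is issued in the clear, so a device with
//     "require SSL" off would send credentials and then mail unencrypted;
//   - 200 with MS-ASProtocolVersions: the endpoint is fully open without SSL.
func ClassifyPlaintext(status int, hdr http.Header) Finding {
	switch {
	case status == 403 || (status >= 300 && status < 400):
		return Finding{false, "plain HTTP refused or redirected; SSL is enforced server-side"}
	case status == 401:
		return Finding{true, "plain HTTP answered with an auth challenge; credentials and mail would cross the network unencrypted"}
	case status == 200 && hdr.Get("MS-ASProtocolVersions") != "":
		return Finding{true, "ActiveSync OPTIONS served over plain HTTP, protocol versions " + hdr.Get("MS-ASProtocolVersions")}
	default:
		return Finding{false, fmt.Sprintf("unexpected status %d over plain HTTP; inspect manually", status)}
	}
}

// Probe sends the plain-HTTP OPTIONS request to host and classifies the
// answer. Redirects are not followed, so a redirect to https:// is reported
// as a redirect rather than as the https response.
func Probe(host string) (Finding, error) {
	client := &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	req, err := http.NewRequest(http.MethodOptions, "http://"+host+easPath, nil)
	if err != nil {
		return Finding{}, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return Finding{}, err
	}
	defer resp.Body.Close()
	return ClassifyPlaintext(resp.StatusCode, resp.Header), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: easprobe <mail host>") // host is an assumption
		os.Exit(2)
	}
	f, err := Probe(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%s: plaintext_accepted=%v (%s)\n", os.Args[1], f.PlaintextAccepted, f.Summary)
}
```

The server-side fix for a flagged result is to require SSL on the Microsoft-Server-ActiveSync virtual directory in IIS, which makes a plain-HTTP request fail with 403 before any authentication takes place; the device-side "require SSL" option should be set as well, since a device that is willing to fall back to http:// gives the user no warning when it does.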

Current Analysis analyst Kathryn Weldon noted, however, that Direct Push is still not technically push email anyway.

"In general, the differences [between Direct Push and other push email solutions] include the fact that Direct Push isn't really direct push, no matter what it's called," she said. "It's actually still frequent and automated pull."

Because of the way Direct Push is implemented, in which an ActiveSync (AirSync) session repeatedly asks the server whether there are any updates and the TCP/IP session is kept open between those requests, Windows Mobile devices also experience poor battery life.

Rysavy agreed, adding that Direct Push drains battery power because a lot of the data moves through the radio, and each byte consumes power.

"This is contrary to how the major wireless email third-party applications currently perform, where all data transferred to the device is in an encrypted file format in addition to encrypting the transmissions," Gold wrote. "In the Direct Push scenario, although the transmission of data files across a network is secure, the storage of data files on the devices is not."

Companies can buy add-ons that encrypt everything on the device, according to Gold, but doing so disables push delivery, meaning that end users must log in and check their email manually. Weldon added that some software companies -- Sybase, for instance -- have added their own workarounds to their platforms to try to fix the problems with Direct Push.

"If you do that, you break direct push and go to pull," Gold said. "It's a mixed bag."

Companies need to be on-message, he said, and should take the time to think about whether using Direct Push is a wise choice.

"Most end users have sensitive data within their emails, and although devices can be protected with passwords, this is generally not a high enough level of protection for sensitive data," Gold said. "Companies with substantial information security needs -- financial services, healthcare, life sciences, government -- would do well to explore alternatives to Microsoft Direct Push wireless email until Microsoft has fixed the inherent security problems within the application and brought it up to par with the other wireless email solutions available on the market."
