Microsoft's Direct Push mobile email has at least one major security hole, and that should be a matter of concern for any company looking to use or deploy Windows Mobile-enabled devices.
According to Jack Gold, president and founder of Northborough, Mass.-based research and advisory firm J. Gold Associates, messages received through Microsoft's Direct Push Technology wireless email are encrypted over the air but stored on the device without encryption. The problem was found in Direct Push running on the latest version of Exchange Server 2003 with devices running Windows Mobile.
"Anyone who can get into the device can read it," Gold said. "Microsoft will say that's not a flaw, but it is a significantly lower level of security when the files aren't encrypted on the device."
Media representatives for Windows Mobile and Direct Push did not return phone calls.
Direct Push works like this: it sends an email from the Exchange server to the Windows Mobile device; while in transit, the data is encrypted; when it reaches the device, it is decrypted and stored in that decrypted form.
That model differs from other major push email providers such as Good Mobile Messaging and BlackBerry-maker Research In Motion Ltd., which encrypt everything in the local store.
"If you have confidential information, you want to have it encrypted on the device," Gold said. He noted that someone would probably need a password to log in to a device in order to access the unencrypted messages, but that would be the case only if device password protection were turned on.
"If you're Bank Of America, if you're Merrill Lynch, you want to have that second layer of security," he said. "Companies need to understand that this is a flaw and err on the side of more, not less, security."
Direct Push uses AirSync, an over-the-air derivative of ActiveSync. AirSync is used for synching data with all devices running Microsoft's Windows Mobile and provides a way for a data store on the device to be synchronized with a data store on a server or PC.
Gold said that the flaw arises because the current versions of AirSync and ActiveSync can only do a file synch of specially formatted datasets that meet certain Microsoft data specifications. For example, any transfer of data from Exchange Server to Pocket Outlook must be done in an unencrypted file state because file encryption would not allow ActiveSync to perform properly. That means Direct Push, which uses AirSync, must transfer unencrypted data files between the server and device. While the transmission is secured using SSL encryption, the data is stored on the device in an unencrypted state.
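The distinction Gold draws, transport protection versus protection of the local store, is easy to lose in prose, so here is a small Python model of the two message paths. It is an added illustration, not code from Microsoft, Exchange or the article: the "transport" layer stands in for the SSL session Direct Push uses, the HMAC-SHA256 keystream cipher and the PBKDF2 PIN derivation are stand-ins chosen so the script runs on a bare Python install (real systems use TLS and AES), and the sample message is constructed. The audit function at the end is the check an administrator would run against a device's raw mail storage: if recognisable mail headers appear in the stored bytes, the store is not encrypted at rest, whatever happened on the wire.

```python
"""Model of in-transit vs at-rest protection for a pushed mail message.

Added illustration, not Microsoft's, Exchange's or the article's code.
The stream cipher is a constructed HMAC-SHA256 counter-mode keystream
(a stand-in for TLS/AES so the example has no dependencies).
"""
import hashlib
import hmac
import os

# Constructed sample message (not from the article).
SAMPLE_MESSAGE = (
    b"From: treasury@example-bank.invalid\r\n"
    b"Subject: Q3 wire schedule\r\n"
    b"\r\n"
    b"Wire batch 17 releases at 09:00 tomorrow.\r\n"
)

# Header markers a stored-mail audit looks for in raw storage bytes.
PLAINTEXT_MARKERS = (b"From:", b"Subject:")


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy cipher, symmetric)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def transport_send(session_key: bytes, message: bytes) -> bytes:
    """Server side: protect the message for the wire (stands in for SSL)."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(session_key, nonce, message)


def transport_receive(session_key: bytes, wire: bytes) -> bytes:
    """Device side: strip transport protection; the result is plaintext."""
    nonce, body = wire[:16], wire[16:]
    return _keystream_xor(session_key, nonce, body)


class PlaintextStore:
    """Direct Push model as the article describes it: decrypt, then store as-is."""

    def __init__(self) -> None:
        self.blob = b""

    def write(self, message: bytes) -> None:
        self.blob = message

    def read(self, device_pin: str) -> bytes:
        return self.blob  # the PIN is irrelevant; the bytes are already readable


class EncryptedAtRestStore:
    """Store that keeps ciphertext on flash; the key is derived from the device PIN."""

    def __init__(self, device_pin: str) -> None:
        self.salt = os.urandom(16)
        self.blob = b""
        self._key = self._derive(device_pin)

    def _derive(self, device_pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", device_pin.encode(), self.salt, 100_000)

    def write(self, message: bytes) -> None:
        nonce = os.urandom(16)
        self.blob = nonce + _keystream_xor(self._key, nonce, message)

    def read(self, device_pin: str) -> bytes:
        key = self._derive(device_pin)  # wrong PIN -> wrong key -> garbage, not mail
        nonce, body = self.blob[:16], self.blob[16:]
        return _keystream_xor(key, nonce, body)


def store_has_plaintext_mail(raw_storage: bytes) -> bool:
    """Audit check: do the raw storage bytes contain recognisable mail headers?"""
    return any(marker in raw_storage for marker in PLAINTEXT_MARKERS)


def deliver(store, message: bytes = SAMPLE_MESSAGE) -> bytes:
    """Push one message server -> device and return the raw bytes left in storage."""
    session_key = os.urandom(32)                 # per-session transport key
    wire = transport_send(session_key, message)
    assert not store_has_plaintext_mail(wire)    # protected while in transit
    store.write(transport_receive(session_key, wire))
    return store.blob


if __name__ == "__main__":
    print("plaintext store exposes mail:", store_has_plaintext_mail(deliver(PlaintextStore())))
    print("at-rest store exposes mail:", store_has_plaintext_mail(deliver(EncryptedAtRestStore("1234"))))
```

Both stores receive the same protected wire bytes; only what happens after `transport_receive` differs. That is the point of the article's comparison with Good and RIM: a device password gates the user interface, but only an at-rest layer like `EncryptedAtRestStore` changes what sits in flash.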
And even that SSL connection doesn't always do the trick.
Current Analysis analyst Kathryn Weldon noted, however, that Direct Push is still not technically push email anyway.
"In general, the differences [between Direct Push and other push email solutions] include the fact that Direct Push isn't really direct push, no matter what it's called," she said. "It's actually still frequent and automated pull."
Because of the way Direct Push is implemented, in which an ActiveSync (AirSync) session is set up to ask the server whether there are any updates and the TCP/IP session is then kept open, Windows Mobile devices also experience poor battery life.
Rysavy agreed, adding that Direct Push drains battery power because a lot of the data moves through the radio, and each byte consumes power.
"This is contrary to how the major wireless email third-party applications currently perform, where all data transferred to the device is in an encrypted file format in addition to encrypting the transmissions," Gold wrote. "In the Direct Push scenario, although the transmission of data files across a network is secure, the storage of data files on the devices is not."
Companies can buy add-ons that can encrypt everything on the device, according to Gold, but that disables the email's push capability, meaning that end users must log in and check their email. Weldon added that some software companies -- Sybase, for instance -- have added their own workarounds to their platforms to try to fix the problems with Direct Push.
"If you do that, you break direct push and go to pull," Gold said. "It's a mixed bag."
Companies need to be on-message, he said, and should take the time to think about whether using Direct Push is a wise choice.
"Most end users have sensitive data within their emails, and although devices can be protected with passwords, this is generally not a high enough level of protection for sensitive data," Gold said. "Companies with substantial information security needs -- financial services, healthcare, life sciences, government -- would do well to explore alternatives to Microsoft Direct Push wireless email until Microsoft has fixed the inherent security problems within the application and brought it up to par with the other wireless email solutions available on the market."