During our most recent HackLab Day – a quarterly event where Compass analysts research new security topics or solutions – I have investigated Microsoft’s next version of its mobile operating system “Windows Phone 8” (WP8). This update to the previously released Windows Phone 7 version integrates a complete new Kernel (shared with Windows 8 ) and is supposed to have a much stronger focus on the needs of businesses.
One question I have asked myself is, whether this new system has the potential to gain traction in the business environment and possibly, cut a slice of cake from Apple’s iPhone market share. For this to happen, WP8 would need to focus more on the integration into existing MDM solutions and offer more than just plain Exchange ActiveSync support.

Please have a read of my small presentation containing all important updates, changes and additions made for WP8.

Please download the slides at:  compass_security_windows_phone_8_security_v1.0

A few notes about Windows Phone 8

Mobile Device Management –  Microsoft really has taken feedback serious and now allows MDM providers such as Good Technologies, MobileIron and AirWatch to enroll phones to their servers. However, Microsoft’s approach is different compared to how iPhones support MDM: Instead of having an MDM provider write his own application, a ready-to-use MDM client is already built into the WP8 operating system (called “Company Apps”). The user simply enters his credentials (not necessarily his Active Directory ones) and the application communicates with the MDM server.
However, the MDM providers are not yet ready to manage WP8 devices. But it is expected that, by the end of this or start of next year, solutions will be ready.

Updated Chamber System – Windows Phone has always been using so called chambers (details from Nokia), in which an application can run. All applications from the Windows Phone Store were always executed in the least privileged chamber (called Least Privilege Chamber, LPC). Pre-installed applications such as Outlook and OEM apps had additional rights (chamber Standard Rights). Since they weren’t cryptographically signed they have been target for attacks up until now (see MWR’s advisory).  Applications that require to run with even higher rights/capabilities ran in the so called Elevated Rights chambers. These were usually applications like services for listening music or media sharing services. The chamber with the most rights was the Trusted Computing Base (TCB). Here only the Kernel and drivers were allowed to run.
In Windows Phone 8, only two chambers will be available: Trusted Computing Base and Least Privilege Chamber. All applications and even some drivers will run in the LPC and therefore pose little risk to attacks, as a vulnerability in that application would only permit access to the described capabilities.

Enhanced Capabilities – These are descriptions of features of a phone (hardware and software wise). A developer has to explicitly declare what capabilities his application requires. At run- and access-time, those declared capabilities will be compared to the ones requested. If there is no match, the action can not complete.
Due to the updated chamber system, many new capabilities have been added to Windows Phone 8. An overview  can be found on the Microsoft Developer Network.

Side loading of Applications –  A complete new feature in Windows Phone 8 is the ability to side load (installing applications from other places than the Windows Phone Store) applications. This allows companies to deploy custom applications to WP8 users without having to publish them to the entire world. It also permits MDM solutions to install a private app catalog for its employees. Two ways exist to install applications on a mobile phone:

  • Copy an application to the micro SD card. Windows Phone 8 will detect the new app and ask if it should be installed.
  • At enrollment, the process allows the installation of one application. According to Microsoft, an app catalog or app discovery application should be pushed. This app can then be used to install other applications or display company information

No matter how the application gets deployed, it must be signed by a trusted certificate authority. If a company considers deploying custom apps, it has to register at Microsoft to receive the required tools and certificates.

Conclusion: Microsoft really pushes aggressively to achieve further business integration. Two major concerns with Windows Phone 7 have been attacked: The lack of MDM support and missing device encryption. However, with the current possibilities in WP8, Microsoft is still behind iOS with respect to support in the MDM world. Many business features such as VPN configuration, W-LAN configuration or a larger API for MDM solutions have yet to come. But a first step has been made and Microsoft is now ready to build upon this new foundation.

I hope this gives you a short overview of the new security features Windows Phone 8 has to offer. If you have any more questions, please feel free to contact us.