Gartner: Pocket PC doesn’t make security grade

Microsoft Corp.’s Pocket PC 2002 software does not address critical security issues and could make sensitive corporate data stored on PDAs (personal digital assistants) and desktop PCs vulnerable to theft and loss, market analyst firm Gartner Inc. warned in a recent research note.

Companies that use Pocket PC-based devices should turn to third-party products to protect their data, the research note said.

Microsoft officials contested the accuracy of Gartner’s analysis of Pocket PC’s security. “Gartner mistakenly blames the Pocket PC for potential security breaches that are in reality related to insecure usage of desktop PCs,” said Microsoft spokesperson Bridget Yau, in an e-mail.

Improving security has been a major focus for Microsoft since January, when the Redmond, Wash., company’s Chairman and Chief Software Architect, Bill Gates, said building an environment of “trustworthy computing” should be Microsoft’s top priority, eclipsing the addition of new features to its product line.

But while Microsoft has put the security of many of its flagship products, such as the Windows operating system, Office and Visual Studio .Net, under the microscope, Pocket PC is not yet part of its Trustworthy Computing initiative and ignores critical security issues which will not be addressed until the release of the next version of the software, expected in 18 months to 24 months from now, Gartner said.

Security shortcomings associated with Pocket PC are slowing adoption of handhelds based on the software by many companies, the research note said.

Among the vulnerabilities that Gartner’s research note identified with Pocket PC, the default setting does not require a password and passwords and the password policy cannot be synchronized with a desktop PC. In addition, configuration settings of Pocket PC-based devices cannot be secured and when the system is reset all settings are lost.

Other areas of vulnerability include:

– the ability to install a Pocket PC device on a desktop PC without requiring a password, which gives the device the ability to access data in Outlook, as well as other applications;

– users cannot encrypt files with the Crypto API (application programming interface) that is included in Pocket PC;

– no security is provided for removable storage devices, such as memory cards;

– and the software lacks policy features that could be used to restrict a user’s ability to run applications on a Pocket PC-based device.

Microsoft’s Yau disputed whether a Pocket PC device can be easily installed on a computer and used to download data from applications such as Outlook, calling Gartner’s claim “incorrect.”

“A Pocket PC cannot be installed onto a password-protected PC without using the PC’s password to secure access,” she said. “A PC without password protection is at a much greater risk of data loss to high-capacity storage cards than with a Pocket PC.”

For other areas of concern, both Microsoft and Gartner agreed that third-party applications can be used to address many of the security vulnerabilities identified in the research note. But Gartner said that relying on third-party products was not a sufficient answer for many corporate users and urged Microsoft to take steps to improve the security of Pocket PC.

“These (third-party) solutions come at additional cost and are sometimes not available in local languages,” the research note said.

“Many larger enterprises, such as banking and financial institutions, have very strict policies when it comes to acquiring software, requiring extensive audits of the software, vendor viability and support options – often taking more than three months to be approved,” it said.