It’s no surprise that mobile phone usage has exploded over the past decade. According to a study by the International Telecommunications Union (ITU), there are roughly 6.8 billion mobile cellular subscriptions worldwide today. As technology becomes more and more woven into the fabric of society, smartphone usage has become an increasingly common extension for desktop computing devices. Employees are configuring their personal smartphones to access company information and IT Professionals often struggle with how to manage the protection of corporate data.
This dynamic has created new opportunities for cybercrime. Cybercriminals are increasingly targeting smartphone devices using a variety of tactics for malicious intent. These tactics include the repackaging of popular applications with malicious code for download in app stores or marketplaces, malicious URLs designed to deceive users into downloading apps or provide personal information, or leveraging erroneous SMS messages or “smishing” as a means to drive up a smartphone subscriber’s bill.
To help alleviate the growing challenges IT Professionals face in a rapidly evolving BYOD (Bring Your Own Device) environment, Microsoft employs its Security Development Lifecycle (SDL) when developing its products. The SDL is a security-assurance methodology used by Microsoft engineering teams that includes extensive threat modeling, fuzz testing, and other security-focused software development practices, all of which help prevent unauthorized access to phone resources. It administers strict standards and a multilayered, in-depth approach to defense to help protect against malware, data leakage, and other threats.
In designing security defenses in Windows Phone 8, we took a multilayered approach.
- We began with a secure boot process and code signing, which help assure platform integrity, allowing only validated software to execute and help prevent rootkits from taking hold.
- We implemented a chambered security model based on the principles of isolation and least privilege, which help minimize attack surface, maximize user consent and control, and prevent apps from accessing the memory used or data stored by other apps.
- We took steps to reduce the risk of malicious websites by utilizing Microsoft Smart Screen.
- We check apps submitted to the Windows Phone Store for malicious characteristics and ensure digital signatures are applied before being made available. We also ensure that companies who want to privately sign and deliver their own line-of-business apps have the tools to do so.
- We addressed the software update process, establishing a single, controlled channel for the delivery of feature updates and bug fixes across hardware manufacturers, mobile operators, and the Windows Phone engineering team.
- We established processes with the industry-leading Microsoft Security Response Center to deliver critical updates to all Windows Phones globally if high-impact vulnerabilities are discovered.
- We implemented a combination of device encryption and robust device access policies — including those to enforce the use of a PIN or password, to remotely wipe a phone, and to prevent the use of removable memory cards.
- We also built-in native support for Information Rights Management (IRM), as a means to protect sensitive information contained in email and Microsoft Office documents.
The end result of all these efforts is a more secure smartphone that IT professionals can easily integrate into their existing Windows infrastructure. For in-depth information, I encourage you to visit http://www.windowsphone.com/business/ and download the “Windows Phone 8 Security Overview” whitepaper.