Finding security in Windows Mobile monoculture

While experts have long highlighted OS diversity as a major benefit to mobile device security, some enterprise users have actually been waiting to adopt Microsoft's mobile OS, based on concerns for protecting their smartphones.

Without a doubt, the most influential factor driving the current state of IT security is the ubiquitous presence of Microsoft's dominant Windows operating system on a vast majority of the world's PCs.

Since an estimated 92 percent of the world's desktops were running on Windows products in 2006, according to researchers at Net Applications, it only makes sense that a similar majority of computer viruses have been aimed at users of the software.

However, as more enterprise businesses begin to adopt newer, more PC-like mobile devices, dubbed "smartphones," some IT department leaders say that they have been waiting to adopt Microsoft's Windows Mobile device OS based on security concerns.

For the last few years, experts analyzing the development of the nascent enterprise mobility sector have frequently cited the widespread use of a variety of operating systems as a major benefit to the security of handhelds.

Security researchers refer to the popularity of handhelds running on software made not only by Microsoft, but also by Palm, Symbian, and Research in Motion, among others, as one of the reasons that very few malware attacks have been aimed at mobile devices.

Attackers cannot focus on a single dominant platform in the mobile space, making it less attractive than the world of Windows desktops, the thinking goes.

As more users adopt smartphones, that dynamic may shift, experts claim, but the lack of a single dominant handheld OS has served as a form of protection.

"As the addressable market for smartphones expands, there will be more attacks, as malware activity always moves to the areas of greatest impact, but the activity isn't comparable to the desktop today," said Jan Volzke, head of marketing for Mobile Security at San Jose, Calif.-based McAfee. "The number of operating systems in use today has likely had an effect on slowing attacks, as there is no single platform to write malware code to."

But enterprise users say that a range of factors are pushing them to marry their Windows desktop environments with their mobile device strategies, with security as one of the leading catalysts.

Fears of creating a Windows Mobile monoculture that may be more attractive to attackers are superseded by the need for a stable product with familiar characteristics and ties to existing infrastructure, some say.

Chevron PetroChemical, a massive plastics manufacturer based in Houston, is currently in the process of rolling out Motorola and Samsung smartphones running on Windows Mobile because IT project managers feel the company can protect those handhelds more easily than those running on other operating systems.

Jonathan Perret, IT Remote Connectivity analyst at Chevron PetroChemical, a joint venture between parent company Chevron and ConocoPhillips, said that his company has been actively banning its employees from using smartphones and PDAs -- including the popular Research In Motion BlackBerry -- for the last several years.

Despite many requests by individual users to bring their personal BlackBerry devices into the office, the firm waited until it could obtain Windows Mobile devices that would allow it to enforce the same types of policies it has created for securing its desktops.

"We knew we would only use Windows Mobile, and we waited for it because it's the platform we felt we could secure most easily and at the lowest cost," Perret said. "This process of adopting smartphones is all about extending your network onto a new platform and addressing the challenges of that platform, and we felt Windows Mobile presented fewer challenges."

The company banned the use of BlackBerry handhelds because its IT department wasn't ready to invest in the back-end systems needed to secure the devices, while it felt that Windows Mobile would offer the opportunity to do so with existing infrastructure.

The company is also using a mobile device security package offered by software maker Trust Digital and provided through carrier Verizon to help keep its smartphones locked down. So far the firm has 130 of the devices distributed to its executives and sales force representatives, with plans to hand out many more.

"Security slowed down previous adoption of PDAs and even our current smartphone deployment because we were waiting for new tools; we were limiting devices because of an inability to secure them," Perret said. "Windows Mobile may not have advanced security features, but we can augment that with third-party applications, and we felt that it presented the best alternative compared to the other [platforms], which would be a lot harder for us to support."

Microsoft officials agreed that one of the best selling points of Windows Mobile from a security perspective is the handheld product's close ties to its other systems.

The software giant won't try to keep up with every security feature on the smartphone software market, but it believes its technologies can already provide the sort of baseline protection that enterprises are seeking.

"We're not going to try to go tit-for-tat on every security feature. Some rivals might have more built in, but this process isn't all about features; it's how the technology can be implemented that makes the big difference," said Samir Kumar, mobile devices product manager at Redmond, Wash.-based Microsoft.

"It's not about Windows Mobile having more security features than any other platform; it's about enterprise customers who already see a need to align mobile security and device management with how they do things in the desktop world," he said. "If they have existing management tools and policies for Windows desktops and laptops, it's logical and effective to extend that to handheld devices."

Security experts contend that there are still far too many different products in people's hands, and that Windows Mobile commands far too little share of the wireless market, for the risk to come anywhere close to the dangers associated with today's Microsoft desktop monoculture.

As the OS does become more widely used, however, the risk of attack will grow, according to security specialists.

"It's true there haven't been many mobile viruses, and you can still debate whether those will ever be as prevalent as desktop attacks," said Curtis Cresta, general manager of anti-virus maker F-Secure North America. "But you can also look at the history of IT and decide what will happen as more users adopt each OS; as more smartphones become available and more people are using them, the pool for each OS gets bigger, and we believe there will also be a bigger pool of attacks."