Microsoft's Push Security Problems
Analyst Jack Gold of J.Gold Associates has issued a report called "Microsoft's Direct Push Insecurity," which highlights possible security issues with the upgraded mobile messaging software. The potential flaws relate directly to the way the Excahnge SP2 email server update and latest version of Windows 5.0 transfer data.
The report states that the underlying "AirSync" code that is used to wirelessly update data between Exchange and the Pocket Outlook client can leave data on the device itself insecure.
"The current version of ActiveSync (and AirSync) can only do a file synch of specifically formatted datasets that meet certain Microsoft data requirements," says the report. "This means that any transfer of data, from Exchange Server to Pocket Outlook, for example, must be done in an unencrypted file state."
This isn't such a big issue while the file itself is being transferred -- over an SSL link -- but means that a user now has unencrypted files on their device. Microsoft has a password protection system for Outlook. Gold, however, says this isn't enough for potentially sensitive enterprise data.
"We believe that companies considering the use of Microsoft Direct Push Exchange technology should be very cautious," the report concludes.
A spokesman for Redmond tells Unstrung they are formulating a response to Gold's report. We'll update this story when we have answers from Microsoft.
— Dan Jones, Site Editor, Unstrung