In the past week Jack Gold Associates published a report entitled “Microsoft’s Direct Push Insecurity”.
This latest piece of FUD (Fear, Uncertainty and Doubt) centres on some security concerns over Windows Mobile.
Unfortunately you have to subscribe to get access to the report itself, but a couple of online articles based on it have been published. One of them is over at eWeek.
The report focuses on 3 areas of concern which are:
1. ‘…any transfer of data between Exchange and Outlook Mobile must be done in an unencrypted file-state’.
Well, the entire data stream between the device and Exchange Server is encrypted using SSL, and 3DES can be used as the encryption algorithm if required.
2. ‘…the use of only a password is a pretty insecure approach.’
Certificate-based authentication is available as an option and can be used instead of a password.
3. ‘…third parties who wish to use an encrypted process must build their own synching mechanism… or build their own client instead.’
This is a big misunderstanding: third parties can use the published Windows Mobile file system extensions to encrypt data as it is written to the file store (SQL Mobile, for example, uses this).
ActiveSync, Outlook and third-party apps can continue to use the standard file system APIs while the content is protected through encryption.
I think the fundamental misunderstanding here is that the comparison is being made between two different architectures: RIM, GoodLink and other solutions use a Network Operations Centre or intermediary server, so they have to encrypt the payload because there isn't a single end-to-end channel that can be encrypted.
I also had to do a press interview late last week with Ken Young, who has published our discussion on this very topic HERE.