
Windows Phone security goals

As organizations of all sizes expand their support for an increasingly mobile workforce, privacy and security are essential. Windows Phone was primarily designed with security in mind for both users and organizations. The result is a feature-rich and flexible smartphone that emerged from a holistic approach to security design.

Distributed computer networks and increasing numbers of smartphones help organizations be productive and competitive, but these technologies also require increased security vigilance. The pervasive threat of malicious software, or malware, and the need to prevent data leakage are two of the reasons why a thoughtful, comprehensive security design is essential. Organizations require smartphones that protect data when it is stored and when it is communicated, not only because their business partners and customers expect it but also because of the need to comply with the increasing number of laws and regulations that require security, privacy, and confidentiality.

Windows Phone 8 uses a defense-in-depth approach that addresses security requirements in numerous ways. The result is a smartphone with security features that are unique in today’s marketplace.

Trusted Boot & Code Signing
Trusted Boot and code signing help assure the platform integrity of Windows Phone 8. They protect the Windows Phone 8 boot process and operating system from malware, especially rootkits, by allowing only validated software components to execute. Together they deliver a secured platform for application developers and corporate customers alike, and help assure consumers that the information they care about is safe.

Trusted Boot is a technology that validates firmware images on Windows Phone devices before they are allowed to load the operating system. Trusted Boot builds on a chain of trust that extends to the hardware/firmware. All boot components have digital signatures that are cryptographically validated from the pre-UEFI (Unified Extensible Firmware Interface) boot loaders to the UEFI environment. Trusted Boot helps to ensure that only authorized code can execute to initialize the device and load the Windows Phone operating system.

Microsoft provides the Windows Phone boot manager in the UEFI environment. After the pre-UEFI and UEFI components complete their boot processes, the Windows Phone boot manager takes over to complete the Windows Phone 8 boot process so the user can start using the smartphone. All code in the Windows Phone operating system is signed by Microsoft, including OEM drivers and applications. Also, applications that are added after manufacturing or installed from the Windows Phone Store or a private enterprise store must be properly signed to execute.
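The chain described above (hardware anchor, pre-UEFI loaders, UEFI, boot manager, OS) can be simulated to make the rule concrete: each stage verifies the signature on the next stage before handing over control, and a tampered stage stops the boot. The PowerShell below is an added example written for this page, not Windows Phone or Microsoft code. It uses .NET RSA/SHA-256 for the signatures, generates all keys and stage images in the script, and simplifies the real design in two labelled ways: the root is a full public key rather than a fused hash of one, and each image carries the public key that verifies the next stage inline.

```powershell
# Added example: simulated verified-boot chain (not Windows Phone code).
# Root of trust: a public key treated as if fused into the SoC. Each stage
# image carries the public key for the next stage and is signed by the key
# the previous stage vouched for. Simplification assumed for the example.
function New-Rsa { [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048) }

function Get-SignedBytes {
    param($Image)
    # The signed region covers the code AND the next-stage public key, so
    # neither can be swapped without invalidating the signature.
    [Text.Encoding]::UTF8.GetBytes($Image.Code + '|' + $Image.NextPublicKey)
}

function New-StageImage {
    param([string]$Name, [string]$Code, [string]$NextPublicKey, $SignerKey)
    $image = @{ Name = $Name; Code = $Code; NextPublicKey = $NextPublicKey }
    $image.Signature = $SignerKey.SignData((Get-SignedBytes $image),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $image
}

function Test-StageSignature {
    param($Image, [string]$PublicKeyXml)
    $verifier = New-Rsa
    $verifier.FromXmlString($PublicKeyXml)          # public part only
    $verifier.VerifyData((Get-SignedBytes $Image), $Image.Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

function Invoke-TrustedBoot {
    param([string]$RootPublicKeyXml, [array]$Chain)
    $trustedKey = $RootPublicKeyXml                  # hardware anchor
    foreach ($stage in $Chain) {
        if (-not (Test-StageSignature -Image $stage -PublicKeyXml $trustedKey)) {
            Write-Warning "$($stage.Name): signature invalid, halting boot"
            return $false
        }
        Write-Host "$($stage.Name): verified, transferring control"
        # Only a stage that passed verification may extend the chain.
        $trustedKey = $stage.NextPublicKey
    }
    return $true
}

# Keys generated for the demonstration: root anchor plus one per stage.
$root = New-Rsa; $uefiKey = New-Rsa; $bootMgrKey = New-Rsa; $osKey = New-Rsa

$chain = @(
    (New-StageImage 'pre-UEFI loader'  'init ddr, clocks' $uefiKey.ToXmlString($false)    $root),
    (New-StageImage 'UEFI'             'uefi services'    $bootMgrKey.ToXmlString($false) $uefiKey),
    (New-StageImage 'Boot manager'     'load OS loader'   $osKey.ToXmlString($false)      $bootMgrKey),
    (New-StageImage 'Windows Phone OS' 'kernel'           ''                              $osKey)
)

Invoke-TrustedBoot -RootPublicKeyXml $root.ToXmlString($false) -Chain $chain

# Tamper with the boot manager image: UEFI refuses to hand over control and
# nothing after it (OS, drivers, apps) ever runs.
$chain[2].Code = 'load rootkit'
Invoke-TrustedBoot -RootPublicKeyXml $root.ToXmlString($false) -Chain $chain
```

The first run verifies all four stages; the second halts at the boot manager. The point to notice is that the later stages are never consulted: the OS image is still correctly signed, but a break anywhere in the chain denies it the chance to execute.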

Trusted Boot and code signing are the primary ways that Windows Phone 8 protects the integrity of the operating system, but they are not the only security controls built into the phone to prevent malware from taking over the device.

Chambers and capabilities
The Windows Phone 7 security model introduced the chamber concept, which is based on the principle of least privilege and uses isolation to achieve it; each chamber provides a security boundary and, through configuration, an isolation boundary within which a process can run. Each chamber is defined and implemented using a policy system. The security policy of a specific chamber defines what operating system capabilities the processes in that chamber can call. A capability is a resource for which user privacy, security, cost, or business concerns exist with regard to Windows Phone usage. Examples of capabilities include geographical location information, camera, microphone, networking, and sensors.

Every app on Windows Phone (including Microsoft apps and non-Microsoft apps) runs in its own isolated chamber that is defined by the declared capabilities that the app needs to function. A basic set of permissions is granted to all app chambers by default, including access to isolated storage. However, the set of permissions for a chamber can be expanded by using capabilities that are granted during app installation. App permissions cannot be elevated at run time.
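Because the chamber is fixed at install time from the capabilities the app declares, the declaration itself is what an enterprise reviewer should inspect before publishing to a private store. The PowerShell below is an added example for this page, not Microsoft code: it parses the capability list from a WMAppManifest.xml and flags the privacy-relevant ones. The manifest is constructed inline (a real one is taken from the app's XAP package), the schema namespace and attribute layout are assumed to match the Windows Phone 8 deployment manifest, and the set of capabilities treated as sensitive is the example's own choice.

```powershell
# Added example: audit the capabilities declared by a Windows Phone 8 app.
# Manifest constructed for the example; namespace/layout assumed for WP8.
$manifestXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <DefaultLanguage xmlns="" code="en-US" />
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000001}" Title="ExpenseReporter"
       Version="1.0.0.0" Genre="apps.normal" Author="Contoso" Publisher="Contoso">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_ISV_CAMERA" />
      <Capability Name="ID_CAP_MICROPHONE" />
    </Capabilities>
  </App>
</Deployment>
'@

# Capabilities that deserve justification before an app reaches the private
# store. This classification is the example's assumption, not Microsoft's.
$sensitiveCapabilities = @{
    'ID_CAP_LOCATION'        = 'Reads the device location'
    'ID_CAP_MICROPHONE'      = 'Records audio'
    'ID_CAP_ISV_CAMERA'      = 'Uses the camera'
    'ID_CAP_CONTACTS'        = 'Reads contacts'
    'ID_CAP_IDENTITY_DEVICE' = 'Reads device identifiers'
    'ID_CAP_IDENTITY_USER'   = 'Reads the user identity'
}

function Get-DeclaredCapabilities {
    param([string]$Xml)
    $doc = [xml]$Xml
    # This list is the whole chamber: it cannot grow at run time, so a
    # capability that is not declared here is denied to the app.
    $doc.Deployment.App.Capabilities.Capability | ForEach-Object { $_.Name }
}

function Test-AppCapabilities {
    param([string]$Xml, [hashtable]$Sensitive)
    foreach ($cap in (Get-DeclaredCapabilities -Xml $Xml)) {
        [pscustomobject]@{
            Capability = $cap
            Sensitive  = $Sensitive.ContainsKey($cap)
            Reason     = if ($Sensitive.ContainsKey($cap)) { $Sensitive[$cap] } else { '' }
        }
    }
}

$report = Test-AppCapabilities -Xml $manifestXml -Sensitive $sensitiveCapabilities
$report | Format-Table -AutoSize

$flagged = @($report | Where-Object Sensitive)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} sensitive capabilities declared: {1}" -f
        $flagged.Count, ($flagged.Capability -join ', '))
}
```

For the constructed manifest the script flags location, camera and microphone. The question the reviewer then asks is the least-privilege one the chamber model is built on: does an expense-reporting app need the microphone, or was the capability declared "just in case"? Removing it from the manifest is the only way to take it away, since nothing grants or revokes capabilities after installation.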

The browser
Windows Phone 8 includes Internet Explorer 10 for Windows Phone. Because malware can be delivered by merely visiting a compromised website (a drive-by download), Microsoft took the approach of making the browsing experience itself safer.

Internet Explorer helps to protect the user because it runs in its own isolated chamber, which prevents web content from reaching other apps' resources. In addition, Internet Explorer for Windows Phone does not support a plug-in model, so malicious plug-ins cannot be installed.

Finally, the SmartScreen technology that was available in previous versions of Internet Explorer is now also available in Internet Explorer for Windows Phone. This technology warns users of websites that are known to be malicious.

Windows Phone Store
Other smartphone platforms have shown that users can install malware from an app store. Microsoft uses a carefully architected Store submission and approval process to keep malware out of the marketplace. Every Windows Phone app submitted to the Store is certified before it is made available for download and installation: the developer's identity is validated, and the certification process checks the app for inappropriate content, compliance with Store policies, and security issues. This process plays an important role in protecting Windows Phones against malware. In addition, Microsoft scans every app for viruses before publication. Although most malware is encountered on the Internet, an app built in an unmanaged development environment with few security precautions could unwittingly carry malware. Apps are also signed during certification, and that signature is required for an app to install and run on a Windows Phone.

Windows Phone updates
The Windows Phone update service is the only source of updates for the Windows Phone operating system. Microsoft manages and distributes feature updates and bug fixes that originate from hardware manufacturers, mobile operators, and the Windows Phone engineering team. In addition, the Windows Phone team has developed security review processes with the industry-leading Microsoft Security Response Center to deliver critical security updates to all Windows Phones globally if high-impact vulnerabilities are discovered.

Device access and security policies
As a first line of defense, access to a Windows Phone can be controlled through a PIN or password. A user can set a PIN or password via the settings panel to lock their phone.

In addition, IT departments can use Exchange ActiveSync policies to require users to set PINs or passwords, and also to configure additional password policies to manage password length, complexity, and other parameters. Exchange ActiveSync policies can also be used to configure additional security functionality.

If a Windows Phone is lost or stolen, IT professionals can initiate a remote wipe of the device from the Exchange Server Management Console, and users can initiate one themselves from Outlook Web App. In addition, a user who has registered the phone with windowsphone.com can locate it, map its location, make it ring, and wipe its data if necessary.

Device encryption
To help keep everything from documents to passwords safe, Windows Phone 8 includes a device encryption feature.

Device encryption in Windows Phone 8 uses BitLocker technology to encrypt all internal data storage on the phone with AES-128. Encryption is enabled either by EAS policy (RequireDeviceEncryption) or by device management policy; once enabled, BitLocker conversion automatically begins encrypting the internal storage. The encryption key is protected by the Trusted Platform Module (TPM), which is bound to UEFI Trusted Boot so that the key is released only to trusted boot components.
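The PIN/password policies, remote wipe and RequireDeviceEncryption described in this and the previous section are all driven from the Exchange side, so the following Exchange Management Shell session is the form in which an administrator actually applies them. It is an added example for this page, not text from the whitepaper or a Microsoft script. It assumes Exchange Server 2010 cmdlet names (Exchange 2013 renames these to *-MobileDeviceMailboxPolicy and Clear-MobileDevice); the policy name 'WP8-Corporate', the mailbox 'alice@contoso.com', the notification address and the 'WP8' device-type string are placeholders.

```powershell
# Added example: enforce the Windows Phone 8 device policies discussed above
# through Exchange ActiveSync. Exchange 2010 cmdlet names assumed; policy,
# mailbox, address and device-type values are placeholders.

# 1. A policy that requires a lock password and device encryption.
New-ActiveSyncMailboxPolicy -Name 'WP8-Corporate' `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -DevicePasswordExpiration '90.00:00:00' `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox. The phone receives it on its next sync;
#    nothing is enforced until the device acknowledges the policy.
Set-CASMailbox -Identity 'alice@contoso.com' -ActiveSyncMailboxPolicy 'WP8-Corporate'

# 3. Verify what the phone reported back rather than assuming the policy took.
Get-ActiveSyncDeviceStatistics -Mailbox 'alice@contoso.com' |
    Select-Object DeviceType, DeviceModel, DeviceOS, LastSyncAttemptTime,
                  DevicePolicyApplied, DevicePolicyApplicationStatus,
                  DeviceWipeSentTime, DeviceWipeAckTime

# 4. Remote wipe a lost phone. The wipe is queued and runs only when the
#    device next connects; a phone kept offline is never wiped, which is why
#    the lock PIN plus encryption still matters.
$device = Get-ActiveSyncDevice -Mailbox 'alice@contoso.com' |
    Where-Object { $_.DeviceType -eq 'WP8' } |      # device-type string assumed
    Select-Object -First 1
Clear-ActiveSyncDevice -Identity $device.Identity `
    -NotificationEmailAddresses 'secops@contoso.com' -Confirm:$false
```

Two checks worth building into the rollout: DevicePolicyApplicationStatus tells you whether the phone applied the policy fully or only partially (a device that cannot apply every setting is refused sync when AllowNonProvisionableDevices is $false), and DeviceWipeAckTime stays empty until the device has actually connected and confirmed the wipe, so an empty value after a wipe request means the data is still on the handset.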

With both PIN-lock and BitLocker enabled, the combination of data encryption and device lock would make it extremely difficult for an attacker to recover sensitive information from a device.

Data leak prevention
IT professionals who want to prevent leaks of intellectual property should consider using Information Rights Management (IRM), which allows content creators to assign rights to documents that they send to others. The data in rights-protected documents is encrypted so that it can be viewed only by authorized users. In addition, a rights-protected document stores an issuance license that specifies the rights that users have to the content. For example, authors can specify that the document is read-only, that text in the document cannot be copied, or that the document cannot be printed.

IRM relies on Windows Rights Management Services (RMS), a Windows Server based technology that IT pros can configure to create the issuance license and perform the encryption and decryption of rights-protected documents. In addition, RMS can be applied to email so that messages can circulate in a protected environment but not be forwarded outside of the organization. RMS can also be applied to documents that are attached to email or stored on Microsoft SharePoint servers, limiting distribution and editing capabilities and preventing information from being leaked to unauthorized personnel.


For more details and in-depth review please refer to the source document:
http://www.microsoft.com/en-us/download/details.aspx?id=36173