Gartner and Microsoft row over Pocket PC security

Analyst group Gartner has claimed that Microsoft's Pocket PC 2002 software does not address critical security issues and could make sensitive corporate data stored on personal digital assistants and desktop PCs vulnerable to theft and loss.

Companies that use Pocket PC-based devices should turn to third-party products to protect their data, a Gartner research note said.

Microsoft is contesting Gartner's analysis of Pocket PC security. "Gartner mistakenly blames the Pocket PC for potential security breaches that are, in reality, related to insecure usage of desktop PCs," a Microsoft representative said.

Improving security has been a major focus for Microsoft since January, when company chairman and chief software architect Bill Gates said building an environment of "trustworthy computing" should be Microsoft's top priority.

But while Microsoft has put the security of many of its flagship products, such as the Windows operating system, Office and Visual Studio .net, under the microscope, Pocket PC is not yet part of its Trustworthy Computing initiative, according to Gartner.

One vulnerability identified by Gartner is that the Pocket PC default setting does not require a password, and that passwords and the password policy cannot be synchronised with a desktop PC. In addition, configuration settings of Pocket PC-based devices cannot be secured, and when the system is reset all settings are lost.

Other areas of vulnerability claimed by Gartner include:
  • The ability to install a Pocket PC device on a desktop PC without requiring a password, which gives the device the ability to access data in Outlook, as well as other applications.
  • Users cannot encrypt files with the Crypto API (application programming interface) that is included in Pocket PC.
  • No security is provided for removable storage devices, such as memory cards.
  • The software lacks policy features that could be used to restrict a user's ability to run applications on a Pocket PC-based device.

Microsoft said Gartner was "incorrect" to claim that a Pocket PC device could be easily installed on a computer and used to download data from applications such as Outlook.

"A Pocket PC cannot be installed onto a password-protected PC without using the PC's password to secure access," a spokesman said.

"A PC without password protection is at a much greater risk of data loss to high-capacity storage cards than with a Pocket PC."

For other areas of concern, both Microsoft and Gartner agreed that third-party applications could be used to address many of the security vulnerabilities identified in the research note.

But Gartner said that relying on third-party products was not a sufficient answer for many corporate users and urged Microsoft to take steps to improve the security of Pocket PC.
