1 Windows Phone 8 Security Overview This white paper is part of a series of technical papers designed to help IT professionals evaluate Windows Phone 8 and understand how it can play a role in their organizations. It discusses and contains information about Windows Phone 8 security. October 2012
3 Legal Disclaimer 2012 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. Published: October 2012
4 Table of Contents WINDOWS PHONE SECURITY GOALS SYSTEM INTEGRITY APP PLATFORM SECURITY DATA PROTECTION SECURED ACCESS CONCLUSION RESOURCES
5 Windows Phone security goals Distributed computer networks and increasing numbers of smartphones help organizations be productive and competitive, but these technologies also require increased security vigilance. The pervasive threat of malicious software, or malware, and the need to prevent data leaks are two of the reasons why a thoughtful, comprehensive security design is essential. Organizations require smartphones that protect data when it is stored and when it is communicated, not only because their business partners and customers expect it but also because of the need to comply with the increasing number of laws and regulations that require security, privacy, and confidentiality. Windows Phone 8 uses a defense-in-depth approach that addresses security requirements in numerous ways. 1 System integrity Secure boot and code signing help assure platform integrity of Windows Phone 8. These features help to protect the Windows Phone 8 boot process and operating system from malware attacks, especially rootkits, by allowing only validated software components to execute. These features help deliver a secured platform for application developers and corporate customers alike, and help assure consumers that the information they care about is safe. Secure boot Secure boot is a technology that validates firmware images on Windows Phone devices before they are allowed to load the operating system. Secure boot builds on a chain of trust that extends to the hardware/firmware. All boot components have digital signatures that are cryptographically validated from the pre-uefi (Unified Extensible Firmware Interface) boot loaders to the UEFI environment. Secure boot helps to ensure that only authorized code can execute to initialize the device and load the Windows Phone operating system. Windows Phone architecture uses a System-on-a-Chip (SoC) design provided by SoC vendors. The pre-uefi boot loaders and the UEFI environment are provided by the SoC vendor and device manufacturers. The UEFI environment implements the UEFI secure boot standard described in section 27 of the UEFI specification
6 (http://www.uefi.org/specs/). This standard describes a process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI runtime variable before they are executed. The UEFI and Windows (http://msdn.microsoft.com/enus/windows/hardware/gg aspx) document on MSDN describes the advantages of using UEFI and how UEFI is supported by desktop versions of the Windows operating system. Although the document focuses on UEFI and Windows, most of the information in the document also applies to Windows Phone. 2 Extended secure boot Microsoft provides the Windows Phone boot manager in the UEFI environment. After the pre-uefi and UEFI components complete their boot processes, the boot manager takes over to complete the boot process so the user can start using the smartphone. All code in the Windows Phone operating system is signed by Microsoft, including OEM drivers and applications. Also, applications that are added after manufacturing or installed from the Windows Phone Store or a private enterprise store must be properly signed to execute. Secure boot and code signing are the primary ways that Windows Phone 8 helps to protect the integrity of the operating system, but they are not the only security controls built into the phone to help prevent malware from taking over. App platform security Viruses and other forms of malware on some smartphone platforms are a growing concern for IT professionals today, in addition to concerns about information disclosure and compliance. These concerns are amplified by the increasing number of smartphones that are used to connect to corporate networks. Microsoft takes a multi-pronged approach to help protect Windows Phone 8 devices against malware. One aspect of this approach is the secure boot process described in the previous section that helps to prevent rootkit installation. Chambers and capabilities The Windows Phone security model utilizes a chamber concept, which is based on the principle of least privilege and uses isolation to achieve it; each chamber
7 provides a security boundary and, through configuration, an isolation boundary within which a process can run. Each chamber is defined and implemented using a policy system. The security policy of a specific chamber defines what operating system capabilities the processes in that chamber can use. A capability is a resource for which user privacy, security, cost, or business concerns exist with regard to Windows Phone use. Examples of capabilities include geographical location information, camera, microphone, networking, and sensors. 3 Every app on Windows Phone (including both Microsoft apps and non-microsoft apps) runs in its own isolated chamber that is defined by the declared capabilities that the app needs to function. A basic set of permissions is granted to all app chambers by default, including access to isolated storage. However, the set of permissions for a chamber can be expanded by using capabilities that are granted during app installation. App permissions cannot be elevated at run time. The chamber concept is advantageous for the following reasons: Attack surface reduction. Each app receives capabilities needed to perform all its use cases, but no more. User consent and control. Each app discloses its capabilities to the user on the app details page in the Windows Phone Store, and it provides an explicit prompt upon app installation for those capabilities that have legal requirements for explicit disclosure and specific consent collection, such as geographic location. Isolation. No communication channels exist between apps on the phone other than through the cloud. Apps are isolated from each other and cannot access memory used or data stored by other applications, including the keyboard cache. The browser Windows Phone 8 includes Internet Explorer 10 for Windows Phone. Because viruses can be downloaded by merely visiting infected websites, Microsoft took the approach of making the browsing experience safer. Internet Explorer helps to protect the user because it runs in an isolated chamber and prevents web apps from accessing other app resources. In addition, Internet Explorer does not support a plug-in model, so malicious plug-ins cannot be installed. Finally, the SmartScreen technology that was available in previous versions of Internet Explorer is now also available in Internet Explorer for Windows Phone. This technology warns users of websites that are known to be malicious.
8 Windows Phone Store Microsoft uses a carefully architected Store submission and approval process to prevent malware from reaching the Store. All Windows Phone apps submitted to the Store are certified before they are made available to users for downloading and installation. The developer is validated and the certification process checks Windows Phone apps for inappropriate content, Store policies, and security issues. This process plays an important role in protecting Windows Phones against malware. In addition, Microsoft scans all apps for viruses before publication. Although most malware exists on the Internet, apps that are developed in unmanaged environments with minimal security precautions could be unwitting transmitters of malware. Apps are also signed during the certification process, which is required for apps to be installed and run on Windows Phones. 4 Enterprise line-of-business (LOB) apps Although users obtain apps from the Windows Phone Store, organizations want the ability to distribute custom LOB apps that have been developed for their employees. With Windows Phone 8, Microsoft delivers this capability. Organizations can register with Microsoft to obtain the tools to privately sign and distribute apps, and they are no longer required to submit business apps to the Windows Phone Store before deploying them. With registration comes the ability to privately develop, package, sign, and distribute apps to employees using a validated process. Windows Phone updates The Windows Phone update service is the only source of updates for the Windows Phone operating system. Microsoft manages and distributes feature updates and bug fixes that originate from hardware manufacturers and the Windows Phone engineering team. In addition, the Windows Phone team has developed security review processes with the Microsoft Security Response Center to deliver critical security updates to all Windows Phones globally if high-impact vulnerabilities are discovered. Also, Windows Phone was designed using the Microsoft Security Development Lifecycle (SDL). SDL is a software development security assurance process used by all Microsoft engineering teams that includes extensive threat modeling, penetration
9 testing, and security development practices, all of which help prevent unauthorized access to phone resources. Data protection Microsoft understands that organizations of all sizes need to protect the confidentiality and integrity of their data. Users who store personal information or conduct transactions using their smartphones have the same need. The Windows Phone security design addresses the need for data protection by mitigating the risk of unauthorized data access or unintended information disclosure. 5 In addition, every Windows Phone includes by design the same set of management and security controls, regardless of hardware manufacturer, which enables organizations to manage all Windows Phones in a consistent, predictable way to mitigate risk. Device access and security policies As a first line of defense, access to a Windows Phone can be controlled through a PIN or password. A user can set a PIN or password via the settings panel to lock their phone. In addition, IT departments can use Exchange ActiveSync policies to require users to set PINs or passwords, and also to configure additional password policies to manage password length, complexity, and other parameters. Exchange ActiveSync policies can also be used to configure additional security functionality. Many organizations worldwide currently use Exchange Server, so Microsoft chose to focus on Exchange infrastructure to achieve the broadest possible reach. Exchange ActiveSync is communications protocol that provides Windows Phone users with mailbox synchronization functionality. Windows Phone 8 is compatible with version 14.1 of the Exchange ActiveSync protocol and supports synchronizing , calendar, task, and contact information with Exchange Server 2003 SP2 and subsequent releases or with Microsoft Office 365. In addition, Windows Phone 8 has a built-in device management client that can be used by a mobile device management system to set policy on the phone. More details will be available at a later date. If a Windows Phone is lost or stolen, IT professionals can initiate a remote wipe of the device by using the Exchange Server Management Console, and users can initiate a remote wipe of the device by using Outlook Web App. In addition, users
10 can locate a lost phone, map its location, make it ring, and wipe its data if they register the phone with windowsphone.com. Device encryption To help keep everything from documents to passwords safe, Windows Phone 8 encrypts the internal storage of the device, including the operating system and data partitions. Device encryption is enabled by EAS or device management policy. 6 Device encryption in Windows Phone 8 uses BitLocker technology to encrypt all internal data storage on the phone. Once enabled, BitLocker conversion automatically starts encrypting the internal storage. With both PIN-lock and BitLocker enabled, the combination of data encryption and device lock would make it extremely difficult for an attacker to recover sensitive information from a device. Removable storage Windows Phone 8 supports removable storage using micro SD cards, so users can easily extend the memory of their phones to store pictures, movies, or music when needed. However, the Windows Phone operating system prevents users from storing anything but media files on SD cards. Although the Windows Phone 8 operating system and user data partitions are encrypted, files on SD cards that are inserted in the phone are not encrypted. IT professionals can prevent the use of external storage cards on Windows Phones by configuring a policy setting. Data leak prevention IT professionals wanting to prevent leaks of intellectual property should consider using Information Rights Management (IRM), which allows content creators to assign rights to documents that they send to others. The data in rights-protected documents is encrypted so that it can be viewed only by authorized users. In addition, a rights-protected document stores an issuance license that specifies the rights that users have to the content. For example, authors can specify that the document is read-only, that text in the document cannot be copied, or that the document cannot be printed. IRM relies on Windows Rights Management Services (RMS), a Windows Serverbased technology that IT pros can configure to create the issuance license and
11 perform the encryption and decryption of rights-protected documents. In addition, RMS can be applied to so that messages can circulate in a protected environment but not be forwarded outside of the organization. RMS can also be applied to documents that are attached to or stored on Microsoft SharePoint servers, limiting distribution and editing capabilities and helping to prevent information from being leaked to unauthorized personnel. Windows Phone users can fully participate in IRM conversations and read IRM documents on their phones. Windows Phone is the only smartphone currently available that includes a built-in capability to handle rights-protected and documents. 7 Secured access Windows Phone is built to take full advantage of cloud-based services. At first use, the user is prompted to enter Microsoft account information to access and connect to web services that enable many of its engaging capabilities, such as access to personal , the Windows Phone Store, SkyDrive, and many more. Data synchronization between Windows Phone and most cloud services or onpremises servers uses an SSL connection. All network traffic for critical Windows Phone business apps, such as Exchange Server and SharePoint, is encrypted using 128-bit or 256-bit AES encryption. This use of encryption applies to on-premises server deployments as well as to Office 365 deployments. And most third-party or custom business apps on Windows Phone also use the SSL encryption infrastructure to protect information in transit. Conclusion Because mobile devices are used to communicate and store corporate data, personally identifiable information, and intellectual property, Microsoft has applied the strictest security standards to design and develop Windows Phone. Windows Phone 8 secure boot and code signing provide system integrity, and the chambered security model is the foundation for protecting confidential data. Building on this foundation, the combination of full-device encryption and device access policies establishes a powerful security model that can withstand many attacks. In-depth protection against mobile malware creates an environment that creates trust.
12 Resources For more information about all the aspects of using Windows Phone in your company, see, Windows Phone for Business (http://www.windowsphone.com/en- US/business/for-business). To learn more about the Security Development Lifecycle, see Additional information is available in the following articles: 8 Understanding Information Rights Management at How IRM works in Office and Exchange Server at Understanding IRM with Exchange ActiveSync at
Windows Firewall with Advanced Security Design Guide and Deployment Guide Microsoft Corporation Published: October 2008 Author: Dave Bishop Editor: Allyson Adley Reviewers: Bilal Aijazi, Boyd Benson, Shalaka
Symantec Encryption Management Server Administrator's Guide 3.3 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
RSA Authentication Manager 8.1 Planning Guide Revision 1 Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm Trademarks
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
IT@Intel White Paper Intel IT IT Best Practices Cloud Computing and Information Security January 2012 Virtualizing High-Security Servers in a Private Cloud Executive Overview Our HTZ architecture and design
New York State Office of the State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT MANAGEMENT GUIDE Information Technology Governance Thomas P. DiNapoli State Comptroller
THE OFFICE OF ENTERPRISE TECHNOLOGY STRATEGIES Statewide Technical Architecture Implementation Guidelines: Red Hat Enterprise Linux Implementation Guidelines: Red Hat Enterprise Linux Revised Date: Version:
Enterprise Mobility Management: A Data Security Checklist Executive Summary Secure file sharing, syncing and productivity solutions enable mobile workers to access the files they need from any source at
A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...
Table of contents 1: Improved application security 4: Tighter integration with operating system architectures 5: Easier deployment and administration for reduced total cost of ownership 6: Content security
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
V 1.0 November, 2010 CYBERSECURITY The protection of data and systems in networks that connect to the Internet 10 Best Practices For The Small Healthcare Environment Your Regional Extension Center Contact
Siebel Security Guide Siebel Innovation Pack 2013 Version 8.1/8.2 September 2013 Copyright 2005, 2013 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided
WHITE PAPER Informatica Cloud Architecture and Security Overview Independent Analysis of the Architecture and Security Features of Informatica Cloud Prepared by Mercury Consulting, a leader in Ground to
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Checklist to Assess Security in IT Contracts Federal Agencies that outsource or contract IT services or solutions must determine if security is adequate in existing and new contracts. Executive Summary
Symantec.cloud Getting Started Guide Symantec.cloud Getting Started Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of
Card-Not-Present Fraud Working Committee White Paper: Near-Term Solutions to Address the Growing Threat of Card-Not-Present Fraud Version 1.0 Date: April 2015 About the EMV Migration Forum The EMV Migration