How secure is Windows Phone?

[Muralidhar Parimi]

Hi,

I am having a doubt, recently I had been for a Hacking Demo class... He said we can hack any android phone in 10 min. But copying the data is depends on the encryption. But he did not said anything about windows phone. So my question is does our windows phone can be hackable just like that?

 

[psoham777]

re:

Hi,





I am having a doubt, recently I had been for a Hacking Demo class... He said we can hack any android phone in 10 min. But copying the data is depends on the encryption. But he did not said anything about windows phone. So my question is does our windows phone can be hackable just like that?

It is, every OS can be hacked. Its just that WP has a reputation of not getting a virus, no lag etc. It has a better security as compared to Android. One of my friend has hacked his WP, downloads apps/games from unknown sources, still his phone works pretty well.

 

[a5cent]

Meh. Yes and No...



There are of course institutions that own installations similar to cell towers, which exist only as a means to intercept wireless traffic. If you are in the vicinity of such an antenna and haven't got a modified/secured/encrypted smartphone (none of the normal devices are), then nothing you do is secure or private. I wouldn't really call this hacking though, because it doesn't target a specific device, and although it lays bare all communications, it doesn't provide access to a device... well... at least not that I know of.



Then we have software that is developed for institutions like the CIA or FBI which are basically automated hacking tools. Most governments have such abilities, and Android is pretty much defenseless and completely open to them. It's clear that their abilities to attack WP or iOS aren't quite as "extensive", but I don't know what the differences are.



Finally, we have everything else, and here I'd say that 10 minute hacking claim doesn't apply. At the very least you need some prior knowledge about the user+device, or the user must have installed a malicious app. Even then though, the damage you can do against Android is far more severe than what would be possible against iOS or WP. I have not yet heard of a successful remote attack against WP.

 

[Muralidhar Parimi]

So I think the anti Virus software is also not needed. But is it possible to encrypt a windows phone now? Because my company policy is asking me to encrypt the phone. Else I can not use office data on my personal smart phone.

 

[a5cent]

Not needed is an understatement. There actually is no anti-malware software for WP. The way WP compartmentalizes apps, including system apps, makes it impossible for a malicious app to destroy anything but itself, and for the same reasons, anti-malware software couldn't scan anything but itself.







WP is probably the most secure consumer OS ever built, including BB. This is the best (publicly available) document I'm aware of:







https://forums.windowscentral.com/e...ad%2Fdetails.aspx%3Fid%3D36173&token=vE5bDqYL







WP supports full device encryption using MS well known/understood BitLocker technology, but enabling full device encryption requires you setup a relationship to some type of MDM software (Exchange ActiveSync policy, Windows Intune or System Center Configuration Manager).

 

[envio]

WP does a pretty good job at isolating apps from the system. However, the Bitlocker encryption was touted as a major feature for WP8/8.1 and yet, it can't be simply enabled by the end-user in combination with your phone's numeric password (AKA iPhone). It has be enabled remotely in partnership with an enterprise solution like MS Exchange or MDM - that is a shortcoming IMHO.

Security isn't just about the physical device though. The attack surface these days is much more social and you can, just by visiting a bogus mobile website link, have your details phished. So it depends on your definition and scope of term secure. Here again, WP has some good protections including Smartscreen filtering on all websites and every download attempt, cookie rejection and DoNotTrack on website history. It would be difficult to see how a third-party tool could meaningfully improve on the built-in features of the phone but again, never say never.

 

[ams963]

We must remember there is no security for data on microSD card for WP. With WP 8.1 everyone installs apps, games and data (pics, videos, documents) on microSD cards. But encryption for the cards. Anyone can access the data if they get their hands on the card. Correct me if I'm wrong.

 

[Funky Cricket]

Well, there is cracking, breaking into the phone, pushing malicious code to exploit a vulnerability and then gaining access to data remotely. This is pretty much not going to happen on Windows Phone as it sits now. There are always exceptions, but it pretty much can't happen because if something got in using an exploit in another app, the worst they could do was use that apps permissions, IE: get location data, and/or access media files, but nothing else.

You can't always be protected from man in the middle attacks, but I tested mine and most traffic passing through a man in the middle is https, and unless you have something that can pass fake certs on initial connection to do SSL decrypt, no ones getting anything other than what web sites you are visiting. That has nothing to do with phone though and all to do with how you are connecting.

Each app runs in it's own memory space and disk space and can't access anything else, USB only presents media types and doesn't show disk level access. I believe the core OS is protected somehow, but I can't recall what I read. The web browser runs flash and active-x, but there is no disk to copy malicious files to. It won't run unsigned code from outside the store unless you do something to your phone to allow it, and that is not easy and can't be done remotely (again, exceptions, but I've not heard of anything).

For the most part, it is about as secure as you can get for a consumer device and still allow it to be usable. The security is why a lot of "features" of android are not available. It's not possible to do it with how the apps are allowed to run, and what they are allowed to access.

 

[Funky Cricket]

EDIT: I didn't quote right: regarding installing applications on the SD card and someone getting their hands on that card.


Can someone test. I believe the actual installed data is not presented as readable data. I don't have a phone that uses an SD card to test. Again, that will only allow someone to access what is IN that application install, and not running a malicious application on the phone. That is not really hacking, that is just stealing a drive.