Gartner slams Pocket PC security

Analyst Gartner has slammed Microsoft's Pocket PC 2002 handheld operating system (OS) as unsuitable for enterprise computing, warning that it lacks even basic security features.

In a new report, the analyst disputes Microsoft's contention that Pocket PC is designed as a platform for enterprise solutions.

It said that enterprises face a significant risk of exposure due to these security shortcomings, and advises them to install third-party security software.

In its report What does trustworthy computing mean for Pocket PC?, the analyst said: "Some of the most basic security features required by an enterprise are noticeably lacking in the Pocket PC."

Among the basic security weaknesses listed by the report are:

• A default setting of no password, and password handling which is inconsistent with other Windows products, meaning that, once access is gained, every application is run without restriction
• The Pocket PC configuration is modifiable at any time so that enterprises cannot be sure of settings, even after an administrator has configured them
• Unauthorised or unknown Pocket PC devices are installable on a machine without requiring a password or new connection, after which they can access Microsoft Outlook data and other files.

But Microsoft has vehemently rejected the findings outright. Douglas Dedo, lead product manager of Microsoft Mobility, said: "This is a rogue report, not up to Gartner's usual high standard. It is a 'mischaracterisation' right from the start."

He said that, in the UK, Pocket PC had around 50 per cent of the enterprise market for handhelds, and that users were happy with security. Some were used in very secure situations, he added.

But Gartner believes that the ever-increasing use of PDAs and mobile phones poses a serious threat to enterprises' sensitive data. About 250,000 PDAs were left behind or lost in US airports alone in 2001, according to the report.

Microsoft has made a broad commitment to enterprise security through its Trustworthy Computing (TWC) initiative. But Gartner's commentary said bluntly: "Microsoft's [TWC] promise remains hollow for the Pocket PC platform."

According to Gartner, Microsoft had no plans to address many of the basic security issues to raise security to enterprise level until the next major release.

But Dedo described this as crazy. "Pocket PC has added security every step of the way and this will continue. It has the most security of any of the handheld operating systems," he said.

The report also warned of a knock-on security effect on other enterprise operating systems - especially Windows 2000 and XP - caused by the Pocket PC opening up access to data that would otherwise be protected.

But Pocket PC's competitors do not fare well for security either. Symbian and Symantec are working on a more secure version of Symbian OS used widely in mobile phones, while Palm OS 5 supports 128-bit file encryption.