DOC RABE Media - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What are the Windows Phone 8.1 security improvements?

Microsoft hardened its Windows 8.1 update to make it enterprise- and government-worthy. Expert Michael Cobb outlines the new and improved features.

I heard that Microsoft was going to harden its Windows Phone 8.1 in attempts to make it worthy of government use. What is different about version 8.1, and how will it affect security? Are there features enterprises should ask for in such devices?

The battle for market share in the lucrative enterprise mobile phone market is continuing to drive the industry's major players to improve core data security and privacy features. In response to offerings such as Samsung KNOX and BlackBerry Enterprise, Microsoft is hardening the architecture of its Windows Phone 8.1 mobile operating system and adding or improving various security features to help safeguard data from unauthorized access and prevent jailbreaking and malware attacks.

The Trusted Platform Module continues to be at the heart of many of Microsoft's security controls; certified devices running Windows 8.1 are required to have TPM installed. TPM is a tamper-resistant security processor used for digitally signing data. For example, the Unified Extensible Firmware Interface and the operating system can use TPM to store hashes which verify files on a device have not been changed. It also stores cryptographic keys for BitLocker volumes, virtual smart cards and other public key certificates.

Windows 8.1 introduces TPM key attestation to improve access control to corporate resources. A user certificate with a TPM-attested key provides higher security assurance due to the non-exportability, anti-hammering and key isolation provided by the TPM. This hardware-bound user identity is much stronger than software-based user identities, and can be used for device authentication onto a network based on mobile device management (MDM) enrollment.

Administrators have plenty of control over Windows 8.1 devices via the built-in MDM client. It can hook into an organization's chosen MDM technology while granular MDM policies provide extensive control over onboard hardware capabilities such as camera, Bluetooth, GPS and NFC -- all possible sources of data leaks -- while app whitelisting and blacklisting ensures only approved apps are installed. (XDA-developers have discovered a vulnerability which allows a trusted app that has been transferred to the SD card to be replaced, and the attacker's app to run using the privileges of the targeted app. Apps that can be moved to the SD card have limited access, so it doesn't lead to a full interop unlock.)

Administrators also have more choice in how they manage Windows 8.1 devices through the support of the Simple Certificate Enrollment Protocol (SCEP), which uses the Open Mobile Alliance Device Management (OMA DM) protocol. Windows 8 did not support SCEP, but Windows 8.1 exposes the OMA DM protocol so third-party mobile device management products can take advantage of the SCEP device management protocol.

To make secure access to resources sitting behind the corporate firewall easier for the end user, Windows Phone 8.1 has native VPN support. Connections can be provisioned by an MDM product and provide single sign-on access through certificate authentication. SSL-based plugins should be available for all the leading VPN providers, so organizations can still use their preferred VPN infrastructure to connect mobile devices to internal networks.

Email encryption is also simplified due to Windows Phone 8.1 industry-standard implementation of S/MIME>; users can sign in and encrypt email messages directly from the mail client on their phone. Enhancements made to the Windows Biometrics Framework in Windows 8.1 make fingerprint biometrics easier to implement and use, while encryption of the operating system volume is automatic and configured by default.

Microsoft is hoping that these new features will prove popular with government agencies and help ease concerns that increased mobility inevitably means increased risk. Safeguards against jailbreaking and malware assaults along with easier to use security controls will be popular with administrators and users alike. As long as a device has a TPM present, most Windows Phone 8 handsets should support the Windows Phone 8.1 update, which avoids the cost of buying new devices. The latest Windows Phone statistics from AdDuplex show that Windows Phone 8.1 was installed on just over 62% of all Windows Phone devices worldwide in January 2015.

Robust and easy-to-use security is finally being seen as a must-have feature, and competition will continue to improve the overall security of mobile devices. For example, Windows 10 due to be launched later in 2015 has built-in Multifactor authentication based on open standards from the FIDO Alliance. Enterprises may want to wait for this version of Windows as it will be Microsoft's first operating system that works on all types of devices.

Ask the Expert:
Have a question about application security? Send it via email today. (All questions are anonymous.)

Next Steps

Don't miss SearchConsumerization's guide to Window mobile devices in the enterprise

This was last published in April 2015

Dig Deeper on BYOD and mobile device security best practices