I was always a fan of this one until when a few days back I decided to find out why most of the organizations go with BES or any other services for mail synchronization and again Microsoft shocked me with the shortcomings of one of their oldest product
Active Sync was launched in 1996 by Microsoft with the hope to be a mainstream product for synchronizing mails with mobile devices but well let’s just say they day dreamt. It’s a pity to see that one of the best product of Microsoft i.e. Exchange using other services for mail synchronization with Mobile Devices
So Why Microsoft active Sync is neglected by Major Organisations - Let us find out
Well, it wasn't that Microsoft didn't try to make it full proof. There are certain out of box security features it imparted with active-sync but like most of its products it left Achilles' heel in every option leaving them vulnerable. Few of the options are below
1) Device password policies: As a first level of security they gave us the option to Force the device to have password with desired password strength. Also, automatic Data Deletion after multiple wrong password attempts can be enabled
2)Remote wipe: Remote wipe feature was also given as an out of box option which can help to remotely delete all data from mobile device on a single command from the Exchange Server computer or from any Web browser by using Outlook Web App in case the device is stolen or lost.
3) Device encryption policies:There are a number of mobile device encryption policies that can be enforced for a group of users.Encryption can be enforced on Device internal storage as well as storage cards
Well, we can see Microsoft tried but then why did organizations switched to other technologies then. Well I have two funny theories
1)My favourite is this on-:Maybe Bill Gates sat in time machine and went to future to see everyone using Lumia's and Surface's and launched the product but Then again Jobs being Jobs(or Out of Job) went to past and created a butterfly effect to crush that future and replaced Lumia's with Apple's and Ipad's
2) Or they didn’t know what were they doing or wanted blackberry to Survive since they left the reporting back part to the client itself which is not a reliable way.
ActiveSync Client on the mobile device is tasked with both enforcing the policies dictated by the ActiveSync Server as well with informing the ActiveSync Server that it is compliant, Meanwhile the Server has no mechanism to check the device itself and confirm the settings. So anyone can root the device fool active sync and just have their way with the policies.
Let us explore other vulnerabilities
1) Active-Sync does have security controls that can be deployed, but unless Windows Mobile is used, many of those security controls aren't available. For example, while Active-sync has settings to allow you to disable Bluetooth or a camera, most Android and iPhones or HP/Palm devices do not support those capabilities and will just ignore the instruction (or won't connect because of it).
2)ActiveSync has no way of determining whether the device is rooted or jailbroken which is a major issue since rooted access can be used to fool Exchange Server that these policies are enforced when actually they are not .Please find the CWSi Article link below where they tricked the exchange server in doing so
3) It needs viable abilities for driving clients to redesign their gadgets to the most recent OS and application forms or risk being obstructed from system access. That is a basic prerequisite in security. This restriction implies that possibly several basic OS and application vulnerabilities could open an organization to exorbitant and superfluous risk.
4) Although Active-sync does have an option to encrypt data-at-rest on employee devices butit neglects to satisfactorily bolster that strategy. The powerlessness to compel gadgets to install and run the most recent rendition of their mobile OS implies that clients' as far as anyone knows scrambled information could in any case be defenseless.
5) Another risk is data storage. Active-sync does has a remote wipe capability, and it also allows us to require a password but how the email is stored on the device and what other applications can access it, or contacts or calendar items is subject to the device & end user, not the mail administrator.
6) There is one more Risk which i have myself seen in action. With Active Sync a single device can send a multiple Requests to active sync server with HTTP error code 503 which may simulate the behaviour of DOS attack. Imagine if this issue occurs with multiple devices at the same time, it could be disastrous to email server and can lead to disruption of the services. (https://support.microsoft.com/en-in/kb/2469722)
All this can be summarized in the below points
- No containerization support for work information, applications and use cases
- Application arrangement/fixing is not bolstered
- Data-at-rest encryption is conflicting
- Active-Sync security policies can be circumvented/ignored
Well if someone says mail synchronization, I still can only hear active sync since it is too good at what it does i.e. sync mails, Perfection in Simplicity I may add, but the thing is Microsoft failed to see the potential for this product. It failed to promote it as a main stream product and Active Sync became a victim of its own creator.
Authored by Divyanshu Yadav