As I have spent some time researching and developing a WP8 application security testing methodology and process, I have come up with three key security features that are missing from Microsoft’s Windows Phone 8. From an offensive security perspective, these features are good to have for testing, but from an end user perspective, they are much more important:
- VPN Support
- HTTP Proxy Authentication
- Digital Certificate Management
VPN Support
When testing a mobile app, a tester often wants to see all of the app's traffic, not just the HTTP traffic. This is generally done with a VPN connection using a tool like Mallory. Unfortunately, Windows Phone 8 does not support VPN. There is nowhere to configure a VPN connection! Thankfully, there are other ways to see all of the Windows Phone 8 traffic, and I will cover that in a future post.
HTTP Proxy Authentication
Windows Phone 8 allows you to configure HTTP and HTTPS traffic to go through a proxy, but it does not allow you to authenticate to that proxy. Proxy configuration is per Wi-Fi network and only allows configuring an IP and port. There is no place to configure authentication.
Digital Certificate Management
Windows Phone 8 has no ability to manage digital certificates that have been installed on a device. In a previous post I explained how to install a certificate on WP8. Unfortunately, there is no way to remove the certificate.
I identified all three of these missing security features of Windows Phone 8 because I was testing WP8 apps. These features come standard in iOS and Android, and it is strange they are not included in Windows Phone 8 by Microsoft. All three of these features have valid business uses to ensure security for the device, especially if it is owned by an organization and will be used on a corporate network.