Ah, Windows Phone. I’ve never personally owned a Windows Phone device, but it was nice knowing you. As of July 11, Microsoft has ceased supporting Windows Phone 8.1. With only about 20% of Windows Phone devices running Windows Phone 10 – and Windows Phone in total having less than 1% of the overall mobile market – observers predict that support for the platform will soon stop completely. Now is the time to consider the history of Windows Phone, and what the cybersecurity world may have lost.
It all started with Windows CE, otherwise known as Windows Embedded or Windows Embedded CE. Development began in 1992. The first version of Windows CE launched in November 1996, appearing in some PDA devices of the era. Windows CE also appeared in the Sega Dreamcast, Sega’s last attempt in the video game console market, which was released in Japan in 1998 and worldwide in 1999.
The Windows CE 3.0 kernel was used in the first version of Windows Mobile, originally named Pocket PC 2000, appearing in more advanced PDA devices and smartphones. The platform ran from the first version of Pocket PC 2000 in April 2000, through to Windows Mobile 6.5 in May 2009.
Windows Mobile 6.5 was going to be followed by Windows Mobile 7, but with the massive success of Apple’s iPhone, which launched in 2007, and smartphones running Android (the first Android phone was T-Mobile’s G1, which launched in October 2008), Microsoft changed direction.
During Mobile World Congress in February 2010, Microsoft announced Windows Phone 7. This new version of the OS was designed to be optimized for touchscreen smartphones, featuring Microsoft’s Metro design language. In my opinion, smartphones and tablets are the devices that the Metro UI is appropriate for. I never personally liked it on the desktop in Windows 8 and 10, Windows Server 2012 and 2016, or on the Xbox 360 and Xbox One, but to each their own.
Although Windows Phone 7, 8, and 10 were actually pretty good operating systems, Microsoft may have released the platform too late to acquire major mobile market share, even with their historic Nokia partnership in 2011. What interests me is that some cybersecurity experts believe that Windows Phone is the most secure mobile operating system.
Penetration tester Steve Lord of Mandalorian Security Services analyzed Windows Phone for himself, telling WhatMobile.net:
“All have benefits and drawbacks. Currently Windows Phone seems to be the hardest nut to crack. Blackberry has a long history of being very security-focused. If I have physical access to the device, I find Android’s usually the easiest target. Then comes iPhone, then older versions of BlackBerry. If it’s over a network or I have to attack via email or message, Android’s usually the softest target.
“Older smartphones tend to be considered less secure as they’re usually affected by known weaknesses. If you’re using an older phone you’re better off with a classic dumb phone. If you have to have an older smartphone, use an older BB10-based Blackberry, or a Windows Phone running Windows Phone 8 or newer.”
Simon Reed, Sophos’s own security guru, says:
History shows that Windows Phones were low-risk devices to use. How much of this was due to the inherent security of the device vs the cybercriminals focusing on the high-volume platforms, we will never know.
With the death of the Windows Phone platform, this leaves mobile users exposed in two ways. Firstly, those people who continue to use an out-of-date product need to think about what this means to their security posture going forward. Up to now, cybercriminals typically ignored the WP due to low market adoption.
Secondly, in the rush to move to an alternative platform (iPhone or Android) users need to consider the impact of migrating from a platform that mostly cybercriminals ignored, to ones they are focused on.
So now those of us in the cybersecurity world can reminisce about what we may be losing in a world with no more Windows Phone. Windows Phone, it was nice knowing you.