In light of the recent controversy over a prominent journalist's entire collection of Apple devices being remotely wiped, this study on the security of remote wipes, presented at Black Hat 2012, becomes more relevant. In that study, security researcher Peter Hannay shows how to use a man-in-the-middle attack with a rogue network router to force an Android or iOS device to wipe itself.
In a corporate environment, employees typically access their corporate email from their phones by connecting to an Exchange server. This server is authenticated with a certificate, which can be self-signed by the business or purchased from a trusted certificate provider. In his experiments, Peter found that it is possible to force iOS devices to wipe themselves even if the certificate was authorized by a trusted certificate authority. Android devices got wiped when the Exchange server used a self-signed certificate, but not with trusted certificates. Windows Phone 7.5 did not get wiped, because the only way WP7 trusts a new certificate is if the user explicitly installs it.
We’ll chalk this one up as another win for Windows Phones in the corporate environment.