Understanding Windows Mobile Security : Page 2

Learn about the security provisioning of Windows Mobile devices and how you can provision your own Windows Mobile device using the Device Security Manager (included with Visual Studio 2008).


Security Provisioning
To understand why the previous attempt to write to the registry fails, take a look in the Device Security Manager. In Visual Studio 2008, go to Tools > Device Security Manager to launch it. Notice that the Windows Mobile 6 Standard emulator has the Custom security configuration.

Observe the various settings of the Custom security configuration. Basically, it means:

  • The emulator uses a two-tier security configuration (more on this later).
  • Users are not prompted when attempting to run unsigned applications. That means unsigned applications will be allowed to run.

Applications that are not signed will be allowed to run, but they run in Normal mode. In Normal mode, applications have access to most of the APIs, but access to privileged APIs will be denied. This article shows the list of privileged APIs in the Windows Mobile platform.



From this configuration, you can see that because your application has not been signed, it is allowed to run in Normal mode, and attempting to write to the registry (which is restricted) will thus be denied.

Now, select the Prompt One Tier security configuration in the Device Security Manager and click the Deploy to Device button to effect the change on the emulator (see Figure 3).

In the One-Tier Prompt security configuration:

  • All unsigned applications (or applications signed with a normal certificate) are always prompted before being allowed to execute.
  • When an application is allowed to execute, it runs in Privileged mode (that is, it can access all APIs).

Windows Mobile 6 Professional and Classic devices usually have this security configuration.


Figure 3. Prompt One Tier: Changing the security configuration of the emulator to Prompt One Tier.
 
Figure 4. One Tier Prompt: In the One Tier Prompt security configuration, applications that are allowed to execute run in privileged mode.

Rebuild the application and press F5 to deploy it onto the emulator again. You will now be prompted to allow the application to execute. Click Yes. When you now click the Write Registry menu item, the registry key will be created successfully (see Figure 4).

In the Device Security Manager, select the Prompt Two Tier security configuration and click the Deploy to Device button.

In the Prompt Two-Tier configuration:

  • All unsigned applications (or applications signed with a normal certificate) are always prompted before being allowed to execute.
  • Unsigned applications that are allowed to execute run in Normal mode.
  • Signed applications (signed with a normal certificate) run in Normal mode.
  • Signed applications (signed with a privileged certificate) run in Privileged mode.

Windows Mobile 6 Standard devices usually have this security configuration.

Rebuild the SecureApp application and debug it by pressing F5 again. You will be prompted to run the application. Click Yes. When you now click the Write Registry menu item, you will be denied access again (see Figure 5).

Author's Note: Before you press F5 to debug the application, remove the registry key that you created earlier from the emulator; otherwise you cannot test creating it again. You can use the Remote Registry Editor shipped with Visual Studio 2008 to do so.

Figure 5. Access Denied: Access to the registry is denied.

To summarize, there are four common security configurations for Windows Mobile:

  • Security Off: Applications have access to all APIs on the device.
  • Prompt One-Tier: Applications that are not signed are prompted before execution. Applications are either blocked or execute in Privileged mode (when granted permission by the user to execute).
  • Prompt Two-Tier: Applications that are not signed are prompted before execution. Applications are either blocked, or execute in Normal mode or Privileged mode depending on the certificates they have been signed with.
  • Mobile2Market locked: Applications that are not signed will not be allowed to execute. Only applications signed with the Mobile2Market certificate (discussed in the next section) are allowed to execute. The mode they execute in (Normal or Privileged) depends on the certificates they have been signed with.
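
The following sketch is an added example, not code from the article or from Windows Mobile. It models the configurations summarized above as three hypothetical flags and replays the SecureApp registry test under each one. It assumes that signed applications carry certificates the device trusts and models the prompt for unsigned applications only.

```python
from dataclasses import dataclass
from enum import Enum

class Signing(Enum):
    UNSIGNED = "unsigned"
    NORMAL_CERT = "normal certificate"
    PRIVILEGED_CERT = "privileged certificate"

class Mode(Enum):
    BLOCKED = "blocked"
    NORMAL = "Normal"
    PRIVILEGED = "Privileged"

@dataclass(frozen=True)
class Config:
    # Hypothetical flags chosen to capture the behaviour listed above.
    unsigned_allowed: bool  # may unsigned applications run at all?
    prompt_unsigned: bool   # is the user asked before an unsigned app runs?
    two_tier: bool          # False: whatever runs is Privileged

CONFIGS = {
    "Security Off": Config(True, False, False),
    "Custom (emulator)": Config(True, False, True),
    "Prompt One-Tier": Config(True, True, False),
    "Prompt Two-Tier": Config(True, True, True),
    "Mobile2Market Locked": Config(False, False, True),
}

def execution_mode(cfg, signing, user_accepts=False):
    """Mode an application ends up in; the prompt is modelled for unsigned apps only."""
    if signing is Signing.UNSIGNED:
        if not cfg.unsigned_allowed:
            return Mode.BLOCKED
        if cfg.prompt_unsigned and not user_accepts:
            return Mode.BLOCKED
    if not cfg.two_tier or signing is Signing.PRIVILEGED_CERT:
        return Mode.PRIVILEGED
    return Mode.NORMAL

def registry_write_allowed(name, signing, user_accepts=False):
    """The restricted registry write in the walkthrough needs Privileged mode."""
    return execution_mode(CONFIGS[name], signing, user_accepts) is Mode.PRIVILEGED

if __name__ == "__main__":
    # The unsigned SecureApp, with the user answering Yes to any prompt.
    for name, cfg in CONFIGS.items():
        mode = execution_mode(cfg, Signing.UNSIGNED, user_accepts=True)
        ok = registry_write_allowed(name, Signing.UNSIGNED, user_accepts=True)
        print(f"{name:22} {mode.value:11} registry write allowed: {ok}")
```

Run for the unsigned SecureApp, the model reproduces the three experiments above: the write is denied under Custom and Prompt Two Tier and succeeds under Prompt One Tier.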
