Securing Windows Mobile
I tend to get a lot of questions about Windows Mobile security and it always seems the same questions get asked: data transmission, local store, local authentication, loss of device etc. I just answered another question from a Microsoft consultant in Switzerland and thought it might be useful to blog the answers here - these are by no means complete answers to security on mobile, but might prove useful to some.
1 – Exchange and mail transfers.
The Windows Mobile Exchange client (Inbox) supports https connections from device to server, so the data transfer can be considered secure. The local data store on the device for email is not secure at this time (clear text storage in a hidden db). There are a number of 3rd party solutions that cover this space and we are looking at this functionality for the next version of Windows Mobile.
2 – Secure transport of data from server bank to the mobile device.
The device has a full list of transport encryption and authentication technologies including https, vpn (PPTP and IPSEC), CHAP, LEAP and EAP. Most of this is covered in this paper: https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnppcgen/html/wmdeploy.asp
3 – Local security on the device.
This can be a bit more interesting. Windows CE has no concept of user identity and so there is no such thing as an ACL in the OS. Providing local security is about implementing some mechanism for capturing user identity and applying the concept of access control in code at a sufficient level to mitigate your risks - don’t overdo things though, security is very often a trade-off with usability. For full device security a power-on password replacement is often a great place to start – capture user ID & password to generate a user ‘key’ that unlocks the relevant data for the application.
There are many products in the 3rd party space here that provide data encryption etc.
Are you familiar with the Smartphone security model? https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsmtphn2k3/html/smartphone_security.asp This security model can be configured to only run applications that are signed with a specific cert, thus preventing malicious code (or just any non-approved software) from running on the device. This model is coming to Pocket PC with the next version of Windows Mobile and will allow enterprises to install a certificate on the device and only run their apps. This significantly reduces the attack surface for mobile devices.
4 – Lock or delete the data on the device when stolen.
This is generally better dealt with in code – e.g. three failed logins and the local store is deleted. In general it’s not losing the apps that is the problem; it’s the risk of losing the data behind them.
There are again 3rd party solutions for specific hardware that provide device bomb functionality.
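To make items 3 and 4 concrete, here is an added example (not code from the post, and not Windows Mobile API code) that sketches the design in platform-neutral Python: the user ID and password are run through PBKDF2 to derive a wrapping key, that key unwraps a random data key which would protect the application's local store, and after three failed unlock attempts the wrapped key is destroyed so the data behind it is unrecoverable. The class name, the PBKDF2 round count and the in-memory "wipe" are assumptions standing in for the device's real storage; on the device itself you would use the platform crypto library and delete the store file.

```python
"""Sketch of the power-on password scheme: user ID + password derive a key
that unlocks the application's local store; three failed attempts wipe it.

Stdlib only.  AES is not in the standard library, so the data key is wrapped
by XOR with a PBKDF2-derived keystream and bound with an HMAC tag, which is
enough to show the design (a real build would wrap with AES via CryptoAPI).
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # assumption: tune down for a slow device CPU
MAX_FAILURES = 3          # policy from the post: three failed logins -> wipe


class LocalStore:
    """Holds only the wrapped data key; the plaintext key never persists."""

    def __init__(self, user_id: str, password: str):
        self.salt = os.urandom(16)
        self.failures = 0
        self.wiped = False
        data_key = secrets.token_bytes(32)          # protects the records
        wrap_key, mac_key = self._derive(user_id, password, self.salt)
        self.wrapped_key = bytes(a ^ b for a, b in zip(data_key, wrap_key))
        # Tag over the wrapped key lets us detect a wrong password without
        # ever comparing against the password itself.
        self.tag = hmac.new(mac_key, self.wrapped_key, hashlib.sha256).digest()

    @staticmethod
    def _derive(user_id: str, password: str, salt: bytes):
        # User ID is mixed into the salt so the same password on two accounts
        # yields different keys.  64 bytes: half for wrapping, half for the MAC.
        km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt + user_id.encode("utf-8"),
                                 PBKDF2_ROUNDS, dklen=64)
        return km[:32], km[32:]

    def unlock(self, user_id: str, password: str):
        """Return the 32-byte data key on success, None on failure or wipe."""
        if self.wiped:
            return None
        wrap_key, mac_key = self._derive(user_id, password, self.salt)
        expected = hmac.new(mac_key, self.wrapped_key, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.wipe()
            return None
        self.failures = 0
        return bytes(a ^ b for a, b in zip(self.wrapped_key, wrap_key))

    def wipe(self):
        # Destroying the wrapped key is what makes the records unrecoverable;
        # on a device this is where the store file would be deleted too.
        self.wrapped_key = b""
        self.tag = b""
        self.wiped = True


if __name__ == "__main__":
    store = LocalStore("alice", "correct horse")        # constructed sample user
    print("unlock ok:", store.unlock("alice", "correct horse") is not None)
    for _ in range(MAX_FAILURES):
        store.unlock("alice", "guess")
    print("wiped after failures:", store.wiped)
```

The failure counter is reset on a successful unlock, so a legitimate user who mistypes once does not accumulate towards the wipe; the counter itself would also need to live in the store so a reboot cannot clear it.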
5 – Firewall and all security stuff for mobile wince and smartphone.
Firewall and AV are 3rd party territory still. No plans that I am aware of for MS to step in here.
6 – What is planned in the next 6 months?
In this timeframe start looking to Windows Mobile v.Next and the improvements around security like the code signing stuff.
7 - Do we have any case studies about mobile devices and security in banks or medical infrastructure?
Don’t know. Check here to see if there is anything useful https://www.microsoft.com/windowsmobile/business/casestudies/default.mspx
For most of the 3rd party bits I mentioned you should check out this paper by Doug: https://www.microsoft.com/windowsmobile/business/whitepapers/security.mspx
Maybe I will blog more completely on some of these areas later.
Marcus