Securing Windows Mobile Applications Marcus Perryman
“Building secure software is now critical to protecting our future, and every software developer must learn how to integrate security into all projects” Writing Secure Code 2 Michael Howard, David LeBlanc
Agenda The Security Story Mobile device security Practical use of security Perimeter security Data Transmission Data Storage Futures Summary
The Security Story Secure code is designed to withstand malicious attack. Design to be secure, not a bolt on. Trustworthy Computing “Helping ensure a safe and reliable computing experience that is both expected and taken for granted.” Security - Resilient to attack Privacy - Controlling data access Reliability - Dependable systems Business Integrity
Enterprise Implications Tiered Enterprise Application: Data Source; Private IF, Public IF, Mobile IF; Customer / User, Call Centre Worker, Delivery. Authorisation, Secure Data Transfer, Protection from attack (repeated across the diagram). Loss of Device?
Security – General Approach Security vs Usability trade-off Decide where to secure Target most important areas Match security to risk Risk analysis as part of system design Consider areas most at risk / highest impact Probability * Impact = Risk List mitigations to reduce impact or probability Track risk through project (it changes!)
Risk Analysis
Threat: Prob, Imp, Risk
- Unauthorised user steals or acquires device: Med, High
- Unauthorised user gains access to local data held on device: Med, High
- Unauthorised user gains access to network, via device
- Unauthorised user gains access to backend data/systems, via device: Med, High
- Trusted user uses device for unapproved purposes: Med, Low
- Trusted user exports data or synchronises with unapproved system: Low, High, Med
- …
Device Specific Security Password Protection / Data Encryption Application1 Application2 Windows CE OS SQL CE Perimeter Security File System Filter Object Store CAPI Libraries OEM Security Layer
Practical use of security
Device Security Devices today are NOT Secure by Default PCs today are improving (i.e. Win2003) Where to put security? Secure at perimeter Secure data storage Data Transmission privacy Secure at the service level
General Advice Don’t make your own security algorithm Care when storing secrets Don’t transmit secrets! Sign Code App 1 App 2 SendMessage, Socket,File, Memory App 3
UK Police Mobile Solution Vision: To put 100 additional officers back on the beat in the next 12 months. Provide mobile solution for office based applications: Police National Computer search, Name Address search, Firearms register etc. Risk analysis highlighted data privacy. Transferring confidential information over GPRS Storing confidential information on mobile device. Smart Client solution chosen for disconnected working
SmartBeat Application (n-tier SOA) Solution Design: Data Source Key Data RADIUS RSA Firewall S&F Req/Resp Store RSA Dial Code Input/ Display Screen Choose A Key. Encrypt Data Key Data Server Device UserKey Data Data Data
Police Solution
Power On Password
Replace the inbuilt password for Pocket PC:
  LPTSTR PromptForPasswd(HWND,BOOL)
  LONG CALLBACK CPlApplet(HWND,UINT,LONG,LONG)
Update the Registry:
  HKLM\controlpanel\password
  Redirect = \windows\password.cpl
Call device password APIs:
  BOOL CheckPassword(PasswordText);
  BOOL SetPassword(OldPwd, NewPwd);
  SetPasswordActive(TRUE, PasswordText);
Challenges:
  Device implementations do differ
  Work with your device vendor
  Pocket PC 2000 requires password.cpl
  Use this name for backward compatibility
Power On Password Benefits: Finer control of password complexity Force password ON Generate access key (don’t store secrets!) Store protection – SQLCE / File System Filter Server Authentication / Authorization Destroy private data on password fail i.e. 5 strikes and out! Device State management Start applications / check install state
Power On Password
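The "5 strikes and out" policy from the benefits slide, as an added example that is not part of the original deck or of any Microsoft code. All type and function names are hypothetical; the check hook stands in for the device password API, and the stand-in hooks and passphrase at the bottom are constructed so the logic runs off-device.

```c
#include <stdbool.h>
#include <string.h>
#define MAX_STRIKES 5u  /* "5 strikes and out" */
typedef enum { LOCK_OPEN, LOCK_DENIED, LOCK_WIPED } LockResult;

/* State that must survive a reset (registry or flash on a real device). */
typedef struct { unsigned strikes; bool wiped; } LockState;

/* Platform hooks; every name in this example is hypothetical. */
typedef struct {
    bool (*check)(const char *attempt);  /* e.g. wraps the device CheckPassword */
    void (*save)(const LockState *st);   /* persist the state */
    void (*wipe)(void);                  /* destroy private data */
} LockHooks;

static LockResult do_wipe(LockState *st, const LockHooks *hk) {
    hk->wipe();
    st->wiped = true;
    hk->save(st);
    return LOCK_WIPED;
}

LockResult try_unlock(LockState *st, const LockHooks *hk, const char *attempt) {
    if (st->wiped) return LOCK_WIPED;
    /* A reset between the final strike and the wipe must not buy another guess. */
    if (st->strikes >= MAX_STRIKES) return do_wipe(st, hk);
    /* Persist the strike before verifying: cutting power mid-check costs an attempt. */
    st->strikes++;
    hk->save(st);
    if (hk->check(attempt)) {
        st->strikes = 0;
        hk->save(st);
        return LOCK_OPEN;
    }
    return st->strikes >= MAX_STRIKES ? do_wipe(st, hk) : LOCK_DENIED;
}

/* Constructed stand-ins so the example runs off-device. */
static LockState flash;  /* simulated persistent copy */
static int wipe_calls;
static bool demo_check(const char *a) { return strcmp(a, "demo-passphrase") == 0; }
static void demo_save(const LockState *st) { flash = *st; }
static void demo_wipe(void) { wipe_calls++; }
static const LockHooks demo_hooks = { demo_check, demo_save, demo_wipe };

int main(void) {  /* five wrong guesses end in exactly one wipe */
    LockState st = { 0, false };
    for (unsigned i = 0; i < MAX_STRIKES; i++) try_unlock(&st, &demo_hooks, "guess");
    return (st.wiped && flash.wiped && wipe_calls == 1) ? 0 : 1;
}
```

On a device, the check hook would compare in constant time or delegate to the OS, and the save hook must complete its write before the check starts.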
Other Perimeter Restrictions: WiFi / GPRS, IrDA, Bluetooth, Active Sync
Other Perimeter Restrictions
General Principle: HKLM\Drivers\BuiltIn\
Controlling Removable Media
  Disable SD Card: HKLM\Drivers\Builtin\SDBusDriver
  Disable CF Card: HKLM\Drivers\BuiltIn\PCMCIA
  Restrict via File System Filter or 3rd party tools
Disable Bluetooth – OEM specific
  HKLM\Drivers\BuiltIn\ASIC5_BTUR (for XDA II)
Disable IrDA
  HKLM\Comm\AFD\Stack – remove irdastk
Active Sync
  Machine generated password
Locking Down the Device
Data Transmission Windows Mobile 2003 Certificate Store Enables many more device scenarios Using SSL (HTTPS) SSL 2.0 / 3.0, SGC PPP (RAS), 802.1x EAP, EAP-TLS, PEAP, LEAP support Virtual Private Network PPTP and L2TP/IPSec support
On Device Data Protection SQL CE Password protection per database (file store) 128 bit encryption of the store 3rd party protected store applications Roll your own File System Filter Application based store security
Vodafone Media Trial Vision: Research for consumption of video media on mobile device. Provide mobile device with media on SD Card. Daily videos displayed in sequence with questionnaire. Risk analysis highlighted data privacy. Video contents copyright, needed basic protection – DRM ideal solution! Windows Media Player solution required for timescales.
Solution Architecture MediaData MediaData File System Filter Device Unique Device ID
File System Filter
Filter layer above file system
Hooks all high level store access APIs
  CreateFile, ReadFile, WriteFile, CloseHandle
  FindFirstFile, FindNextFile
Chained filter system via registry key
  HKLM\System\StorageManager\FATFS\filters\VodaFilter
  "Dll" = "VodaFilter.dll"
  Order = 0
File System Filter Solution
Application Store Protection
CAPI Library capabilities
Microsoft CSP supports: MD2, MD5, SHA, SHA1, MAC, HMAC, SSL3_SHAMD5, RC2, RC4, RSA_SIGN, RSA_KEYX
Using Crypto
  Encrypting data: CryptEncrypt(hKey, NULL, TRUE, 0, Buffer, &BytesRead, MAX_BUFFER)
  Decrypting data: CryptDecrypt(hKey, NULL, TRUE, 0, Buffer, &BytesRead)
Other Considerations Reduce the attack surface of the device: Failed login? Remove sensitive data. Time-out data. Transferring secret data Never send as readable – use a secure channel Consider sending a token instead Keep the secret – use a callback Keeping track of date and time SNTP support only in Windows CE.NET Several Examples of SNTP code on the web.
Signature Smartphone Application Security Windows CE OS Application1 App. Loader OEM Security Layer Certificate Store Privileged Un- Privileged Device Security Policy Open Signed Req. Trusted Req.
Futures of Device Security
Futures Digital Rights Management Open Mobile Alliance (OMA) DRM Media Player 10 Hardware innovations Biometric solutions Smartcard Readers Compact Framework 2 Managed classes for Crypto access ‘Most secure’ Web Service authentication 1 tier security model for PPC
Get Tools & Resources: Windows Mobile Developer Portal More Support: Windows Mobile Solutions Partner Program Go To Market: Mobile2Market and Certification Technical Support: Tools and SDKs with emulators Technical articles and whitepapers Developer community Marketing Support: Monthly newsletters Case studies Technical Support: Exclusive expert columns Early access to SDKs Access to beta programs Marketing Support: PR support Ongoing promotions for devices Technical Support: “Designed for Windows Mobile” certification testing Free technical support incident Marketing Support: “Designed for Windows Mobile” logo on packaging & promotions Increased promotion to retailers and distribution partners Go to: Windows Mobile Developer Resources
Summary “Building secure software is now critical to protecting our future, and every software developer must learn how to integrate security into all projects” Windows Mobile 2003 provides a rich suite of tools to help secure your application.
Questions?
© 2004 Microsoft Corporation. All rights reserved. MICROSOFT CONFIDENTIAL. INTERNAL USE ONLY.