Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Windows Mobile Applications Marcus Perryman

Published byBeverly Hawkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing Windows Mobile Applications Marcus Perryman"— Presentation transcript:

1 Securing Windows Mobile Applications Marcus Perryman marcpe@microsoft.com http://blogs.msdn.com/marcpe

2 “Building secure software is now critical to protecting our future, and every software developer must learn how to integrate security into all projects” Writing Secure Code 2 Michael Howard, David LeBlanc

3 Agenda The Security Story Mobile device security Practical use of security Perimeter security Data Transmission Data Storage Futures Summary

4 The Security Story Secure code is designed to withstand malicious attack. Design to be secure, not a bolt on. Trustworthy Computing “Helping ensure a safe and reliable computing experience that is both expected and taken for granted.“ Security- Resilient to attack Privacy- Controlling data access Reliability- Dependable systems Business Integrity

5 Enterprise Implications Tiered Enterprise Application Data Source Private IF Public IF Mobile IF Customer / User Call Centre Worker Delivery Authorisation. Secure Data Transfer Protection from attack Authorisation. Secure Data Transfer Protection from attack Authorisation. Secure Data Transfer Protection from attack Authorisation. Secure Data Transfer Protection from attack Loss of Device?

6 Security – General Approach Security vs Usability trade-off Decide where to secure Target most important areas Match security to risk Risk analysis as part of system design Consider areas most at risk / highest impact Probability * Impact = Risk List mitigations to reduce impact or probability Track risk through project (it changes!)

7 Risk Analysis Threat ProbImpRisk Unauthorised user steals or acquires deviceMedHigh Unauthorised user gains access to local data held on device MedHigh Unauthorised user gains access to network, via device Unauthorised user gains access to backend data/systems, via device MedHigh Trusted user uses device for unapproved purposesMedLow Trusted user exports data or synchronises with unapproved system LowHighMed …

8 Device Specific Security Password Protection / Data Encryption Application1 Application2 Windows CE OS SQL CE Perimeter Security File System Filter Object Store CAPI Libraries OEM Security Layer

9 Practical use of security

10 Device Security Devices today are NOT Secure by Default PC’s today are improving (i.e. Win2003) Where to put security? Secure at perimeter Secure data storage Data Transmission privacy Secure at the service level

11 General Advice Don’t make your own security algorithm Care when storing secrets Don’t transmit secrets! Sign Code App 1 App 2 SendMessage, Socket,File, Memory App 3

12 UK Police Mobile Solution Vision: To put 100 additional officers back on the beat in the next 12 months. Provide mobile solution for office based applications: Police National Computer search, Name Address search, Firearms register etc. Risk analysis highlighted data privacy. Transferring confidential information over GPRS Storing confidential information on mobile device. Smart Client solution chosen for disconnected working

13 SmartBeat Application (n-tier SOA) Solution Design: Data Source Key Data RADIUS RSA Firewall S&F Req/Resp Store RSA Dial Code Input/ Display Screen Choose A Key. Encrypt Data Key Data Server Device UserKey Data Data Data

14 Police Solution

15 Power On Password Replace the inbuilt password for Pocket PC: LPTSTR PromptForPasswd(HWND,BOOL) LONG CALLBACK CPlApplet(HWND,UINT,LONG,LONG) Update the Registry: HKLM\controlpanel\password Redirect = \windows\password.cpl Call device password API’s BOOL CheckPassword(PasswordText); BOOL SetPassword( OldPwd, NewPwd); SetPasswordActive( TRUE, PasswordText); Challenges: Device implementations do differ Work with your device vendor Pocket PC 2000 requires password.cpl Use this name for backward compatability

16 Power On Password Benefits: Finer control of password complexity Force password ON Generate access key (don’t store secrets!) Store protection – SQLCE / File System Filter Server Authentication / Authorization Destroy private data on password fail i.e. 5 strikes and out! Device State management Start applications / check install state

17 Power On Password

18 WiFi / GPRS IrDA Bluetooth Active Sync Other Perimeter Restrictions

19 General Principal: HKLM\Drivers\BuiltIn\ Controlling Removable Media Disable SD Card: HKLM\Drivers\Builtin\SDBusDriver Disable CF Card: HKLM\Drivers\BuiltIn\PCMCIA Restrict via File System Filter or 3 rd party tools Disable Bluetooth – OEM specific HKLM\Drivers\BuiltIn\ASIC5_BTUR (for XDA II) Disable IrDA HKLM\Comm\AFD\Stack – remove irdastk Active Sync Machine generated password Other Perimeter Restrictions

20 Locking Down the Device

21 Data Transmission Windows Mobile 2003 Certificate Store Enables many more device scenarios Using SLL (HTTPS) SSL 2.0 / 3.0, SGC PPP (RAS), 802.1x EAP, EAP-TLS, PEAP, LEAP support Virtual Private Network PPTP and L2TP/IPSec support

22 On Device Data Protection SQL CE Password protection per database (file store) 128 bit encryption of the store 3 rd party protected store applications Roll your own File System Filter Application based store security

23 Vodafone Media Trial Vision: Research for consumption of video media on mobile device. Provide mobile device with media on SD Card. Daily video’s displayed in sequence with questionnaire. Risk analysis highlighted data privacy. Video contents copyright, needed basic protection – DRM ideal solution! Windows Media Player solution required for timescales.

24 Solution Architecture MediaData MediaData File System Filter Device Unique Device ID

25 File System Filter Filter layer above file system Hooks all high level store access API’s CreateFile, ReadFile, WriteFile, CloseHandle FindFirstFile, FindNextFile Chained filter system via registry key HKLM\System\StorageManager\FATFS\filters\VodaFilter "Dll" = “VodaFilter.dll" Order = 0

26 File System Filter Solution

27 Application Store Protection CAPI Library capabilities Microsoft CSP supports: MD2, MD5, SHA, SHA1, MAC, HMAC, SSL3_SHAMD5, RC2, RC4, RSA_SIGN, RSA_KEYX Using Crypto Encrypting data CryptEncrypt(hKey,NULL,TRUE,0, Buffer, &BytesRead,MAX_BUFFER) Decrypting data CryptDecrypt(hKey,NULL, TRUE,0, Buffer, &BytesRead)

28 Other Considerations Reduce the attack surface of the device: Failed login? Remove sensitive data. Time-out data. Transferring secret data Never send as readable – use a secure channel Consider sending a token instead Keep the secret – use a callback Keeping track of date and time SNTP support only in Windows CE.NET Several Examples of SNTP code on the web.

29 Signature Smartphone Application Security Windows CE OS Application1 App. Loader OEM Security Layer Certificate Store Privileged Un- Privileged Device Security Policy Open Signed Req. Trusted Req.

30 Futures of Device Security

31 Futures Digital Rights Management Open Mobile Alliance (OMA) DRM Media Player 10 Hardware innovations Biometric solutions Smartcard Readers Compact Framework 2 Managed classes for Crypto access ‘Most secure’ Web Service authentication 1 tier security model for PPC

32 Get Tools & Resources: Windows Mobile Developer Portal More Support: Windows Mobile Solutions Partner Program Go To Market: Mobile2Market and Certification Technical Support:  Tools and SDKs with emulators  Technical articles and whitepapers  Developer community Marketing Support:  Monthly newsletters  Case studies Technical Support:  Exclusive expert columns  Early access to SDKs  Access to beta programs Marketing Support:  PR support  Ongoing promotions for devices Technical Support:  “Designed for Windows Mobile” certification testing  Free technical support incident Marketing Support:  “Designed for Windows Mobile” logo on packaging & promotions  Increased promotion to retailers and distribution partners Go to: http://www.microsoft.com/windowsmobile/developer http://www.microsoft.com/windowsmobile/developer http://www.microsoft.com/windowsmobile/developer Windows Mobile Developer Resources

33 Summary “Building secure software is now critical to protecting our future, and every software developer must learn how to integrate security into all projects” Windows Mobile 2003 provides a rich suite of tools to help secure you application.

34 Questions?

35 © 2004 Microsoft Corporation. All rights reserved. MICROSOFT CONFIDENTIAL. INTERNAL USE ONLY.

36 The slides for this event will be posted at: www.microsoft.com/uk/msdn/postevents

37 MSDN Connection Get personalised info and a customised RSS feed The programming language(s) you’re interested in The technology area(s) you’re interested in The information you want View news, technical resources, events, webcasts and community information Sign up for MSDN Connection at: http://www.microsoft.com/uk/msdn

38 Additional Information Post Events Site All information on past events, slide decks etc http://www.microsoft.com/uk/msdn/postevents The UK MSDN Site & Flash Local news, events, webcasts http://www.microsoft.com/uk/msdn Register to received the bi-weekly MSDN Flash by email http://www.microsoft.com/uk/msdn/flash.aspx Try Visual Studio http://www.microsoft.com/vstudio/tryit Take a look at the Express products http://msdn.microsoft.com/express GotDotNet and ASP.NET – lots of excellent resources http://www.gotdotnet.com http://www.asp.net

Download ppt "Securing Windows Mobile Applications Marcus Perryman"

Similar presentations

Innovation Towards a next generation secure internet Private Application Ecosystems Sanjay Deshpande CEO and Chief Innovation Officer Center.

Innovation Towards a next generation secure internet Private Application Ecosystems Sanjay Deshpande CEO and Chief Innovation Officer Center.
CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Remote Access Network Management Kelly Given Allison Traina.

Remote Access Network Management Kelly Given Allison Traina.
Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.

Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Top 10 Pocket PC Support Questions Marcus Perryman

Top 10 Pocket PC Support Questions Marcus Perryman
The slides for this event will be posted at: www.microsoft.com/uk/msdn/postevents.

The slides for this event will be posted at:
Smart Card Deployment David Gautrey IT Manager – Microsoft New Zealaand Microsoft Corporation.

Smart Card Deployment David Gautrey IT Manager – Microsoft New Zealaand Microsoft Corporation.
Rob Hwacinski Sr. Program Manager Lead Microsoft Corporation WEM206 Ashwin Kulkarni Sr. Product Manager Microsoft Corporation.

Rob Hwacinski Sr. Program Manager Lead Microsoft Corporation WEM206 Ashwin Kulkarni Sr. Product Manager Microsoft Corporation.
SP2 Mikael Nystrom. Agenda Översikt Installation.

SP2 Mikael Nystrom. Agenda Översikt Installation.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Windows 2003 and 802.1x Secure Wireless Deployments.

Windows 2003 and 802.1x Secure Wireless Deployments.
Security of Communication & IT systems Bucharest, 21 st September 2004 Stephen McGibbon Chief Technology Officer, Eastern Europe, Russia & CIS Senior Director,

Security of Communication & IT systems Bucharest, 21 st September 2004 Stephen McGibbon Chief Technology Officer, Eastern Europe, Russia & CIS Senior Director,
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
Security Directions - Release 6 and beyond SearchDomino.com Webcast Patricia Booth Security and Directory Product Management 9/25/02.

Security Directions - Release 6 and beyond SearchDomino.com Webcast Patricia Booth Security and Directory Product Management 9/25/02.

Similar presentations

Ads by Google