The slides for this event will be posted at: www.microsoft.com/uk/msdn/postevents.


1 The slides for this event will be posted at: www.microsoft.com/uk/msdn/postevents

2 Writing Secure Mobile Applications for Windows Mobile Pocket PCs and Smartphones
Marcus Perryman, marcpe@microsoft.com, http://Blogs.msdn.com/marcpe

3 “Building secure software is now critical to protecting our future, and every software developer must learn how to integrate security into all projects”
Writing Secure Code 2, Michael Howard and David LeBlanc

4 Agenda
The Security Story
Mobile device security
Practical use of security: perimeter security, data transmission, data storage
Futures
Summary

5 The Security Story
Secure code is designed to withstand malicious attack. Design to be secure, not a bolt-on.
Trustworthy Computing: “Helping ensure a safe and reliable computing experience that is both expected and taken for granted.”
Security: resilient to attack
Privacy: controlling data access
Reliability: dependable systems
Business Integrity: accountability

6 Enterprise Implications
Diagram: a tiered enterprise application (Data Source behind a Private IF, a Public IF and a Mobile IF) serving a Customer / User, a Call Centre Worker and Delivery. Each interface carries the same three requirements: Authorisation, Secure Data Transfer, Protection from attack. The mobile tier adds one more question: Loss of Device?

7 Security – General Approach
Security vs usability trade-off
Decide where to secure: target the most important areas; match security to risk
Risk analysis as part of system design: consider the areas most at risk / highest impact
Probability * Impact = Risk
List mitigations to reduce impact or probability
Track risk through the project (it changes!)
Threat Modelling: http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx

8 Risk Analysis

Threat | Prob | Imp | Risk
Unauthorised user steals or acquires device | Med | High |
Unauthorised user gains access to local data held on device | Med | High |
Unauthorised user gains access to network, via device | | |
Unauthorised user gains access to backend data/systems, via device | Med | High |
Trusted user uses device for unapproved purposes | Med | Low |
Trusted user exports data or synchronises with unapproved system | Low | High | Med
…

(Risk cells left blank where the slide gives no value.)

9 Device Security Layers
Diagram, top to bottom: Application1, Application2 (with SQL CE and the CAPI Libraries beside them); File System Filter; Password Protection / Data Encryption; OEM Security Layer (Device Specific Security); Windows CE OS with the Object Store; Perimeter Security around the whole stack.

10 Practical use of security

11 Device Security
Devices today are NOT secure by default
PCs today are improving (e.g. Windows Server 2003)
Where to put security?
Secure at the perimeter
Secure data storage
Data transmission privacy
Secure at the service level

12 Device Security (Cont…)
Advice:
Don’t make your own security algorithm!
Adjust security vs usability
Care when storing secrets
Don’t transmit secrets!
Sign code
Diagram: App 1, App 2 and App 3 on one device exchanging data via SendMessage, Socket, File and Memory.

13 UK Police Mobile Solution
Vision: put 100 officers back on the beat
Provide a mobile solution for office-based applications: Police National Computer (PNC) search, Name/Address search, Firearms register etc.
Risk analysis: data privacy; transferring confidential information over GPRS; storing confidential information on the mobile device.
Smart Client chosen for disconnected working
http://www.vnunet.com/news/1161980
http://www.microsoft.com/uk/press/content/presscentre/releases/2005/03/PR03410.asp

14 SmartBeat Application (n-tier SOA)
Solution Design diagram: User enters an RSA dial code on the Device (Input / Display Screen); the Device chooses a key and encrypts the data; a store-and-forward (S&F) request/response store sits between the Device and the Server, which is reached through a Firewall with RADIUS / RSA authentication; the Server holds the Key Data and the Data Source.

15 demo Police Solution

16 Power On Password
Replace the inbuilt password for Pocket PC:
    LPTSTR PromptForPasswd(HWND, BOOL)
    LONG CALLBACK CPlApplet(HWND, UINT, LONG, LONG)
Update the Registry:
    HKLM\controlpanel\password
    Redirect = \windows\password.cpl
Call the device password APIs:
    BOOL CheckPassword(PasswordText);
    BOOL SetPassword(OldPwd, NewPwd);
    SetPasswordActive(TRUE, PasswordText);
Challenges:
Device implementations do differ; work with your device vendor
Pocket PC 2000 requires password.cpl; use this name for backward compatibility

17 Power On Password
Benefits:
Finer control of password complexity
Force password ON
Generate access key (don’t store secrets!)
Store protection – SQL CE / File System Filter
Server authentication / authorization
Destroy private data on password fail, i.e. 5 strikes and out!
Device state management: start applications / check install state

18 demo Power On Password

19 Perimeter
WiFi / GPRS, IrDA, Bluetooth, ActiveSync, Other Perimeter Restrictions

20 Other Perimeter Restrictions
General principle: HKLM\Drivers\BuiltIn\
Controlling removable media:
    Disable SD card: HKLM\Drivers\Builtin\SDBusDriver
    Disable CF card: HKLM\Drivers\BuiltIn\PCMCIA
    Restrict via File System Filter or 3rd party tools
Disable Bluetooth – OEM specific, e.g. HKLM\Drivers\BuiltIn\ASIC5_BTUR (for XDA II)
Disable IrDA: HKLM\Comm\AFD\Stack – remove irdastk
ActiveSync: machine-generated password, http://blogs.msdn.com/marcpe/archive/2005/01/18/355158.aspx

21 demo Locking Down the Device

22 Data Transmission
Windows Mobile 2003 Certificate Store enables many more device scenarios
Using SSL (HTTPS): SSL 2.0 / 3.0, SGC
PPP (RAS), 802.1x: EAP, EAP-TLS, PEAP, LEAP support
Virtual Private Network: PPTP and L2TP/IPSec support

23 On Device Data Protection
SQL CE: password protection per database (file store); 128-bit encryption of the store
3rd party protected store applications
Roll your own: File System Filter; application-based store security

24 Vodafone Media Trial
Vision: research media use on a mobile device. Provide a mobile device with media on an SD card. Daily videos displayed in sequence with a questionnaire.
Risk analysis highlighted data privacy. Video contents are copyright and needed basic protection – DRM is the ideal solution! A Windows Media Player solution was required for timescales.

25 Solution Architecture
Diagram: Media Data on the card passes through a File System Filter on the Device, keyed to the Unique Device ID, before reaching the player.

26 File System Filter
Filter layer above the file system
Hooks all high-level store access APIs: CreateFile, ReadFile, WriteFile, CloseHandle, FindFirstFile, FindNextFile
Chained filter system via registry key:
    HKLM\System\StorageManager\FATFS\filters\VodaFilter
    "Dll" = "VodaFilter.dll"
    Order = 0

27 demo File System Filter Solution

28 Application Store Protection
CAPI Library capabilities
Microsoft CSP supports: MD2, MD5, SHA, SHA1, MAC, HMAC, SSL3_SHAMD5, RC2, RC4, RSA_SIGN, RSA_KEYX
Creating a key:
    CryptAcquireContext()
    CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash)
    CryptHashData(hHash, (BYTE *)data, (uint)Size, 0)
    CryptDeriveKey(hProv, CALG_RC2, hHash, CRYPT_EXPORTABLE, &hKey)

29 Application Store Protection
Encrypting data:
    CryptEncrypt(hKey, NULL, TRUE, 0, Buffer, &BytesRead, MAX_BUFFER)
Decrypting data:
    CryptDecrypt(hKey, NULL, TRUE, 0, Buffer, &BytesRead)
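Two of the deck's points fit together in one worked example: slide 17's "generate access key (don't store secrets!)" with "5 strikes and out", and slides 28/29's pattern of hashing the password data and deriving the store key from that hash. The block below is an added illustration, not code from the deck or from Windows Mobile: the CAPI calls are Windows-only, so hashlib stands in for them. derive_key_capi_style models the slide's unsalted MD5-then-derive step (simplified here to the leading bytes of the digest; an assumption, not the exact CryptDeriveKey algorithm) so its weakness is visible: the same password always yields the same key with no salt or work factor. derive_access_key is the hardened form (salted PBKDF2-HMAC-SHA256), and PowerOnPassword is a constructed class that persists only a salt and a verifier, re-derives the access key on every unlock, and wipes the protected store after the fifth failure. Class, method and sample names are all constructed.

```python
"""Access-key derivation and failed-attempt lockout for a device power-on password.

Added example; hashlib stands in for the Windows CAPI calls shown on the slides.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor (constructed value)
MAX_FAILURES = 5       # "5 strikes and out" from slide 17


def derive_key_capi_style(password: bytes, key_len: int = 16) -> bytes:
    """Model of the slide 28 pattern: hash the password data, use the hash as key.

    Simplification (assumption): key = leading bytes of MD5(password).
    No salt and no iteration count, so equal passwords give equal keys on every
    device and an attacker can precompute keys for common passwords.
    """
    return hashlib.md5(password).digest()[:key_len]


def derive_access_key(password: bytes, salt: bytes, key_len: int = 32) -> bytes:
    """Hardened derivation: per-device random salt plus a slow PBKDF2 stretch."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=key_len)


def make_verifier(key: bytes) -> bytes:
    """Value safe to persist: lets us check a candidate key without storing the key."""
    return hmac.new(key, b"power-on-password-verifier", hashlib.sha256).digest()


class PowerOnPassword:
    """Constructed stand-in for the device password layer of slides 16/17.

    Persists only `salt` and `verifier`; the access key exists only while the
    device is unlocked. `protected_data` stands in for the SQL CE / file store.
    """

    def __init__(self, password: bytes, protected_data: dict):
        self.salt = os.urandom(16)
        self.verifier = make_verifier(derive_access_key(password, self.salt))
        self.failures = 0
        self.protected_data = protected_data
        self.wiped = False

    def unlock(self, attempt: bytes):
        """Return the access key on success, None on failure or after a wipe."""
        if self.wiped:
            return None
        key = derive_access_key(attempt, self.salt)
        if hmac.compare_digest(make_verifier(key), self.verifier):
            self.failures = 0
            return key
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.wipe()
        return None

    def wipe(self):
        """Destroy private data on repeated password failure (slide 17)."""
        self.protected_data.clear()
        self.verifier = b""
        self.wiped = True


if __name__ == "__main__":
    # Constructed sample: a cached record that must not survive a brute-force attempt.
    device = PowerOnPassword(b"correct horse", {"pnc_cache": "constructed record"})
    print("unlock ok:", device.unlock(b"correct horse") is not None)
    for _ in range(MAX_FAILURES):
        device.unlock(b"guess")
    print("wiped after 5 failures:", device.wiped, device.protected_data)
```

The design point is that nothing persisted on the device (salt, verifier) is enough to recover the password or the store key; the key is regenerated from the user's input each time, which is what "don't store secrets" on slide 17 asks for. The MD5/RC2 choice on slide 28 reflects the CSP of the day; on the same CAPI the salted, iterated derivation is the form to prefer.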

30 Other Considerations
Reduce the attack surface of the device: failed login? Remove sensitive data. Time-out data.
Transferring secret data: never send as readable, use a secure channel; consider sending a token instead; keep the secret, use a callback.
Keeping track of date and time: SNTP support only in Windows CE .NET; several examples of SNTP code on the web.

31 Smartphone Application Security
Diagram: Application1 is loaded by the App. Loader, which checks its signature against the Certificate Store through the OEM Security Layer on the Windows CE OS. The Device Security Policy decides whether the application runs Privileged or Un-Privileged: Open, Signed Required, or Trusted Required.

32 Futures of Device Security

33 Futures
Hardware innovations: biometric solutions, smartcard readers
Managed classes for crypto access: Compact Framework V2
Open Mobile Alliance (OMA) DRM: ringtones, images, branding etc.
Windows Mobile V.Next: 1-tier code group security model for Pocket PC; provisioning for peripheral control (Bluetooth, IrDA etc.)

34 Questions?

35 Summary
“Building secure software is now critical to protecting our future, and every software developer must learn how to integrate security into all projects”
Windows Mobile 2003 provides a rich suite of tools to help secure your application.

36 MSDN Connection
Get personalised info and a customised RSS feed: the programming language(s) you’re interested in, the technology area(s) you’re interested in, the information you want
View news, technical resources, events, webcasts and community information
Sign up for MSDN Connection at: http://www.microsoft.com/uk/msdn

37 Additional Information
Post Events Site: all information on past events, slide decks etc. http://www.microsoft.com/uk/msdn/postevents
The UK MSDN Site & Flash: local news, events, webcasts http://www.microsoft.com/uk/msdn
Register to receive the bi-weekly MSDN Flash by email: http://www.microsoft.com/uk/msdn/flash.aspx
Try Visual Studio: http://www.microsoft.com/vstudio/tryit
Take a look at the Express products: http://msdn.microsoft.com/express
GotDotNet and ASP.NET – lots of excellent resources: http://www.gotdotnet.com http://www.asp.net

38 The slides for this event will be posted at: www.microsoft.com/uk/msdn/postevents

39 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
