Windows Mobile Security Software Fails the Test
boebert_ms writes "Windows Mobile security software is insecure and buggy, according to a report from Airscanner. In a paper posted at msmobiles.com, roughly 20 different Windows Mobile programs (e.g. MS Money, Password Master 3.5, etc) were examined and found to have a wide range of issues from broken protection schemes to poor encryption algorithms, and more. The paper goes into some details about each program and their flaws and also provides some tips on how to protect your data."
Not MSFT Bashing (Score:5, Informative)
Re:Windows Mobile does have one good point... (Score:4, Informative)
Re:Windows Mobile does have one good point... (Score:2, Informative)
so this is good how?
Re:Obvious (Score:3, Informative)
Remote Keyboard should be encrypted regardless of whether there's a password prompt or not, using SSL. Theoretically there's no way for a man in the middle unless someone cracks the authority key, so you know if your keystrokes are appearing on the device and there hasn't been an invalid certificate error, then no one is listening.
The ActiveSync vulnerability is just terrible practice. Someone across the room could be sitting watching for the person to plug in their mobile device (not hard to imagine in an office environment) and then be the first to spawn a password prompt. Not sure how hard it'd be to implement something that then also sends the password to the device so it's not even noticed that the password has been stolen.
Re:tip #1 (Score:3, Informative)
PalmOS is antiquated. Hopefully the new "Access Limited Platform" or whatever they are calling it now revitalizes the PalmOS with something worthwhile (real multitasking and a navigable file system would be a start). But right now, while streamlined and easy to use, it is very limited in its functionality. I'm surprised you Linux fanboys aren't touting the 770 instead... it deserves a lot more credit than PalmOS.
Re:Obvious (Score:3, Informative)
If the FTP server implements MS' NTLM authentication, then the password can be at least obfuscated on the network rather than sent in clear text; I wonder if any of those FTP clients handle that. Similarly regarding the above assertion that "anyone who stole my phone would be able to log in to my account," don't be so sure. My PPC 6700 Windows Mobile phone implements a PIN scheme in the OS where after some period of non-use, the phone goes to a lock screen, and I have to type in my PIN to bring the Today screen up again. After some number of failures, the phone will erase its contents to protect the owner's privacy. (No, I do not use an external flash memory card.)
Re:That why Linux is pretty cool on embedded devic (Score:5, Informative)
Actually, what is pretty cool is that you can be modded +4, Insightful when you clearly haven't read the article (or even the summary, actually).
Hint: the article is not about security vulnerabilities in Windows Mobile, it's about security problems in the apps people run on it, with the apps using poor/no encryption, or leaking data/passwords into the registry, etc. Most of these apps are not written by MS (although the example of MS Money, and its 'pmoney' algorithm, is amusing, if a little familiar [zdnet.co.uk]).
Re:tip #1 (Score:5, Informative)
We keep hearing promises from PalmOne that they'll have a multitasking version of the OS out "soon", but it never seems to happen. I used a phone with a broken screen for almost a year, betting (wrongly) that Palm would have their solution out. They never did, and I went with the PPC6700 from Sprint (running Windows Mobile 5.0).
I'm not unhappy, but that's about all I can say about it. It's an adequate OS, but it has quirks. I'd probably sell it in a heartbeat if a Palm solution came out which met all my needs.
PEAP on WM 5.0 (Score:2, Informative)
Re:Windows Mobile does have one good point... (Score:3, Informative)