Windows Mobile Security Software Fails the Test

boebert_ms writes "Windows Mobile security software is insecure and buggy, according to a report from Airscanner. In a paper posted at msmobiles.com, roughly 20 different Windows Mobile programs (e.g. MS Money, Password Master 3.5, etc) were examined and found to have a wide range of issues from broken protection schemes to poor encryption algorithms, and more. The paper goes into some details about each program and their flaws and also provides some tips on how to protect your data."
  • Not MSFT Bashing (Score:5, Informative)

    by Jazzer_Techie ( 800432 ) on Monday August 14, 2006 @08:54PM (#15907441)
    Those who actually RTFA will find that most of the complaints have nothing to do with Microsoft or Windows Mobile itself. (The exceptions are MS Money and complaints about the lack of a Task Manager / msconfig / regedit etc.) The issue is that vendors are writing 'security' software (password managers, antivirus) using terrible methods. In analyzing these programs, they found passwords stored as plaintext, some ROT-N encrypted, and other very poor methods of 'securely' storing data. OS security matters, but in this case it wouldn't matter if you were running OpenBSD, assuming you had chosen to (and could) run these programs.
  • Right - it just hangs and doesn't do anything. And after poking at it for a while, soft-reset time.
  • by Anonymous Coward on Monday August 14, 2006 @09:06PM (#15907492)
    no, it just freezes up for no reason and requires a reset, without any indication of what's wrong. The reset requires removing the battery cover, which usually requires removing the case.

    so this is good how?
  • Re:Obvious (Score:3, Informative)

    by someone300 ( 891284 ) on Monday August 14, 2006 @09:42PM (#15907645)
    If my device was stolen, I'd be more worried about the immediate disclosure of my password, as it could be used to get my private key and someone could pretend they were me, or get into my home computer over ssh where they'd have access to my entire photo collection and data like my MSN details. The device should encrypt all sensitive data based on a password given at startup by default, and only keep the decrypted passwords in memory -- they should never touch the disk. I've not got one of these devices so I can't say if that happens or not, but the point is, that should happen. The master password should not be stored anywhere on the system, in a weakly encrypted form or not.

    Remote Keyboard should be encrypted regardless of whether there's a password prompt or not, using SSL. Theoretically there's no way for a man in the middle unless someone cracks the authority key, so you know if your keystrokes are appearing on the device and there hasn't been an invalid certificate error, then no one is listening.

    The ActiveSync vulnerability is just terrible practice. Someone across the room could be sitting watching for the person to plug in their mobile device (not hard to imagine in an office environment) and then be the first to spawn a password prompt. Not sure how hard it'd be to implement something that then also sends the password to the device so it's not even noticed that the password has been stolen.
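Added example, not from the Airscanner paper or any commenter: it contrasts the ROT-N password storage Jazzer_Techie describes with the scheme someone300 asks for, where the stored record carries only salt, nonce, ciphertext and tag and the master password itself never touches storage. Standard library only; the HMAC-SHA256 counter-mode keystream is an illustration of the idea (an app shipping this should use AES-GCM from a vetted library), and the iteration count and record layout are assumptions.

```python
"""Weak vs. sound storage of a saved password, as an added example.

Assumptions: PBKDF2-HMAC-SHA256 with 200,000 iterations for key derivation,
HMAC-SHA256 in counter mode as the keystream (illustrative; use AES-GCM in
production), and an encrypt-then-MAC record of salt, nonce, ciphertext, tag.
"""
import hashlib
import hmac
import os
import string
from typing import Dict, List, Optional, Tuple

# --- The weak approach criticised in the report: ROT-N on the stored secret ---
ALPHA = string.ascii_lowercase


def rot_n(text: str, n: int) -> str:
    """Caesar shift of ASCII letters; digits and punctuation pass through."""
    out = []
    for ch in text:
        if ch.islower():
            out.append(ALPHA[(ALPHA.index(ch) + n) % 26])
        elif ch.isupper():
            out.append(ALPHA[(ALPHA.index(ch.lower()) + n) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def recover_rot_n(stored: str) -> List[str]:
    """All 26 candidate plaintexts: whoever copies the file off the device
    simply tries every shift, so ROT-N is obfuscation, not encryption."""
    return [rot_n(stored, -n) for n in range(26)]


# --- The sound approach: key derived from the master password, master never stored
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, nonce || counter) blocks concatenated to `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def encrypt_entry(master_password: str, secret: str) -> Dict[str, bytes]:
    """Return the only material that is written to storage: salt, nonce, ct, tag.
    Neither the master password nor the derived keys appear in the record."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    pt = secret.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_entry(master_password: str, record: Dict[str, bytes]) -> Optional[str]:
    """Verify the tag first; a wrong master password or a tampered record yields
    None rather than garbage, and the plaintext exists only in memory."""
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    ks = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()


if __name__ == "__main__":
    # Constructed sample secret, not data from any real device.
    weak = rot_n("MySshPass1", 13)
    print("ROT-13 record:", weak, "-> recoverable:", "MySshPass1" in recover_rot_n(weak))
    rec = encrypt_entry("correct horse", "MySshPass1")
    print("right master:", decrypt_entry("correct horse", rec))
    print("wrong master:", decrypt_entry("wrong", rec))
```

The point of the second half is what is absent from `rec`: there is no field an attacker with a copy of the device's storage can read to recover the master password short of brute-forcing PBKDF2, and a wrong guess is rejected by the tag check before any plaintext is produced.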
  • Re:tip #1 (Score:3, Informative)

    by Anonymous Coward on Monday August 14, 2006 @09:50PM (#15907674)
    Great idea, I'll take a device with an OS that hasn't received a real update in 3 years.

    PalmOS is antiquated. Hopefully the new "Access Limited Platform" or whatever they are calling it now revitalizes the PalmOS with something worthwhile (real multitasking and a navigable file system would be a start). But right now, while streamlined and easy to use, it is very limited in its functionality. I'm surprised you Linux fanboys aren't touting the 770 instead... it deserves a lot more credit than PalmOS.
  • Re:Obvious (Score:3, Informative)

    by Helen O'Boyle ( 324127 ) on Monday August 14, 2006 @10:22PM (#15907833) Journal
    This article is more or less obvious. A lot of programs for mobile devices aren't designed with security in mind. For some - like the handful of FTP clients listed - the password is insecure anyway, so it doesn't make sense to encrypt it. For many others, like the SSH client on my phone, even if you did encrypt the data, anyone who stole my phone would be able to log in to my account - after all, that's the point of saving the password.

    If the FTP server implements MS' NTLM authentication, then the password can be at least obfuscated on the network rather than sent in clear text; I wonder if any of those FTP clients handle that. Similarly regarding the above assertion that "anyone who stole my phone would be able to log in to my account," don't be so sure. My PPC 6700 Windows Mobile phone implements a PIN scheme in the OS where after some period of non-use, the phone goes to a lock screen, and I have to type in my PIN to bring the Today screen up again. After some number of failures, the phone will erase its contents to protect the owner's privacy. (No, I do not use an external flash memory card.)

  • by Tim Browse ( 9263 ) on Monday August 14, 2006 @10:54PM (#15907964)

    Actually, what is pretty cool is that you can be modded +4, Insightful when you clearly haven't read the article (or even the summary, actually).

    Hint: the article is not about security vulnerabilities in Windows Mobile, it's about security problems in the apps people run on it, with the apps using poor/no encryption, or leaking data/passwords into the registry, etc. Most of these apps are not written by MS (although the example of MS Money, and its 'pmoney' algorithm is amusing, if a little familiar [zdnet.co.uk]).

  • Re:tip #1 (Score:5, Informative)

    by Sancho ( 17056 ) on Monday August 14, 2006 @11:51PM (#15908125) Homepage
    I chose Windows Mobile primarily for its ability to multitask. Specifically, I want to be able to maintain an SSH connection while I'm switching to another app to look something up. That is something that Palms cannot handle at this point.

    We keep hearing promises from PalmOne that they'll have a multitasking version of the OS out "soon", but it never seems to happen. I used a phone with a broken screen for almost a year, betting (wrongly) that Palm would have their solution out. They never did, and I went with the PPC6700 from Sprint (running Windows Mobile 5.0).

    I'm not unhappy, but that's about all I can say about it. It's an adequate OS, but it has quirks. I'd probably sell it in a heartbeat if a Palm solution came out which met all my needs.
  • PEAP on WM 5.0 (Score:2, Informative)

    by kickdown ( 824054 ) on Tuesday August 15, 2006 @05:11AM (#15908876)
    What I never really understood is why 802.1X connections on Windows Mobile 5 claim to require a client certificate. PEAP works fine without, and on XP the supplicant doesn't complain at all. WTF? If anyone knows how to convince the thing to do PEAP without client certs, I'd be happy!
  • by plumby ( 179557 ) on Tuesday August 15, 2006 @08:27AM (#15909378)
    I don't think my current one (Orange SPV600, that I've had for around 3 months) has crashed/frozen once yet. The SPV500 that I had for 18 months before that managed about 3-6 months between crashes and that's far better than most of my previous phones ever did (a Nokia, a Motorola and a Samsung one that not only froze about once per month, it was also so badly designed that it shorted on a metal chain that I had in my pocket melting a hole in my trousers).
