Windows Mobile Security Software Fails the Test 106

boebert_ms writes "Windows Mobile security software is insecure and buggy, according to a report from Airscanner. In a paper posted at msmobiles.com, roughly 20 different Windows Mobile programs (e.g. MS Money, Password Master 3.5, etc.) were examined and found to have a wide range of issues from broken protection schemes to poor encryption algorithms, and more. The paper goes into some details about each program and its flaws and also provides some tips on how to protect your data."
This discussion has been archived. No new comments can be posted.

  • by EmbeddedJanitor ( 597831 ) on Monday August 14, 2006 @09:10PM (#15907505)
    WM is something that is cut down and written from scratch to be familiar to Windows desktop users. The code is not the same, and the security folk are not the same, so there is a whole new crop of security flaws etc.

    The Linux that runs on phones is the same code that runs on desktops, servers etc. This means that by looking at Linux for servers etc, those paranoid security people have also verified Linux for mobile.

    Of course you can still do dumb things with mobile Linux (e.g. running as root) and mobile-specific software can still give some vulnerabilities, but at least you have a half-decent start.

  • Obvious (Score:5, Insightful)

    by Geoffreyerffoeg ( 729040 ) on Monday August 14, 2006 @09:11PM (#15907514)
    This article is more or less obvious. A lot of programs for mobile devices aren't designed with security in mind. For some - like the handful of FTP clients listed - the password is insecure anyway, so it doesn't make sense to encrypt it. For many others, like the SSH client on my phone, even if you did encrypt the data, anyone who stole my phone would be able to log in to my account - after all, that's the point of saving the password.

    My device is relatively expensive and is a smartphone, so if anyone stole it I'd be far more worried about them receiving the monetary value of my device and unfettered access to my phone account than about my passwords (which I could change from a PC anyway). I have my university account password saved, but I use SSH and encrypted IMAP to access these services so there isn't any significant risk so long as I possess the device.

    People who use services like Remote Keyboard that don't ask for a login on the PC should expect that this service is unencrypted and unauthenticated. Similarly, people who use ActiveSync over the network should anticipate that if they haven't just plugged in their device, any password prompt must be spoofed.

    I can write a similar article about a "vulnerability" in Facebook: I received 5 e-mails yesterday asking me to confirm account creation. I've had an account for over a year now, so I knew these requests weren't legitimate. Had I clicked on the verification links, I would've surrendered to this attacker my Facebook identity (they'd've had a blank profile under my e-mail address), but I'm smart enough not to. Or perhaps someone can submit an "insecurity" in Firefox, that even with a master password, JavaScript from a plug-in can read my passwords through the DOM once I've accessed a site.
  • by Trevahaha ( 874501 ) on Monday August 14, 2006 @09:58PM (#15907701)
    Ummm, I didn't see anything in the article mention holes in the OS... just poor software design. You can create crap software on any platform. Why don't you take a read of that article before you come to your conclusion?
  • Re:Wrong target (Score:1, Insightful)

    by Anonymous Coward on Monday August 14, 2006 @11:07PM (#15907998)
    I can see what you are saying regarding the article, but I am reading some of these posts and I think that we miss the point to all of this. For me, I had been an average user that didn't know anything. Now, I am a power user that can run msconfig, jump in the registry and do all sorts of fun stuff. I credit papers like these for giving me information. That is how I became a power user. Airscanner seems to be a company that is dedicated to information and it would seem to me that we have an option to protect our devices. That option is one I appreciate whole-heartedly. I have read Mr. Fogie's co-authored book on Internet Security and find it one of the best teaching tools I have. Thank you Airscanner for educating this average user!
  • Re:Wrong target (Score:3, Insightful)

    by irc.goatse.cx troll ( 593289 ) on Tuesday August 15, 2006 @01:09AM (#15908326) Journal
    While mostly true, I'd say the low end of PC users is a lot further down than the low end of expensive PDA/cellphone users, so the "average" Windows Mobile user likely is a lot more intelligent than the "average" desktop user. Whether they have the time or desire to keep up on security is another issue entirely, of course.
  • by Anonymous Coward on Tuesday August 15, 2006 @01:30AM (#15908375)
    If I'm a clueless/lazy app developer and write an insecure "password storage" app on Linux and store the passwords in plain text or ROTn in a public place, I'm a stupid developer and it's not the OS's fault for my insecurity.

    If I write the same app on Windows or Windows Mobile, MS sucks.

    I'm going to do a whole lot more Windows development so I'm not responsible for my own laziness. :)

    Thanks!
  • by Anonymous MadCoe ( 613739 ) <maakiee@NoSpam.yahoo.com> on Tuesday August 15, 2006 @01:35AM (#15908385) Homepage
    For people who can't code they're quite successful doing it.
    I have seen a few people use their stuff (and being quite happy with it).

    They must do something right, and more than marketing, looking at all the repeat orders (and happy users actually).
