Windows Mobile Security Software Fails the Test 106

Posted by CowboyNeal
from the running-the-gauntlet dept.
boebert_ms writes "Windows Mobile security software is insecure and buggy, according to a report from Airscanner. In a paper posted at msmobiles.com, roughly 20 different Windows Mobile programs (e.g. MS Money, Password Master 3.5, etc) were examined and found to have a wide range of issues from broken protection schemes to poor encryption algorithms, and more. The paper goes into some details about each program and their flaws and also provides some tips on how to protect your data."
  • tip #1 (Score:5, Funny)

    by User 956 (568564) on Monday August 14, 2006 @08:33PM (#15907336) Homepage
    The paper goes into some details about each program and their flaws and also provides some tips on how to protect your data.

    Tip #1: Use a Palm OS device.
    • Yup. In choosing a Treo, does one choose a Palm one or a Windows one?

      Palm. Simple, fast, and no Windows viruses/security issues.
      • A virus on a handheld???? I never heard of such a thing. Who says Microsoft can't innovate.
      • Yup. In choosing a Treo, does one choose a Palm one or a Windows one? Considering you can ActiveSync your Palm Treos now and sync with Outlook, there's little reason not to go Palm. Of course I recommend BlackBerry the least of the three, being that Palm and Pocket Windows both have a plethora of software compared to BlackBerry.
        • Re:tip #1 (Score:5, Informative)

          by Sancho (17056) on Monday August 14, 2006 @11:51PM (#15908125) Homepage
          I chose Windows Mobile primarily for its ability to multitask. Specifically, I want to be able to maintain an SSH connection while I'm switching to another app to look something up. That is something that Palms cannot handle at this point.

          We keep hearing promises from PalmOne that they'll have a multitasking version of the OS out "soon", but it never seems to happen. I used a phone with a broken screen for almost a year, betting (wrongly) that Palm would have their solution out. They never did, and I went with the PPC6700 from Sprint (running Windows Mobile 5.0).

          I'm not unhappy, but that's about all I can say about it. It's an adequate OS, but it has quirks. I'd probably sell it in a heartbeat if a Palm solution came out which met all my needs.
          • No problem switching from PuTTY to other tasks such as my notes or a web browser and back on my Nokia 6680. Symbian I gather is based on PalmOS
            • I've never heard anything about Symbian being based on PalmOS. Even if it was, it's obviously got enough modifications to allow multitasking. Try that trick on a Treo 650 or 700p and see if you get the same results.
              • If I had one to hand I would. Don't often get them at work - the only new PDAs I seem to be rolling out are bucketloads of crackberries at the moment. I've been using the Nokia S60 Symbians for a couple of years now, and am currently using mine for satnav (TomTom 5), email (ProfiMail), Ogg Vorbis playing (OggPlay), web (NetFront), IRC (VirCA), SSH (PuTTY) and can play Doom on the train with it, a real Swiss army phone. I could never do that with my Windows PPC (Jornada 540), which I recently gave away to a c
              • You can switch between versamail and the "blazer" web browser without a hitch, so I'm not sure why the ssh client (best of breed that I could find) fails to do likewise, but then it also fails to provide a reasonable method of key entry as well, and fails to support multiple sessions to boot.

                Not having written the code, nor even having reviewed it, I can't tell you why. But it's free, so until I'm willing to do better, I live with it and I'm thankful to the author for his contribution.

                • You can switch between versamail and the "blazer" web browser without a hitch, so I'm not sure why the ssh client (best of breed that I could find) fails to do likewise, but then it also fails to provide a reasonable method of key entry as well, and fails to support multiple sessions to boot.

                  Well, considering that HTTP is [open connection], [download], [close], [read the web page] and SSH constantly has a TCP connection going, it makes perfect sense. Ditto for mail, which only opens the connection to check
          • Palm's "inability" to multi-task is vastly overstated. On my 650, I can switch applications and not lose network or telephone connectivity. In fact, I regularly copy things to and from memos from the Blazer browser, and the connection is always still active when I switch back. Of course, Blazer is coded so that it always does a page load on startup (configurable to your home page or the last page visited) which isn't really bandwidth friendly.

            The main issue with multitasking revolves around Palm's stated pr
        • Treos are badly merged chimeras. The Palm side brings down the phone side and vice versa. Too many bug-driven reboots. Windows ME is a tarpit of bloated complexity. Blackberries OTOH are extremely well designed and executed in every regard from what I've seen. Got ssh on the bb? VNC?

      • I've never heard of a windows mobile virus although they probably do exist. The nature of PDAs means that these viruses simply don't spread unless the user is stupid.

        I have heard of Symbian viruses that spread via unsecured Bluetooth, but feel free to keep bashing Microsoft's OS...

        Something people should realise: aside from some visual similarities and interoperability between MS Office and Windows Mobile, the OS has little in common with desktop Windows

    • WM is something that is cut down and written from scratch to be familiar to Windows desktop users. The code is not the same, and the security folk are not the same, so there is a whole new crop of security flaws etc.

      The Linux that runs on phones is the same code that runs on desktops, servers etc. This means that by looking at Linux for servers etc, those paranoid security people have also verified Linux for mobile.

      Of course you can still do dumb thing with mobile Linux (eg. running as root) and mobile-speci

      • by Tim Browse (9263) on Monday August 14, 2006 @10:54PM (#15907964)

        Actually, what is pretty cool is that you can be modded +4, Insightful when you clearly haven't read the article (or even the summary, actually).

        Hint: the article is not about security vulnerabilities in Windows Mobile, it's about security problems in the apps people run on it, with the apps using poor/no encryption, or leaking data/passwords into the registry, etc. Most of these apps are not written by MS (although the example of MS Money, and its 'pmoney' algorithm, is amusing, if a little familiar [zdnet.co.uk]).

        • My mistake - it was PocketMoney that used the dodgy encryption algorithm based on 'pmoney'. MS Money has its own lame encryption algorithm. There were so many personal finance apps with crap encryption that I mixed them up.

          Aside: even though I'm pretty cynical, I was surprised that the programs whose primary purpose is to encrypt/protect your personal data have such utterly lame/easily circumvented encryption methods. I know I shouldn't be surprised, but I was. (I could have sworn there was stuff like

    • Re:tip #1 (Score:3, Informative)

      by Anonymous Coward
      Great idea, I'll take a device with an OS that hasn't received a real update in 3 years.

      PalmOS is antiquated. Hopefully the new "Access Limited Platform" or whatever they are calling it now revitalizes the PalmOS with something worthwhile (real multitasking and a navigable file system would be a start). But right now, while streamlined and easy to use, it is very limited in its functionality. I'm surprised you Linux fanboys aren't touting the 770 instead... it deserves a lot more credit than PalmOS.
      • Antiquated is an understatement. It's like something from the C64 days. I'd read so many good things about the Palms over the years but when I finally used one I couldn't believe how backwards they were.
      • PalmOS 5 is called "Garnet" because of its gem-like, almost mathematical perfection. It doesn't need any major updates because it is already virtually perfect. The features it lacks are actually bugs, relative to the function of a PDA or cellphone. The ease of use of PalmOS is near the limit for its I/O and CPU facilities, unlike Windows, which has been declining for the past three years into a hopeless morass of filth and cruft. Now, when the I/O and CPU facilities change, PalmOS will be suboptimal,
    • Tip #1: Use a Palm OS device.

      I'm sure you realize that PalmOS devices store *ALL* of their data in cleartext, right? Marking those records private and protecting them with a password?

      Futile, just fetch the records directly (and pilot-link [pilot-link.org] is the de-facto tool for this) and open it in an editor, or run strings(1) across it to see everything in cleartext.

      There are applications, such as GNU/Keyring [sourceforge.net] and others [freewarepalm.com] that can help you secure your passwords, memos, data and whatever else you want on PalmOS devi

  • .... at least it doesn't blue screen like every other Micro$oft OS.
  • by scenestar (828656) on Monday August 14, 2006 @08:41PM (#15907371) Homepage Journal
    More details on this shocking discovery at Eleven. ....
    • In other related news, ACME Chairs Inc. has doubled its stock since the news of the said security flaw.
    • This is about the software. The fact that they don't even look at Palm's software products makes me think the publisher of the article has an axe to grind.

      Here's a hint, if I write an email program for you and store your password in plaintext, there's *NOTHING* Windows can do to stop me.

      The fact of the matter is that sadly, a huge amount of software has security flaws in it, which is why most of us real developers aren't so quick to whip out the "MS is the only software company that makes insecure software"
  • However, once you understand limitations, you can then plan your Windows Mobile rollout more carefully.
    You mean by cancelling your rollout and switching platforms?
  • Application Problems (Score:5, Interesting)

    by Trevahaha (874501) on Monday August 14, 2006 @08:43PM (#15907393)
    Sounds like they are application design problems, not platform problems. How is Palm OS any better? I'm seriously interested, is Palm OS immune to these issues?
    • Sounds like they are application design problems, not platform problems

      Sounds like Microsoft could take a cue from their O/S design. Seeing there is one day per month to fix major platform problems, maybe they could devote one day per year to releasing patches for this stuff -- maybe the 4th Tuesday in every third month containing 30 days.

      • Ummm I didn't see anything in the article mention holes in the OS.. just poor software design. You can create crap software on any platform. Why don't you take a read of that article before you come to your conclusion.
  • Palm is more secure? (Score:2, Interesting)

    by Gilatrout (694977)
    How is Palm more secure? Are we talking about the platform or the apps which run on it?
  • by perkr (626584) on Monday August 14, 2006 @08:51PM (#15907423)

    It would be interesting to see, along with each application and its security flaw(s), how many users they have. Some of these seem to be rather poor shareware that is probably as bad on a desktop as on a PDA.

    Still, an informative article, I've never really considered security at all on a PDA. Since they are nowadays wifi connected and used as password managers and for company email, obviously the concern should be greater.

  • What'd they do, strip down & re-interface Windows 98 ?
    • Why don't you google it and find out? WinCE has nothing to do with either the Win311/Win95/Win98/WinME or the NT/2K/XP OSes.
      • Why don't you google it and find out?

        Because half the results point to Slashdot or Slashdot users sites.
          • Boy... we need to learn how to use a search engine... Just searching for WinCE shows no results from /. If you want to restrict yourself to Microsoft, search for "http://www.google.com/search?hl=ru&client=safari& rls=ru-ru&q=WinCE+site%3Amicrosoft.com&btnG=?????& lr=" Done.
  • Not MSFT Bashing (Score:5, Informative)

    by Jazzer_Techie (800432) on Monday August 14, 2006 @08:54PM (#15907441)
    Those who actually RTFA will find that most of the complaints have nothing to do with Microsoft or Windows Mobile itself. (The exceptions are MS Money and complaints about the lack of a Task Manager / msconfig / regedit etc.) The issue is that vendors are writing 'security' software (password managers, antivirus) using terrible methods. In analyzing these programs, they found passwords stored as plaintext, some ROT-N encrypted, and other very poor methods of 'securely' storing data. OS security matters, but in this case it wouldn't matter if you were running OpenBSD, assuming you had chosen to (and could) run these programs.
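As an added illustration (not from the article, Airscanner, or any commenter): a small audit helper that classifies how an application has stored a credential on disk, flagging the plaintext and ROT-N cases the post above describes and leaving anything else as "opaque". The app names and stored values are constructed samples.

```python
"""Audit helper (added example): classify how a stored credential has been
'protected'. Mirrors the findings discussed in the thread: cleartext,
single-byte ROT-N obfuscation, or an opaque blob. All samples are constructed."""
import math


def is_printable_ascii(data: bytes) -> bool:
    """True if every byte is in the printable ASCII range 0x20..0x7e."""
    return len(data) > 0 and all(0x20 <= b <= 0x7E for b in data)


def rot_n(data: bytes, n: int) -> bytes:
    """Byte-wise ROT-N, the kind of 'encryption' the reviewers found in
    several password tools. Included only so the classifier can be exercised."""
    return bytes((b + n) % 256 for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; real ciphertext approaches 8 for long blobs."""
    if not data:
        return 0.0
    counts: dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def classify_stored_secret(blob: bytes) -> tuple[str, int]:
    """Return (verdict, shift).

    'plaintext' : the blob is already readable text (shift 0)
    'rot-n'     : undoing a single byte shift n makes it readable
    'opaque'    : neither, i.e. not trivially recoverable (shift -1)

    Caveat: a ROT-N of short text that stays inside the printable range is
    indistinguishable from plaintext. Either way the store is weak.
    """
    if is_printable_ascii(blob):
        return "plaintext", 0
    for n in range(1, 256):
        if is_printable_ascii(rot_n(blob, 256 - n)):  # undo a shift of n
            return "rot-n", n
    return "opaque", -1


def weak_stores(store: dict[str, bytes]) -> dict[str, str]:
    """Run the classifier over an app -> stored-value map and report only
    the entries a reviewer would flag (plaintext or ROT-N)."""
    findings = {}
    for app, blob in store.items():
        verdict, shift = classify_stored_secret(blob)
        if verdict == "plaintext":
            findings[app] = "stored in cleartext"
        elif verdict == "rot-n":
            findings[app] = f"ROT-{shift} obfuscation, recoverable in one pass"
    return findings


# Constructed sample store: three hypothetical apps, not real products.
SAMPLE_STORE = {
    "app-a": b"hunter2!~",              # cleartext
    "app-b": rot_n(b"hunter2!~", 13),   # ROT-13
    "app-c": bytes(range(0, 256, 8)),   # stand-in for real ciphertext
}

if __name__ == "__main__":
    for app, finding in weak_stores(SAMPLE_STORE).items():
        print(f"{app}: {finding}")
    print("entropy of app-c blob: %.2f bits/byte"
          % shannon_entropy(SAMPLE_STORE["app-c"]))
```

The entropy figure is reported rather than thresholded, because a short random blob cannot reach 8 bits/byte and a fixed cutoff would misclassify it.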
    • Those who actually RTFA ...

      All three of us thank you for pointing this out.
    • What everyone in this discussion has missed, as did the author of this stupid article, is that the biggest problem with security on the MS Mobile platform is that there's NO security protection on ActiveSync... i.e. you lose your PDA or someone steals it, the person possessing the device gets a USB cable, connects it to a computer with ActiveSync installed, bam! They then have full access to all the data on the PDA; by default there's no facility to password protect the device.

      Anyhow, after saying all that I often th
      • you lose your PDA or someone steals it, the person possessing the device gets a USB cable, connects it to a computer with ActiveSync installed, bam! They then have full access to all the data on the PDA; by default there's no facility to password protect the device.

        Completely wrong. Firstly, password protection is built in always, in all versions of Windows Mobile going back to WM2003. This results in a password screen on the device, and a prompt on the PC for ActiveSync. You just need to turn it on.

      • My HP Pocket PC comes with an encryption program that encrypts data files to protect the data in the case of a misplaced PDA. So I would say that Microsoft Mobile does come with arrangements to encrypt data.
  • Obvious (Score:5, Insightful)

    by Geoffreyerffoeg (729040) on Monday August 14, 2006 @09:11PM (#15907514)
    This article is more or less obvious. A lot of programs for mobile devices aren't designed with security in mind. For some - like the handful of FTP clients listed - the password is insecure anyway, so it doesn't make sense to encrypt it. For many others, like the SSH client on my phone, even if you did encrypt the data, anyone who stole my phone would be able to log in to my account - after all, that's the point of saving the password.

    My device is relatively expensive and is a smartphone, so if anyone stole it I'd be far more worried about them receiving the monetary value of my device and unfettered access to my phone account than about my passwords (which I could change from a PC anyway). I have my university account password saved, but I use SSH and encrypted IMAP to access these services so there isn't any significant risk so long as I possess the device.

    People who use services like Remote Keyboard that don't ask for a login on the PC should expect that this service is unencrypted and unauthenticated. Similarly, people who use ActiveSync over the network should anticipate that if they haven't just plugged in their device, any password prompt must be spoofed.

    I can write a similar article about a "vulnerability" in Facebook: I received 5 e-mails yesterday asking me to confirm account creation. I've had an account for over a year now, so I knew these requests weren't legitimate. Had I clicked on the verification links, I would've surrendered to this attacker my Facebook identity (they'd've had a blank profile under my e-mail address), but I'm smart enough not to. Or perhaps someone can submit an "insecurity" in Firefox, that even with a master password, JavaScript from a plug-in can read my passwords through the DOM once I've accessed a site.
    • Re:Obvious (Score:3, Informative)

      by someone300 (891284)
      If my device was stolen, I'd be more worried about the immediate disclosure of my password, as it could be used to get my private key and someone could pretend they were me, or get into my home computer over ssh where they'd have access to my entire photo collection and data like my MSN details. The device should encrypt all sensitive data based on a password given at startup by default, and only keep the decrypted passwords in memory -- they should never touch the disk. I've not got one of these devices s
      • If my device was stolen, I'd be more worried about the immediate disclosure of my password, as it could be used to get my private key and someone could pretend they were me, or get into my home computer over ssh where they'd have access to my entire photo collection and data like my MSN details.

        I personally feel the thief would be a lot more likely to sell it on the black market (perhaps after reformatting it so it's easier to fence [wikipedia.org] the phone). I doubt anyone who gets the phone would say "Hey, let me look a
          • Sure. If it's a randomly stolen item then it is pretty unlikely that anyone would use this data. The point I was trying to make was that the security on the system is bad (from what I have read). This makes the phone a nice weak point for targeted attacks; "I don't like my coworker/boss/network admin" sort of attacks.
    • Re:Obvious (Score:3, Informative)

      by Helen O'Boyle (324127)
      This article is more or less obvious. A lot of programs for mobile devices aren't designed with security in mind. For some - like the handful of FTP clients listed - the password is insecure anyway, so it doesn't make sense to encrypt it. For many others, like the SSH client on my phone, even if you did encrypt the data, anyone who stole my phone would be able to log in to my account - after all, that's the point of saving the password.

      If the FTP server implements MS' NTLM authentication, then the passwo

  • We all know that Microsoft's software is insecure and shouldn't be used. I think the /. editors post these stories to let frustrated network administrators vent.
    • Um, didn't read the article - right?
      Not Microsoft software. Software written for PDA, by third parties.
      Really you just like bagging out Microsoft - admit it.
  • "Insecurity is better than NO security!"
  • by swordgeek (112599)
    Honestly. Big Fucking Deal.

    Life is insecure. You build your own level of insecurity, and deal with it.
  • "insecure and buggy"? why is this news? news is supposed to be new
  • Oh Noes!! (Score:5, Funny)

    by wwiiol_toofless (991717) on Tuesday August 15, 2006 @12:10AM (#15908174)
    Here I was using unsecured wifi at Hong Kong international, you know the one by the shady young-looking guys milling around with stolen laptops? Anyhoo, I was working on an unprotected pocket excel document which I stored in my Shared files folder containing all the Soc. Security numbers of my company's employees while trying to connect to the bluetooth device of this stewardess I had taken a liking to when I happened upon this article. For shame, Microsoft, for shame.
  • by Anonymous Coward
    If I'm a clueless/lazy app developer and write an insecure "password storage" app on Linux and store the passwords in plain text or ROT-N in a public place, I'm a stupid developer and it's not the OS's fault for my insecurity.

    If I write the same app on Windows or Windows Mobile, MS sucks.

    I'm going to do a whole lot more Windows development so I'm not responsible for my own laziness. :)

    Thanks!
  • PEAP on WM 5.0 (Score:2, Informative)

    by kickdown (824054)
    What I never really understood is why 802.1X connections on Windows Mobile 5 claim to require a client certificate. PEAP works fine without, and on XP the supplicant doesn't complain at all. WTF? If anyone knows how to convince the thing to do PEAP without client certs, I'd be happy!
  • Recently, at work, I have had to switch from PalmOS to Pocket PC.

    From my experience, pocketpc just sucks. It is overloaded with useless features, it's slow and buggy, it's more complicated and less intuitive to use, and - of course - has the typical msft arm-twisting to buy msft only products.

    Small wonder msft is the 4th most popular mobile device OS.

    - I had no trouble syncing my palmos with linux, I don't think I can do that with pocketpc

    - with hotsync, you just put the PDA in a cradle, hit the button and y
    • Is that true? I've not used ActiveSync or Windows Mobile extensively; however, I do know that when you plug in a Mobile device ActiveSync lets you choose what you wish to sync (just like BlackBerry etc) and then off it goes. Every time you plug the same device in, it will only sync the selected data (and automatically!). Dunno where you got this stylus thing from?! (early version maybe?!)

      When my batteries run out nothing is lost (apps or data). It's all stored on the chip, however data being held in RAM is
    • In my experience ActiveSync syncs as soon as the device is plugged in. No stylus necessary. And AFAIK it always has. Sounds like you're using an application that doesn't support syncing.
      1. For Linux sync, check out the SynCE project [sourceforge.net]. It doesn't support WM5 (the latest Pocket PC OS) yet, but the experience you describe suggests you have an older version of the OS.
      2. ActiveSync is supposed to sync-on-connect. There must be some configuration error. You definitely should not need to "export" any data; at worst, you'd just have to start syncing manually.
      3. Older Pocket PCs, like older Palms, stored data in RAM. Newer (WM5) devices store data in ROM, and are therefore not susceptible to losing