General security observationsA first impression of the approach to and level of Pocket PC Security can be found in a paper from Microsoft on this issue. What immediately is very obvious is that this paper contains a huge number of links to third party solutions and applications. In that sense it still reflects the old approach to security by Microsoft, namely that although some hooks and APIs are present, default security is not really present in the device. Memory protection One surprising finding when considering the XDA is that all applications running on the device have pretty much full access to whatever you would want. Microsoft basically introduced two main levels of access: trusted and untrusted applications. To differentiate between the two a framework of checking digital signatures is present, but it is mainly down to the OEM to specify the function that determines the trust level. On the XDA there seems to be no such check. An example of a device that did implement such a check is the Smartphone from Orange. However, this check was later allowed to be removed to allow the necessary demand for applications on the device. Risks: • Programs can destroy a device. Connectivity One specific area of additional interest with regard to the Pocket PC/phone device, are the connectivity possibilities and associated risks. One of the higher risk fraud schemes to steal money is when an attacker can cause unwanted calls to high fee numbers. These schemes work because it only becomes clear after a whole billing period and it is very difficult for the victim to prove that it was unintentional. To counter the risk of such schemes, proper end-user control over what calls are made is essential. Currently such control is not present in the Pocket PC Phone edition. It is trivial to both start calls and GPRS connections without any user intervention. Risks: • A device can connect to remote hosts creating a backdoor into
a corporate network. Encryption Currently Pocket PC 2002 only contains basic functionality to support encryption, but does not provide any encryption for data storage. Also encryption for e-mail is not supported. SSL encryption is supported. Although typical use of a device leads to a high risk of loss or theft, apparently encryption was not considered a mandatory feature and was left to third party implementations. Risks: • All data can retrieved from a stolen device.
|