By Chris De Herrera
Securing the Pocket PC A Threat
De Herrera, Copyright 2004
Version 1.01 Revised 6/27/2004
This article explains the threats to securing the
Pocket PC or Windows Mobile 2003 (in this article I use the terms
interchangeably). It covers known threats that you should assess prior to
deploying Pocket PCs and provides some suggestions on how you can manage
them. I recommend that you use these concepts to create a risk assessment
checklist to help you manage the security risk of deploying Pocket PCs.
An example of a risk assessment of these issues that the United States Navy
uses for the Pocket PC is available at
It addresses machine by machine how the Pocket PC is being used and what
risk there is to the information it contains.
Overview of Pocket PC Security Threats
- Power on Password - Microsoft has implemented
a power on password. I recommend that you change the settings to ensure
it allows an alphanumeric password and enter a password that is at least 8
characters long. Of course, following common password procedures, like not
using a word that is found in a dictionary and including numbers, will
ensure your password cannot be easily guessed. At this point the Windows
Mobile operating system does not provide a power-on banner prior to
sign-on, so you cannot warn users not to attempt to access the system
without authorization. This may affect your ability to prosecute persons
that attempt to hack the system. You may find that entering a warning
banner in the Today screen, User Information, is an acceptable workaround.
- Memory Protection between Applications -
Microsoft has not implemented memory protection in the Windows Mobile
operating system. This means that any application can look at the memory
of another application. So if you are storing passwords in encrypted
format using a 3rd party program such as eWallet (http://www.iliumsoft.com/site/ew/ewallet.htm)
or CodeWallet Pro (http://www.developerone.com/codewalletpro/pocketpc.htm)
which must decrypt the passwords to display them, any application in the
system could read this sensitive data. Microsoft made the decision to not
implement memory protection between applications in the Windows Mobile
implementation even though the Windows CE operating system has supported
it since version 1.0. I highly recommend that companies review what
applications are allowed to be installed to minimize this risk.
- File System Encryption - The Windows Mobile
operating system does not support file system encryption. You will need
to check out 3rd party applications that support encryption of
the file system to prevent unauthorized access to the files stored in the
Pocket PC. Also, this includes the ability to encrypt data on storage
cards such as the Secure Digital card or using NTFS with encryption.
- Viruses - Microsoft does not include a virus
scanner. Currently the virus scanners look for desktop viruses on the
Pocket PC to prevent them from being spread. Applications such as
AirScanner, McAfee and Norton Antivirus are available to address this
- Keyboard Sniffers - With the addition of
different methods of input (using the SIP), a vendor could create a
program to capture all your keystrokes and the applications they were fed
into. So allowing a user to install an add-on SIP increases the risk of
this occurring. Calligrapher (http://www.phatware.com/calligrapher/index.html)
is an example of a SIP replacement that is safe. However, installing
applications like this that are not from a reputable vendor may allow them
to capture your keystrokes. Microsoft does not have a method in the
operating system to prevent keystroke capture from occurring.
- Internet Access - With direct connections
to the internet using Ethernet, Wi-Fi, GPRS/GSM or 1xRTT, in addition
to desktop passthrough, an application running on the PC can silently send
or receive data without your knowledge. There is no option to turn off
passthrough access or disable the ability to connect to the internet if
the user has the appropriate hardware.
- Internet Explorer - The Pocket PC can
silently install ActiveX controls that are specifically designed to run on
it when a user clicks on a link. There is a registry hack available to
prevent the installation of ActiveX controls in RegKing (www.pocketpcfaq.com/applications/regking.htm).
Also, if a user clicks on a .CAB file they can download and install an
application, so if you allow your users access to the internet, they can
add applications without ActiveSync or even a PC.
- Storing Passwords - By default the Windows
Mobile 2003 and Pocket PC operating systems allow users to choose to store
their username and password to access websites and network shares. I
recommend that you encourage users NOT to store any passwords on the
Pocket PC just in case it is lost or stolen.
- TCP/IP Services - The Pocket PC does not ship
with any TCP/IP based servers installed. It does act as a client to
servers using TCP/IP such as NetBIOS, HTTP, HTTPS, SMTP, POP3, IMAP4 and
LDAP. Also, ActiveSync uses PPP and special ports 990, 999, 5678, and
5679. So if you want to secure the Pocket PC you need to install a
firewall on it and this can prevent these services from being used by
- System logs - The Pocket PC does not
implement system logs to track what applications are used, when errors or
problems occur or what is synchronized or installed on the device.
- Program Installation - Programs can be
installed using ActiveSync, a .CAB file on a website or a memory card
inserted in the Pocket PC, or an executable program (.exe) copied to the
Pocket PC. Also, users can beam applications using the file transfer
function in Windows XP using Infrared to the Pocket PC without even having
ActiveSync installed on the PC. At this time, there is no built-in method
to prevent users from installing applications. Further, once an
application is installed it may not be displayed in Remove Programs.
So before deploying any Pocket PC, I recommend performing a hard reset
before synchronizing and installing any additional applications.
- Inability to control when applications execute -
The Pocket PC operating system includes the ability to run applications
on reset or power on. This ability could allow an application to run
silently in the background without being visible to the user, including in
the operating system's list of running applications. Right now
Microsoft does not offer a method for users to know all the applications
or processes running on their Pocket PC or how to stop them.
- HTML Page can prompt the user to dial a number
- On the Pocket PC 2002, Windows Mobile 2003 and the SmartPhone 2002 and
2003, if a website or locally stored HTML page contains a URL formatted
like <a href="tel:9005551212">call</a> and the user clicks on the link,
they are prompted with a "do you want to dial" box containing the number.
This could allow a 3rd party to cause the user to incur expensive charges
for phone numbers that are dialed using their cellular phone. At this time there is no
method of preventing the mobile device from prompting the user to dial the
number in the link. As a workaround I recommend that you advise
users of the risk this presents and document the company's recommendation
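As an added example (not part of the original article), the following Python code audits HTML content for the `tel:` links described in the last item above, such as pages a company publishes for its own devices. Treating area code 900 as premium-rate is an assumption taken from the article's sample number; the function names and the sample page are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote
import re

# Assumption: premium-rate numbers use area code 900, as in the article's sample link.
PREMIUM_PREFIXES = ("900",)

class TelLinkFinder(HTMLParser):
    """Collect the value of every tel: href found in <a> and <area> tags."""
    def __init__(self):
        super().__init__()
        self.numbers = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        for name, value in attrs:
            if name == "href" and value:
                # Percent-decode, then drop whitespace/control characters
                # so an obfuscated scheme or number is still recognised.
                href = re.sub(r"[\s\x00-\x1f]", "", unquote(value))
                if href.lower().startswith("tel:"):
                    self.numbers.append(href[4:])

def normalize(number):
    """Reduce a tel: value to digits; drop a leading country code 1."""
    digits = re.sub(r"\D", "", number.split(";")[0])  # ignore ;ext= parameters
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits

def audit_page(html):
    """Return a list of (digits, is_premium) for each tel: link in the page."""
    finder = TelLinkFinder()
    finder.feed(html)
    findings = []
    for raw in finder.numbers:
        digits = normalize(raw)
        premium = len(digits) == 10 and digits.startswith(PREMIUM_PREFIXES)
        findings.append((digits, premium))
    return findings

# Constructed sample page; the first link is the one quoted in the article.
SAMPLE = """
<a href="tel:9005551212">call</a>
<a href="TEL:+1-900-555-1212">support</a>
<a href="tel:2125550100">office</a>
<a href="http://example.com/">home</a>
"""

if __name__ == "__main__":
    for digits, premium in audit_page(SAMPLE):
        print(digits, "PREMIUM-RATE" if premium else "ok")
```
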
Every company that deals with critical information
should assess the risk with each machine based on the data that is stored on
it and the way it will be used. Further, since the Pocket PCs cannot be
locked down solid, I suggest that the company implement a security policy
for the use of the Pocket PC with ground rules to prevent its misuse.
Also, there are 3rd party applications that you may want to
consider since they allow an administrator to implement tighter security than
is available by default in the Pocket PC.