Slashdot Mirror


Windows Mobile Security Software Fails the Test

boebert_ms writes "Windows Mobile security software is insecure and buggy, according to a report from Airscanner. In a paper posted at msmobiles.com, roughly 20 different Windows Mobile programs (e.g. MS Money, Password Master 3.5, etc) were examined and found to have a wide range of issues from broken protection schemes to poor encryption algorithms, and more. The paper goes into some details about each program and their flaws and also provides some tips on how to protect your data."

25 of 106 comments

  1. tip #1 by User+956 · · Score: 5, Funny

    The paper goes into some details about each program and their flaws and also provides some tips on how to protect your data.

    Tip #1: Use a Palm OS device.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:tip #1 by Anonymous Coward · · Score: 3, Informative

      Great idea, I'll take a device with an OS that hasn't received a real update in 3 years.

      PalmOS is antiquated. Hopefully the new "Access Limited Platform" or whatever they are calling it now revitalizes the PalmOS with something worthwhile (real multitasking and a navigable file system would be a start). But right now, while streamlined and easy to use, it is very limited in its functionality. I'm surprised you Linux fanboys aren't touting the 770 instead... it deserves a lot more credit than PalmOS.

    2. Re:tip #1 by Sancho · · Score: 4, Informative

      I chose Windows Mobile primarily for its ability to multitask. Specifically, I want to be able to maintain an SSH connection while I'm switching to another app to look something up. That is something that Palms cannot handle at this point.

      We keep hearing promises from PalmOne that they'll have a multitasking version of the OS out "soon", but it never seems to happen. I used a phone with a broken screen for almost a year, betting (wrongly) that Palm would have their solution out. They never did, and I went with the PPC6700 from Sprint (running Windows Mobile 5.0).

      I'm not unhappy, but that's about all I can say about it. It's an adequate OS, but it has quirks. I'd probably sell it in a heartbeat if a Palm solution came out which met all my needs.

  2. Security Flaw Found in MSFT Product by scenestar · · Score: 4, Funny

    More details on this shocking discovery at Eleven. ....

    --
    perpetually dwelling in the -1 pits
  3. Application Problems by Trevahaha · · Score: 5, Interesting

    Sounds like they are application design problems, not platform problems. How is Palm OS any better? I'm seriously interested: is Palm OS immune to these issues?

    1. Re:Application Problems by Trevahaha · · Score: 2, Insightful

      Ummm I didn't see anything in the article mention holes in the OS.. just poor software design. You can create crap software on any platform. Why don't you take a read of that article before you come to your conclusion.

  4. Palm is more secure? by Gilatrout · · Score: 2, Interesting

    How is Palm more secure? Are we talking about the platform or the apps which run on it?

  5. Shitty applications, but how common are they? by perkr · · Score: 4, Interesting

    It would be interesting to see, along with each application and its security flaw(s), how many users they have. Some of these seem to be rather poor shareware that is probably as bad on a desktop as on a PDA.

    Still, an informative article, I've never really considered security at all on a PDA. Since they are nowadays wifi connected and used as password managers and for company email, obviously the concern should be greater.

  6. Not MSFT Bashing by Jazzer_Techie · · Score: 5, Informative

    Those who actually RTFA will find that most of the complaints have nothing to do with Microsoft or Windows Mobile itself. (The exceptions are MS Money and complaints about the lack of a Task Manager / msconfig / regedit etc.) The issue is that vendors are writing 'security' software (password managers, antivirus) using terrible methods. In analyzing these programs, they found passwords stored as plaintext, some ROT-N encrypted, and other very poor methods of 'securely' storing data. OS security matters, but in this case it wouldn't matter if you were running OpenBSD, assuming you had chosen to (and could) run these programs.
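A concrete way to check the storage pattern this comment describes, added here as an example and not part of the post or of the Airscanner paper: set a known test password in the application under review, read back the value it wrote to a file or the registry, and test whether that value is a keyless transform of the password (verbatim, ROT-N, hex or base64). The sample store below is constructed; the application names and values are placeholders.

```python
"""Audit helper: classify how an application persisted a password that
the reviewer set themself. Added example; sample values are constructed."""
import base64
import binascii

# Constructed sample: the password typed into every app under test was "hunter2".
SAMPLE_STORE = {
    "app_a": "hunter2",            # written verbatim
    "app_b": "uhagre2",            # ROT-13 of the password
    "app_c": "aHVudGVyMg==",       # base64 of the password
    "app_d": "68756e74657232",     # hex of the password
    "app_e": "2d7c0a5e91b3f4c8",   # constructed value no keyless check matches
}


def rot_n(text: str, n: int) -> str:
    """Shift ASCII letters by n positions; leave digits and punctuation alone."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def classify_storage(known_password: str, stored: str) -> str:
    """Return which keyless transform maps the known password to the stored
    value, or 'unrecognized' if none of the checks here match."""
    if stored == known_password:
        return "plaintext"
    for n in range(1, 26):
        if rot_n(known_password, n) == stored:
            return f"rot{n}"
    try:
        if base64.b64decode(stored, validate=True).decode("utf-8") == known_password:
            return "base64"
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass
    try:
        if bytes.fromhex(stored).decode("utf-8") == known_password:
            return "hex"
    except (ValueError, UnicodeDecodeError):
        pass
    return "unrecognized"


def audit_store(known_password: str, store: dict) -> dict:
    """Classify every stored value; anything other than 'unrecognized' means
    the password is recoverable from storage without any secret at all."""
    return {name: classify_storage(known_password, value) for name, value in store.items()}


if __name__ == "__main__":
    for name, verdict in audit_store("hunter2", SAMPLE_STORE).items():
        print(f"{name}: {verdict}")
```

An "unrecognized" result is not a clean bill of health: a value produced with a fixed key embedded in the binary is equally recoverable by anyone with the program, so the next audit step is to check whether the transform depends on a user-supplied secret at all.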

  7. Re:Windows Mobile does have one good point... by stoolpigeon · · Score: 3, Informative

    Right - it just hangs and doesn't do anything. And after poking at it for a while, soft-reset time.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
  8. Re:Windows Mobile does have one good point... by Anonymous Coward · · Score: 2, Informative

    No, it just freezes up for no reason and requires a reset, without any indication of what's wrong. The reset requires removing the battery cover, which usually requires removing the case.

    So this is good how?

  9. That why Linux is pretty cool on embedded devices by EmbeddedJanitor · · Score: 2, Insightful

    WM is something that is cut down and written from scratch to be familiar to Windows desktop users. The code is not the same, and the security folk are not the same, so there is a whole new crop of security flaws etc.

    The Linux that runs on phones is the same code that runs on desktops, servers etc. This means that by looking at Linux for servers etc, those paranoid security people have also verified Linux for mobile.

    Of course you can still do dumb things with mobile Linux (eg. running as root) and mobile-specific software can still give some vulnerabilities, but at least you have a half-decent start.

    --
    Engineering is the art of compromise.
  10. Obvious by Geoffreyerffoeg · · Score: 4, Insightful

    This article is more or less obvious. A lot of programs for mobile devices aren't designed with security in mind. For some - like the handful of FTP clients listed - the password is insecure anyway, so it doesn't make sense to encrypt it. For many others, like the SSH client on my phone, even if you did encrypt the data, anyone who stole my phone would be able to log in to my account - after all, that's the point of saving the password.

    My device is relatively expensive and is a smartphone, so if anyone stole it I'd be far more worried about them receiving the monetary value of my device and unfettered access to my phone account than about my passwords (which I could change from a PC anyway). I have my university account password saved, but I use SSH and encrypted IMAP to access these services so there isn't any significant risk so long as I possess the device.

    People who use services like Remote Keyboard that don't ask for a login on the PC should expect that this service is unencrypted and unauthenticated. Similarly, people who use ActiveSync over the network should anticipate that if they haven't just plugged in their device, any password prompt must be spoofed.

    I can write a similar article about a "vulnerability" in Facebook: I received 5 e-mails yesterday asking me to confirm account creation. I've had an account for over a year now, so I knew these requests weren't legitimate. Had I clicked on the verification links, I would've surrendered to this attacker my Facebook identity (they'd've had a blank profile under my e-mail address), but I'm smart enough not to. Or perhaps someone can submit an "insecurity" in Firefox, that even with a master password, JavaScript from a plug-in can read my passwords through the DOM once I've accessed a site.

    1. Re:Obvious by someone300 · · Score: 2, Informative

      If my device was stolen, I'd be more worried about the immediate disclosure of my password, as it could be used to get my private key and someone could pretend they were me, or get into my home computer over ssh where they'd have access to my entire photo collection and data like my MSN details. The device should encrypt all sensitive data based on a password given at startup by default, and only keep the decrypted passwords in memory -- they should never touch the disk. I've not got one of these devices so I can't say if that happens or not, but the point is, that should happen. The master password should not be stored anywhere on the system, in a weakly encrypted form or not.

      Remote Keyboard should be encrypted regardless of whether there's a password prompt or not using SSL. Theoretically there's no way for a man in the middle unless someone cracks the authority key, so you know if your keystrokes are appearing on the device and there hasn't been an invalid certificate error, then no one is listening.

      The ActiveSync vulnerability is just terrible practise. Someone across the room could be sitting watching for the person to plug in their mobile device (not hard to imagine in an office environment) and then be the first to spawn a password prompt. Not sure how hard it'd be to implement something that then also sends the password to the device so it's not even noticed that the password has been stolen.
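The storage design someone300 argues for (the master password never persisted, only a random salt and a verifier on disk, the working key held in memory) can be sketched with Python's standard library. This is an added example, not code from the post or from any Windows Mobile product; the iteration count, the verifier label and the record layout are assumptions. Encrypting the vault entries themselves needs an authenticated cipher (e.g. AES-GCM from a third-party library), which the standard library lacks, so the block stops at handing the derived key to the caller.

```python
"""Added example: unlocking a credential vault with a master password that is
never written to storage. Persisted: salt, PBKDF2 iteration count, verifier."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000                    # assumed work factor; tune for the device
VERIFIER_LABEL = b"vault-verifier-v1"   # assumed constant, not a secret


def _derive(master_password: str, salt: bytes, iterations: int):
    # 64 bytes of PBKDF2-HMAC-SHA256 output, split into a key for the cipher
    # layer and a separate key used only to build/check the verifier.
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def create_record(master_password: str, salt: Optional[bytes] = None) -> dict:
    """Build the on-disk record at vault creation. It holds no copy of the
    password; the verifier lets unlock() detect a wrong password."""
    salt = salt if salt is not None else os.urandom(16)
    _enc_key, verify_key = _derive(master_password, salt, ITERATIONS)
    verifier = hmac.new(verify_key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(record: dict, master_password: str) -> Optional[bytes]:
    """Return the in-memory encryption key, or None if the password is wrong.
    The key is never persisted; the caller discards it when the vault locks."""
    enc_key, verify_key = _derive(master_password, record["salt"], record["iterations"])
    expected = hmac.new(verify_key, VERIFIER_LABEL, "sha256").digest()
    if not hmac.compare_digest(expected, record["verifier"]):
        return None
    return enc_key


def record_leaks_password(record: dict, master_password: str) -> bool:
    """Audit check: does any persisted field contain the password bytes?
    For this design the answer must be False."""
    pw = master_password.encode("utf-8")
    return any(isinstance(v, bytes) and pw in v for v in record.values())


if __name__ == "__main__":
    rec = create_record("correct horse battery")
    print("leaks password:", record_leaks_password(rec, "correct horse battery"))
    print("unlock ok:", unlock(rec, "correct horse battery") is not None)
    print("wrong password rejected:", unlock(rec, "wrong") is None)
```

The verifier is computed from a key that is separate from the encryption key, so a leaked record gives an attacker only a PBKDF2 target to guess against, at the chosen work factor; nothing on disk maps back to the password without that guessing.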

    2. Re:Obvious by Helen+O'Boyle · · Score: 2, Informative

      This article is more or less obvious. A lot of programs for mobile devices aren't designed with security in mind. For some - like the handful of FTP clients listed - the password is insecure anyway, so it doesn't make sense to encrypt it. For many others, like the SSH client on my phone, even if you did encrypt the data, anyone who stole my phone would be able to log in to my account - after all, that's the point of saving the password.

      If the FTP server implements MS' NTLM authentication, then the password can be at least obfuscated on the network rather than sent in clear text; I wonder if any of those FTP clients handle that. Similarly regarding the above assertion that "anyone who stole my phone would be able to log in to my account," don't be so sure. My PPC 6700 Windows Mobile phone implements a PIN scheme in the OS where after some period of non-use, the phone goes to a lock screen, and I have to type in my PIN to bring the Today screen up again. After some number of failures, the phone will erase its contents to protect the owner's privacy. (No, I do not use an external flash memory card.)

  11. Re:Windows Mobile does have one good point... by MyLongNickName · · Score: 3, Funny

    Yup. My Pocket PC hangs at least twice a year.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  12. Re:Windows Mobile does have one good point... by bblboy54 · · Score: 2, Funny

    Actually, I believe that the lack of a BSOD is a missing feature. It is internationally known that when your machine blue screens, you have no choice but to reboot. With my Windows Mobile device, it just stops... but every now and then gives me a glimmer of hope that it is still alive. As a result, the lack of a BSOD feature in my cell phone wastes hours of precious time per month.

  13. Microsoft's Motto by misterhypno · · Score: 2, Funny

    "Insecurity is better than NO security!"

  14. Re:That why Linux is pretty cool on embedded devic by Tim+Browse · · Score: 4, Informative

    Actually, what is pretty cool is that you can be modded +4, Insightful when you clearly haven't read the article (or even the summary, actually).

    Hint: the article is not about security vulnerabilities in Windows Mobile, it's about security problems in the apps people run on it, with the apps using poor/no encryption, or leaking data/passwords into the registry, etc. Most of these apps are not written by MS (although the example of MS Money, and its 'pmoney' algorithm, is amusing, if a little familiar).

  15. Re:Windows Mobile does have one good point... by Cola+Junkee · · Score: 2, Interesting

    Twice a year? You're lucky.

    In my case it is literally more than twice a day.

    But then, I am developing for the platform, which is IMHO the most awful development environment known to mankind. The "ActiveSync" product has received lots of flak at the MEDC2006 conference for being buggy. And, I can't for the life of me figure out why VS2005 won't give me a full stack trace when I pause the program while debugging (and yes, I have compiled with debug information on).

    It's amazing the garbage that people put up with to develop MS products.

    --
    f u cn rd ths, u r prbbly a lsy spllr.

  16. Oh Noes!! by wwiiol_toofless · · Score: 5, Funny

    Here I was using unsecured wifi at Hong Kong international, you know the one by the shady young-looking guys milling around with stolen laptops? Anyhoo, I was working on an unprotected pocket excel document which I stored in my Shared files folder containing all the Soc. Security numbers of my company's employees while trying to connect to the bluetooth device of this stewardess I had taken a liking to when I happened upon this article. For shame, Microsoft, for shame.

    --
    the mods may say you posted flamebait, but to me it's a flame that warms my heart. rock on, brother! --chebucto
  17. Re:Wrong target by irc.goatse.cx+troll · · Score: 2, Insightful

    While mostly true, I'd say the low end of pc users is a lot further down than the low end of expensive pda/cellphone users, so the "average" windows mobile user likely is a lot more intelligent than the "average" desktop user. Whether they have the time or desire to keep up on security is another issue entirely, of course.

    --
    Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management. -TheMaxx
  18. Re:Microsoft can't code by Anonymous+MadCoe · · Score: 2, Insightful

    For people who can't code they're quite successful doing it.
    I have seen a few people use their stuff (and being quite happy with it).

    They must do something right, and more than marketing, looking at all the repeat orders (and happy users actually).

  19. PEAP on WM 5.0 by kickdown · · Score: 2, Informative

    What I never really understood is why 802.1X connections on Windows Mobile 5 claim to require a client certificate. PEAP works fine without, and on XP the supplicant doesn't complain at all. WTF? If anyone knows how to convince the thing to do PEAP without client certs, I'd be happy!

    --
    Continuous positive slashdot karma since... uh, maybe next year.
  20. Re:Windows Mobile does have one good point... by plumby · · Score: 2, Informative

    I don't think my current one (Orange SPV600, that I've had for around 3 months) has crashed/frozen once yet. The SPV500 that I had for 18 months before that managed about 3-6 months between crashes, and that's far better than most of my previous phones ever did (a Nokia, a Motorola and a Samsung one that not only froze about once per month but was also so badly designed that it shorted on a metal chain that I had in my pocket, melting a hole in my trousers).