Windows Mobile Security Software Fails the Test

← Back to Stories (view on slashdot.org)

Windows Mobile Security Software Fails the Test

Posted by ryuzaki0 on Monday August 14, 2006 @12:32PM from the running-the-gauntlet dept.

boebert_ms writes "Windows Mobile security software is insecure and buggy, according to a report from Airscanner. In a paper posted at msmobiles.com, roughly 20 different Windows Mobile programs (e.g. MS Money, Password Master 3.5, etc) were examined and found to have a wide range of issues from broken protection schemes to poor encryption algorithms, and more. The paper goes into some details about each program and their flaws and also provides some tips on how to protect your data."

12 of 106 comments (clear)

Min score:

Reason:

Sort:

tip #1 by User+956 · 2006-08-14 12:33 · Score: 5, Funny

The paper goes into some details about each program and their flaws and also provides some tips on how to protect your data.

Tip #1: Use a Palm OS device.

--
The theory of relativity doesn't work right in Arkansas.
1. Re:tip #1 by Anonymous Coward · 2006-08-14 13:50 · Score: 3, Informative
  
  Great idea, I'll take a device with an OS that hasn't recieved a real update in 3 years.
  
  PalmOS is antiquated. Hopefully the new "Access Limited Platform" or whatever they are calling it now revitalizes the PalmOS with something worthwhile (Real multitasking and a navigable file system would be a start). But right now, while streamlined and easy to use, is very limited in its functionality. I'm supprised you Linux fanboys aren't touting the 770 instead...it deserves it a lot more credit than PalmOS.
2. Re:tip #1 by Sancho · 2006-08-14 15:51 · Score: 4, Informative
  
  I chose Windows Mobile primarily for its ability to multitask. Specifically, I want to be able to maintain an SSH connection while I'm switching to another app to look something up. That is something that Palms cannot handle at this point.
  
  We keep hearing promises from PalmOne that they'll have a multitasking version of the OS out "soon", but it never seems to happen. I used a phone with a broken screen for almost a year, betting (wrongly) that Palm would have their solution out. They never did, and I went with the PPC6700 from Sprint (running Windows Mobile 5.0).
  
  I'm not unhappy, but that's about all I can say about it. It's an adequate OS, but it has quirks. I'd probably sell it in a heartbeat if a Palm solution came out which met all my needs.
Security Flaw Found in MSFT Product by scenestar · 2006-08-14 12:41 · Score: 4, Funny

More details on this shocking discovery at Eleven. ....

--
perpetually dwelling in the -1 pits
Application Problems by Trevahaha · 2006-08-14 12:43 · Score: 5, Interesting

Sounds like they are application design problems, not platform problems. How is Palm OS any better? I'm seriously interested, does Palm OS immune to these issues?
Shitty applications, but how common are they? by perkr · 2006-08-14 12:51 · Score: 4, Interesting

It would be interesting to along with each application and its security flaw(s) see how many users they have. Some of these seem to be rather poor shareware that is probably as bad on a desktop as on a PDA.

Still, an informative article, I've never really considered security at all on a PDA. Since they are nowadays wifi connected and used as password managers and for company email, obviously the concern should be greater.
Not MSFT Bashing by Jazzer_Techie · 2006-08-14 12:54 · Score: 5, Informative

Those who actually RTFA will find that most of the complaints have nothing to do with Microsoft or Windows Mobile itself. (The exceptions are MS Money and complaints about the lack of a Task Manager / msconfig / regedit etc.) The issue is that vendors are writing 'security' software (password managers, antivirus) using terrible methods. In analyzing these programs, they found passwords stored as plaintext, some ROT-N encrypted, and other very poor methods of 'securely' storing data. OS security matters, but in this case it wouldn't matter if you were running OpenBSD, assuming you had chosen to (and could) run these programs.
Re:Windows Mobile does have one good point... by stoolpigeon · 2006-08-14 12:56 · Score: 3, Informative

Right - it just hangs and doesn't do anything. and after poking at it for a while, soft-reset time.

--
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Obvious by Geoffreyerffoeg · 2006-08-14 13:11 · Score: 4, Insightful

This article is more or less obvious. A lot of programs for mobile devices aren't designed with security in mind. For some - like the handful of FTP clients listed - the password is insecure anyway, so it doesn't make sense to encrypt it. For many others, like the SSH client on my phone, even if you did encrypt the data, anyone who stole my phone would be able to log in to my account - after all, that's the point of saving the password.

My device is relatively expensive and is a smartphone, so if anyone stole it I'd be far more worried about them receiving the monetary value of my device and unfettered access to my phone account than about my passwords (which I could change from a PC anyway). I have my university account password saved, but I use SSH and encrypted IMAP to access these services so there isn't any significant risk so long as I possess the device.

People who use services like Remote Keyboard that don't ask for a login on the PC should expect that this service is unencrypted and unauthenticated. Similarly, people who use ActiveSync over the network should anticipate that if they haven't just plugged in their device, any password prompt must be spoofed.

I can write a similar article about a "vulnerability" in Facebook: I received 5 e-mails yesterday asking me to confirm account creation. I've had an account for over a year now, so I knew these requests weren't legitimate. Had I clicked on the verification links, I would've surrendered to this attacker my Facebook identity (they'd've had a blank profile under my e-mail address), but I'm smart enough not to. Or perhaps someone can submit an "insecurity" in Firefox, that even with a master password, JavaScript from a plug-in can read my passwords through the DOM once I've accessed a site.
Re:Windows Mobile does have one good point... by MyLongNickName · 2006-08-14 13:27 · Score: 3, Funny

Yup. My Pocket PC hangs at least twice a year.

--
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Re:That why Linux is pretty cool on embedded devic by Tim+Browse · 2006-08-14 14:54 · Score: 4, Informative

Actually, what is pretty cool is that you can be modded +4, Insightful when you clearly haven't read the article (or even the summary, actually).
Hint: the article is not about security vulnerabilities in Windows Mobile, it's about security problems in the apps people run on it, with the apps using poor/no encryption, or leaking data/passwords into the registry, etc. Most of these apps are not written by MS (although the example of MS Money, and it's 'pmoney' algorithm is amusing, if a little familiar).
Oh Noes!! by wwiiol_toofless · 2006-08-14 16:10 · Score: 5, Funny

Here I was using unsecured wifi at Hong Kong international, you know the one by the shady young-looking guys milling around with stolen laptops? Anyhoo, I was working on an unprotected pocket excel document which I stored in my Shared files folder containing all the Soc. Security numbers of my company's employees while trying to connect to the bluetooth device of this stewardess I had taken a liking to when I happened upon this article. For shame, Microsoft, for shame.

--
the mods may say you posted flamebait, but to me it's a flame that warms my heart. rock on, brother! --chebucto