Chris De Herrera's Windows CE Website
Securing the Pocket PC – A Threat Assessment
By Chris De Herrera, Copyright 2004
Version 1.01, Revised 6/27/2004


This article explains the threats to securing the Pocket PC or Windows Mobile 2003 (in this article I use the two names interchangeably). It covers known threats that you should assess prior to deploying Pocket PCs and provides some suggestions on how you can manage them. I recommend that you use these concepts to create a risk assessment checklist to help you manage the security risk of deploying Pocket PCs. An example of a risk assessment of these issues that the United States Navy uses for the Pocket PC is available at http://www.nswc.navy.mil/ISSEC/Form/AccredForms/acc_part2_Pocket_pc.html. It addresses, machine by machine, how the Pocket PC is being used and what risk there is to the information it contains.

Overview of Pocket PC Security Threats

  1. Power-on Password - Microsoft has implemented a power-on password. I recommend that you change the settings so that it allows an alphanumeric password, and enter a password that is at least 8 characters long. Following common password practices, such as not using a word that is found in a dictionary and including numbers, will ensure that your password cannot be easily guessed. At this point the Windows Mobile operating system does not display a power-on banner prior to sign-on, so you cannot warn users not to attempt to access the system without authorization. This may affect your ability to prosecute persons who attempt to hack the system. You may find that entering a warning banner in the User Information of the Today screen is an acceptable workaround for this.
  2. Memory Protection between Applications - Microsoft has not implemented memory protection between applications in the Windows Mobile operating system. This means that any application can look at the memory of another application. So if you are storing passwords in encrypted form using a 3rd party program such as eWallet (http://www.iliumsoft.com/site/ew/ewallet.htm) or CodeWallet Pro (http://www.developerone.com/codewalletpro/pocketpc.htm), which must decrypt the passwords to display them, any application on the system could read this sensitive data. Microsoft decided not to implement memory protection between applications in the Windows Mobile implementation even though the Windows CE operating system has supported it since version 1.0. I highly recommend that companies review which applications are allowed to be installed in order to minimize this risk.
  3. File System Encryption - The Windows Mobile operating system does not support file system encryption. You will need to evaluate 3rd party applications that support encryption of the file system to prevent unauthorized access to the files stored on the Pocket PC. This also includes the ability to encrypt data on storage cards such as Secure Digital cards, or to use NTFS with encryption.
  4. Viruses - Microsoft does not include a virus scanner. Currently the available virus scanners look for desktop viruses on the Pocket PC to prevent them from being spread. Applications such as AirScanner, McAfee and Norton Antivirus are available to address this need.
  5. Keyboard Sniffers - With the addition of different methods of input (using the SIP), a vendor could create a program that captures all your keystrokes and the applications they were fed into. So allowing a user to install an add-on SIP increases the risk of this occurring. Calligrapher (http://www.phatware.com/calligrapher/index.html) is an example of a SIP replacement that is safe. However, installing applications like this from a vendor that is not reputable may allow them to capture your keystrokes. Microsoft does not provide a method in the operating system to prevent keystroke capture from occurring.
  6. Internet Access - With direct connections to the internet using Ethernet, Wi-Fi, GPRS/GSM or 1xRTT, in addition to desktop passthrough, an application running on the PC can silently send or receive data without your knowledge. There is no option to turn off passthrough access or to disable the ability to connect to the internet if the user has the appropriate hardware.
  7. Internet Explorer - The Pocket PC can silently install ActiveX controls that are specifically designed to run on it when a user clicks on a link. A registry hack to prevent the installation of ActiveX controls is available in RegKing (www.pocketpcfaq.com/applications/regking.htm). Also, if a user clicks on a .CAB file they can download and install an application, so if you allow your users access to the internet, they can add applications without ActiveSync or even a PC.
  8. Storing Passwords - By default, the Windows Mobile 2003 and Pocket PC operating systems allow users to choose to store their username and password for accessing websites and network shares. I recommend that you encourage users NOT to store any passwords on the Pocket PC, just in case it is lost or stolen.
  9. TCP/IP Services - The Pocket PC does not ship with any TCP/IP based servers installed. It does act as a client to servers using TCP/IP such as NetBIOS, HTTP, HTTPS, SMTP, POP3, IMAP4 and LDAP. Also, ActiveSync uses PPP and the special ports 990, 999, 5678 and 5679. So if you want to secure the Pocket PC you need to install a firewall on it, which can prevent these services from being used by programs.
  10. System Logs - The Pocket PC does not implement system logs to track which applications are used, when errors or problems occur, or what is synchronized with or installed on the device.
  11. Program Installation - Programs can be installed using ActiveSync, a .CAB file on a website or on a memory card inserted in the Pocket PC, or an executable program (.exe) copied to the Pocket PC. Users can also beam applications to the Pocket PC over Infrared using the file transfer function in Windows XP, without even having ActiveSync installed on the PC. At this time there is no built-in method to prevent users from installing applications. Further, once an application is installed it may not be displayed in Remove Programs. So before deploying any Pocket PC, I recommend performing a hard reset before synchronizing and installing any additional applications.
  12. Inability to Control When Applications Execute - The Pocket PC operating system includes the ability to run applications on reset or power-on. This ability could allow an application to run silently in the background without being visible to the user, even in the operating system's list of running applications. Right now Microsoft does not offer a method for users to know all the applications or processes running on their Pocket PC or how to stop them.
  13. HTML Page Can Prompt the User to Dial a Number - On the Pocket PC 2002, Windows Mobile 2003 and the Smartphone 2002 and 2003, if a website or locally stored HTML page contains a URL formatted like <a href="tel:9005551212">call</a> and the user clicks on the link, they are prompted with a "do you want to dial" box containing the number. This could allow a 3rd party to incur expensive charges for phone numbers that are dialed using the user's cellular phone. At this time there is no method of preventing the mobile device from prompting the user to dial the number in the link. As a workaround I recommend that you advise users of the risk this presents and document the company's recommendation in policy.
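Items 7 and 13 both describe content a Pocket PC will act on from a single tap (a tel: link, a .CAB installer link, or an ActiveX object). Since the device itself offers no way to block them, one defensive option is to audit HTML before it reaches the device, for example in a content filter or when reviewing pages pushed to users. The following is an added example, not code from the article; the sample page is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page, not taken from the article: one ordinary link, a tel: link
# as in item 13, a .CAB installer link as in item 7, and an ActiveX <object> tag.
SAMPLE_HTML = """
<html><body>
<a href="http://example.com/news.html">news</a>
<a href="tel:9005551212">call</a>
<a href="HTTP://example.com/setup.CAB">install</a>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://example.com/ctl.cab"></object>
</body></html>
"""


class PocketPcContentAudit(HTMLParser):
    """Collects (kind, value) findings for markup the device would act on with one tap."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names; values may be None for bare attributes.
        a = {name: (value or "") for name, value in attrs}
        if tag == "a" and "href" in a:
            href = a["href"].strip()
            parts = urlsplit(href)
            if parts.scheme.lower() == "tel":
                self.findings.append(("dial-prompt", href))      # item 13
            elif parts.path.lower().endswith(".cab"):
                self.findings.append(("cab-install", href))      # item 7
        elif tag == "object":
            # Any <object> is reported; classid identifies the control, codebase its source.
            self.findings.append(("activex-object", a.get("classid") or a.get("codebase", "")))


def audit_html(html):
    """Parse a page and return the list of findings (empty list means nothing flagged)."""
    parser = PocketPcContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, value in audit_html(SAMPLE_HTML):
        print(f"{kind}: {value}")
```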

Every company that deals with critical information should assess the risk of each machine based on the data that is stored on it and the way it will be used. Further, since the Pocket PC cannot be fully locked down, I suggest that the company implement a security policy for the use of the Pocket PC with ground rules to prevent its misuse. Also, there are 3rd party applications that you may want to consider, since they allow an administrator to implement tighter security than is available by default on the Pocket PC.
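The per-machine assessment recommended above, and the password rules from item 1 (at least 8 characters, letters and digits, not a dictionary word), can be written down as a small checklist script. This is an added example, not from the article or the Navy form it cites; the inventory records and the word list are constructed and stand in for a real device inventory and a full dictionary.

```python
import re

# Constructed stand-in for a dictionary; the article only says "not a word found in a
# dictionary", so a real deployment would load a full word list here.
DICTIONARY = {"password", "summer", "welcome", "pocket", "windows"}


def check_power_on_password(pw):
    """Item 1: at least 8 characters, a mix of letters and digits, not a dictionary word.
    Returns the list of violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", pw) or not re.search(r"\d", pw):
        problems.append("not a mix of letters and digits")
    # A dictionary word padded with digits (summer2004) is still easily guessed.
    core = re.sub(r"^\d+|\d+$", "", pw).lower()
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def assess_device(record):
    """Apply items 1, 3 and 8 to one inventory record (a dict with the keys used below)."""
    findings = []
    pw = record.get("power_on_password")
    if pw is None:
        findings.append("item 1: no power-on password set")
    else:
        findings += ["item 1: password " + p for p in check_power_on_password(pw)]
    if record.get("critical_data") and not record.get("file_encryption"):
        findings.append("item 3: critical data stored without 3rd party file encryption")
    if record.get("stores_web_passwords"):
        findings.append("item 8: website or network share passwords saved on the device")
    return findings


# Constructed inventory entries, not real devices.
INVENTORY = [
    {"name": "sales-01", "power_on_password": "summer2004", "critical_data": True,
     "file_encryption": False, "stores_web_passwords": True},
    {"name": "eng-07", "power_on_password": "t7Rq9vLm2", "critical_data": True,
     "file_encryption": True, "stores_web_passwords": False},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(rec["name"], assess_device(rec) or ["no findings"])
```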
