NAVmoble - the pocket-sized ERP
Optimized for Microsoft Dynamics NAV and Windows Mobile powered devices

Sunday, February 04, 2007

“How to” Series: Windows Mobile Security Configurations

I plugged a new Windows Mobile 5 device into my dev box and tried to deploy and debug a simple Compact Framework app. The device was an HTC P3600, obtained from a local mobile operator. However, VS2005 complained that it couldn't deploy the app because the device's security configuration does not permit debugging.

The message said: "Unable to start program…"

I just wanted to debug, but no luck!
In order to deal with such issues, one should check out the following resource:
Windows Mobile 5.0 Application Security

Assuming you are familiar with the concepts discussed in that resource, I will outline some of the possible options. First, we need the right tools to work with security configurations. There are some "low-level" tools, but I personally find the Security Configuration Manager Powertoy for Windows Mobile to be a very useful toy.


Cradle the device and start the Security Configuration Manager.
The right part of the screen displays the current device security configuration.
See the underlined labels? I'll explain the most important ones:

  • Configuration type shows the name of the standard security configuration loaded.
  • Security model shows whether the device supports trusted or normal execution mode. Only the Smartphone platform supports the two-tier security model. Pocket PC devices are one-tier, which means that apps always run in trusted mode on Pocket PC based devices.
  • Prompt indicates whether the user is prompted when an unsigned app is about to be launched.
  • Unsigned applications shows whether unsigned applications may be launched.

You may try the following scenarios in order to proceed with the day-to-day development normally:

  1. Scenario 1: Do not sign your app
    If unsigned applications are allowed to execute, you may deploy and debug without signing your app. However, depending on the security configuration, your app may run in normal mode (no access to specific APIs and resources). If the Prompt option is on, the device will show a confirmation message box every time your app is about to be launched, which can be very annoying.
  2. Scenario 2: Sign your app

    This is the recommended scenario if Unsigned applications are not allowed for execution.

    1. Try to install a development certificate on the device.
      Go to the Security Configuration Manager and click "Add Development Certificate" in the "Device" menu. If the operation fails, consider contacting the device vendor for a development certificate. Check the configuration type: is it Locked or Third-Party Signed?
    2. Sign your app with a development certificate
      Although you may sign your app with the Security Configuration Manager, that is not practical during the development phase. Use Visual Studio 2005 for that purpose: open the Devices tab in the Project Properties (right-click in Solution Explorer). See the "Signing an Application During Day-to-Day Development" topic in the Windows Mobile 5.0 Application Security article for details.

    3. Deploy and debug your signed app.

  3. Scenario 3: Turn off security
    This scenario is not recommended, because a commercial device is unlikely to ship with Security-Off. The development environment will be too different from the production one, and the app may behave unexpectedly. At the very least, test your app in a security configuration close to the production one before releasing.

    1. Provision the device with the Security-Off security configuration

      Select "Security-Off" from the dropdown list under "Selected Configuration" and click the "Provision" button. Wait until the device is provisioned with the new configuration.

    2. Deploy and Debug without signing your apps
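
The launch decision that the three configuration fields and the scenarios above describe can be written down as a small model. This is an added example, not code from the post or from Microsoft; the class and function names are hypothetical, the sample configurations are constructed, and it goes slightly beyond the post by distinguishing signed apps whose certificate sits in the device's privileged store from those in the unprivileged store, as the Windows Mobile 5.0 security model does.

```python
from dataclasses import dataclass
from enum import Enum


class Signature(Enum):
    UNSIGNED = "unsigned"          # no signature, or signer unknown to the device
    UNPRIVILEGED = "unprivileged"  # signer chains to the unprivileged store
    PRIVILEGED = "privileged"      # signer chains to the privileged store


@dataclass(frozen=True)
class SecurityConfig:
    two_tier: bool          # "Security model": True = two-tier, False = one-tier
    prompt: bool            # "Prompt": ask the user before running unsigned code
    unsigned_allowed: bool  # "Unsigned applications"


def launch_outcome(cfg, sig, user_accepts=True):
    """Return 'blocked', 'normal' or 'trusted' for one app launch."""
    if sig is Signature.UNSIGNED:
        if not cfg.unsigned_allowed:
            return "blocked"
        if cfg.prompt and not user_accepts:
            return "blocked"
        # One-tier devices have no normal mode: whatever runs, runs trusted.
        return "normal" if cfg.two_tier else "trusted"
    if sig is Signature.UNPRIVILEGED and cfg.two_tier:
        return "normal"
    return "trusted"


def needs_signing(cfg):
    """True when deploy/debug only works with a signed build (Scenario 2)."""
    return not cfg.unsigned_allowed


# Constructed sample configurations, named after their field values.
SAMPLES = {
    "two-tier, prompt": SecurityConfig(True, True, True),
    "one-tier, no prompt": SecurityConfig(False, False, True),
    "signed only, two-tier": SecurityConfig(True, False, False),
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        row = {s.value: launch_outcome(cfg, s) for s in Signature}
        print(f"{name:22} sign first: {needs_signing(cfg)!s:5} {row}")
```
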



Links:
Windows Mobile 5.0 Application Security
Windows Mobile 5.0 Security Model FAQ
Codesigning for Windows Mobile-based Smartphones and Pocket PCs
Security, Deployment, and Management

2 comments:

Tim B. said...

Thanks for such a nice explanation.

Trying to Provision any profile resulted in an error on my US-based T-Mobile Dash (HTC Excalibur, wm 6.0) so I had to resort to some 'desperate' methods (this link).

Garinda said...

Hi, my name is Garinda, I use WM6.0 device. My smartphone is Samsung C6625. I have a problem to install skyscape application into my WM6.0 smartphone. This application enable to be installed on WM5.0

I read your article about "“How to” Series: Windows Mobile Security Configurations". It helps me a lot and gave me brightness. I tried your advice. But, I still face the same problem. Do you have any advice or suggestion? Is there an application program that can install .cab file into WM6.0?

Kindly need your advice

dr_garinda@yahoo.com