Windows Mobile, Johan Huss (jhuss@microsoft.com), Mobility Day, May 27

Upload: vivian-patterson

Post on 17-Jan-2016


Page 1: Start Windows Mobile Johan Huss jhuss@microsoft.com Mobility Day, May 27 PhoneContacts

Start

Windows Mobile

Johan Huss, jhuss@microsoft.com

Mobility Day, May 27

Phone Contacts

Page 2

Agenda

Overview of Windows Mobile

What’s new in Windows Mobile 5.0

Application Security on Windows Mobile

Page 3

Windows Mobile Device Categories

Dedicated for media
Highly optimized user interface
Non touch, dedicated button navigation
Video out capability

PDAs and converged devices
Messaging devices
Touch screen
QWERTY keyboards
Vertical, LOB applications
Platform extensibility

Great phone first
Keypad and joystick input
Optimized for one handed navigation
Platform extensibility

Page 4

Windows Mobile & WinCE

[Diagram: Smartphone, Pocket PC, Portable Media Center; Common Elements (e.g. Cellcore, WMP); Windows CE Operating System]

Page 5

Platform Creation Model

[Figure: phases SPEC, CODE, DEBUG, STABILIZE, SUSTAIN; axes CHANGE and TIME; labels: Project start, Adaptation Kit release, Oz 2002, SP/PPC 2002, OzUp, OORT, Magneto, MDD Core Development Team, AKU Releases]

Page 6

Windows Mobile Releases

Timeline: 2000, 2001, 2002, 2003, 2004, 2005

PocketPC 2000

PocketPC 2002 “Merlin”

Smartphone 2002 “Stinger”

Windows Mobile 2003 “Ozone”

Windows Mobile 2003 2nd Edition “OzUp”

Windows Mobile 5.0 “Magneto”

.netcf included

PocketPC 2002 Phone Edition “Merlin Phone”

Page 7

What’s on the device?

[Diagram labels: MS, OEM, ISV, ISV, ISV]

Microsoft:
Platform releases
AK & AKUs
Same for all manufacturers

OEM/ODM:
Platform integration
Drivers and device specific features

ISV:
Can ship applications in ROM, usually via OEM/ODM.
E.g. MMS Client

Page 8

Windows Mobile 5.0 Device Trends

More Messaging Devices:
Optimized for e-mail
10+ QWERTY
1+ Smartphone
CDMA\1xrtt & GSM\GPRS

Faster Phones:
Edge in CY05: 17+ devices, 7 Smartphones
UMTS/EVDO in CY05: 12+ devices, 7 Smartphones

Targeted Devices:
4 devices with hard drives
Integrated GPS
Media Centric
Smartphone with WiFi

Page 9

Windows Mobile 5.0 Development Platform

New In ROM:
.NET CF 1.0 SP3
Windows Media 10 OCX
MFC 3.0/ATL 4.0
Managed Telephony
State and Notification Broker
Managed Outlook Mobile
DirectShow (raw camera access)
Managed Messaging (SMS, Mail)
Direct 3D Mobile
Managed Config Mgr
Direct Draw
GPS API
Picture Picker
Get Device ID (unpriv)
Contact Picker
Query Policy

Install:
.NET CF 2.0
SQL Mobile 2005
MFC 8.0/ATL 8.0

Page 10

Developer Platform Notes

Pocket PC soft keys:
Smartphone-like hardware navigation for app menus
Create a 2 button menu
Not compulsory, >2 button menu gets existing menu bar

Orientation and landscape support:
Windows Mobile 5.0 apps (CESubsystem=5.0) must be orientation and resolution aware
Pre-Windows Mobile 5.0 apps still get pixel doubling and scroll bars

New font:
Windows Mobile 5.0 uses Segoe rather than Nina/Tahoma
Segoe slightly smaller in height and width

Page 11

Development Tools for Windows Mobile 5.0

Visual Studio 2005 is the single development tool for Magneto development

Supports build, deploy, debug across .NET CF 1.0, 2.0 and native code for 2003 devices upward

Integrates device development completely into the Visual Studio development environment:
Managed and native development in one place
Intellisense
Remote Tools

eVC3, eVC4 and VS .NET 2003:
Apps still run
Cannot debug or deploy direct to Magneto

Page 12

New features of Visual Studio 2005

True ARM emulator with higher fidelity experience:
Same executable/CAB for device and emulator
Realistic device performance
Direct3D and GAPI support

New debugger:
Brand new architecture rewritten from line 0
Optimized for USB 2.0 performance

New designers:
Improved UI designers (docking and anchoring)
Data designers (drag, drop and bind SQL to forms)
Improved CAB designer support (new project type)

Page 13

What’s new in 5.0?

Page 14

Major Platform Updates

Performance and Stability:
Windows CE 5.0
Persistent Storage
New “Image Update” updating flexibility
pWatson support for radio data during trials

Device Innovation:
New Softkeys and improved keyboard support
New flexibility in the phone application for branding and functionality
Landscape and keyboard support for Smartphone*
Including keyboard navigation improvements for both platforms
Native Wi-Fi support for Smartphone
Extended storage and USB 2.0 support
Improved secondary display support
Native SDIO support
Bluetooth keyboard driver

Security:
Full Security Review (FSR)
FIPS 140-2 certification

Operator:
Multiple APN support
Simultaneous connections over RAS/PPP radio interface
OMA Device Management support – provision settings & certs

Page 15

Application Security

Page 16

Windows Mobile Security Model

Execution Security:
Applies to code execution
Control whose apps can run on the device
Control what those apps can do

Device Management Security:
Applies to device configuration, e.g. installing applications, changing security settings, OTA provisioning…
Control who can access which device settings at what level

Remote Access Security:
RAPI (Remote API) access via ActiveSync connection
Control what connected desktop applications can do on the device

Page 17

Security Services

Security Roles

Security Policies

Digital Certificates

Page 18

What are the fundamentals?

Roles:
Have certain privileges like ACL
Users, Applications and Messages get one or more roles assigned

Policies:
Sets level of security for Applications and OTA provisioning messages
Controls Port of Entry

Certificates:
Provides means of authentication for Applications and Packages

Page 19

Code Groups

What can an app do?
Two-tier: {Trusted, Prompt/Normal, Run/Normal, Blocked}
One-tier: {Trusted, Prompt/Trusted, Blocked}

Trusted: Access to all registries, APIs, hardware interfaces

Normal: Exists only on two-tier devices
Some APIs restricted, parts of Registry are read-only
>95% of device accessible, adequate for almost all apps
Intended as a way to improve reliability of apps, not a primary defense against damage from malicious code

Blocked: Code cannot run

Page 20

WM Security Model Availability

Smartphone PocketPC

PocketPC Phone

One-tier Access NEW

Two-tier Access

Installation NEW

Revocation NEW

Security Roles in Device Management

Prompt for unsigned applications

NEW

Default Policy ’03: Prompt ’05: Prompt

’03: Security OFF ’05: Prompt

Page 21

Architecture

[Diagram components: UNPRIV Exec. Trust Authorities; PRIV Exec. Trust Authorities; CE kernel; .net CF; .net exe, dll; Security Policy; Policy Engine; Evidence Generator; CAPI; ID]

Decision: 0: Block, 1: Run Normal, 2: Run Trusted

Page 22

Code Identity

Who is responsible for this app?
X509 Certificate for Code signing
Certificate represents the ISV, publisher
Signing attaches the Code ID to executable

Built-in Code IDs:

Unsigned:
Can be allowed to run, with or without prompt
No recognized signature

Bad Signature:
Signature/file is corrupted, or certificate misused
Hardcoded policy: Always blocked

Revoked:
Blacklisted App, Code ID Certificate, or CA Certificate
Hardcoded policy: Always blocked
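Added example (not from the original slides): the Code Groups, Architecture and Code Identity slides combined into one decision function that returns the 0/1/2 decision values. The enum, struct and function names are hypothetical, and treating code signed against an UNPRIV trust authority as Trusted on a one-tier device is an assumption drawn from the statement that Normal exists only on two-tier devices.

```c
#include <stdbool.h>

/* Decision values as listed on the Architecture slide. */
enum decision { DECISION_BLOCK = 0, DECISION_RUN_NORMAL = 1, DECISION_RUN_TRUSTED = 2 };

/* Code identity after signature checking (enum names are hypothetical). */
enum code_id {
    ID_SIGNED_PRIV,   /* chains to a PRIV execution trust authority */
    ID_SIGNED_UNPRIV, /* chains to an UNPRIV execution trust authority */
    ID_UNSIGNED,      /* no recognized signature */
    ID_BAD_SIGNATURE, /* signature/file corrupted, or certificate misused */
    ID_REVOKED        /* app, code ID certificate or CA certificate blacklisted */
};

/* What the device policy says about unsigned code (hypothetical names). */
enum unsigned_policy { UNSIGNED_BLOCK, UNSIGNED_PROMPT, UNSIGNED_RUN };

struct device_policy {
    bool two_tier;                      /* false means a one-tier device */
    enum unsigned_policy unsigned_apps;
};

/* user_accepts matters only when unsigned code triggers a prompt. */
enum decision decide(const struct device_policy *p, enum code_id id, bool user_accepts)
{
    /* Normal exists only on two-tier devices; on one-tier, code that runs is Trusted. */
    enum decision lower = p->two_tier ? DECISION_RUN_NORMAL : DECISION_RUN_TRUSTED;

    switch (id) {
    case ID_BAD_SIGNATURE:
    case ID_REVOKED:
        return DECISION_BLOCK;          /* hardcoded, no policy setting overrides it */
    case ID_SIGNED_PRIV:
        return DECISION_RUN_TRUSTED;
    case ID_SIGNED_UNPRIV:
        return lower;
    case ID_UNSIGNED:
        if (p->unsigned_apps == UNSIGNED_BLOCK)
            return DECISION_BLOCK;
        if (p->unsigned_apps == UNSIGNED_PROMPT && !user_accepts)
            return DECISION_BLOCK;
        return lower;
    }
    return DECISION_BLOCK;              /* fail closed on an unknown identity */
}
```

On a one-tier device with the Prompt policy, a user who accepts the prompt gives unsigned code the Trusted level, which is why the prompt is the only control between unsigned code and the objects listed under Objects Requiring Trust.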

Page 23

Device Security Trade-off

[Diagram: security settings along an axis from More Application Compatibility to More Device Security]

Security OFF

Prompt: User Visibility

3rd Party Signed: Code ID Required -- Deterrence against rogue apps

Locked: Exclude M2M -- Close development platform to 3rd parties

Application Compatibility:
More app variety
Richer device experience
More appealing to users

Device Security:
Stronger protections
Defense against rogue code
Increased manageability

Page 24

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Page 25

Objects Requiring Trust

Registry Keys

HKEY_LOCAL_MACHINE\Comm

HKEY_LOCAL_MACHINE\Drivers

HKEY_LOCAL_MACHINE\HARDWARE

HKEY_LOCAL_MACHINE\SYSTEM

HKEY_LOCAL_MACHINE\Init

HKEY_LOCAL_MACHINE\Security

HKEY_LOCAL_MACHINE\WDMDrivers

HKEY_LOCAL_MACHINE\Services

HKEY_CLASSES_ROOT (device specific)

Component APIs

Public SetInterruptEvent

SetSystemMemoryDivision

CeSetThreadPriority

CeSetThreadQuantum

ForcePageout

VirtualCopy

LockPages

UnlockPages

SetProcPermissions

SetKMode

ReadProcessMemory

WriteProcessMemory

SetCleanRebootFlag

PowerOffSystem

DebugActiveProcess

CreateProcess (only the debug flags DEBUG_ONLY_THIS_PROCESS and DEBUG_PROCESS)

KernelIoControl

Applications using these objects must run as TRUSTED applications on the device

Page 26

Objects Requiring Trust (2)

Extended Telephony Application Program Interface (ExTAPI)

lineRegister

lineSetCallBarringPassword

lineSetCallBarringState

lineUnregister

lineSetPreferredOperator

lineSetEquipmentState

lineGetGeneralInfo

lineManageCalls

lineSetGprsClass

lineGetNumberCalls

lineSetHSCSDState

lineGetUSSD

lineSendUSSD

lineSetSendCallerIDState

lineSetCallWaitingState

SIM Manager

simUnlockPhone

simSetLockingStatus

simGetSmsStorageStatus

simChangeLockingPassword

simReadMessage

simWriteMessage

simDeleteMessage

simReadRecord

simWriteRecord

simGetRecordInfo

Short Message Service

SmsSetMessageNotification

SmsClearMessageNotification

SmsReceiveAllMessagesFromSIM

SmsSetSMSC

Connection Manager

ConnMgrProviderMessage

Critical Process Monitor (CPM)

CPMRegister (Reboot)

CPMShutdown

CPMStatus

CPMRegisterTest

Radio Interface Layer

All RIL APIs