The Windows Mobile Obfuscation Shell
Before we examine the details of the flaws, it is important to understand the nature of the operating system. The reason for this is because it is our belief that Windows Mobile platform creates an environment conducive to poorly designed security software.
In contrast, if there is a problem on the Windows XP (desktop) operating system, it is fairly easy for you to find out what is happening. For starters, a Ctrl-Alt-Del will allow you access to an informative Windows Task Manager that provides all sorts of information about the programs running on the computer. In addition, it is simple to find out what is configured to run at startup via the "msconfig" command. Next, you can look inside the registry with "regedit" or use the command line to quickly access and view files. And if this isn't enough, there are many free tools available that can expose almost anything about the operating system to its owner. All in all, thanks to certain tools, Windows XP is a fairly open operating system.
Now, what kind of details can you find out on the Windows Mobile 5 platform? For starters, the Task List only mentions the names of the open applications that have graphical interfaces. All others are not listed! How can a user find out if there is a hidden program eating up memory? Is there a way to find out what executes when the device is rebooted? Not for the average user. In fact, the only way a user can examine what is occurring behind the scenes is via the Visual Studio 2005 program that runs on a desktop system — and only if the PDA is synced up to that same system. There are some third party programs that give access to some of this data, but these are not free or as informative as Visual Studio.
The point is this — average Windows Mobile users are relatively blind about what their device is doing. As this paper will illustrate, there are numerous Windows Mobile vendors that store sensitive information in the registry with flawed encryption schemes, or even in plaintext! If the end user knew anyone could see this data, what would they say?
History has taught the security community that software vendors will not code secure software unless forced to do so by consumers. The Pocket PC software market is a prime example of this "law," which is why Airscanner performed this research. No more excuses...
The rest of this paper will examine many different programs and their flaws. As you will see, blindly trusting a software vendor to keep you data safe is very risky. We hope that our research will help convince you to thoroughly research a product before relying on it to keep you secure.