Virtual Lock Picking of Windows Mobile Password Managers
Editor's Note: This article was originally published in the InformIT Security Reference Guide.
The Windows Mobile device is an ultra-portable digital assistant that can help its owner with numerous activities. The operating system comes with the ability to access the Internet, view email, open and create documents, play music, and even play games—and all that without any third-party programs. When you factor in the more than 18,000 programs that you can install on the device, it’s obvious that this hand-sized gadget offers much more than its size implies.
One particularly useful feature of any PDA is that it can store information you need while away from your computer. But some of that info is likely to be very sensitive: passwords, credit card numbers, keycodes, etc. The core Windows Mobile operating system doesn’t include any native security programs to store such sensitive information. To protect your data, you have to install a third-party application.
Having a central secure storage program makes sense, but it’s risky. Your sensitive data is secure only as long as no one else manages to learn your master password, or figures out a way to get around it. If you rely on a master password to protect your sensitive data, you have to keep that master password strong and secure. If your master password isn’t secure, your entire collection of secure data can be lost. In addition, the creator of your secure storage program has to keep its software up to par with handling current security risks, and invulnerable to "virtual lock picking," which could completely subvert any and all protection.
Because testing security is somewhat complex and requires specific tools, most people don’t know whether their password-protection program is really secure. In addition, few people in the security world are actively looking at password managers, especially on the Windows Mobile platform, so the chances are good that a program will remain vulnerable—until it’s too late.
Over the last couple of years, Airscanner has tested numerous programs and found many to be suitably secure—but we’ve also found several that are not secure at all. This article outlines several of these programs and demonstrates how it’s possible to bypass the authentication measures used by so-called "secure" applications, giving anyone with access to the PDA full control over the sensitive data. The goal of this article is twofold:
- Providing the community with a tutorial for locating these problems in their own code, or in third-party programs
- Illustrating that you can’t simply trust that your software is protecting your valuable data