Thursday, December 25, 2008 4:35 PMDevice Security and certificate problems.
- Edited by Xiaoyun Li – MSFT Monday, December 29, 2008 10:07 AM
Thursday, December 25, 2008 5:05 PM
A device has the following four security configurations:
- Locked or Mobile2Market Locked
- Security-Off Device
With a Locked configuration, the only applications that will run are those applications that have been signed with a certificate in one of the device's certificate stores. Moreover, the use of the certificates that are in the certificate stores is controlled completely by the original equipment manufacturer (OEM), the mobile operator, or Mobile2Market.
In a Two-Tier Prompt device, the only applications that will run with privileged execution mode are those that are signed with a certificate in the privileged store. Applications that are signed with a certificate in the normal store will run with normal mode execution. Applications that are unsigned will only be allowed to run if you respond affirmatively to the security prompt that appears when you try to run a given unsigned application. After you have allowed a given application to run by responding affirmatively to the prompt, the application will always run in normal execution mode.
On a One-Tier-Prompt device, applications are either executed in privileged mode or are not allowed to be executed. If you try to run an unsigned application, you will be prompted to allow the application to run, and if you respond affirmatively, the application will run with privileged mode execution.
On a Security-Off configuration, all applications will execute on privileged mode, even if they are unsigned.
Based on the above theory, when you encounter a security problem, you can first use the device security manager tool, which can view device security configurations. Visual Studio 2008 is shipped with it. For testing purposes, you can install an SDK certificate, which includes a privileged certificate and unprivileged certificate. When you are about to release a product, you can apply an M2M certificate, because almost every OEM installs M2M in privileged stores.
For how to sign an application, you can refer to MSDN document:
For more FAQ about Windows Mobile Development, please see Windows Mobile Development FAQ
- Marked As Answer by Xiaoyun Li – MSFT Thursday, December 25, 2008 5:09 PM