locked
IsolatedStorage in Windows Mobile? RRS feed

  • Question

  • Hi,

    Is IsolatedStorage or anything which provides similar functionality available on Windows Mobile (.NET CF 2.0)?

    Thanks.
    Tuesday, March 3, 2009 9:38 PM

Answers

  • No, it is not available. You can however store data in normal files or in registry.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Ka$h Thursday, March 5, 2009 7:48 PM
    Tuesday, March 3, 2009 10:52 PM

All replies

  • No, it is not available. You can however store data in normal files or in registry.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Ka$h Thursday, March 5, 2009 7:48 PM
    Tuesday, March 3, 2009 10:52 PM
  • Thanks Ilya,

    If I store my data in normal files, the file can be read/overwritten by any other application (signed or unsigned).
    I need some storage option which can be accessed only by my application and is completely isolated from other applications. Something which cannot be backed up would be even better.
    I wonder what other applications which really need to securely store their data from being tampered with do on Windows Mobile.
    Seems to be a very basic feature of security that is missing.

    Wednesday, March 4, 2009 12:23 AM
  • This is the same situation as with isolated storage on desktop - data in isolated storage can be read/overwritten by pretty much any other application. For example on Vista user level isolated storage is located in "%userprofile%\AppData\Local\IsolatedStorage" with bunch of random folders inside.  Pretty much any application running under user account can do whatever with these files. This fact is stated right on the isolated store class description:

     

    “Since isolated stores are scoped to particular assemblies, most other managed code will not be able to access your code's data (highly trusted managed code and administration tools can access stores from other assemblies). Unmanaged code can access any isolated stores.”


    So it makes no real difference whatever you're using isolated storage or using files – they have the same security level (i.e. none). Isolated storage is mostly needed for web based applications which don't have access to local file systems - plus it might be convenient.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, March 4, 2009 1:58 AM
  • Thanks Ilya. So I guess Windows Mobile offers nothing in terms of application data security - no application data isolation, no memory protection. Encryption is not enough given this. Is there anything at all that the platform offers to mitigate against malware?
    Wednesday, March 4, 2009 10:17 PM
  • Do you have an example of API which does that on a desktop?
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, March 5, 2009 12:51 AM
  • On Windows desktop OS, unfortunately not.

    But we used DPAPI in our desktop solution to encrypt the sensitive information since atleast on the desktop a user logon is mandatory. For a Windows Mobile smartphone, the device PIN is not mandatory which makes it difficult to base encryption on DPAPI. Once logged in, any malware running under the same user can basically access the data. This solution did not pass our security review for the desktop and the product never saw the light of the day in the consumer market.

    For the J2ME platform, we leveraged the fact that java applications have their own isolated storage along with protected memory space, in the iPhone the device has a unique password not known to anyone except the manufacturer which is used to encrypt and store sensitive data and I think Blackberry has its own secure RIM vault.

    I just cannot find a secure enough solution for Windows Mobile :-(
    Thursday, March 5, 2009 1:39 AM
  • Interesting… Did you do a review of all the JVMs around to find out how secure J2ME isolated storage really is? Let’s say it’s bullet proof (which I somehow doubt)…  What if malware replaces JVM itself? Would it not be able to gain access to all your secrets right away?

     

    Next,  iPhone gets hacked within weeks (or lately - days) of firmware upgrades been released to facilitate jail braking and carrier unlock. Are you sure nobody really knows that secret unique password considering OS is not exactly a fortress?

     

    So my point is: how do you know it’s really secure and not just an illusion of security?


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by bharathi_m Thursday, March 5, 2009 7:46 AM
    • Unproposed as answer by Ka$h Thursday, March 5, 2009 7:54 PM
    Thursday, March 5, 2009 2:41 AM
  • I agree with you to a certain extent, but I guess it is the degree of difficulty you add for malware to be able to create havoc in the system.
    With untrusted applications being allowed to pretty much do anything on the device, there is little you can do to protect your data.
    If only privileged applications would be able to access (read/write) any data, it would have been fine since I understand that there is an agreement form that needs to be submitted through the Mobile2Market program in order to become privileged and it is a lengthy and expensive process for a malware app to go through to gain access to a single device (motivation may be low).

    Devices in the enterprise environment may have strict control on what can be installed according to the corporate policy, but as a consumer handset it is pretty much open to anyone stealing your data.

    Anyway, I'm sure everyone has his/her own opinions on this topic and you've gone over this plenty of times before the decision was made about the security model.


    Given the current model, are there any best practices regarding how an application should protect and store the app data and the associated encryption keys on WM smartphones? Is there a standard practice that is adopted by other applications?

    I do not want to store the symmetric key or its material in the app for obvious reasons, so I considered DPAPI to encrypt the data, but then dismissed it since the device PIN is not really mandatory on today's WM smartphones + its difficult to enforce it when you are targeting the consumer market, not just the enterprise one.
    To use SQL Server Mobile, I still need the connection password somewhere in the app.
    I considered asking the user to set a PIN/password for the app, but it is certainly bound to become a usability issue for our app since we need to encrypt/decryt the sensitive data very frequestly when the app is running.

    So is there a recommendation on the "best effort security" that an app can try to incorporate on WM?

    You have been very helpful so far Ilya, thank you very much for that.
    Thursday, March 5, 2009 8:23 PM
  • Let's say PINs are mandatory. Would it really make any difference on open systems like Windows (whatever desktop or mobile)? I would say no as malware would run with PIN just as it would without it. PIN is more like a measure to restrict physical access to the device.

    On open systems there are pretty much no secrets between applications running under the same user. If your data is valuable then you should not keep secrets on the devices. Ask user for a password as needed (and it’s needed only on application startup) and you’ll be fine. That is very normal for, say, financial information. I mean, you use your ATM card – you have to enter the PIN.

    If your data is not that valuable then DPAPI (whatever with or without PIN – as it makes no difference) with extra entropy specific to your application should be enough. Unless malware specifically targeting your app (in which case you probably doomed anyway) it should be fine.

     


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, March 6, 2009 1:39 AM
  • Ilya,

    Can you recommend an approach for caching credentials securely? I have a web service that requires NTLM authentication. What is the "right way" to provide credentials to the application so that the user does not have to input their credentials for every request? (For example, in a Facebook application I would configure my User name and password.)

    What is the preferred Windows Mobile technique for requesting and storing user credentials?

    Matthew
    Matthew McDermott, MVP MOSS
    Monday, November 30, 2009 6:25 PM