Saturday, June 09, 2007

Locking down individual programs in Windows Mobile

There is no API for locking down certain elements (programs, functions) on Windows Mobile and in fact there is not a lot of information out there on how to do such a thing.

There is information about security policies on Windows Mobile 5 and 6 in particular, and about testing tools such as the Device Security Manager. For information about security policies and certificates, see this blog. I am currently in the middle of writing a document about creating and signing certificates, which I will publish soon…

So back to a simple way of locking down an individual program….

There are three ways of locking down Windows Mobile:

● Kiosk solution (SPB Kiosk)
● Long hand (code “hack”)
● Lock-down product (Trust Digital)

Of course the Kiosk solution or any of the lock-down products are the easiest, but if you are fussy about using third party software or are trying to keep costs down, then the long hand option might be the way to go. In addition, the Kiosk solution requires full screen, which in some cases is not desirable. Personally I like to stick to using my own code rather than third party solutions. Based on this, I will talk about the long hand (code) option.

A silly but simple way to stop end users from running an application is to create a zero-byte file with the name of the executable you wish to block. So for example, if you didn’t want a handful of your users using Pocket Internet Explorer, you would create a zero-byte file named iexplore.exe in the \Windows directory. It sounds as though this would overwrite the existing file, but it merely “hides” it. To enable Pocket Internet Explorer again, simply delete the zero-byte file.

This is all fine, but what about the shortcuts? Simply tapping one after locking down the .exe generates an error message saying the application could not be found. A better way to handle this is to delete the shortcut file as well. For example, if Pocket Internet Explorer is present in the Start Menu, you would need to delete the shortcut file \Windows\Start Menu\Internet Explorer.lnk.

There is one thing to bear in mind when deleting the shortcut file: for File Explorer (\Windows\fexplore.exe), among others, the shortcut file is marked read-only. A simple way around this is to set the Attributes property of the FileInfo object to Archive before deleting, i.e.:

using System.IO;

// The Start Menu shortcut for a ROM application may be read-only, so clear that
// flag (by setting Archive) before attempting the delete.
FileInfo ieShortcutStartMenuFile = new FileInfo(@"\Windows\Start Menu\Internet Explorer.lnk");
ieShortcutStartMenuFile.Attributes = FileAttributes.Archive;
ieShortcutStartMenuFile.Delete();

Of course, when you need to re-enable the application you will need not only to delete the zero-byte file but to re-create the shortcut file as well.
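The whole lock/unlock cycle described above, as an added example in C# for the .NET Compact Framework (not code from the original post). It assumes the \Windows shadow-file behaviour the post describes, and rather than hand-building a .lnk on unlock it backs the original shortcut up to a constructed directory (\Lockdown) so it can be copied back unchanged.

```csharp
using System;
using System.IO;

// Added example, not the blog's own code. BackupDir is an assumed, writable
// RAM location used to keep the original shortcut so Unlock can restore it.
public static class AppLock
{
    const string BackupDir = @"\Lockdown";

    // True when the executable path holds a zero-byte shadow file (our marker).
    public static bool IsLocked(string exePath)
    {
        FileInfo f = new FileInfo(exePath);
        return f.Exists && f.Length == 0;
    }

    // Lock: shadow the ROM executable with a zero-byte file and move the
    // Start Menu shortcut out of the way (backed up first).
    public static void Lock(string exePath, string shortcutPath)
    {
        if (!IsLocked(exePath))
            File.Create(exePath).Close();          // zero-byte file "hides" the ROM copy

        if (File.Exists(shortcutPath))
        {
            Directory.CreateDirectory(BackupDir);
            string backup = Path.Combine(BackupDir, Path.GetFileName(shortcutPath));
            File.Copy(shortcutPath, backup, true);
            FileInfo lnk = new FileInfo(shortcutPath);
            lnk.Attributes = FileAttributes.Archive; // shortcut may be read-only
            lnk.Delete();
        }
    }

    // Unlock: remove only a zero-byte shadow (never a real binary) and put the
    // backed-up shortcut back where it came from.
    public static void Unlock(string exePath, string shortcutPath)
    {
        if (IsLocked(exePath))
            File.Delete(exePath);

        string backup = Path.Combine(BackupDir, Path.GetFileName(shortcutPath));
        if (File.Exists(backup) && !File.Exists(shortcutPath))
            File.Copy(backup, shortcutPath, false);
    }

    static void Main()
    {
        // Paths as given in the post for Pocket Internet Explorer.
        Lock(@"\Windows\iexplore.exe", @"\Windows\Start Menu\Internet Explorer.lnk");
    }
}
```

The zero-length check in IsLocked is what stops Unlock from ever deleting a genuine executable that was copied into \Windows rather than shadowed.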

This method of locking down applications can be applied throughout the device to all programs if required, including some of the ROM installed apps:

● Phone (cprog on Phone Edition devices)
● Word Mobile
● Excel Mobile
● File Explorer
● Camera

It is also possible to limit access to the Settings window. This is as easy as deleting the \Windows\Start Menu\Settings folder. There is nothing contained in this folder, so you won’t lose any shortcuts/data. To re-enable, simply re-create the folder.

7 comments:

Anonymous said...

This was the only article I could find on the entire Internet that addressed this problem in an acceptable and intelligent manner.

Simon Hart said...

You're welcome, I'm glad the article helped.

Cheers,
Simon.

Marcos said...

Dear Simon,

This article is very useful for us. We are involved in a research project to improve reproductive health in Malawi. We use handheld computers for the data collection. In order to minimize the possibility that the PDAs are re-sold, we want to lock down individual programs.

We do not have expertise in using Windows Mobile and we are a small charity.

Could you give me some pointer on how to create a zero-byte file and how to input the code for deleting the shortcut, as well as how to delete the files that you mention...

We would highly appreciate it.

Simon Hart said...

Marcos,

I will write an article on how to do this as I think it would benefit others.

Cheers,
Simon.

The Freepouille said...

Alternatively, add the following keys to the registry

[HKLM\Security\Policies\Shell]

DisallowRun REG_DWORD 1

and

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]

1 REG_STRING BubbleBreaker.exe
2 REG_STRING Jawbreaker.exe
3 REG_STRING Solitare.exe

Now warm reset your Workabout Mobile™ 2003 device or suspend and resume your Workabout Pro Windows Mobile™ 5.0/6.0 device for the new settings to take effect.

AJS SE England said...

Thanks for your article.

We are currently looking at the SPB Kiosk and it seems quite good, except we are wary of using it and find the holding of the stylus for a period to unlock the device frustrating. I understand, being from a development background, it's always nicer to write your own thing if you can!

The 0 byte file thing is interesting. I originally set up a cab to remove some items from programs and start menu such as Internet Explorer as you mention. I am also looking at possibly using the Process class (System.Diagnostics) to launch an application such as File Explorer only when a password has been entered (File Explorer to be hidden). I was also wondering how to prevent the device from being explored on the PC but it looks like you can turn off USB sync in ActiveSync, I don't know if this can still be bypassed by connecting another way.

I'm hoping further down the line Microsoft will make Windows Mobile ever closer to the PC versions of Windows and that you will be able to set up individual usernames and policies!

Anonymous said...

I love hacks like this. Simple and effective. Nicely done. Thank you!