I have to preface this post by saying that Windows Mobile Widgets run under the same context as Internet Explorer Mobile on a Windows Mobile 6.5 device. This means that, in terms of securing data across the wire, you should use HTTPS/SSL for any connection over which you send usernames, passwords or other sensitive data. What I want to cover in this post is how to protect the security of your data sources.
Windows Mobile Widgets are great for visualising existing web data sources. By this I mean that instead of relying on users browsing to your website on their mobile device, you can build a widget that mashes up RSS, web service and other data to build a rich local user experience. Unfortunately, if you only want your data sources to be consumed by the widget you build, there are a couple of things you should be aware of:
- Once a widget is installed on the device it is possible for anyone with physical access to the device to extract the widget files. This means that any user who downloads and installs your widget from the Marketplace will be able to connect to their device and view (and in fact edit) the widget files. [This is assumed based on the behaviour of the Windows Mobile 6.5 emulator and may be different with an RTM build of Windows Mobile where they may work out how to protect widget files]
- With access to the usernames, passwords or keys from your widget files any developer will be able to create their own widget that accesses your data sources without your permission.
OK, so I mentioned protecting your data sources. Well, here is a proposed strategy for ensuring your data is only accessed by your widget running on a Windows Mobile device:
- If you look at the headers for a request coming from a widget you will notice a couple of things:
- You can make use of this header information in two ways.
- The first, and probably simpler, way is to verify these headers as part of the call to your data source. This is the easiest option if you own the data sources and can change how they handle requests.
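To make the first option concrete, here is an added example (not code from the original post) of a server-side check that a data source can run before answering a request. The post does not list the actual headers a Windows Mobile 6.5 widget sends, so the header names `X-Widget-Id` and `X-Widget-File` below are hypothetical placeholders, and the widget id and file names are constructed values; substitute what you see in your own request logs and in your config.xml. It also illustrates the limit the post goes on to discuss: header values are sent by the client, so this check filters out casual reuse of the data source rather than proving which widget sent the request.

```python
"""Server-side header check for a widget-only data source (added example).

Header names are hypothetical placeholders (X-Widget-Id, X-Widget-File); the
post does not list the real headers a Windows Mobile 6.5 widget sends.
"""
from typing import Mapping, Tuple

# Constructed values: the id from your widget's config.xml and the widget
# pages that are allowed to call this data source. Replace with your own.
OUR_WIDGET_ID = "com.example.newswidget"
OUR_WIDGET_FILES = frozenset({"main.htm", "detail.htm"})


def _lower_keys(headers: Mapping[str, str]) -> dict:
    """HTTP header names are case-insensitive, so normalise before comparing."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_widget_headers(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason); rejects unless every expected header matches.

    This is a filter, not authentication: any HTTP client can send the same
    header values, which is why the post relies on Marketplace keeping the
    widget id unique rather than on the headers alone.
    """
    h = _lower_keys(headers)
    widget_id = h.get("x-widget-id")       # hypothetical header name
    widget_file = h.get("x-widget-file")   # hypothetical header name
    if widget_id is None or widget_file is None:
        return False, "missing widget headers"
    if widget_id != OUR_WIDGET_ID:
        return False, "unexpected widget id"
    if widget_file not in OUR_WIDGET_FILES:
        return False, "unexpected widget file"
    return True, "ok"


def serve_feed(headers: Mapping[str, str]) -> Tuple[int, str]:
    """Minimal data-source endpoint: 403 unless the header check passes."""
    allowed, reason = check_widget_headers(headers)
    if not allowed:
        return 403, reason
    return 200, "<rss><channel><title>constructed feed</title></channel></rss>"


if __name__ == "__main__":
    # Constructed requests: one shaped like the widget's, one from a plain browser.
    from_widget = {
        "X-Widget-Id": OUR_WIDGET_ID,
        "X-Widget-File": "main.htm",
        "User-Agent": "constructed widget user agent",
    }
    from_browser = {"User-Agent": "constructed browser user agent"}
    print(serve_feed(from_widget))   # (200, '<rss>...')
    print(serve_feed(from_browser))  # (403, 'missing widget headers')
```

Deploying this as middleware in front of every data-source endpoint means the check is applied consistently; the reason string is useful in your server logs for spotting requests that carry your widget id but an unexpected file name.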
This sounds all very well, but what's to stop someone from getting my widget, copying the code into their own widget and using the same id and/or filenames? The answer is that I'm assuming the id specified in the config.xml file will be unique on the Windows Mobile Marketplace [yet to be confirmed by Microsoft, but that would seem logical since there needs to be a way in Marketplace to uniquely identify your widget]. This would mean that another party can't create a widget using your id and upload it to Marketplace.
But what's to stop someone from creating a widget with the same id and publishing it on their website? Nothing, but no non-cracked Windows Mobile device will be able to install that widget: Windows Mobile Marketplace is the only way to install widgets on a non-cracked Windows Mobile 6.5 device. On the Windows Mobile 6.5 emulators you can simply copy a .widget file onto the device and then install it by clicking on it in File Explorer on the device. This is not possible on a non-cracked Windows Mobile device, as the .widget file extension is not recognised by the device (setting the following registry keys enables this feature on your device and thus "cracks" it: [HKEY_CLASSES_ROOT\riapp] "EditFlags"=dword:00010000 and [HKEY_CLASSES_ROOT\riapp\Shell\Open\Command] @="wmwidgetinstaller.exe %1").