Nick's .NET Travels

Continually looking for the yellow brick road so I can catch me a wizard....

Windows Mobile Widget (lack of) Security

I have to preface this post by saying that Windows Mobile Widgets run under the same context as Internet Explorer Mobile on Windows Mobile 6.5. This means that, in terms of securing data across the wire, you should use HTTPS/SSL over any connection on which you send usernames, passwords or other sensitive data. What I want to cover in this post is how to protect the security of your data sources.

Windows Mobile Widgets are great for visualising existing web data sources. By this I mean that instead of relying on users browsing to your website on their mobile device, you can build a widget that mashes up RSS, web service and other data to build a rich local user experience. Unfortunately, if you only want your data sources to be consumed by the widget you build, there are a couple of things you should be aware of:

  • Widgets are just plain text html files, with or without javascript, which is also plain text. This means that anything you put in a widget can easily be extracted. Sure, you can obfuscate the javascript code, but any usernames, passwords or keys in it can still be recovered.
  • Once a widget is installed on the device it is possible for anyone with physical access to the device to extract the widget files. This means that any user who downloads and installs your widget from the Marketplace will be able to connect to their device and view (and in fact edit) the widget files. [This is assumed based on the behaviour of the Windows Mobile 6.5 emulator and may be different with an RTM build of Windows Mobile where they may work out how to protect widget files]
  • With access to the usernames, passwords or keys from your widget files any developer will be able to create their own widget that accesses your data sources without your permission.

Ok, so I mentioned something about protecting your data sources. Well, here is a proposed strategy for ensuring your data is only accessed by your widget running on a Windows Mobile device:

  • If you look at the headers of a request coming from a widget you will notice a couple of things:
    • Referer: x-widget1:///\\Program%20Files\\Widgets\\User\\2\\Products.htm
      • \Program Files\Widgets\User\2\Products.htm is the name of the file on the Windows Mobile device that is loaded into the widget. Widgets get installed into the \Program Files\Widgets\User folder by expanding the .widget zip file onto the device.
    • User-Agent: WMWidgets 1.0 (MSIE6.0;Windows CE;http://www.builttoroam.com/ProductWidget)
      • The agent string “WMWidgets 1.0” confirms that this request is coming from a Windows Mobile device, whilst “http://www.builttoroam.com/ProductWidget” is the id of my widget as defined in the config.xml file, e.g.:

        <?xml version="1.0" encoding="utf-8" ?>
        <widget xmlns="http://www.w3.org/ns/widgets"
                id="http://www.builttoroam.com/ProductWidget"
                version="1.0">
        </widget>

  • You can make use of this header information in two ways.
    1. The first, and probably simpler, way is to verify these headers as part of the call to your data source. This is the easiest option if you own the data sources and are able to change how they work.
    2. If you can’t modify the data sources and they take a username, password or key to access them, then you need to protect those pieces of information. Do not embed them in the widget html or javascript itself (as outlined above, they are very easy to extract from the device). Instead, build a simple web service that returns the required username, password or key on request. As part of that request you would of course verify the headers to ensure it is coming from your widget running on a Windows Mobile device.
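To make the two options concrete, here is an added example in Python (not code from the post, nor from the Built to Roam widget it describes) of a server-side check over the Referer and User-Agent values shown above, together with the small credential-returning web service from option 2. The widget id and the header shapes are taken from the post; the sample requests and the key value are constructed for the example, and the Referer path-decoding rule (percent-decode, then collapse doubled backslashes) is an assumption based on the single header shown. One caveat worth keeping in mind: both headers are supplied by the client, so a match tells you the request looks like your widget; treat it as a filter against casual reuse of your data source rather than as authentication of the caller.

```python
import re
from urllib.parse import unquote

# Values taken from the request headers shown in the post.
WIDGET_ID = "http://www.builttoroam.com/ProductWidget"
WIDGET_REFERER_SCHEME = "x-widget1:///"
WIDGET_INSTALL_ROOT = "\\Program Files\\Widgets\\User\\"
# User-Agent shape from the post: WMWidgets 1.0 (MSIE6.0;Windows CE;<widget id from config.xml>)
USER_AGENT_RE = re.compile(
    r"^WMWidgets 1\.0 \((?P<engine>[^;]*);(?P<os>[^;]*);(?P<widget_id>[^)]*)\)$"
)

# Constructed placeholder secret; a real broker would load it from server-side configuration.
DATA_SOURCE_KEY = "EXAMPLE-KEY-NOT-REAL"

# Constructed sample requests: the widget request from the post, a widget with a
# different id, and an ordinary desktop browser that carries neither widget header.
SAMPLE_REQUESTS = {
    "widget": {
        "Referer": "x-widget1:///\\\\Program%20Files\\\\Widgets\\\\User\\\\2\\\\Products.htm",
        "User-Agent": "WMWidgets 1.0 (MSIE6.0;Windows CE;http://www.builttoroam.com/ProductWidget)",
    },
    "other_widget": {
        "Referer": "x-widget1:///\\\\Program%20Files\\\\Widgets\\\\User\\\\3\\\\Main.htm",
        "User-Agent": "WMWidgets 1.0 (MSIE6.0;Windows CE;http://example.invalid/SomeOtherWidget)",
    },
    "desktop_browser": {
        "Referer": "http://www.builttoroam.com/",
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    },
}


def verify_widget_headers(headers, expected_widget_id):
    """Check the Referer and User-Agent the way the post proposes.

    Returns (ok, reason). Header names are matched case-insensitively.
    Both headers are chosen by the client, so a match identifies a
    well-behaved widget but does not prove the caller is one.
    """
    h = {name.lower(): value for name, value in headers.items()}
    referer = h.get("referer", "")
    user_agent = h.get("user-agent", "")

    if not referer.startswith(WIDGET_REFERER_SCHEME):
        return False, "referer is not an x-widget1 URL"

    # Assumed decoding of the path part: percent-encoded with doubled backslashes, e.g.
    # \\Program%20Files\\Widgets\\User\\2\\Products.htm -> \Program Files\Widgets\User\2\Products.htm
    device_path = unquote(referer[len(WIDGET_REFERER_SCHEME):]).replace("\\\\", "\\")
    if not device_path.lower().startswith(WIDGET_INSTALL_ROOT.lower()):
        return False, "widget file is not under the widget install folder"

    match = USER_AGENT_RE.match(user_agent)
    if match is None:
        return False, "user-agent is not a WMWidgets 1.0 agent string"
    if match.group("widget_id") != expected_widget_id:
        return False, "widget id does not match"
    return True, "ok"


def credential_broker(headers, expected_widget_id):
    """The credential-returning web service from option 2. Returns (status, body)."""
    ok, reason = verify_widget_headers(headers, expected_widget_id)
    if not ok:
        return 403, reason
    return 200, DATA_SOURCE_KEY


if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        print(name, credential_broker(request, WIDGET_ID))
```

The same verify_widget_headers check serves option 1 directly: call it at the top of your data source handler and reject the request when it returns False. Because the check rejects on the first failed condition, the reason string tells you which of the two headers was missing or wrong, which is useful when logging rejected requests.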

This all sounds very well, but what’s to stop someone from getting my widget, copying the code into their own widget and using the same id and/or filenames? Well, the answer is that I’m assuming the id specified in the config.xml file will be unique on the Windows Mobile Marketplace [yet to be confirmed by Microsoft, but that would seem logical since there needs to be a way in Marketplace to uniquely identify your widget]. This would mean that another party can’t create a widget using your id and upload it to Marketplace.

But what’s to stop someone from creating a widget with the same id and publishing it on their website? The answer is that there is nothing to stop them doing that. However, no non-cracked Windows Mobile device will be able to install that widget: Windows Mobile Marketplace is the only way to install widgets on a non-cracked Windows Mobile 6.5 device. On the Windows Mobile 6.5 emulators you can simply copy a .widget file onto the device and then install it by clicking on it in File Explorer on the device. This is not possible on a non-cracked Windows Mobile device, as the .widget file extension is not recognised by the device. (Setting the following registry keys enables this feature on your device, and thus “cracks” it: [HKEY_CLASSES_ROOT\riapp] "EditFlags"=dword:00010000, [HKEY_CLASSES_ROOT\riapp\Shell\Open\Command] @="wmwidgetinstaller.exe %1".)
