How Secure Is Your Mobile Application Data?

When developing mobile applications we usually think in terms of a single user; doing only a few tasks in a small device. However, this may no longer be true. We are now faced with devices that have large screens (for a smartphone, that is) such as the HTC Advantage 7501 with a 5" screen and a decent size keyboard. Some of them are quite frankly borderline-UMPC sized. This means that not only the usage paradigm will shift into more desktop-like functions while keeping the mobile form factor.

For corporations, this could mean that there is a higher risk of exposing sensitive data or even trade secrets. Even with precautions and OS-security features as advanced as they are today such as Compact Framework provided encryption APIs and the ability to wipe a whole device from the Admin’s desk by using Exchange 2003 SP2 and SMS Device Management Feature Pack a user could take a while to report the loss of a device. This could potentially open a window of opportunity for someone looking for a security gap. So, having said that; your application’s security setup is now more than critical. You application could be quite at risk of exposing secure data if not handled adequately.

So what can be done to secure an application? Well, the amount of security is a function of how much time, resources and budget you have on top of making the application user-friendly enough. Basically, the more money, time and effort you put into security the safer/more secure it could potentially be. However, because of the human factor involved in usage and programming (yes, developers are included in this equation) there is no such thing as an absolutely secure application, it is always a matter of risk, and how much the business is willing to risk/invest into securing the data. On top of all that there is a matter of meeting the appropriate user-friendliness for your application to be adopted easily.

Visual Studio comes with some pretty cool security features; but again; it depends on the developer to implement, the analysts to design into the application and the business areas to budget their needs accordingly.

Windows Mobile and Compact Framework already come with the following features that you can take advantage of:

Crypto API – Encryption: any piece of data can be encrypted by using some simple calls to the System.Security.Cryptography API or Crypto API for short. There are several different types of encryption you can use such as Symmetric vs. Asymmetric encryption Algorithmic vs. Hashed data. The ones that are included in the Compact Framework are:

  • Digital Signature Algorithm (DSA)
  • MD5 hash algorithm
  • RC2 and RC4 algorithm
  • Cryptographic Random Number Generator (RNG) algorithm
  • RSA algorithm
  • SHA1 hash algorithm
  • Data Encryption Standard (DES) algorithm
  • Triple Data Encryption Standard (TripleDES or 3DES) algorithm
  • Rijndael (AES) algorithm

All these different algorithms cover a pretty wide range of security levels and process complexities. With all these choices, you are definitely bound to find the one algorithm you like, that fits your requirements and your compliance needs. For example: Rijndael (AES) is used as a US Federal Government Advanced Encryption Standard.

Let’s say you have to store data in the registry, you could make your application safer and more secure just by storing its data encrypted so that anyone snooping around the device registry would not be able to figure out what you stored under those registry keys.

The same example is valid for storing data in plain text or under an XML file which is nothing but a plain text file with tag formatting. If you encrypt the data before you store it, then you would be protecting the data from any curious user or unauthorized access.

SQL CE Encryption: One common method of storing information in Windows Mobile is SQL Server CE. Even though SQL Server CE does not support logins and their respective passwords, it does support 128-bit encryption of the data in the SQL Server CE database with a password that only your application would know or even better the user would know; therefore giving you a secure way to store information in it.

Access to Networked Data: You can also access services over secured networks. If you do not want to store information in your mobile devices, you can use a web service-like application. You could secure your communication channels to the target service. Your application could be using tools such as:

  • Network Authentication
    • NTLM versions 1 and 2
    • SSL Basic and TLS Client Authentication
  • Wireless LAN Security
    • WiFi 802.1x user authentication using
      • Protected EAP (PEAP)
      • EAP/TLS (certificate-based)
      • WPA
  • Native VPN support
    • PPTP
    • L2TP
    • IPSec

You may establish a secure connection between your device and the target by using any of the mentioned tools and protocols.

Encrypting Data Streams: There might be a similar way of implementing your encrypted security if you access a web service by encrypting only selective pieces of critical data that you send or receive and not using the encrypted protocols that may pose a larger overhead for performance when everything going back and forth is encrypted.

Finally remember that too much security may also work against you degrading performance or extending your development time frame. Also have in mind that applying one encryption method and then another on top of the first one does not necessarily make your application more secure and it will surely add more overhead to your application.

No matter what your needs are and even though not perfect; the tools provided by the Compact Framework are great for establishing a custom cryptographic solution for your applications needs. So take your time learning them and using them to your favor.

About Diego Samuilov

Editor in Chief/Founder Diego Samuilov is an executive, consultant, IT strategist and book, e-book and web published author. Diego has worked in Microsoft’s environments since 1990. Since then, he has successfully filled many positions related to the Software Development lifecycle. Having worked as a developer, analyst, technical lead, project lead, auditor and, since 1996 a project manager, manager, director and VP in the Software Development, Server, Desktop and Mobile environments. Diego is very passionate about the software development process, which has played a great part in his skills development. Since the introduction of the first ever PDA (the Apple Newton MessagePad) in 1994 and Windows CE in 1998 he has pioneered and pushed the envelope in the field of mobile software development. He has developed many solutions used in mobile markets, desktop and server environments. He participates in public and private developer community events. He actively collaborates with the community at support forums and blogs. Diego is the author of "Windows Phone for Everyone" available [HERE].