I was looking into OWASP Top 10 Mobile Risks for security issues to be kept in mind while developing mobile applications. They have given very good information pertaining to Android and iOS platforms. Some notable ones include Client Side Injections, iOS Abusing URL Schemes, Android-Abusing Intents, Keystroke logging, Screenshots/iOS Backgrounding, Logs etc.
These were very useful and now I want to know if there are any new vulnerabilities that exist in Windows Phone 7, which were not present in Apple iOS and Google Android.
My requirement is, I need to build something like a Damn Vulnerable WP7 App to educate the WP7 developers in my project to build secure applications for our clients.
OWASP has already built iGoat (iOS application) and DroidGoat (Android application) for the sake of iOS and Android developers. I don't see any such application for Windows Phone 7.
Currently WP7 appears to be a very secure OS. Whilst I am sure it has vulnerabilities, these have not been exploited yet. Interestingly AVG released an anti-virus / malware app for WP7. This was pulled from the marketplace because it didn't actually do anything since there are no viruses for the phone yet!
http://www.winrumors.com/microsoft-pulls-avg-antivirus-windows-phone-app-from-the-marketplace/
There has been a recent SMS flaw discovered:
http://nakedsecurity.sophos.com/2011/12/14/windows-phone-7-5-susceptible-to-sms-hack/
Having said that, there is still a need to educate developers about security. You can of course build an application which has its own security vulnerabilities, by failing to protect the user's data for example.
if there are any new vulnerabilities that exist in Windows Phone 7
Actually, I dare say there ain't any old ones either. Most of the security issues on Android are caused by the ability to change the system 110%. Windows Phone doesn't have intents, doesn't allow process inspection, or access to the raw file-system.
As Colin said, the security issues that can occur are related to data handling. For instance, the isolated storage can be inspected by jailbreaking the device, and as such you can read out unencrypted passwords (or other personal data) from the isolated storage.
However, to jailbreak a device, you need physical access to it. And you can't remotely install an application for inspecting the isolated storage, even if the device was jailbreak'd. It can only be done by USB.
I am trying to install my own web App to a ROOTED LG TV, ignoring Developer mode status. I have successfully run it with Devmode = On, but it expires after 48 hours, and I have to do it over. I want to use the TV as a menu display. I can install my App, using "ApplicationInstallerUtility -c install -p /tmp/com.xxx.xxx_1.0.0_all.ipk -u 0 -l /media/cryptofs -d", but when I try to start it with Developer Mode = Off, using ssh and luna://com.webos.applicationManager/launch, I get an error code 302, and a text "errorText": "Failed to identify a proper DRM file".
What can I do to solve this issue? How can I sign my app, without going to LG content store? Thanks in advance.
Many DRM implementations will have a check for rooted devices and will not work if they detect the device is rooted - the logic is that a rooted device may not have the same protection for the media path and the keys.
If for your use case you don't actually need DRM, which could be the case if the streams you want to play are not encrypted, then it may be worth looking at your application and removing any DRM configuration or libraries it includes.
Update
The term DRM can be used generally to describe Digital Rights Management for anything, e.g. software, book, media etc, or to refer to the common DRM solutions used to protect media such as Widevine, PlayReady, FairPlay etc.
Unfortunately, the LG WebOS documentation seems to use the term for both which makes it hard to interpret the type of error you are seeing.
The manual for the error code you are seeing simply suggests the error message should be "Failed to check DRM."
http://webostv.developer.lge.com/api/webos-service-api/application-manager/?wos_flag=launch#launch.
This might be a reference to a media DRM, but it also could be talking about the DRM used to sign and protect apps themselves.
LG also have a WebOS security solutions guide that explains their app signing security, which you may be able to find on the web.
I suspect that the error message you are seeing is related to this use of the term 'DRM'.
Assuming that is the case, then unfortunately, you are either going to have to remove this security framework in your device, which I suspect will not be trivial, or submit the app to the LG content store.
We will start using Microsoft Intune for all our devices soon, and while configuring Intune, the question came up of which certificate to choose, for authentication etc.
I have followed this link and others similar: https://learn.microsoft.com/en-us/intune/certificates-configure
However, these links only explain how to install CAs, configure settings etc. I cannot find a clear differentiation between the 2 certificates (SCEP and PFX) and why one would choose one over the other.
Are there any general guidelines to follow?
Edit: Our devices are mostly company laptops, with Windows 10.
It's hard to say how to choose one kind rather than the other one. It really depends on what devices you're using and what platforms run on those devices:
You can create and assign a PKCS or SCEP certificate profile for devices running the following platforms:
iOS 8.0 and later
Android 4.0 and later
Android for Work
Windows 10 (desktop and mobile) and later
You can only use a SCEP certificate profile for devices running the following platforms:
macOS 10.9 and later
Windows Phone 8.1 and later
So, it's clear that if your devices are using macOS 10.9 and later, Windows Phone 8.1 and later platforms, you must choose to use SCEP certificates.
Also, it sometimes depends on what CA your network devices support. E.g., if your VPN devices only support SCEP CA, you just need to use SCEP CA.
You can also refer to this Tech Note of Cisco to find more details about SCEP and PKCS.
For same devices:
If you are building a prototype or a small non-critical service then go with PKCS12.
If you use SCEP profiles, you need to configure a Network Device Enrollment Service (NDES) server. So, if you are building a serious product (production and touching devices of people with sensitive info) then go with SCEP (you can get a free SCEP server. It's not that complex).
Hope this helps!
In this link https://msdn.microsoft.com/en-us/library/windows/apps/dn726767.aspx
it is said 'Universal Windows Platform (UWP) app is a Windows experience'. What does Windows experience actually mean?
Well, basically what it means is that by creating a UWP you are creating an app that will run across the Windows Platforms, thus giving the full Windows experience. Having an app that gives a familiar "experience" across all the devices that support Windows UWP (Xbox One, PC, Tablet, Phone, IoT, HoloLens), that is the goal.
Microsoft’s language around Windows has changed in the last year. Where Windows was originally a brand indicating an interconnected system of software, it is now used philosophically to represent the mission statement to let people do more.
The idea is, because of the Windows experience, developers can create software that operates in a new paradigm. More specifically, users can experience software in a way that centers around them as a user and not the device they are using.
This new workflow approach downplays the built-in interoperability of Microsoft products, and highlights the opportunity to create software that can do far more to change the way users and companies leverage and experience software.
At its heart, the Windows experience is the experience that defines a better way to use software. This is a subjective thing depending on the type of user or industry – but it is also a far more broad-reaching definition that no longer simply implies: “build an app that can run on multiple devices”.
Good job teasing out this new language. Not everyone has noticed yet.
At the core of the Universal Windows Platform is the technology enabling code written for one Windows device to seamlessly transition to other devices and form factors. The Windows experience is the full panoply of Microsoft services, including those targeting iOS, Android, and traditionally competing products like Salesforce.
PS: the Windows Experience is not the performance measurement tool introduced in Vista to evaluate hardware for its readiness for advanced graphics, etc.
The Windows experience, in the new mission-oriented form, is intended to promote a love for Windows - but thinking of Windows not as an Operating System, but, instead, as a family of reliable solutions. It's a nice change, and I (personally) am excited to see how it inspires developers.
I hope this helps.
I believe the intention is to encourage those creating software to not think about an isolated app that just runs on a single device (or class of devices) but to create an "experience" that can travel with the user across multiple devices.
For example, don't just think about creating a phone app or a desktop/tablet app. Instead think about how the user will experience interacting with your software (and presumably the same data) as they use different devices, in the Windows 10 family, at different times and in different ways.
Windows as an ecosystem has been moving closer and closer together in terms of developing for different devices for years. With Windows 10, you finally have a true universal platform where you can develop for phones, tablets, desktops, HoloLens, Xbox, etc with one code base. Sure, there are specific API tweaks, but those devices run the same core allowing you the developer to create experiences across multiple different devices!
In other words, why should developers build HTML5 applications instead of iOS or Android apps and deploy to Firefox Marketplace? What are the incentives that Firefox Marketplace offers to attract developers from other application platforms?
It's an interesting question, and I am going to paste you some text that I found related to the topic. It explains the idea better than I probably could.
Open Web Apps are essentially no different than standard websites or Web pages. They are built using standard open Web technologies — HTML, CSS, JavaScript, etc. — and can be accessed using a Web browser. The main differences lie in their ability to be installed on a device and work offline, and access to advanced APIs that allow interaction with device features such as the camera, address book, and other such things. In addition, they are built on open technologies as much as is possible. Where differences lie in technology implementation between platforms, efforts should be made to ensure that both are supported, through a combination of feature detection and appropriate code for different platforms, and graceful degradation.
From the ground up Mozilla has been building an apps system that lets users buy an app once and run it on all of their HTML5 devices. When you purchase an app through the Firefox Marketplace, the system installs a receipt on your device. The receipt is a JSON Web Token with metadata that links to the Marketplace’s public key and its verification service URL. When an app starts up it can verify the receipt but the receipt on the device is not tied to the Firefox Marketplace. The receipt is just a cryptographically verifiable proof of purchase. Anyone can sell open Web apps if they follow the receipt specs. When you buy an app, it is intended to be portable across any device that supports the Open Web Apps system.
In the future the Open Web Apps system will support syncing your installed apps across devices. Since receipts are portable you could just sync them yourself if you wanted to. In case it’s not obvious, you can always run a free open Web app in any browser because it is no different than a website. It might, however, use new mobile specific web APIs which are not implemented on all platforms.
To me the main thing is not to start thinking about creating Firefox OS apps, but to create web apps, which is better for you and the web, and Mozilla is doing a good job making it real.
Those links are interesting to read and to see what will come to the web in the future:
https://developer.mozilla.org/en-US/Apps/Quickstart/Build/Intro_to_open_web_apps
https://marketplace.firefox.com/developers/
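The receipt check described in the quoted text above (a signed JSON Web Token that points at the store's key and verification URL), sketched as an added example that is not code from the answer or from Mozilla. It simplifies the receipt to a single RS256-signed JWT; the claim names `iss`, `verify` and `product.url`, the helper names, the key pair and the `store.example` / `app.example` origins are assumptions constructed for illustration.

```javascript
// Added example: key pair, receipt, origins and claim names are constructed assumptions.
const crypto = require('crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

const store = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Store side (hypothetical helper): sign the claims as an RS256 JWT.
function issueReceipt(claims, privateKey) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64u(sig)}`;
}

// App side: trustedStores maps an issuer origin to its pinned public key.
function checkReceipt(token, trustedStores, appOrigin) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let head, claims;
  try {
    head = JSON.parse(unb64u(parts[0]).toString('utf8'));
    claims = JSON.parse(unb64u(parts[1]).toString('utf8'));
  } catch (e) { return { ok: false, reason: 'malformed' }; }
  if (!head || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm: the token must not choose how it is verified.
  if (head.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  // iss is used only to pick a pinned key; nothing else is trusted yet.
  const key = trustedStores.get(claims.iss);
  if (!key) return { ok: false, reason: 'unknown-issuer' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, key, unb64u(parts[2])))
    return { ok: false, reason: 'bad-signature' };
  // Signature holds: now the claims are worth reading.
  if (!claims.product || claims.product.url !== appOrigin)
    return { ok: false, reason: 'wrong-app' };
  let verifyOrigin = null;
  try { verifyOrigin = new URL(claims.verify).origin; } catch (e) { /* invalid URL */ }
  if (verifyOrigin !== claims.iss) return { ok: false, reason: 'verify-url-off-issuer' };
  return { ok: true, verifyUrl: claims.verify };
}

const trusted = new Map([['https://store.example', store.publicKey]]);
const receipt = issueReceipt({ iss: 'https://store.example',
  verify: 'https://store.example/verify/123',
  product: { url: 'https://app.example' } }, store.privateKey);
console.log(checkReceipt(receipt, trusted, 'https://app.example'));
```

Only a receipt that passes these local checks should have its `verifyUrl` contacted, so a forged token cannot steer the app to a verifier of its own choosing.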
My company has a Compact Framework.NET WinForms application which runs on rugged handhelds manufactured by companies like Motorola, Intermec and Psion. These are expensive devices with built-in barcode scanners that are used in harsh conditions.
The configuration of the handheld application is managed by business users through our web site. The devices pick up the configuration when they sync from within the handheld application. Field workers use the handhelds, business users use the web site.
The business users have expressed the desire to, for lack of a better description, configure and preview or even fully use the actual handheld application through a web browser. They want to make configuration changes in the web site and immediately see what the impact will be in the handheld, without having to have a physical device (again, the devices are quite expensive). They want to be able to create training materials or conduct sales meetings and be able to demonstrate the application to their customers without having a physical device on hand.
Microsoft offers several Device Emulators, but they are probably too complex for business users. They are developer tools. One idea might be to somehow use the emulators within virtual machines, possibly in conjunction with Terminal Services or even some kind of clever screen capture/VNC to show an emulated device in a browser. I suspect running emulators in this fashion may not exactly be a scalable solution, however. Also, only one emulator at a time on a single machine can be "cradled" and connected to the network.
I'm looking for any suggestions which might help me meet the business users' requirements.
Thanks.
The only thing I can think of offhand is not that simple, but would probably be useful (and certainly the only "true" way for them to test).
I'd create a service that works like the Remote Display app (part of the WinMo Developer power tools, also ships with Platform Builder for CE), in fact it might just use that app (the source code for it actually ships with Platform Builder, so the eval version of PB would get you that source).
You would then create a web interface that acts as a "shell" for that service, marshalling the display image out to a web page and image clicks back as mouse events to the device.