Building Secure GOV-LOB Windows Phone Apps. Part II, Session III
In this entry we will cover:
- Multi-targeting and Application Compatibility
- Application Deployment and
- Device Security Features
Multi-targeting and Application Compatibility
With WP 7.1 SDK, developers can now specify the target OS as WP 7.0 or WP 7.1. This means that with WP 7.1 SDK, developers can develop the application for both WP 7.0 and WP 7.1 release. However when developer uses WP 7.1 SDK with target OS as WP 7.0 then developer can create, open, debug and deploy the project but cannot utilize the WP 7.1 features. With WP 7.0 SDK, developers can develop application targeting WP 7.0 release only.
The following table summarizes the Application compatibility with different flavors of WP 7 release:
Target WP OS Version
Create or Open Projects
Deploy or Debug Projects
Use WP 7.1 Features
Note: It is very important to understand the compatibility between SDK and Target OS. Based on SDK Version and Target OS selected, developers can use the new (Security) features of WP 7.1 release.
All 3rd party WP7 applications need to go through a formal certification process before they are made available to the end user via the Windows Phone 7 Marketplace. Code signing occurs automatically once the application has successfully passed the certification testing within the Marketplace deployment workflow. The application and repackaged XAP files are signed by Microsoft with the Microsoft-issued Authenticode certificate assigned to the developer when they registered on the Windows Phone Marketplace. Any pre-existing signatures in a submitted application or XAP files will be replaced/overwritten during this process.
Note: Only those applications that are signed with a Marketplace-issued Authenticode certificate can be installed and run on a commercially available Windows Phone.
There are currently no supported mechanisms for loading released applications onto the WP7 platform outside of Marketplace – such as downloading from a PC or from a storage card or from another device over Bluetooth (these alternate installation mechanisms are often collectively termed as ‘side-loading’).Thus, even upgrades, maintenance releases and patches for applications have to be routed through the public Marketplace.
Line of Business Application considerations
With the release of Windows Phone 7.1, there is increased opportunities for the deployment of Line of Business applications. The public marketplace provides maximum visibility to corporate staff (as well as anyone else). Two new options include a beta release that makes an application available for a fixed time to a fixed whitelist of users, and targeted distribution which hides applications from Marketplace searching/lists and is deployed using a deep link URL. This URL can be distributed to authorized users and minimize the risk of exposure of the application to unauthorized users. If the URL is disclosed in a public venue, then this advantage is significantly reduced / eliminated.
Exchange Active Sync (EAS) can be used to enforce policy such as mandatory pin lock, remote wipe of a device, wipe on failed attempts to brute-force the PIN, etc. This implies, though, that to enforce the policies, individual phone devices need to be Outlook “enabled.” Otherwise the device will have, for example, a PIN lock if the user chooses to enable it. There is no concept of a “group policy” that can be enforced across all of the phones used by the staff of a corporate enterprise for things such as PIN complexity.
Also, there is currently no known method to verify if any device security policies such as PIN are implemented on the handset. It may be possible to query Exchange or SCCM information to make this determination on the infrastructure side of the application.
Device Security Features
A WP7 phone can be locked through a device level PIN. PC tethering and removable SD cards are currently not supported. In addition, WP7 supports IT-managed Exchange ActiveSync (EAS) policies such as Require Password, Password Policies, Remote Wipe and Reset to Factory Settings after multiple failed unlock attempts.
For detailed information on the differences in EAS policy and features on different Exchange Servers (2003 SP2, 2007,2010), see:
For detailed comparison on Exchange ActiveSync client, refer below link:
In WP 7.1, EAS policy can enforce complex passwords which includes alphanumeric passwords. Support for IRM is also included.
In the next session we will discuss:
- SSL Support
- Socket Support
- Security Considerations
Based on work from Manish Prabhu, Sameer Saran, Don Willits, and Dharmesh Mehta.