Windows Mobile 5.0 Security Model FAQ

Certificates (SSL)

Q: What is required to install a new certificate to the ROOT store?
A: Adding ROOT certificates currently requires trusted code or manager access. On most Pocket PC devices this won't be a problem, but some Smartphone devices are deployed in a restricted configuration where this will be a problem.

Q: Okay, I have a restricted Smartphone device. What are my options for getting a root certificate on there?
A: In the general case, you will need a signed certificate installer. Some operators provide this tool. There's a more in-depth discussion of this issue at the blog post here.

Q: Does Windows Mobile support wildcard certificates?
A: Not in the current versions.

Q: Does the certchk tool work for disabling SSL validation for Exchange ActiveSync?
A: Not on Windows Mobile 5.0 devices. There is currently no workaround for this beyond adding the root certificate as described above, or disabling SSL altogether.

Application Security and Code Signing

Q: Why doesn't the device trust my code? I bought a code signing certificate from a CA!
A: Because the certificate doesn't chain to an execution root on the device. For a binary to be trusted, the cert must chain to a certificate in the Privileged or Unprivileged Execution Authorities stores. A typical Windows codesigning certificate from a CA won't work. Get a Mobile2Market certificate to run on the widest variety of devices.

Q: But why does it say "Unrecognized Publisher"? My code signing certificate was purchased from Verisign!
A: Since we can't verify the certificate chain, we cannot trust the certificate at all. We don't show any text from the certificate to reduce the spoofing risk to the user.

Q: Do I have to sign resource-only DLLs?
A: Yes. This is a change in Windows Mobile 5.

Q: Why do you need a privileged certificate to load a driver on PPC? Everything else runs trusted with an unprivileged certificate
A: During boot time, the device has not finished initializing and processing configuration XML. Only the privileged execution store is trusted until the boot is finished. If you can wait to load until after boot finishes, things will work as you expect. See the post "Getting your unprivileged drivers and services to work" for a more in-depth description.

Q: What is the point of code signing? It doesn't ensure that the code is well written, or that it is not malicious.
A: Code signing provides a reliable means of verifying the identity of the developer of the code. It also provides an integrity check to ensure that binaries are not tampered with, and a path for revocation of malicious or badly flawed applications.

Q: How do I know which APIs require trust and which don't?
A: Start here

Q: How do I sign my code for day-to-day development?

A: In general, install the SDK certificates and then sign your code with them, or configure Visual Studio to do so automatically. The emulators have the SDK certs installed already, so you can skip that step for those. More detailed step-by-step instructions in the white paper under "Signing an Application During Day-to-Day Development."


Q: Do you have to sign the cabs and the files inside the cab?
A: Yes. We realize this can be less than ideal, and expensive for an ISV to get that many signing events. It's on our radar for things to improve.

Q: Why should we have to go through the Mobile2Market program at all? Why can't I run whatever I want on the device?
A: Most Windows Mobile 5.0 devices are deployed on private networks owned by the mobile operators. To protect these networks from malicious software and limit support costs, many operators have stringent requirements limiting which applications can install and execute on connected devices.

Q: Isn't this just a scheme to make application developers pay Microsoft every time they want to ship an app?
A:  No. The cost of signing your code with a Mobile2Market cert goes directly and entirely to the Certificate Authority, either Verisign or Geotrust. Microsoft does not participate in this commerce in any way. Microsoft’s interest is strictly to provide the most unified application security model possible so that a single signing process will allow you to deploy your application on the greatest possible number of Windows Mobile Devices.

Q: Will my Mobile2Market application run on all Windows Mobile 5.0 devices?
A: As of today (12/18/2005) Mobile2Market certificates are currently included on all new Windows Mobile devices sold worldwide with the exception of those sold by two mobile operators; Orange and SKT (South Korea).  Orange devices currently ship with the Mobile2Market certificate only in the unpriv store, and with an Orange certificate in the priv store.  SKT devices ship without any Mobile2Market certificates.  This means that when your unprivileged application is properly signed with a Mobile2Market certificate it will run on every device worldwide, except those sold by SKT.  Your privileged-mode application will run on all devices worldwide except those sold by Orange or SKT.

Q: What about previous releases of Windows Mobile?

A: Code signed through the Verisign program should run on devices dating back to the 2002 release. The Geotrust root is on devices starting at 2003SE. We're investigating a solution to allow end users to install the Geotrust root on devices so they can run these programs.


edit 12/28/05: broke into two sections, typos, added two new questions. Disabling comments for this post to reduce clutter - you can mail me directly to add new questions or comment.

edit 1/4/06: Comments back on after customer feedback. Comment to your heart's content. The offer to mail me is still open - you'll get a faster response that way.

edit 1/5/06: Added certificates section.

edit 4/12/06: linked to "what requires trust?" blog entry

edit 12/8/06: day-to-day development signing 

edit 3/15/07: added note about Geotrust cert and downlevel devices