All About "Application Locked"


I have been working on this post slowly for several days, but Reed and Steve are seriously kicking my butt on posting solid developer-focused technical security content. Read their blog – they covered a lot of this material sooner and better than I did.


Some non-touchscreen Windows Mobile devices ship with a set of security policies that prevents developers from adding their own codesigning certificates. I don’t know of any touchscreen devices that ship like that – it’s possible to configure those devices to be locked down, but none ship like that by default as far as I know. For some of these devices, it’s possible to tweak the security policies via supported methods so you can install development certs, debug, and develop privileged applications. Internally we call this “the user is manager”, meaning that the user has the ability to freely modify any software setting on the phone. In this post I’ll describe how to figure out the security policies on your device and how to figure out if you are “application locked” or not.


For this post I’ll assume that the end goal is to get the SDK certificates (sdkcerts.cab) installed on the phone. Once you’ve done that, you can run the remote registry editor from the SDK, develop and sign your own programs and do whatever you want.


Try This First


Let me get to the point first – I’d recommend two things, in order of likelihood of success:



  1. Use the Device Security Manager. It has a great facility for inspecting the security policies and cert stores of a connected device, and even has a menu option to install the SDK certs for you.

  2. Try installing the unsigned sdkcerts.cab on the device. There are a few cases where the Security Manager tool errs on the side of caution and tells you that you can’t install the certs, but they will really work via unsigned cab. I’ll describe this case below.

If either of those works, the SDK certs are installed and you can now develop, change security policies, do whatever you want.


Local security policies


There are several security policies that come into play here. To install the SDK certs you need the highest level of trust on the device (Manager).


Unsigned CAB policy: If this policy is set to 0, then unsigned CABs won’t install. The typical role is User Auth, which means the CABs will install but they have a similar set of privileges as code running at the Normal level. If this policy is set to Manager, then the unsigned CABs have all privileges, and you can use the unsigned cab technique to change any setting.


Two-tier security policy: If this is set to “One-tier” then CAB files and programs have the ability to change any setting on the device. Some smartphone devices ship in one-tier mode. Those phones are definitely not application locked – you can use the unsigned cab technique to apply any setting.


Grant Manager policy: This policy contains a list of roles that are elevated to manager. If this list contains “User Auth” then every action taken by the user has full administrative access. Installing the setup XML from a cab file counts as one of those actions, so if grant manager contains User Auth, you can again use the unsigned cab technique to change any setting.


RAPI security policy: I think it’s pretty uncommon for this policy to be open when the previous policies are locked down, but if this policy is set to Open (2) then all of the API calls over ActiveSync are processed as trusted/manager, so you’ll be able to change any setting or security policy using RAPI.
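The four policies above combine into a yes/no answer, so here is an added example (not code from this post, and not part of the Windows Mobile SDK) that applies the rules just described to a device’s policy ID/value pairs and reports whether the device is application locked and by which route Manager trust is reachable. The policy IDs (4097 RAPI, 4102 Unsigned CABs, 4119 Grant Manager, 4122 Privileged Applications, i.e. the tier), the role bit values (Manager = 8, User Auth = 16) and the one-tier/two-tier encoding are assumptions about the SDK’s definitions, not something the post states; the sample policy sets at the bottom are constructed.

```python
"""Decide whether a Windows Mobile device is "application locked" from its
local security policy values, following the rules described in the post.

Added example, not code from the post or from the Windows Mobile SDK.
Assumptions not stated on the page: the policy IDs are the standard
SecurityPolicy IDs (4097 RAPI, 4102 Unsigned CABs, 4119 Grant Manager,
4122 Privileged Applications / tier), the role bits follow the SDK's
SECROLE_* values (Manager = 8, User Auth = 16) and the tier policy encodes
one-tier as 1 and two-tier as 2.  All sample policy sets are constructed.
"""
from dataclasses import dataclass
from typing import Dict

# Policy IDs (assumed to be the standard Windows Mobile SecurityPolicy IDs).
POLICY_RAPI = 4097
POLICY_UNSIGNED_CABS = 4102
POLICY_GRANT_MANAGER = 4119
POLICY_PRIVILEGED_APPS = 4122

# Role bits (assumed SECROLE_* values) and policy value meanings.
SECROLE_MANAGER = 8
SECROLE_USER_AUTH = 16
RAPI_OPEN = 2        # the post: RAPI policy "Open (2)"
ONE_TIER = 1         # assumed encoding of the Privileged Applications policy
TWO_TIER = 2

ROLE_NAMES = {SECROLE_MANAGER: "Manager", SECROLE_USER_AUTH: "User Auth"}


def role_names(mask: int) -> str:
    """Render a role mask the way the Device Security Manager lists roles."""
    names = [name for bit, name in ROLE_NAMES.items() if mask & bit]
    unknown = mask & ~sum(ROLE_NAMES)
    if unknown:
        names.append(f"other roles 0x{unknown:x}")
    return ", ".join(names) if names else "none"


@dataclass
class LockState:
    application_locked: bool
    route: str                      # how Manager trust is reachable ("" if it is not)
    reason: str
    security_manager_may_report_locked: bool = False


def classify(policies: Dict[int, int]) -> LockState:
    """Apply the post's rules in order; any one open route reaches Manager
    trust, which is what installing the SDK certs requires."""
    rapi = policies.get(POLICY_RAPI, 0)
    unsigned_cabs = policies.get(POLICY_UNSIGNED_CABS, 0)
    grant_manager = policies.get(POLICY_GRANT_MANAGER, 0)
    tier = policies.get(POLICY_PRIVILEGED_APPS, TWO_TIER)

    # RAPI policy Open: every ActiveSync API call is processed as Manager.
    if rapi == RAPI_OPEN:
        return LockState(False, "rapi",
                         "RAPI policy is Open (2); settings can be changed over ActiveSync")

    # One-tier: CABs and programs can already change any setting.
    if tier == ONE_TIER:
        return LockState(False, "one_tier",
                         "device runs in one-tier mode; any CAB or program has full privilege")

    # The Unsigned CAB policy decides whether the unsigned-cab technique exists at all.
    if unsigned_cabs & SECROLE_MANAGER:
        return LockState(False, "unsigned_cab_manager",
                         "unsigned CABs install with Manager privilege")
    if unsigned_cabs == 0:
        return LockState(True, "", "unsigned CABs will not install at all")

    # Unsigned CABs install as User Auth; Grant Manager may elevate that role.
    if unsigned_cabs & SECROLE_USER_AUTH and grant_manager & SECROLE_USER_AUTH:
        return LockState(False, "unsigned_cab_grant_manager",
                         f"Grant Manager elevates {role_names(grant_manager)} to Manager, "
                         "so an unsigned CAB installs with full privilege after the prompt",
                         security_manager_may_report_locked=True)

    return LockState(True, "",
                     f"two-tier device: unsigned CABs install only as {role_names(unsigned_cabs)}, "
                     f"Grant Manager holds {role_names(grant_manager)}")


# Constructed sample policy sets (not read from any real device).
LOCKED_STANDARD = {POLICY_RAPI: 1, POLICY_UNSIGNED_CABS: SECROLE_USER_AUTH,
                   POLICY_GRANT_MANAGER: 0, POLICY_PRIVILEGED_APPS: TWO_TIER}
GRANT_MANAGER_USER_AUTH = {**LOCKED_STANDARD, POLICY_GRANT_MANAGER: SECROLE_USER_AUTH}
RAPI_OPEN_DEVICE = {**LOCKED_STANDARD, POLICY_RAPI: RAPI_OPEN}

if __name__ == "__main__":
    for label, p in [("default Standard", LOCKED_STANDARD),
                     ("Grant Manager = User Auth", GRANT_MANAGER_USER_AUTH),
                     ("RAPI open", RAPI_OPEN_DEVICE)]:
        s = classify(p)
        print(f"{label}: locked={s.application_locked} route={s.route or '-'}; {s.reason}")
```

Feed it the values the Device Security Manager shows for a connected phone. The `security_manager_may_report_locked` flag marks the Grant Manager case described below, where the tool errs on the side of caution even though an unsigned CAB copied to the device installs with full privilege.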


Inspecting security policies with the Device Security Manager



Here’s the default configuration for a Windows Mobile “Standard” non-touch-screen device. All of the security policies mentioned above are in their restricted state. You won’t be able to install the SDK certs onto a phone like this. It is possible to run unsigned untrusted code, so you can write some classes of apps, but the development and debugging experience is not great. The Device Security Manager will tell you that it can’t install the SDK certs on a device like this. This is typically what most people mean when they say “Application Locked”.

Here’s another possible configuration. On this phone, the Grant Manager policy is set to “User Auth”. This means that an unsigned cab will install with full privilege, after the prompt. The Device Security Manager still thinks this phone is locked down, so you’ll need to install the unsigned cab by hand.

For a default Windows Mobile 6 SDK install, the SDKCerts cab is located at “C:\Program Files\Windows Mobile 6 SDK\Tools\Security\SDK Development Certificates\Certs.cab”. Copy this CAB to a device configured like the above, and it will successfully install. Once the SDK certs are installed, you can write your own programs and use all the development tools that ship with the SDK.

Comments (12)

  1. shawn says:

    so short of using the unlocking app that is floating around, how do you remove the app lock?

  2. scyost says:

    If the device is configured like the "locked" state again then that was the choice of the mobile operator or OEM. If there were a way to circumvent the policy I wouldn’t be able to discuss it here anyway.

  3. Charyo Chokro says:

    There is a debate going on in several fora on whether WM5 can be upgraded to WM6 on Motorola Q phones: http://www.everythingq.com/forum/software/upgrading-wm-5-wm-6-moto-q-8031.html#post50941

    Can you guys comment anonymously if such an upgrade is doable?

  4. scyost says:

    Sorry, that paragraph refers to the location of the CAB when you have installed the SDK on a desktop machine. It has nothing to do with an install of a new operating system on the device.

  5. Juan Felipe Rincon says:

    Scott,

    Here’s one piece of advice, having come from the operator part of the universe of WinMobile — I was doing developer relations for a US operator when we launched a SmartPhone built on WinMobile 2003. The company got two different messages from Microsoft: from the folks managing the product side of WinMobile, the general recommendation on locking/unlocking the phone tended to go to the "lock it down, be concerned about rogue applications, someone could issue a DOS attack and bring you down" FUD and bugaboo route. The message from MSDN folks was "unlock it, unlock it, make it easy for developers" at some points or "Mobile 2 Market is how developers need to be going, so lock it down" at some others.

    It was hard to argue for a sane approach to application security inside the company with that kind of multimessage/complexity from Microsoft. So, when the phone got to market, it was as locked down as SmartPhone could be because it really was the one requiring the least amount of thinking.

    The net result was that many people who bought apps for their phone would get the "locked" message and ask us how to unlock it (I remember seeing a developer support ticket from someone who was begging us to unlock it for her: "I just want to install my Bible on it"). Fortunately, the operator launched a remote unlock client to make it possible for someone in developer relations to take mercy on the poor customer who bought a phone that was tighter than Fort Knox — and nowadays the group that used to take mercy on those poor souls is no longer doing open developer support, so that avenue is now closed permanently.

    I think that there’s a certain amount of work the MSDN and WinMobile product groups should do to make sure that the message for operators is consistent regarding the locking/unlocking choices, particularly for the two-tier or three-tier security strategies. Otherwise, you’ll continue finding yourself explaining this additionally complex multi-tiered schema in addition to explaining the multi-tiered levels of trust an application can have in addition to explaining the multi-tiered WM Platform definition (and how Microsoft Marketing decided to rename the new platform so that the terms you knew 2 years ago when you settled on the OS for the device are now not what people are talking about… it’s horrifying.

    I think part of the reason why the WM 5.0 PPC Phone Edition / WM 6.0 Professional edition devices have been so well received is because the platform doesn’t make it that easy for an operator to put an enormous padlock around the box and not notice the difficulties it creates really quickly.The two-tier security model works if the operator really understands that there needs to be a real way for customers to get applications; otherwise, it’s just bad for the platform and for the folks writing the software for it.

    Phew.

  6. Salman says:

    I used this to application unlock my SPV E650, but once I clicked provision it said your device is two-tier and to contact the mobile provider. I wish I had got the Vox instead of the SPV, as I’ve heard application unlock on that is a lot easier….

  7. Frida says:

    Hi.

    Can you help me please with a provisioning problem on Windows Mobile 6?

    I tried to send a NET setting to an HTC S710 and the phone can’t receive the setting. If I send the setting with RapiConfig, then the setting is saved correctly. If I sent this setting to my old HTC Excalibur, it worked fine.

    Do you know which security policy values I have to modify to be able to provision the phone under Windows Mobile 6? (I already modified the 4097, 4101, 4102, 4119, 4122, 4123 values but nothing changed 🙁 )

    Thx. Frida (fridahauler@vipmail.hu)

  8. Frida – you could connect your device to Visual Studio "Orcas" and open Device Security Manager (if you don’t have Visual Studio installed, you could use the powertoy available separately for download) and check what configuration your phone currently has.

    Using the same Device Security Manager, you can provision your phone to allow CABs to get installed.

    Aarthi

  9. eli says:

    How do I unlock the Wing? It’s asking for a password, but I found the phone. Please, someone help.

  10. bARB says:

    I found a Wing a couple of months ago and it is password protected. I just had a friend who now has a charger that works with it. How do I unlock the phone?

  11. With Windows Mobile 5.0 and Windows Mobile 6, a new security model was introduced (security

  12. jp says:

    I am very disappointed at you to choose this kind of security model. It makes things hard for consumers to get any application running on their phones and it’s actually just all about business and purchasing certificates that would allow the applications to run in the system.

    I have to say that I regret buying Windows Mobile. I wish I had known that when it comes to Microsoft it will never work.