HELP: Do WM5 and WM6 apps *have* to be signed? - Windows Mobile Development and Hacking General

Hi,
I asked this question over on another mobile phone forum and a user directed me here, so here goes:
Is it necessary for apps developed for Windows Mobile 5 and 6 (PPC) to be "signed" in any way in order to be installed and run? Similar to the way newer Symbian OS apps must be signed? Or can they just be developed and flat-out installed without any hassle or complication, the same way apps for regular desktop Windows PC's can be?
As a programmer/developer and also a Symbian user, I absolutely HATE the need for signing or certifying anything for it to be able to run. If it's not necessary on a laptop or desktop, it shouldn't be necessary on a phone. I am considering switching over from Symbian to WM6, but ONLY if the platform is completely free of the need for anything resembling certificates and signing.
At the very least, is there the option for the end WM6/5 user to easily change a setting within the OS so as to allow the full installation of non-signed apps? I'd settle for that. With Symbian, both developers and users are completely imprisoned by certificates and cannot do anything without the permission of the OS fascists.
Thanks for any help on this..

on WM5 default, when you try and uninstall something unsigned, you just have to tap the "yes" button to run the application, after that it remembers it for that app.
so basically for my setup (wm5/wm6) i can run anything, signed or unsigned. And there is a fix somewhere to disable the notification warning
hope that helps
and
come to the light side
Pocket PC's for the win

Thanks for your reply.. it's certainly encouraging to hear that WM5/6 is not restricted by the absolute necessity for signed certificates like Symbian is. As a programmer I completely refuse to bother developing software for a platform that handcuffs both developer and end user so mercilessly. If I can write programs in Visual Basic that will compile to an EXE and run hassle-free on any Windows PC, I don't see why I should have any less freedom when writing programs for a mobile device.
SymbianSigned and its locked OS is a deal-breaker for me. In looking through this forum though, it seems that there are in fact some components of WM that absolutely must be signed to be installed? Like skins for example? Are there any other components that fall into that category?

Still hoping to get a definitive answer on what components of WM require mandatory signing and which ones are totally non-restrictive optional. So far my understanding is that under no circumstances do any applications ever have to be signed in order to be installed and run, no matter what kind of advanced access and functions they involve. Correct? Whereas fully integrated keyboard skins do need to be signed, for some reason. Correct?
Any other categories not covered above that do or don't require signing?
Thanks!

As far as I know the worst case scenario for signing is that you must also install your own cert. All that happens when you do this is again a warning.
As for the merits of the whole signing thing. Although I agree symbian goes too far, I think some kind of signing procedure, that is more robust should be required for windows mobile.
My preferred solution would be to have restricted functions that on install warn the user of exactly what capabilities the SW has, and allows the user to allow or restrict certain capabilities.
Simply an I trust this or that is useless as everyone ends up trusting everything as you have little choice. But given that it is easy to write SW using the RIL functions that completely unknown to the user can call expensive pay lines, download ridiculous amounts of data over gprs, or even send me personal information from your device, some security should definitely be required.
The truth is because of the ability to make expensive phone calls directly to people who will have direct financial benefit, I would argue security for a phone is at least if not more important than on the PC.
my 2 cents

WM5/WM6 editions for touch-screen devices generally come with "relaxed" security which means that third party apps don't have to be signed to execute once somebody answers yes to a first-time warning dialog box. ROM cookers here generally relax this requirement even more by setting a registry value HKLM\Security\Policies\Policies\0000101A to a 1. This disables the first-time warning message also.
However, services and device drivers generally need to be signed because they are executed before these relaxed settings take effect. Application developers generally can work around this too by starting the service/device driver themselves with a little program placed in \windows\startup
WM6/WM5 editions for devices without touch-screens generally have a higher security setting that disallows execution of any application unless it is signed.

Unsigned applications - how to ? - and what's the point ?

I have a SD card with lots of software, most programs usually run without installation, shortcuts were copied from my QTEK9090 to this device (QTEK9000).
Some programs cannot be started, they complain about certificates..
Most others do - except for these that won't work in WM5
What's the point with this behavior anyway ?
I searched this forum, but did not find any real answers.
In terms of what's the point:
http://msdn.microsoft.com/library/d...conapplicationsecurityonmobiledevicesozup.asp
Basically to prevent you running applications not permitted by your phone operator, in case you try to screw up their network or they have otherwise locked down your phone to get cash/inconvenience out of you.
You need to disable various security policies. Try searching for BeyondTheTech's posts. He's always got goodies for children that come to play with his puppies.
V
so .. it is basically no drawback to disable this "feature" completely ?
Oh: well, it depends how much you trust your 3rd party software, and whether you trust your operator more than you trust yourself.
If your operator application-locks your phone, and you can unlock it, use your own judgement if the software you run is safe.
V

Is there an Administrator account in WM5?

I noticed that in the \windows\profiles folder where IE stores its data everything is in the folder "guest". This leads me to the question if there are different accounts in WM5 like in grown-up Windows, or does this "guest" folder have no deeper meaning?
Maybe if there was a possibility to log into WM5 as Administrator that would open more possibilities to modify the device? If administrator privileges would bring any advantages, that is.
Plus of course I don't like the feeling being logged in only as a "guest"
WM5 (and Win CE) isn't a Multiuser OS, so i think there is no Admin Account. Btw, the one and only user has all possible privileges
you have to press ctrl+alt+del+win+$+esc to log off first.
Hmm... I was also thinking about things like for example that the device doesn't show me hidden system files, and I'm not allowed to change/copy/delete some system files at all. I see that there are two different approaches to higher privileges, one on the software side - I guess there are third party applications that allow operations such as I mentioned, I just haven't tried any yet - and one on the user side, which I'm interested in now. It would have been nice if there was a "Administrator"-mode implemented directly in WM5, to have direct access to such privileged operations without having to use third party applications...
I'm not logged in as Guest on my Uni, I searched the registry for "guest" and changed the username to PReDiToR, and cache folders to \profiles\PReDiToR\...
This makes my Uni feel more like home. Cookies and other settings come up with the right username.
As always, this hack does require 4 registry key edits, if you don't feel comfortable editing your registry please don't risk it.
Ha! Good suggestion; makes me feel better A symbolic one, but it is a step towards taking over total control over the device
I think there is a 3rd party software called as Pocket Multiowner..which may allow the above...
FreewarePPC has v1.3, the main site InfoSoftSys seems to be down right now.
Useful to some? How many of us share our Unis though? lol

G1 Rant & Rave

hello all and congrats on the new forum
the android in its current state is quite a poor business phone compared to winmo6.1 for a few reasons. can you all chip in in identifying the areas of weakness just to help out developers who want to do something about it
ill start by mentioning the obvious things to me
1. no exchange mail support with search server and html mail(maybe a roadsync port is needed)
2. no mention of vpn support
3. the join domain feature of wm6.1 was kinda useful to some
4. the only platform that can access our eap-tls network in wm5/6.
5. not sure its a big thing, but maybe a basic firewall is needed.
6. an option less integration with gmail (not good for corporations who have security concerns)
7. reader/editor for office 2k7 documents
8. remote desktop (windows, osX, linux)
9. maybe bundling all the buisness features as a single software pack (that does not need to be included with all sold phones if not many people are intrested) this will simplify development and updates.
10. out of box wirless 3g/edge modem or something similar to WiFiRouter.
that's what i can think of for now. feel free to repost this in a more visible android forum
well then don't get it
whats with the hostility. I'm just trying to make android a more attractive platform by highlighting its business shortcomings.
if we can get developers interested in developing these kind of apps early in its life to make it more corporate friendly it would be great.
taking care of business and core features are far more important than cool 'n' pointless apps that the iphone seems to be handling pretty well.
more stuff:
8. remote desktop (windows, osX, linux)
9. maybe bundling all the business features as a single software pack (that does not need to be included with all sold phones if not many people are interested) this will simplify development and updates.
10. out of box wireless 3g/edge modem or something similar to WiFiRouter.
since it's linux I have no doubt that most of your worries will be addressed. I know Linux has a remote desktop app but the question is will the android run non-java apps? Will it have GCC and some libs? Can we download GCC and some libs to our microSDHC cards? Will SSH work? Will the android GUI have X11-like network support? I am not much of a programmer but if the android has gcc and libs I will be doing some compiling of linux apps.
dagentooboy said:
since it's linux I have no doubt that most of your worries will be addressed. I know Linux has a remote desktop app but the question is will the android run non-java apps? Will it have GCC and some libs? Can we download GCC and some libs to our microSDHC cards? Will SSH work? Will the android GUI have X11-like network support? I am not much of a programmer but if the android has gcc and libs I will be doing some compiling of linux apps.
I'm about 95% certain that all apps run inside android's java environment. Therefore any existing opensource application would have to be ported over to the specifications of android's java language.
Android as an operating system is just a linux executable binary. Think of it like X server. Android is just a GUI, but as of now everything that runs in that GUI has to be specifically written for android.
It may be possible to run separate tty sessions... and that could allow you to run some sort of server in the background behind android that you could access from inside of android via a web browser (http://127.0.0.1 aka localhost style)
mburris said:
I'm about 95% certain that all apps run inside android's java environment. Therefore any existing opensource application would have to be ported over to the specifications of android's java language.
Android as an operating system is just a linux executable binary. Think of it like X server. Android is just a GUI, but as of now everything that runs in that GUI has to be specifically written for android.
It may be possible to run separate tty sessions... and that could allow you to run some sort of server in the background behind android that you could access from inside of android via a web browser (http://127.0.0.1 aka localhost style)
yeah... that's what I thought. I was hoping that wasn't the case.... I can dream right? Maybe it will be like the Zaurus all over again and we can write an X11 environment for it.
Nr. 1, the Exchange feature was mentioned at the launch, and the official answer was "we expect developers to provide applications for that". I think that also applies to the VPN part; since it's that open and that linux-ish, there will probably be lots of VPN/VNC/RDP/SSH clients available.
3 and 4, I don't even know what they are. Stuck in a Windows-based environment, with closed specs ? tough luck. That's vendor lock-in, you know.
5 - a firewall ? what for ? Your device won't be permanently connected, and you probably won't have lots of apps listening on your phone. Anyway, a filtering module will probably appear pretty soon. I'd be more worried about installed apps making hidden outgoing connections (apps calling home, or malicious apps), therefore a good app to have would be something similar to LittleSnitch.
6 - Google has service offerings for businesses, so you either choose to use their services, or you don't. If you don't like it, you shouldn't use this phone I guess
7 - the feature will appear for sure, at least the viewer part. Not hoping of a OpenOffice port for Android, though.
This phone actually doesn't look like it was built for business use, though; just take a look at the apps who won the contest, all of them are focused on fun, socializing, location-awareness and stuff that's useful to people, not business users.
Hmm, to follow up on the Office part:
http://www.informationweek.com/news/personal_tech/smartphones/showArticle.jhtml?articleID=210604042
"We expect it to be more for the consumer, not necessarily for enterprises," says Cole Brodman, chief technology and innovation officer at T-Mobile USA.
The 4.6-by-2.1-by-0.6-inch handset, which will go on sale in the United States on Oct. 22, will let users view Word and Excel documents as well as PDFs.
a few points:
a*you didnt coment on 8-10
b*the exchange feature needs licencing from mirosoft. i doubt the development comunity can do that. unless some genius cracks the airsync protocol
c*if you are on gprs/edge/3g then the phone is Always connected to the network. that why we have things like pushmail.
d*eap-tls is the most secure type of wirless access. and it uses certificates on both the server and client. the client normally needs to be part of the domain to be able to accept the certificate
e*almost all corporations are locked down to windows. its very imortant that buisness phones integrates very well with them if it were to be considered a buisness phones
f*dont you agree that having a buisness friendly is important for the sucess of any phone platform?
g* do you think that the lack of stylus or (resistive lcd) will hinder its ability to do remote desktop? the track ball thingy enough?
Most of the above points (1, 2, 3, 4, 7, 9) will most likely be addressed by developers and sysadmins in good time. In the case of Exchange, even if the platform is opensource, it doesn't mean that a 3rd party company can't license the technology to provide a solution. It might not be pretty (at first), but I wouldn't say it's impossible.
5. It depends on what specific vulnerabilities you're concerned about, whether on the app/run level or somewhere in the core Android stack. In general I doubt there's any issue that doesn't already exist on other mobile OSes, and given their respective solutions, the same is possible here. But if you have a specific concern in mind it would help to point it out.
6, 9. Google is certainly pushing its suite of apps and for good reason (because a lot of consumers use them), but given the open nature of the platform nothing is cemented in place. So while the G1 comes setup for use with gmail/gcal/maps/etc, there's nothing that says a sysadmin can't strip and replace. Moreover, the G1 isn't being pushed as an enterprise device in the first place; there's every possibility that carriers could release other handset models later, preloaded with more business-centric software packages (and less Google apps), and are simply holding off during Android's initial launch. If you think about it, Android has a much better chance of having a strong launch on the consumer front than on the enterprise front. Take care of the former first, then the latter has a better chance of long-term success.
8, g. Same as above, but Google is also pushing the cloud which could lessen the need for VNC/RDP/etc. Sysadmins will have their doubts about security in Google's cloud, but there's nothing that says they can't first observe the model and then later implement their own solution.
10. Not as much of an issue with the software as it is with the carrier. T-mobile isn't just launching Android, it's also launching its 3G network. Providing tethering out-of-the-box could seriously cripple the network in its infancy, and that's the last thing the US 3G market needs. Face it, we need good competition to force carriers to pick up the pace, and in time we could see some competing tethering plans between AT&T, T-mobile, et al.
Some thoughts in general:
Businesses may currently be invested in Windows Mobile for their mobile solutions, but the point isn't to take Android and simply turn it into WinMo -- that would be a wasted opportunity. WinMo users are effectively tied to their PC in one way or another (sync, RDP, svn, tether, etc). Android has the chance to push the cloud (among other innovative models), so that users are no longer dependent on existing workflows. The handset would become just a terminal for accessing the cloud, and transition between terminals would be completely transparent (Android on a phone? How about a netbook?). Not that I expect Android to overtake WinMo (or BES et al), but it gives companies more solutions that better fit their individual needs, and helps MS, RIM, etc start evolving the existing systems that are frankly getting dated.
thanks that was quite insightful
i would like to point out that a big portion (probably the biggest) of the android users only bought the G1 phone because of its great value. think about it the unlocked $399 G1 has more features than the $700 touch diamond. most of these people couldn't care less about what google have in mind for the platform. all they want is for their phone to do certain tasks (like exchange email) a lot of the other google-pushed tasks will probably be unused
I think for you personally, the #1 most important feature the G1 >>needs<< to have is spellcheck
fatso485 said:
...hostiliy...hilighting...buisness...intrested..
t mobile is a poor businesses Carrier
most of the big business i have seen use at&t
once tmobile 3g network become more mature they might get some more of the business market. but until they iron out the wrinkles in their new 3g network don't expect anything from tmobile. i don't think you want something like the iphone bill happening to all you business customers.
this is the first step tmobile has taken towards 3g in the US
i am sure there will be some stumbles.
I'm not 100% sure, but I think the Active Sync protocol needed for Exchange support is free to use from Microsoft. I see a LOT of it in many 3rd party email servers and applications. Many of which are in direct competition with Microsoft. So I think we can assume that Active Sync is very doable on the Android platform. Only needs a developer to do something about it.
Active Sync is my main concern too. Once that's in place, then some way to tether I'm getting me an Android phone quickly.
All the other concerns are too easy to fix either already or very soon, so the 2 problems I mentioned are the only show stoppers for me.
There currently isn't even a foolproof activesync drop-in replacement for Linux desktop distros. There's multisync and synCE, but they're both hard to install, hard to configure, and far from perfect in their implementation. As for getting it working under Android, like everything else, it's probably a wait-and-see situation. Most software for Linux isn't written in Java (which Android prefers/requires?) It'll be interesting to see if a java implementation of activesync software could happen.
does any1 know if the g1 has an on screen keyboard
haitiankid4lyf said:
does any1 know if the g1 has an on screen keyboard
Currently, no. The demo and preview vids show that you need to open the hardware keyboard in order to type (except for the phone dialer). But I'm sure SIPs will show up pretty quickly.
fhsieh said:
Currently, no. The demo and preview vids show that you need to open the hardware keyboard in order to type (except for the phone dialer). But I'm sure SIPs will show up pretty quickly.
Yeah, I hope they change that. When I had the Fuze I never liked pulling out the keyboard unless I have to type something long, an email or a long text or whatever. For normal web browsing, entering 1 URL, it's not worth it to slide it open, type and close it again.
my biggest concern is an appointment calendar. I'm so reliant on my appointment calendar on my Kaiser... I wouldn't know what to do without it. Also, a way to sync files would be great. maybe the phone will be integrated with Google Docs? That would be SUPERB! I take notes in my college classes using Office Mobile, but if Android syncs with Google Docs... good lawd.. goodbye to WinMo!
bigdookie said:
my biggest concern is an appointment calendar. I'm so reliant on my appointment calendar on my Kaiser... I wouldn't know what to do without it. Also, a way to sync files would be great. maybe the phone will be integrated with Google Docs? That would be SUPERB! I take notes in my college classes using Office Mobile, but if Android syncs with Google Docs... good lawd.. goodbye to WinMo!
Here's a video showing how well it syncs everything.
Say goodbye, WinMo

[Q] Help disabling features on Windows Mobile 6.5 Professional

I am using a phone that has a Windows 6.5 operating system on it.
I wish to disable all the features on my phone other than GPRS connectivity, Wifi connectivity and Camera features, i.e. I shouldn't be able to make or receive calls, text anyone, play games, or use any other default feature.
Either it must be completely disabled or I should be able to give some kind of password protection to these features.
Please help me at the earliest, I require it for a project completion, and I am not able to figure out how this can be done.
Thank You in advance
I don't know whether this is the right place to post as I am a new user, so I am extremely sorry if I have made a mistake.
You should get a SIM card that only supports data access for your project. This will prevent any circuit switched (i.e. voice) features and linked services like SMS. There are also options to activate call barring features for a normal SIM (so you can steer what is allowed or not) - but this is then again part of the SIM card subscription (and can be used on any phone likewise).
There are no default options which could cripple your device in such way as you have asked for.
How to make changes in security policy of Windows Mobile 6.5 Professional?
i was browsing through the net and i found this matter:
4102
Unsigned Applications Policy
SECPOLICY_UNSIGNEDAPPS
This setting indicates whether unsigned applications are allowed to run on Windows Mobile devices. If a signed application does not have a matching root certificate in the Privileged Execution Trust Authorities or the Unprivileged Execution Trust Authorities certificate store, the application is unsigned.
You should always use SECPOLICY_UNSIGNEDCABS together with SECPOLICY_UNSIGNEDAPPS policy. This means that when you block unsigned applications from running, you should also block unsigned cab files from getting installed on the device.
Default value is 1 for Windows Mobile.
The following list shows the possible values:
0 indicates that unsigned applications are not allowed to run on the device.
1 indicates that unsigned applications are allowed to run on the device.
Any value other than 1 is treated as 0.
The required role to modify this policy is SECROLE_MANAGER.
I think this will help me as I can make the applications that I don't need unsigned applications and then make it 0, which will serve my purpose... but I have no clue how to make these changes in my mobile.
Can you please help me with this?
The solution that is given won't work for me because if anyone changes the SIM then the settings I require will change, and thus the solution is not foolproof. I also don't know if I will get any SIM that only offers data transfer.
thank you for the quick reply and i am expecting the same in future too!!
Thanks in advance
Regards,
Sneha
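An added example, not part of the thread and not Microsoft's code: a Python audit of a registry dump of HKLM\Security\Policies\Policies that applies the rules quoted in the post above (only 1 means "allowed", default 1, block unsigned CABs together with unsigned apps). It assumes the registry value names are the policy IDs in 8-digit hex (4102 is 00001006, and the 0000101A value mentioned earlier on this page is 4122), takes 4101 as the ID of SECPOLICY_UNSIGNEDCABS, and uses a constructed .reg-style dump.

```python
"""Audit a dump of HKLM\\Security\\Policies\\Policies (added example)."""
import re

UNSIGNED_CABS = 4101       # assumed ID for SECPOLICY_UNSIGNEDCABS (not on the page)
UNSIGNED_APPS = 4102       # SECPOLICY_UNSIGNEDAPPS, from the quoted text
UNSIGNED_PROMPT = 0x101A   # value name 0000101A from earlier on the page (4122)

# Constructed sample in .reg export style; not taken from a real device.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001005"=dword:00000001
"00001006"=dword:00000000
"0000101a"=dword:00000001
'''

LINE_RE = re.compile(r'^"([0-9A-Fa-f]{8})"=dword:([0-9A-Fa-f]{1,8})$')


def value_name(policy_id):
    """Registry value name for a decimal policy ID (8 hex digits)."""
    return f"{policy_id:08X}"


def parse_dump(text):
    """Return {policy_id: dword_value} for every value line in the dump."""
    policies = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            policies[int(match.group(1), 16)] = int(match.group(2), 16)
    return policies


def audit(policies):
    """Return a list of (code, message) findings for the signing policies."""
    findings = []

    # Quoted text: default is 1, and any value other than 1 is treated as 0.
    apps_raw = policies.get(UNSIGNED_APPS, 1)
    apps_allowed = apps_raw == 1
    if apps_raw not in (0, 1):
        findings.append((
            "NONSTANDARD_VALUE",
            f"{value_name(UNSIGNED_APPS)} is {apps_raw}; treated as 0 (blocked)",
        ))

    # Quoted text: when unsigned apps are blocked, unsigned CABs should be too.
    if not apps_allowed and policies.get(UNSIGNED_CABS) == 1:
        findings.append((
            "CABS_APPS_MISMATCH",
            "unsigned apps are blocked but unsigned CAB installs are allowed",
        ))

    # Earlier post: setting 0000101A to 1 removes the first-run warning.
    if apps_allowed and policies.get(UNSIGNED_PROMPT) == 1:
        findings.append((
            "SILENT_UNSIGNED",
            "unsigned apps run with the first-time warning disabled",
        ))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_dump(SAMPLE_DUMP)):
        print(f"{code}: {message}")
```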
Let me write you this last reply to your query, please do not expect any further from my side.
This forum deals with understanding restrictions and enabling previously hidden or restricted functions mainly - learning from each other's experience.
The subforum you have chosen (chef central) deals with understanding how the Operating System is constructed from packages and how these can be recombined to new (cooked) ROMs.
There is no intention to cripple the existing functions of the operating system itself or to restrict the Radio part of it in any way.
You may think that the snippet you took from a MSDN page delivers something you could use for your purpose (which you have not outlined) without understanding the security concept of Windows Mobile. This is quite complex and often (for simplicity) simply disabled completely on several levels - so no security either for whatever you want to do.
The existing packages of the OS do not have separate components that you could omit to disable your desired functions.
Even if so, these core packages of the OS are usually delivered as modules (another special concept of Windows CE/Mobile) that do not need any security or signing - so they run anyway without restrictions.
So finally good luck with whatever you want to do, but I believe that you cannot achieve this with a crippled Windows Mobile - at least not fool proof.
Hello Sneha,
Welcome to the forums.
Unsigned Applications Policy is totally different than what you are looking for. More info here. When enabled, you will be allowed to install or run unsigned aka untrusted apps.
But the inside apps or features are already signed so you cannot stop them from running by enabling or disabling Unsigned Applications Policy.
The real thing you need is to make a custom ROM, remove all the unnecessary things and flash it to your device(s). That means you should change/modify the built in OS (in a simple word) but you cannot do within the device
However, it's not a day, week or even a month task. It takes many months to learn things and then you can finally do it. I'm 99% sure that all of your needs can be fully filled but :
1. Takes many months to learn.
2. You need to get the stock ROM, Modify and flash to the device.
BTW; which device you really have?
Thanks...
Best Regards
Closed environment is something that should be done in bsp: kernel to be precise. Also it is possible via custom certmod.dll.
BUT. Little problems:
1) no bsp sources unless you're OEM
2) no certmod.dll sources.
Please look at the initial request on the restriction of radio features. This is handled in the radio layer and this cannot be cut in pieces. So there are no components to sign/restrict/omit for that query.
Cooking can do a lot, but it does not go inside one component.
Cutting all other things may be feasible - but not for radio relevant parts imho.
tobbbie said:
Please look at the initial request on the restriction of radio features. This is handled in the radio layer and this cannot be cut in pieces. So there are no components to sign/restrict/omit for that query.
Cooking can do a lot, but it does not go inside one component.
Cutting all other things may be feasible - but not for radio relevant parts imho.
Of course it's a lot of work but it's possible. Within the OS functions. Radio thing is just for input and output but the way it's handled is under OS itself. Am I right or wrong? Think of removing packages depending to what you don't want.
i.e to disable messaging, Remove all things which are related to it. I'm sure you know it.
Though it's a plenty of work and have to be expert so not messing around things.
ultrashot is right but if we had the source, every thing would have been different and even easy.
Radio is special and never dealt with in cooking. The Radio lower layers are treated with code in a dedicated partition (GSM) and accessed via an interface Layer (RIL = Radio Interface Layer) from the OS.
On top of that are applications like messaging or MMS - these can be cut.
I see no option to prevent e.g. only speech calls but allow data calls. On RIL level these are just different GSMBCIE elements (look up the relevant 3gpp specs). Of course you could find dirty ways to cut off e.g. the GSM speech codecs, but this would possibly not prevent to set up a call - creating cost but not having success when connected.
Tweaking these parts has not been of anyone's interest and thus "in theory" possible but hardly practically feasible.
How can i make changes on the OS?
Thanx a lot Cracing for the positive advice. I was planning to consult the OEM to make changes in the security policies.
I am working with the Synqe device. My main aim is barcode scanning and sending the data via GPRS or Wifi, and at the same time I want that all other connectivities and applications are to be deactivated.
Moreover I wish to restrict the usage of GPRS strictly for my application.
As you mentioned that I will have to make changes in the OS, will the OEM be able to do that for me or should I consult a good Mobile OS developer?
sneha6689 said:
Thanx a lot Cracing for the positive advice. I was planning to consult the OEM to make changes in the security policies.
I am working with the Synqe device. My main aim is barcode scanning and sending the data via GPRS or Wifi, and at the same time I want that all other connectivities and applications are to be deactivated.
Moreover I wish to restrict the usage of GPRS strictly for my application.
As you mentioned that I will have to make changes in the OS, will the OEM be able to do that for me or should I consult a good Mobile OS developer?
I see
Going with OEM should be better idea. They have the sources to do anything. It's not so easy for 3rd party Mobile OS developers (i.e here ). Need things and takes long enough to R&D and finish the project.
Hope you will find a good solution for your project soon.
Thanks...
Best Regards

Allow 512Bit Certificates

Hello,
I have been searching high and low for a way to force my shiny new HTC 8x to accept a 512-bit Self-Signed Certificate. Our work email server is Lotus/IBM Domino. We have an EAS server (Notes Traveler) set up for our portable devices. Microsoft is the only OS that forces 1024-bit or greater certs. As a result, I cannot connect to our EAS server.
More info can be found at support.microsoft.com/kb/2661254?wa=wsignin1.0
Through all the research I have been doing, I think it is possible to do this, since you can make it work with Windows 8 by doing one of two things:
1. Add following in the registry:
reg add "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config" /v minRSAPubKeyBitLength /t REG_DWORD /d 0x00000200 /f
2. Use the built-in certutil to modify the registry:
certutil -setreg chain\minRSAPubKeyBitLength 512
Any thoughts on how I can do this with Windows Phone 8? I am in the process of developer-unlocking my device. I just need to wait for the SDK to finish installing into my VM.
As far as I know, there's no way to edit the registry with developer unlock.
You need more elevated privileges (Interop Unlock) and, at this moment, there's no way to obtain that on Windows Phone 8.
I know this isn't the response you are looking for, but recommend to your company to update their SSL certificate to 1024 or 2048 bits. The reason your phone won't support the 512 bit certificate is simply because it is not secure, which Microsoft finally stopped allowing last year..
Since your company is using a self-signed certificate, it should only take them a few minutes to create and install a new one that modern operating systems would support.
klamation said:
I know this isn't the response you are looking for, but recommend to your company to update their SSL certificate to 1024 or 2048 bits. The reason your phone won't support the 512 bit certificate is simply because it is not secure, which Microsoft finally stopped allowing last year..
Since your company is using a self-signed certificate, it should only take them a few minutes to create and install a new one that modern operating systems would support.
My IT department was surprisingly open to this, once they realized all the Windows PCs couldn't log into the web interface anymore. It might take a couple of weeks/months of planning to put it into their maintenance cycle, though. Oh the joys of working for a large corporation!
Something else I discovered earlier:
In order to write Windows Phone apps, you need the Windows Phone 8 SDK. To Install the Windows Phone 8 SDK, you need Windows 8. When I have time to set up another DEV box with Windows 8 on it, I might revisit this.
Any thoughts on how the OEM apps always seem to get "enhanced" access? (The HTC Carrier Settings tool, for example). I haven't used Windows Phone since 6.0. Back then, we could do ANYTHING! lol
I didn't even notice the Win8 requirement for the SDK, since I was anxious to upgrade to Win8 once it came out. Hmm. But, I think you could use the older 7.x SDK on older versions of Windows, if you want to get used to dev for Windows Phone (as WP7 Apps should still work on WP8).
About why the OEM can do special things to the device, I think it's a simple matter of, they have the OS code, so they can modify it or access things we can't.
OEM Apps are given additional permissions. They request these using some entries in the App-manifest but even if we were able to set these the system would reject their deployment unless they had a proper certificate. It has been that way on WP7 as well.
As for developing on Win7 and deploying to a WP8 device: it won't work. You can run WP7 Apps on WP8 devices but the deployment tools of the WP7 SDK can't handle WP8 devices. So to deploy anything onto a WP8 device you need the WP8 SDK which in turn requires Windows 8 Pro.
