Understanding Windows Mobile Application Security Policies

Execution of programs on Windows Mobile devices depends on the application signatures and their permission levels. Devices can be configured to the following security settings.

• • Security off

Unsigned applications are allowed to run without any prompt and they can access privileged APIs, or protected areas of the registry and file system.

• • One-tier prompt

The device prompts the user before executing unsigned applications. Once the user allows the execution, application has no restriction on permissions. This is usually safe if you trust the application developer or vendor.

• • Two-tier prompt

The device prompts the user before executing unsigned applications. If the user allows an unsigned application to execute, the application executes with normal permissions but cannot access privileged APIs, or protected areas of the registry and file system. Even the signed applications cannot access the privileged resources unless they are signed with a certificate in the privileged certificate store.

• • Mobile2Market locked

Only signed applications are allowed to execute. Unsigned applications don’t prompt the user when executed. Permissions given to signed applications depend on the certificate with which they were signed i.e. signed with certificate from the privileged certificate store or the normal certificate store.