A new report by Airscanner’s Seth Fogie available on msmobiles.com takes a look at how some Windows Mobile third party applications store passwords. And the report is not encouraging with multiple examples of passwords stored unencrypted in the registry or using weak encryption. Sadly, Windows Mobile developers have not yet been held up to the same scrutiny as desktop software developers. For instance, you may think your ‘encrypted’ or ‘secure’ data is safe on a Pocket PC because the vendor stated as much, when in reality the data is insecure.
The article looks at issues where passwords are stored in plain text, weak or flawed encryption algorithms, ineffective password protection schemes and miscellaneous information disclosure bugs. For each section, examples of 3rd party programs that are vulnerable are identified. The article wraps up with suggestions that you can implement to improve the security of your device and of the software you use.