A few weeks ago I wrote an article called “Windows Mobile 5.0 Snafu.” In that article I was talking about how Windows Mobile 5.0 did not “see” Multi User Interface (MUI) files if the “Security Prompt” feature of the OS was activated. At that moment I did not have enough information about what Microsoft did in WM 5.0, so I assumed that it was a bug. Today I know that, as usual, what seems to be a bug is in reality a new feature of this Operating System. Let me clarify something here: I still think that it’s a bug. Why? Because when you permit an application to run or install by answering YES to that prompt, that authorization should be passed to the MUI files needed by that “user authorized program.” But according to Microsoft, “On Smartphone 2002, MUI files did not require signing. With Smartphone 2003 and moving forward, MUI files need to be signed along with the other required binaries (EXE, DLLs, and CABs).” And this applies to Windows Mobile 5.0. When an application is signed, the OS will not ask you for authorization to run/install any application, since it's able to read that particular MUI file. If the application is not signed, the OS will ask you for authorization, but no matter what your answer is, the OS won't let the application read the MUI file, because that file is not signed.
MUI files are used to keep different sets of objects that can be retrieved during the load process of the application. That allows programmers to select the proper language to be used in the executable or to choose the proper configuration to be used according to conditions present in each individual device. The requirement of a signature in MUI files tells me that Microsoft thinks that MUI files could be used by viruses to attack mobile devices. So this requirement is understandable, but if you are allowing users to install applications that are not signed, you create a bigger risk compared to when you let users decide what to install or run on their devices. Therefore, it doesn't seem logical to authorize the executable and not authorize the MUI file.
But this is a minor problem considering that not too many programs use MUI files; yet for those that do, there are some ways around the issue that can be used by developers as long as “Microsoft Security Initiatives” are not implemented fully like they have been with Smartphone devices. Allow me to elaborate a bit on what I mean. Let’s take the Motorola i930 currently sold by Nextel in the USA. This phone is completely “application locked.” What does this mean? It means that its owners can’t install anything that has not been digitally signed by Nextel. To get an application signed by Nextel, the author has to submit that application for an approval and paid signature. The cost of the signature in the case of Nextel is unknown to me, but taking into consideration what other Microsoft partners ask, the amount could be within $300 to $2000 depending on how many times you are allowed to sign that same program. This explains why Nextel has signed only 18 applications so far and why i930 owners have started an Online Petition to decertify this Smartphone.
But why worry about something that is not closely affecting us yet? Well, to think in this way is completely wrong. We have seen how this “Security Initiative” affects MUI files, but I’m sure that many VGA device owners are looking for versions of ozVGA and SE_VGA to use in their new Windows Mobile 5.0 devices, not knowing that these two applications have been affected by almost the same issue.
In Windows Mobile 5.0, we are already aware that “only drivers signed with a privileged certificate (regardless of the device's security policy) can be loaded during the boot process.” Well, the DLLs used by ozVGA and SE_VGA were extracted from a QVGA ROM, and in the process of extracting these files they lost the so-called “privilege signature.” These DLLs contain the images for the majority of the buttons used in the OS, and if they cannot be seen/used by the OS because they are not signed, none of these images are seen/shown once users have applied all the changes needed to the OS to change the screen resolution using ozVGA and SE_VGA.
There are many people looking for a work-around but believe me, I have been looking for a solution to run Tweaks2K2 on Nextel's i930 since that phone was released to the market. Besides legally signing all files, there is no way to get around the problem. Do you think that the authors of SE_VGA and ozVGA will pay several hundred dollars to have their FREEWARE signed? Do you think that an application like Tweaks2K2 will be “approved” by Nextel?
I know that some users have found a way to use the DLLs with ozVGA. They have used a privileged certificate from the developer’s tools to sign the DLLs and then they have installed that developer’s certificate in the device where they want to use these DLLs. This means that from that moment, anything signed with that certificate will be able to function in any way needed. In other words, Microsoft has pushed users to fully open their devices to any attacker.
Now my main question to Microsoft is: How good of a security system is it that pushes users to do things like this? Is this system really for the benefit of the user, or just another way to make money?






