Windows Mobile, and secrets…..

September 26, 2008

How exactly are you supposed to keep a secret on a mobile device anyway? Most of us are annoyed enough at having to enter a password every time we take the device out of our pocket, but how does that square with needing to keep a secret on the device? Take, for example, my Imap Pusher Service. If the user wants to save the password that will be used to log on to the destination IMAP server, so that he doesn’t have to re-enter it each time, how can that password be kept secret? Any encryption I put on the password is easily reverse-engineered (the app is open source), so all I would be achieving is security via obfuscation, which has always unsettled me. The only ways around this that I know of are to have the OS guard the encryption key, or to base the encryption key on a secret that the user provides to establish a session with the device. In both cases the user has to enter some kind of password to establish a session with the device, which makes it less convenient again. Can we just have fingerprint scanners on our phones already???
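To make the two options concrete, here is an added example (my own illustration, not code from the Imap Pusher Service or from the post) of the difference between a key shipped inside the app and a key derived from a secret the user supplies at the start of a session. It is in Python with only the standard library rather than the .NET Compact Framework the app would actually use, and the constant `HARDCODED_KEY`, the function names and the sample password are all assumptions made for the demonstration. The cipher is a PRF-in-counter-mode keystream built from HMAC-SHA256 with a separate encrypt-then-MAC tag, chosen only so the file runs without extra packages; a real app would use the platform's AES.

```python
"""
Added example, not part of the original post or the Imap Pusher Service.

Two ways of storing a saved IMAP password on the device:

1. hardcoded_key_*: the key is a constant in the (open source) program,
   so anyone who reads the source can recover the password. This is the
   "security via obfuscation" the post is uneasy about.
2. user_key_*: the key is derived with PBKDF2-HMAC-SHA256 from a secret
   the user types when the session starts, and is never written to disk,
   so recovering the password needs the user's secret.

Standard library only: HMAC-SHA256 in counter mode as the keystream and a
separate HMAC-SHA256 tag (encrypt-then-MAC). Teaching construction; use the
platform's AES in a real application.
"""
import hashlib
import hmac
import os

# Assumption: the kind of constant an open-source app might ship with.
HARDCODED_KEY = b"ImapPusherService-demo-key-2008"

NONCE_LEN = 16
TAG_LEN = 32
SALT_LEN = 16
PBKDF2_ROUNDS = 100_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode, truncated to the length needed."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with separate encryption and MAC subkeys."""
    nonce = os.urandom(NONCE_LEN)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. Raises ValueError on tamper/wrong key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed (wrong key or tampered data)")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


# --- Option 0: key baked into the program (obfuscation only) -----------------

def hardcoded_key_store(imap_password: str) -> bytes:
    return _seal(HARDCODED_KEY, imap_password.encode("utf-8"))


def hardcoded_key_load(blob: bytes) -> str:
    return _open(HARDCODED_KEY, blob).decode("utf-8")


def attacker_with_source_recovers(blob: bytes) -> str:
    """Anyone holding the source code holds HARDCODED_KEY; no user secret is needed."""
    return _open(HARDCODED_KEY, blob).decode("utf-8")


# --- Option 1: key derived from a secret the user supplies per session -------

def derive_session_key(user_secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", user_secret.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=32)


def user_key_store(user_secret: str, imap_password: str) -> bytes:
    """salt || sealed blob. The derived key is used and then discarded."""
    salt = os.urandom(SALT_LEN)
    return salt + _seal(derive_session_key(user_secret, salt), imap_password.encode("utf-8"))


def user_key_load(user_secret: str, blob: bytes) -> str:
    salt, rest = blob[:SALT_LEN], blob[SALT_LEN:]
    return _open(derive_session_key(user_secret, salt), rest).decode("utf-8")


if __name__ == "__main__":
    secret = "hunter2"          # constructed sample IMAP password
    blob0 = hardcoded_key_store(secret)
    print("hardcoded key, recovered from source alone:", attacker_with_source_recovers(blob0))
    blob1 = user_key_store("device-unlock-pin", secret)
    print("user-derived key, correct session secret:", user_key_load("device-unlock-pin", blob1))
    try:
        user_key_load("wrong-pin", blob1)
    except ValueError as e:
        print("user-derived key, wrong session secret:", e)
```

The point the post makes shows up directly: `attacker_with_source_recovers` needs nothing beyond the source file, while `user_key_load` fails authentication under any secret other than the one the user typed. The cost is exactly the one the post complains about: the user has to supply that secret each session, because it is the only thing not on the device.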