PC SOFT

ONLINE HELP
FOR WINDEV, WEBDEV AND WINDEV MOBILE

Home | Sign in | English US
  • Overview
  • Security policy in Windows CE
  • Diagram of program execution
  • How to sign a WINDEV Mobile application?
WINDEV
WindowsLinuxUniversal Windows 10 AppJavaReports and QueriesUser code (UMC)
WEBDEV
WindowsLinuxPHPWEBDEV - Browser code
WINDEV Mobile
AndroidAndroid Widget iPhone/iPadApple WatchUniversal Windows 10 AppWindows Mobile
Others
Stored procedures
Certificates in Mobile
Overview
A binary file (executable, library, .CAB file, ...) can be signed to make sure that this file was validated by the author of the certificate corresponding to the signature.
Windows CE contains 3 lists of certificates:
  • SPC (Software Publisher Certificate): This certificate guarantees that the setup program (.CAB file) comes from a recognized publisher. This does not concern the execution rights but the authentication of the software publisher (Level 1 Certificate).
  • Unprivileged Execution Trust Authorities. The files signed by this certificate can be run as long as they do not use some sensitive APIs (Level 2 Certificate).
  • Privileged Execution Trust Authorities. The files signed by this certificate can be run and can use all the APIs (Level 3 certificate).
Security policy in Windows CE
The configuration of Windows CE contains three modes for defining the security policy and the access rights. Each mode can be enabled or disabled independently of the others.
These 3 modes are as follows:
  • Privileged Application Policy: When this mode is enabled, the binary files signed by a certificate issued by "Unprivileged Execution Trust Authorities" will be processed as if they were signed by a certificate issued by "Privileged Execution Trust Authorities".
  • Unsigned Application Policy: When this mode is enabled, the unsigned applications (or the application signed by a certificate not issued by one of the three lists of Windows certificates) will be run. If this mode is disabled, the unsigned applications will not be run.
  • Unsigned Prompt Policy: When this mode is enabled, a dialog box displays when an unsigned application is run. This dialog box asks the user whether he wants to run this application coming from an unknown source. If the user answers "NO", the application is not run. If the user answers "YES", the application is run as if it had a certificate issued by "Unpriviledge Execution Trust Authorities". If this mode is disabled, the unsigned application is automatically run as if it was signed by a certificate issued by "Unpriviledge Execution Trust Authorities" (only if the "Unsigned Application Policy" mode is enabled).
The default values for these modes are as follows:
Pocket PCSmartphone
Privileged Application PolicyEnabledDisabled
Unsigned Application PolicyEnabledEnabled
Unsigned Prompt PolicyEnabledEnabled
These settings can be modified by the manufacturers.

Diagram of program execution


Operating mode of WINDEV Mobile applications
Mobile Windows CE 2003Mobile Windows CE 2005Smartphone Windows CE 2003Smartphone Windows CE 2005
Run an unsigned .CABOKConfirmation requestConfirmation requestConfirmation request
Starting a WINDEV Mobile application installed by .CAB (signed or unsigned executable)OKOKOKOK
Starting a WINDEV Mobile application installed by copying the executable and the DLLs (unsigned executable and DLLs)Confirmation requested for the executable and for each DLLConfirmation requested for the executable and for each DLLConfirmation requested for the executable and for each DLL
Running a sensitive API (privileged API) by an unsigned applicationOKOKFailed
Running a sensitive API (privileged API) by a signed applicationOKOKOKOK
How to sign a WINDEV Mobile application?
Signing a WINDEV Mobile application is required:
  • to avoid displaying the confirmation requests.
    Note: If an application is installed by .CAB, the confirmation request will be displayed once when installing the application. Then, the application can be started as many times as necessary without confirmation request.
  • if you are using sensitive APIs (functions for sending SMSs for example).
To sign a WINDEV WINDEV application, get in touch with a signature company (member of "Microsoft Mobile2Market"). Some examples: Verisign, GeoTrust, Baltimore, ...
These companies will help you install the certificates on Mobile or Smartphone devices.
Versions 16 and later
WINDEV Mobile allows you to sign the executable and the libraries when creating the executable. All you have to do is specify the certificate to use in the wizard for executable creation.
New in version 16
WINDEV Mobile allows you to sign the executable and the libraries when creating the executable. All you have to do is specify the certificate to use in the wizard for executable creation.
WINDEV Mobile allows you to sign the executable and the libraries when creating the executable. All you have to do is specify the certificate to use in the wizard for executable creation.
Notes:
  • Orange operator: The signatures such as "Privileged Execution Trust Authorities" (level 3) issued by "Microsoft Mobile2Market" are not recognized by the Orange phones. The application must be signed by Orange.
  • SKT Operator (South Korea) recognizes no signature issued by "Microsoft Mobile2Market".
  • GeoTrust: Only the "Unprivileged" signature is supplied.
  • Verisign: The "Unprivileged" and "Privileged" signatures are supplied. A prior agreement from Microsoft is required for the "Privileged" signature.
Minimum required version
  • Version 10
Comments
Click [Add] to post a comment