Input Method Manager (IMM) Security (Windows Embedded CE 6.0)
1/6/2010
Some input method editors (IME) and Software-based Input Panels (SIPs) have a text entry feature that saves words to a database. The input method tries to complete a word for a user by comparing input text with entries stored in a database. As a user enters text, words are stored so the input method can suggest words to reduce the amount of text entry.
Input methods such as IMEs and SIPs must not store user input for password fields as this creates a security risk. If the device is shared, a user may unknowingly compromise the security of the device if a password appears in a list of suggested words.
Note
Users may have the option to disable the word suggestion feature in the IME.
Input method editors for software–based input panels should be aware of the field that is receiving input and not store the input from a password field. As an example, a single line edit control used for password input should protect the user input and not display the password. One way of doing this is to create a window using the Win32 function CreateWindow function with a class style ES_PASSWORD. An application should be aware that the window with current focus has the ES_PASSWORD class style and should not store user input from this window.
For more information about Windows Embedded CE security services, see Enhancing the Security of a Device.