|Important||This document may not represent best practices for current development, links to downloads and other resources may no longer be valid. Current recommended version can be found here.|
Security Overview (Devices)
Devices restrict the installation and execution of applications and access to system resources, based on security policy settings and security roles. In order for applications to run correctly on certain devices, they must be signed with the proper certificate, and that certificate must be present in the device's certificate store.
What Files Should Be Signed?
Best practice requires that EXE, DLL, CAB, and MUI (Multilingual User Interface) files be signed. In managed projects, assembly files should also be signed.
There are also several security models that a device can be set to run in. The different security models can restrict access to applications that do not have the proper authorization. For more information on device security models, see Windows Mobile-Based Smartphone Developer's Guide and .
Signing After Post-Build Binary Changes
If you run a post-build step that alters a binary, you need to re-sign the binary; that is, you must disable Authenticode Signing in the project properties, and sign instead as a post-build step. This action is necessary because anything that alters the binary after it is signed invalidates the signature. Thus, the binary must be re-signed.
Provisioning a device refers to adding digital certificates to the certificate stores of the device. When an attempt is made to install or run an application on the device, the operating system of the device checks to see whether the certificate with which the application is signed is in a certificate store on the device. For more information on certificate stores, see A Practical Guide to the Smartphone Application Security and Code Signing Model for Developers.
Smartphones are pre-provisioned by mobile operators.
Windows Mobile 5.0-based Pocket PCs are pre-provisioned by OEMs; earlier Pocket PCs typically were not.
Images for the Device Emulator in Visual Studio are pre-provisioned.
For more information on provisioning, see the Smartphone or Pocket PC SDK documentation.
To aid in developing applications for a variety of security models, Visual Studio 2005 includes the following certificate files, located by default at \Program Files\Microsoft Visual Studio 8\SmartDevices\SDK\SDKTools\TestCertificates:
These .pfx files contain both the certificate and the corresponding private key. (Signing fails if you try to sign an application with a certificate that does not have a corresponding private key.) They have no password.
Import these .pfx files to your Personal Certificate Store on the desktop computer. If you try to import them into another store (such as the Trusted Root Certification Authorities store), Visual Studio displays a detailed Security Warning. For more information, see.