OBEX Security

Windows Mobile 6.5
A version of this page is also available for

Object Exchange Protocol (OBEX) has the following potential security risk:

  • OBEX supports plug-in services from third-party vendors. If these extensions do not use proper security and authentication procedures, they could compromise the security of a device or local network.

OBEX is a session layer protocol that allows devices to exchange data in a simple and spontaneous manner. The protocol can be supported over a variety of transports. In Windows Embedded CE, the supported transports are over IrDA and Bluetooth transmission technologies. OBEX provides security support by incorporating an authentication mechanism that uses a challenge and response scheme. Any connection attempts that do not pass the authentication procedure are disallowed.

Although authentication is an option for OBEX, Microsoft recommends that you turn authentication on by default to allow only authorized individuals to make connections and exchange data with the server.

Sensitive information can be encrypted prior to being sent over the network. This prevents unauthorized users from viewing data in transmitted packets.

The server can ask for authentication in response to a connection request. Once a connection is established, authentication can be challenged for various requests. Both Kerberos and Secure Sockets Layer (SSL) authentication mechanisms are supported.

You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.

For OBEX registry information, see OBEX Registry Settings.

No specific ports are used for OBEX.

Community Additions