Long time no post 🙂 I had unforeseen delay with a house project that has kept me quite busy lately, and unfortunately WP Mango update NDA prevents phone reviews that I promised earlier 🙁 But now I have a some time to write a short story about security side of Windows Phone. I have not seen too many articles about this, so I thought this might interest someone.
The security model in Windows Phones is based on chambers. These chambers limit what applications can do by putting them inside a security sandbox. There are four different chambers and each of these chambers have certain limitations how applications within them can run.
Trusted Computing Base is the home of the kernel and kernel-mode drivers. TCB has the highest set of privileges. Processes running here have the access to most of the things in the phone. It goes without saying, that you can’t put your own applications here, and even for OEMs they have to be careful what they put here, as it will affect the security and the performance of the phone. TCB chamber can also modify policy and enforce the security model.
Elevated Rights Chamber is the location where the user-mode drivers and services reside. Processes here have access to most of the things except for the security policy. Drivers that reside here are safer in that sense, that they won’t crash the whole phone if they stop functioning, but there is a performance tradeoff.
Standard Rights Chamber is the place for native code applications. All the apps that do not provide services for the whole device are located here. This is the place where the Microsoft apps, like Outlook Mobile resides.
Least Privileged Chamber is the home of the MO/OEM applications and normal 3rd party applications which you load from the marketplace. LPC differs from the other security chambers for it is dynamic by nature. By default it has minimal access rights, but software running there can request a capability, like access to location, media, network, camera, microphone etc on installation time. These capabilities which each software requires are disclosed at marketplace.
Each 3rd party software has it’s own isolated LPC and can have access to only those capabilities that it has requested and they can not be elevated at runtime. Also each software has it’s own file system, called isolated storage and other applications can not access that. There are no communication between applications except through server.
That’s about the main security architecture, if you have further questions, leave a comment!
Update (25.8.11) – I found out that the Hybrid applications do not run in the SPC but in LPC. When they access drivers etc, the security context will be within the LPC