I have an application that runs on Windows Mobile 6 Professional PDA devices. The application is installed by browsing a url from the device and downloading a cab.
Users capture information in the application and this is then replicated back to a SQL 2005 server using merge replication and IIS v6.
Although the user needs to log into the application on the device anybody who knows the url could download and install. Also if you know a users password anyone with a device could update that users information.
I would somehow like to authenticate the devices either at the installation or replication stage (or both).
Is it possible to authenticate a device based on serial number or IMEI (mobile phone ID) number? Is there a way to load a certificate onto the device so only certificated devices are allowed to connect?
I want a system that is not too hard to implement and support. The users must be able to update their own devices and they are not very good at remembering complicate procedures or password.
One possible solution would be to send the unique device id as part of authentication. There’s a post on using
GetDeviceUniqueIDon the Windows Mobile Team Blog.You could store this unique id when the user first connect to the server and verify it prior to each merge.
This approach helps to ensure that the user logging in is doing so from their own phone. It solves the problem of a remote intruder downloading your program to their own phone and logging into a legitimate users account. Of course, if such an intruder has access to your users phone AND password, all bets are off.