RAPI Restricted Mode Security
4/8/2010
With the release of Windows Mobile Version 5.0, RAPI restricted mode was introduced for Windows Mobile devices. Previously, Windows Mobile had no such security policy. Restricted mode behaves the same on all Windows Mobile devices and has implications for both Remote API and Remote API 2 functions.
You can provide increased security for Windows Mobile devices by using security policies and specifically by using the RAPI security policy. The RAPI security policy provides the following options:
- Closed Mode. All RAPI calls are disabled and access to ActiveSync is denied.
- Restricted Mode. RAPI calls and access to ActiveSync are enabled. In restricted mode, files in ROM and files that have the System flag set are read-only through RAPI. Also, only signed dlls and dlls that have been added to the RAPI section of the metabase can be invoked with RAPI. For more information on adding a dll to the metabase, see the Remarks section. Also, in restricted mode, protected registry keys are read-only through RAPI. When a device is running in restricted mode and an application attempts to use RAPI to access a restricted file, dll, or registry key, there is no dialog displayed on the device prompting the user to allow the operation. The RAPI method invoked will simply fail. For a list of the protected registry keys, see Privileged APIs.
- Open Mode. Enable full access to all RAPI calls and access to ActiveSync. This is the least secure mode. An attacker could potentially put a .dll on the device using RAPI, use CeRapiInvoke to run it Trusted, and thereby compromise security.
**.
RAPI Restricted Mode and CeRapiInvoke
CeRapiInvoke loads the device-side DLL named in pDllPath, then calls the RAPI extension named in pFunctionName.
It is the responsibility of the RAPI extension to release the IRAPIStream object (that is, to call pIRAPIStream->Release();).
As of Windows Mobile Version 5.0, the Remote Access Security Policy on all Windows Mobile devices is set to Restricted by default. These devices are considered "Locked," which prevents you from using CeRapiInvoke to invoke device-side DLLs — unless you take extra steps to satisfy the requirements of the Remote Access Security Policy. **
Note
Even if it is locked, CeRapiInvoke is permitted on a Windows Mobile Classic device.
CeRapiInvoke gives elevated privileges to any DLL that can be invoked on the Windows Mobile device.
RAPI security policies are set in the project.reg configuration file.
RAPI Restricted Mode and Database Access
By default, databases cannot be accessed by RAPI on devices running in restricted mode. Attempts to use RAPI's database functions such as CeOpenDatabase (RAPI) and CeOpenDatabaseEx (RAPI) will result in an access denied error.
Before attempting to access a database in a mounted database volume, you must mount the volume using CeMountDBVol (RAPI). This action will also fail by default under RAPI restricted mode security. To use this function, you must first modify the permissions of the database volume in the metabase.
A provisioning XML file can also be invoked at installation time by passing it to the CAB wizard using the /postxml command line option when generating a CAB file. For more information, see CAB Wizard.