Team Fly |
Page 652
FIGURE 22.5 Bind mobile List controls to arrays or other data sources.
As you can imagine, sending information over the air is even less secure than sending it over a LAN, cable, or phone line. When you're exchanging messages wirelessly using cell phones or PDAs, you might as well consider yourself a radio station.
You can, of course, encrypt sensitive data, and you should. As described in Chapter 6, .NET includes several powerful encryption routines that can easily be added to your programs to ensure your privacy. As for authenticating callers, you'll find the following authentication section in the Web.config file:
<!--  AUTHENTICATION
      This section sets the authentication policies of the application.
      Possible modes are "Windows", "Forms", "Passport" and "None"

      "None"     No authentication is performed.
      "Windows"  IIS performs authentication (Basic, Digest, or Integrated Windows)
                 according to its settings for the application. Anonymous access
                 must be disabled in IIS.
      "Forms"    You provide a custom form (Web page) for users to enter their
                 credentials, and then you authenticate them in your application.
                 A user credential token is stored in a cookie.
      "Passport" Authentication is performed via a centralized authentication
                 service provided by Microsoft that offers a single logon and
                 core profile services for member sites.
-->
ASP.NET relies on cookies when performing form-based authentication, and many mobile devices don't support cookies, so you should probably avoid this approach. For details about the features of Windows-based authentication, see Chapter 5.
You can specify user names, roles (such as administrator), and other modes of access such as Passport. IIS stands guard in front of localhost (the Web simulator) or, in a deployed mobile application, the Web itself. You can use IIS's Internet Services Manager in Control Panel's Administrative Tools folder to modify security policy rules.
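One way to check these settings before deploying, as an added example that is not code from the book: the Python script below audits a Web.config for the authentication mode and for authorization rules that still admit anonymous users. The two sample configs, the role name Administrators, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration (not from the book).
WEAK = """<configuration><system.web>
  <authentication mode="Forms" />
  <authorization><allow users="*" /></authorization>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow roles="Administrators" />
    <deny users="*" />
  </authorization>
</system.web></configuration>"""

def anonymous_allowed(web):
    """First matching <allow>/<deny> rule wins; '?' = anonymous, '*' = everyone."""
    for rule in web.findall("authorization/*"):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:
            return rule.tag == "allow"
    return True  # no rule matched: the inherited default allows all users

def audit_web_config(xml_text):
    """Return findings for the <system.web> authentication settings.
    Simplification: ignores <location> overrides and the verbs attribute."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    findings = []
    auth = web.find("authentication")
    # ASP.NET falls back to Windows mode when none is configured.
    mode = auth.get("mode", "Windows") if auth is not None else "Windows"
    if mode == "None":
        findings.append("mode=None: no authentication is performed")
    elif mode == "Forms":
        findings.append("mode=Forms: credential token is stored in a cookie")
    if mode != "None" and anonymous_allowed(web):
        findings.append("authorization rules still admit anonymous users")
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_web_config(cfg) or "no findings")
```

The HARDENED sample passes because the role rule never matches an anonymous caller and the final deny rule catches everyone else.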