Windows Phone Thoughts: Airscanner Audits Pocket IE, Demonstrates Concept Vulnerability




Tuesday, February 1, 2005

Airscanner Audits Pocket IE, Demonstrates Concept Vulnerability

Posted by Janak Parekh in "ARTICLE" @ 08:00 AM

http://www.airscanner.com/tests/ie_...w/ie_attack.htm

"There are several weaknesses in Pocket IE that can be used to trick end users into submitting local and/or sensitive data, such as usernames and passwords. The potential for exploiting these vulnerabilities is restricted only by an attacker’s imagination. However, Pocket IE is not as powerful as its big brother, and as such, an attacker is limited in what techniques she can use to launch the attack. For example, Pocket IE has no support for the IFrame tag, which is extremely useful in XSS and browser-based attacks. In addition, Pocket IE does not support every JavaScript command commonly used by attackers. The final example presented below is an attempt to combine these individual flaws into one attack and is only meant to serve as a proof of concept."

While most of these aren't explicit flaws or vulnerabilities, Seth over at Airscanner demonstrates how they could be used to transmit potentially sensitive information, and why it might be worth hardening Pocket IE. Still, as Seth points out, Pocket IE is simply much less vulnerable to most attacks by virtue of being a less sophisticated piece of software. It's also worth pointing out that since Pocket PCs are ARM-based, it's difficult to get targeted exploit code on your device. Nevertheless, if you do sensitive financial transactions and the like from your Pocket PC, use your common sense and make sure not to follow potentially spoofed links from third parties. (Note that the site has examples of spoofed URLs, so if you're accessing it from a corporate environment that might filter or tag such content as malicious code, you might want to access it from somewhere else. There is no actual exploit on the website, just examples of what one may be able to do.)
