Introduction - the Scenario
You've been asked to design a mobile application that a sales rep can use to collect market data while out of the office. It looks like a fairly straightforward eVB app until someone comes up with the idea of allowing the rep to make a sale and collect the credit card details electronically for later processing. In principle this is a great idea, but in practice the security of the information your app is collecting suddenly becomes a serious issue - and you begin to wonder what effect building in the necessary calls to the CryptoAPI is going to have on your project plan.
Background Information
This article demonstrates the use of a pair of encryption tools from TMG Development Ltd in a similar scenario to the one above. We will collect data in an eVB application and hold it on the Pocket PC. When we re-connect the Pocket PC to the office network using ActiveSync or a LAN connection, we will upload the data to a back-end server via an ASP web page and the Microsoft XMLHTTP control. The data is encrypted at the point of collection and only decrypted on the server for storage in a back-end data store.
The encryption components CryptoText and CryptoTextCE are available in a free form from TMG Development with a limitation on the encrypted text length, and in a commercial form without restrictions. In this sample we will use the free version.
Architecture
The Pocket PC application is written in embedded Visual Basic 3.0 and contains a minimal amount of code, consisting of a data collection form and a couple of button click handlers: one to encrypt an order and one to upload stored orders to a server. The order is encrypted by CryptoTextCE on the Pocket PC and decrypted by CryptoText on the web server.
Data is uploaded to the web server by posting it to an HTML form using an HTTP POST operation. The HTTP connection is established by the Microsoft.XMLHTTP COM server, which should be pre-installed on Windows CE 3.0 machines and is available in the Pocket PC and Pocket PC 2002 emulators. Documentation on the Windows CE version of XMLHTTP is scarce, but information on the desktop version can be found on MSDN under the XML SDK documentation for IXMLHTTPRequest.
Note: the upload process requires that your Pocket PC has a TCP/IP connection to your web server, so if you don't have a LAN or wireless LAN card you'll have to make sure that you're using Microsoft ActiveSync version 3.5. This new version of ActiveSync allows you to browse the Internet using Pocket IE when your Pocket PC is docked in its cradle without any further configuration - provided of course that your desktop machine has Internet access. Our sample application makes use of this TCP/IP link to establish an HTTP connection to the web server.
The eVB Application
The data collection application looks like this on Pocket PC 2002. The listbox shows the currently stored orders; note that the credit card number is stored in encrypted form:

The code for the click handler of 'Store on PocketPC' encrypts the credit card number with CryptoTextCE using the password entered by the user. Note that the code only stores the order in the listbox in this sample; in a real-world application you would use a local database or your own file format:

    Private Sub cmdStore_Click()
        Dim s As String, enc As String
        ' encrypt the card number with the user-supplied password
        enc = crypto.EncryptA( _
            txtPwd.Text, _
            txtCreditCardNumber.Text)
        ' build a comma-separated record; only the card number is encrypted
        s = txtOrderDate.Text & "," & _
            txtCustomerName.Text & "," & _
            enc & "," & _
            txtAmount.Text
        listDB.AddItem (s)
    End Sub
Note that the COM objects used by the application have been initialised in the Form_Load event handler, along with the location URL of the upload page:

    Private Sub Form_Load()
        Set xmlhttp = CreateObject("Microsoft.XMLHTTP")
        Set crypto = CreateObject("CryptoTextCE.Encoder")
        uploadpage = "http://192.168.1.20/orders.asp"
        txtOrderDate.Text = Now()
    End Sub
When the 'Upload to Server Now...' button is clicked, first an HTTP POST connection is established with the server, then a 'Content-Type' header is set to tell the server that the following data is in HTML form format (see MSDN Q290591: 'HOWTO: Submit Form Data by Using XMLHTTP or ServerXMLHTTP Object' for further information). Then our stored order is converted into x-www-form-urlencoded format, which is essentially 'form element name=form element value' pairs for each element expected by the HTML form on the web server, separated by an ampersand (&) character. A simplified URLEncode function replaces spaces with the characters '%20', and then the form data is sent using XMLHTTP.send.

    Private Sub cmdUpload_Click()
        Dim poststring As String
        Dim parts As Variant
        Dim i As Integer
        For i = 0 To listDB.ListCount - 1
            xmlhttp.open "POST", uploadpage, False
            xmlhttp.setRequestHeader _
                "Content-Type", _
                "application/x-www-form-urlencoded"
            ' mark as not uploaded yet
            listDB.ItemData(i) = 0
            ' prepare data for HTTP POST
            parts = Split(listDB.List(i), ",")
            poststring = "SubmitOrder=1" & _
                "&orderdate=" & _
                parts(0) & _
                "&customername=" & _
                parts(1) & _
                "&enccreditcardnumber=" & _
                parts(2) & _
                "&amount=" & _
                parts(3)
            ' send HTTP POST
            poststring = URLEncode(poststring)
            xmlhttp.send poststring
        Next
    End Sub
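As an added example that is not part of the original article, the following Python reproduces the POST-body construction from cmdUpload_Click and contrasts the simplified URLEncode (spaces only) with per-value percent-encoding, then parses the body the way a server-side form handler would so you can see which field values survive the round trip. The order values, including the base64-looking ciphertext, are constructed assumptions rather than real CryptoTextCE output.

```python
from urllib.parse import quote, parse_qs

FIELDS = ("orderdate", "customername", "enccreditcardnumber", "amount")


def simplified_urlencode(s: str) -> str:
    """The article's approach: only spaces are escaped."""
    return s.replace(" ", "%20")


def build_body_naive(order: dict) -> str:
    # Mirrors cmdUpload_Click: concatenate all pairs first, encode the whole
    # string last, so delimiter characters inside values are left untouched.
    raw = "SubmitOrder=1" + "".join(f"&{k}={order[k]}" for k in FIELDS)
    return simplified_urlencode(raw)


def build_body_encoded(order: dict) -> str:
    # Percent-encode each value before joining, so '&', '=', '+', '%' and '/'
    # inside a value can never be mistaken for a delimiter by the server.
    pairs = ["SubmitOrder=1"] + [f"{k}={quote(order[k], safe='')}" for k in FIELDS]
    return "&".join(pairs)


def server_parse(body: str) -> dict:
    # parse_qs behaves like a form handler: split on '&' and '=', then
    # decode %XX sequences and treat '+' as a space.
    parsed = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def broken_fields(order: dict, builder) -> list:
    """Names of fields whose value does not survive builder -> server_parse."""
    got = server_parse(builder(order))
    return [k for k in FIELDS if got.get(k) != order[k]]


# Constructed sample order: a customer name containing '&' and a ciphertext
# containing '+' and '=' (base64-style alphabet, assumed for illustration).
SAMPLE_ORDER = {
    "orderdate": "12/03/2002 10:15:00",
    "customername": "Smith & Sons",
    "enccreditcardnumber": "Ab+Cd/Ef9==",
    "amount": "149.99",
}

if __name__ == "__main__":
    print("naive  :", broken_fields(SAMPLE_ORDER, build_body_naive))
    print("encoded:", broken_fields(SAMPLE_ORDER, build_body_encoded))
```

With the naive builder the customer name is split at the '&' and the '+' in the ciphertext arrives as a space, so the server can no longer decrypt the card number; per-value encoding delivers all four fields intact.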