A LAP is a signed DLL share the following entry points :
- InitLAP : Call by the system to initialise the LAP while loaded.
- DeinitLAP : Call while LAP is unloaded
- VerifyUserStart : Call to start the GUI of the LAP
- VerifyUser : Call to validate the user, with or without a GUI. This functions returns while the user has been authenticated successfully or fails. Multiple calls to this function can be done by the system. Options parameter specifies how the user have to be validated.
- VU_NO_UI : while the system needs to validate the user, without displaying a window to the user.
- VerifyUserStop : Call to destroy the GUI and clean up.
- VerifyUserToTop : Call to bring to top the LAP Window.
- LAPCreateEnrollmentConfigDialog : Used to display configuration window to configure the pass-phrase of the LAP
To implement your own LAP you can start from scratch or use the sample LAP provided with the Windows Mobile SDK :
- for pocket PC : %ProgramFiles%\Windows Mobile 6 SDK\Samples\PocketPC\CPP\win32\LAP
- for smart phone : %ProgramFiles%\Windows Mobile 6 SDK\Samples\Smartphone\CPP\win32\LAP
The Local Authentication Subsystem (LASS) is in charge of the management of the LAP display and user validation.
To define a new LAP, add a new key in the registry :
To select the current active LAP set the
For security reason this pass-phrase should not be saved in the registry as a clear string, but should be encrypted using a custom algorithm or the Windows MobileCryptoAPI.
Validate a User in your application
- ValidateUser is a blocking call to the LASS service, and give a way to provide parameters to the LAP, like an AE Key (specific security policy id), options (like VU_NO_UI to check the user without prompting any Window). Functions will return only after user authentication.
GUID AEKeyForFoo = ...;
if (VerifyUser(&AEKeyForFoo,"App A",hMyWindow,
VU_UNTIL_SUCCESS,0)) // Call into LASS;
// This will
CallSecureFunction() // call into active LAP
// and show LAP-specific UI
// display your own UI
- SHDeviceLockAndPrompt is a non blocking call, but will require user authentication for any activity on the device.