The point: Script unsafe ActiveX in HTML pages opened in Pocket
Internet Explorer without compromising the device security.
Note about the downloads: All they contain also
newObjects ActiveX Pack1 family to give you rich set of
components to use with AXGate. See "What to download" in the end of
the page for more details.
Version 1.1. of AXGate supports better Windows Mobile 2003 SE and Windows
Mobile 2005. Now the dialogs displayed are sized to the screen and support the
soft buttons (see the screen shots below). Rotating the screen while one of the
AXGate dialogs is opened is supported as well.
The ActiveX Gateway (AXGate) is a specific solution for Pocket Internet
Explorer (PIE) that overcomes the limitations for the ActiveX scripting in it.
If you ever tried perhaps you already know about the problem - PIE silently
disallows any unsafe ActiveX usage in the HTML pages. In many cases it is quite
convenient to build some small applications or parts of applications as HTML
pages with some scripts in them. Obviously depending on the functionality
intended such pages will need some way to save or read data from local files,
data bases or even access other system resources such as registry and network.
Even many of the utility ActiveX which have no unsafe functionality are rarely
marked as safe because they are initially planned for server side usage (ASP for
example) or as components for development tools such as eVB/VB and others.
products and tools
ActiveX Pack1 family
About 30 components for CE and desktop. Links to some of its parts:
Core - file system, collections,
NetStreams - networking
SQLite COM - SQL database
SQLite3 COM - Advanced SQL databse
HashCryptStream - cryptography
CE App manager Inovker
You may need this for your Pocket PC installations.
newObjects Development Library - combined documentation for all the
components produced by newObjects [ ].
So, AXGate provides a simple but powerful solution that allows HTML pages to
perform complex operations in HTML pages. This may be extremely useful for
corporate and utility applications that are part of bigger systems. For example
very often you may need relatively small module working on a pocket device for
information collection and some simple queries over the data kept on the device.
Even if most of the work is done on a server or a desktop PC (after
synchronization for example) sometimes having part of the functionality on a
handheld is a must. AXGate gives you a very simple way to implement this. AXGate
also integrates with newObjects ActiveX Pack1 family. This in
turn gives you over 50 ActiveX ranging from file access, networking,
cryptography to fully featured embedded database engine.
With AXGate is even
possible to implement a corporate WEB site that serves small applications
that work on the device and make them capable of sending/requesting data to/from
the server by form submit or in the background (through NetStreams for
instance). Thus the opportunities are here - it is up to you
to decide if HTML pages with AXGate fit your needs or you need something bigger
such NSBasic, C++ or ALP to implement more complex solution.
AXGate is for Windows Mobile 2003 and later (also referred as Pocket PC 2003
in many places and non-oficial conversations). It is for PIE and will not run
with the full Internet Explorer even if the processor type is the same (The PIE
and IE provide a bit different interfaces to the ActiveX). Unfortunately Pocket
PC 2002 lacks some features and this trick is not possible there. For Pocket PC
2002 something can be done in theory but it wont run the way developers expect
and will require big deal of accommodations which is non-practical for older old
How it works?
In contrast to the security manager as we know it on the desktop IE an full
IE for Windows CE.NET AXGate works not on a per-object basis. Instead it uses
profiles which list a number of objects that can be created through it. The
authentication/permission request is done when the page activates the profile.
If a single profile is enough for all the work the page does, no matter how many
objects are created from it the user will be asked just once (if user
interaction is configured) or authentication will be done when the profile is
activated only (if password protection method is configured for the profile).
Thus the access to the components is in packets of classes grouped together by
means of their functionality and potential impact over the system
The profiles are kept in a configuration file named AXGate.cfg which must be
in the same directory where the AXGate.dll resides. There are several standard
profiles listing components from our popular DLLs such as newObjects ActiveX
Pack1 and NetStreams. The download packages in the header of this page contain
these DLL in order to provide you with fully functional solution with working
samples (note that there are some additional external samples in VBScript - you
may need the VB
runtimes from Microsoft in order to run them).
You can create your own profiles as needed. The standard profiles can be used
as base or examples, but we do not recommend changing them. We are trying to
establish something like a standard with them in order to allow wider usage of
the AXGate features. Another reason to not change them is their design - we
carefully estimated the functionality included and its security impact so they
are consistent as they are. Also using your own profiles (especially for company
specific applications) will minimize the security risks in case of wrong profile
configuration. This means that even if you made a mistake in the profile and
that mistake may lead to risky situations the attacker will need to know the
name of your profile - additional precaution is always a good idea today. see
more about the profiles in NDL and a little overview for the first time users
Aside of the COM classes list AXGate supports several useful features such as
creation of pre-configured objects. For example the LogFile profile contains a
class named "Log" which is not just a COM class listed there but a
section that specifies certain file on the device. When the page creates the
object "Log" it receives a SFStream object attached to that file. This
allows sandbox techniques. The standard profiles implement them to allow even
untrusted applications save/read data from your local file system, but only to
certain file or OLE storage. This allows extended functionality to be used with
online pages without risk to
harm the entire device.
There are several samples included in the packages. They are all for PIE (the
sample pages will not work on PPC2002 or full IE). You can see how you can do a
lot of work from a page. Special attention deserve:
Using SQLite3 COM which demonstrates true SQL database functionality
inside a WEB page.
Fetch HTTP examples which demonstrate how to implement networking
features with NetStreams. I.e. the code works in a HTML page but that does not
mean that you are limited to what the browser offers you, through NetStreams
you can use TCP/IP directly and use the page only like an user interface.
DataCollect example demonstrating the sandbox usage.
IRDA devices lookup demonstrates how to use the IRDA capabilities - the
devices discovery part (see the NetStreams documentation in NDL
for more information)
Request for opinion!
This solution is for Pocket PC/Pocket IE only. However it seems reasonable to
expect some benefit of similar or extended solutions supporting not only PIE but
also the full Internet Explorer and desktops. Let say some kind of sandbox
technique that will allow complex work to be done on HTML pages. Making possible
to access the local resources in a restricted way but still making possible to
do things impossible without usage of unsafe ActiveX seems to be interesting. Of
course, this is not the way one will build a big and complex product, yet
running applications online and allowing them store data locally is quite
tempting as technique employed for some of their parts. With all the networking
today there are many cases in which certain employees will work detached from
the main office or the network. Doing everything online involves too much spending
- for all the active time. If it is possible to do part of this work offline it
will lower the costs considerably. AXGate demonstrates one more way to do so and
it is quite simple. May be extending the idea to something more flexible will be
interesting? We will be glad to hear
your opinions, needs and thoughts. There are certain technical specifics and
certain needs - finding out the balance between them and the actual needs may
lead to something useful.
AXGate is FREEWARE! You may include it with your solutions, build custom
applications that include it as long as the copyright markings are not stripped. For
your convenience there is a raw download package that containing the
files without installation. Use it to obtain the AXGate DLL, the AXPack1
family DLL and the standard
configuration if you want to include them in your installations. Most often the
real-world applications wont need all the AXPack1 DLL - check which modules are
actually needed and exclude the unused DLL from your application's distributive.
The full AXGate documentation is included in NDL (newObjects Development
Library). It is an Windows HTML help file that contains the documentation for
all the products and components we develop. We hope that this approach is more
convenient than having the documentation spread in many small help files, having
it in a single file enables you to follow links to other components without need
to search and download additional files. You can download it here.
The documentation library is updated frequently (usually on two months basis).
You can also use the online version of NDL - here.
What to download?
The list of the downloads is in the top of the page. The ZIPped and SFX
install packages contain the AXGate and the AXPack1 family for Pocket PC. They
have a tiny desktop setup that enables you to unpack them and install through
ActiveSync. The CAB package is for download and install directly on the Pocket
The Raw files ZIP contains the AXGate and AXPack1 family binaries. It is
intended for the phase when you want to pack your work in some kind of
re-distribution package. From the raw files archive you can get all the binaries
you actually use and put them in your application's package. Note that it is not
very likely that any application would actually use all of them. For instance
there is no point in using SQLite COM and SQLite3 COM which are two different
database engines - usually you will choose one of them. So, if you want to
reduce the size of the package see which files are not needed and skip them from
your application's package.