Security well in hand

The two manjor handheld OS vendors, Microsoft Corp. and PalmSource Inc., have been going out of their way to make handhelds more secure.

"We've been hearing from our enterprise partners, as well as those in the smart phone space, an increasing sensitivity to security issues," said Steve Sakoman, chief product officer at PalmSource.

It follows that the Palm handheld and Palm OS 5 -- as well as its related SDK (Software Development Kit) that ships in early summer -- will include a plethora of security features. A client-based VPN from an unnamed supplier will be an included option. A developer seeking to license the VPN software must deal directly with the owner. Look for personal firewalls as a future addition.

The CPM (Cryptographic Provider Manager), a set of APIs that sits above and below OS 5, allows third-party developers to write to the API and plug in different encryption algorithms, including RSA Security's RC4 encryption algorithm, Certicom's Elliptic Curve Cryptography, and the AES (Advanced Encryption Standard). The AES was pioneered by the U.S. government and is a default requirement for any company that hopes to win a government contract.

CPM also lets developers write to CPM APIs when designing biometric security tools such as thumb print, voice recognition, and retinal scans.

Another major fear shared by companies is that of users putting rogue applications on a handheld. When deployed, an unauthorized application could find its way back into the network and cause serious disruption. To prevent this, OS 5 is designed with what Sakoman called a requirement for "signed code." When an application writer distributes code, he or she goes to an authority who vouches for that author's identity. The developer includes that certificate when the application ships.

"When IT sets up the handheld, they only allow this set of entities to run on the device using the authentication and authorization," Sakoman said.

Pocket PC 2002, already shipping, includes many of the same security features that will be found in OS 5. "We have security at every stage but there is always more being asked for," said Doug Dedo, group product manager at the Microsoft mobile devices division. "It looks like Palm is trying to play catch-up in the security space," he added.

Pocket PC 2002 offers power-on password capability, 128-bit encryption, authentication, a challenge-response mechanism that talks directly to Windows Server, as well as two flavors of VPN, either IPsec or PPTP (Point-to-Point Tunneling Protocol), some of which most of the hardware OEMs are bundling with their devices.

Microsoft Terminal Services using RDP (Remote Desktop Protocol) also encrypts data as it goes from thin client to terminal server.

But with deployment of mission-critical apps still well below 30 percent, according to the March 2002 Deloitte Consulting study "Mobile Technology in the Workplace," whether Microsoft is ahead of PalmSource for another half-year will probably make very little difference to IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Advanced Encryption StandardAES EnvironmentalCerticomDeloitte ConsultingMicrosoftPalmsourceRSA, The Security Division of EMC

Show Comments