The PDA Guerrilla: Security

Actually one of the benefits of the Palm is that one of the main risks to data, malware, just does not exist on this platform. Admittedly that is not due to any special security in the device -- as it comes out of the box it is a low-security system. Rather, it rides under the radar of the criminals who write most of the malware these days. And while it is possible to connect a Palm to the Internet either through the Palm wired modem, a Bluetooth connection to a cell phone (my preferred method) or via WiFi, these connections tend to be short lived -- enough time to download the latest e-mail, check a Web site or upload something -- if for no other reason to preserve battery life. Thus invasive types of attacks in which a hacker gets access to your files on your computer are impractical on the Palm. And Palm owners who want to further protect themselves from the possibility of such attacks can set "discoverable" on their Bluetooth modem to off and turn off their WiFi, if they have a TX, when they are not actively using it.

However, PDAs are exposed to potential theft and accidental loss. I carry my PDA everywhere. Last night, for instance, my wife and I went out for dinner and a movie. I had my PDA out the minute I sat down at the table to record what I intended to order into my diet and later what I spent. As soon as I sat down in the movie theater I was recording what I spent on the tickets. It is easy to leave a PDA behind on the table at a restaurant or in a conference room or on an airplane or taxi. And certainly PDAs are exposed to pickpockets, purse snatchers and other thieves. And while usually the people who end up with these misplaced or stolen units aren't interested in the data on them, I certainly do not want to expose my personal information to the possibility of unauthorized access.

How secure you want on your PDA to be depends on the value of the information on it to others and your own paranoia level. The answer to this is very different for me than say for an FBI special agent. And the good news is that today a variety of third-party technologies are on the market that can offer different levels of security.

Out of the box Palm Tungsten PDAs come with a built-in password security application that locks the device when it is not in use. However, I have found this security software unstable, to the point that a year ago for no apparent reason it scrambled my password and activated itself (it was turned off at the time), locking my device and access to my data. When I figured out what was causing my problems (which took about half a day of experiment) I was able to delete the security file in the backup folder on my SD and do a hard reset to clear everything out and then restored my data without the bad security file. I then deleted the application itself from ROM using JackSprat (www.brayder.com).

Instead I use TealLock from TealPoint Software (www.tealpoint.com). This has proven dependable over the year I have used it, and it gives me some extra flexibility. One feature I particularly like is the ability to exclude an application. In my case, I exclude the Audible.com client so that even when my PDA is locked I can turn Audible on and off and change programs. This is very convenient since I tend to listen while walking and driving, and often need to change recordings as one ends.

On the other hand I can choose files or applications for encryption when the PDA locks. I do this with my most private files such as my financial records. Of course this is just password-based software security. But it is enough to make getting at my personal information more trouble than it is worth to anyone and certainly protects against casual unauthorized access should I leave my PDA somewhere.

However, stronger security is available for the Palm platform. Early this month I attended the FOSI conference on computing in government, and I spent time there with Palm Inc., which, as is its practice, had several third-party vendors showing their wares in its booth. There I met RIVA, which makes a smart card reader that hitches to the back of the PDA and requires three-point identification (the card, the card code, and the user's password) to unlock the device. I have not yet seen fingerprint scanners attached to PDAs, but given the trend toward fingerprints as a biometric ID on networks, I am sure that it is only a matter of time before they appear, if they are not already available. So if you are keeping sensitive information on a PDA, products are out there to make your palmtop more secure.