PDA security to get stronger

Palm and Pocket PC devices rely on little more than a single password for security, but one company is hoping to change all that

The next few months will see a string of encryption products launched for the ever-growing number of PDAs, devices that currently have few security features.

Security on the Palm and Pocket PC platforms consists of little more than password-based authentication. As users keep sensitive corporate data on their handhelds, these devices represent one of the most significant holes in corporate security. As a result, many IT managers are reluctant to deploy PDAs on a large scale.

One firm addressing the need for better security is Certicom, which last week launched its MovianCrypt product for Palm OS. The product, which uses the new Advanced Encryption Standard (AES) algorithm, encrypts each record in a Palm's database.

MovianCrypt requires users to enter a password when turning on their PDA. To improve performance, it decrypts only records that the user requests, and re-encrypts them using idle CPU time once the user is finished. The user's password, which is required for HotSync operations, is not stored on the Palm, thereby protecting it from attack. A Pocket PC version of the tool is under development.

Better PDA security is what many firms have been waiting for. "Users [of PDAs] tend not to think much about security and privacy," said John Luo, director for psychiatric informatics at the University of California Medical Center, which has been beta testing MovianCrypt.

Luo has rolled out the application to users in his department who previously had Palms with just password protection. "We need encryption in this industry because the data is so sensitive. Our PDA solution has to be secure."

F-Secure has taken a slightly different approach. Its Security@Hand, due to ship in August, will include its FileCrypto software, with support for the Pocket PC and Symbian platforms as well as Palm OS. FileCrypto uses 128-bit encryption and requires a password to decrypt files. Encryption is controlled via policy administration tools, which let IT managers retain some control over the way users handle sensitive data.

Chris Vargas, president of F-Secure, which is based in Helsinki, said, "In security, users are the weakest link, so you want to take those decisions out of their hands."
