Mobile applications share most of the security issues of traditional networked applications. These include authentication of devices and users, hiding information from prying eyes using encryption, viruses, and access control. However, the mobile world adds some unique issues to the already complex security arena. Mobile devices are easily misplaced or stolen, so physical security is important. Information that is usually confined behind a corporate firewall is now winging its way through the air, possibly spending some time on hosted servers or wireless gateways. If your solution uses a wireless LAN (WLAN) for connectivity, there are a host of WLAN-specific security issues that are currently making consultants a lot of money. Although in its infancy, the hacking of mobile devices (even cell phones!) has begun.
Losing a laptop or hand-held can have a huge impact, not just on an individual, but also on their organization. Confidential data is rarely secured beyond simple user password protection, and there are commonly available tools to defeat this protection. Perhaps the most obvious way to deal with this is a physical lock. Already common in the laptop world, cable locks such as the Kensington products can protect hand-helds as well (see Figure 1). Another important step is to track devices and tag them to allow easier recovery in the event of loss or theft. In an estimate for 2001, the Gartner Group stated that 250,000 cell phones and hand-helds would be lost in airports alone, and that less than 30 percent would be recovered.
Figure 1 Kensington PDA lock.
Most operating systems support login passwords (although in earlier versions of Windows, they do not necessarily protect your files from prying eyes). Palm offers password protection on its PDAs that (on some versions of its operating system) can be bypassed by anyone who has physical access to the device. Some security experts have stated that the Palm OS is not inherently secure, and highly sensitive information should not be stored on these devices. However, products are available that improve Palm security (see http://www.palm.com/enterprise/resources/securing/).
A good compromise between ease of use and total security is to encrypt selected confidential or sensitive files. Certicom offers encryption tools for Palms and Pocket PCs, and some product vendors build encryption right into their products. Hardware encryption of Compact Flash (CF) and PC cards is another option; Casio offers hardware encryption in its CF cards. Even if your data does not fall into the wrong hands, loss of critical information can be costly. Synchronizing and backing up hand-helds and laptops at regular intervals will help to protect against this.
Because email has become so pivotal to organizations, it is critical that security issues be addressed when extending access to the mobile user. There are a variety of secure corporate email solutions for mobile use, typically relying on a server or desktop software installation to provide end-to-end security. The Blackberry enterprise email solutions from Research In Motion are good examples of this. Be careful of ad hoc email solutions that rely on forwarding email to a public ISP's mail server. Although this solution is flexible (allowing retrieval of email via laptop or hand-held), it exposes corporate information both on the ISP's infrastructure and during transmission over the Internet.
Viruses are not currently a huge concern in the hand-held world, although Trojan horses and simple viruses have begun to appear. The major antivirus vendors (Symantec, Computer Associates, and McAfee) have products designed specifically for the mobile and wireless realm. Some of them are focused on protecting the mobile device; others focus on protecting the enterprise from viruses when a mobile device is synchronized.
Hosting a mobile application with an application service provider (ASP) has inherent security and confidentiality risks. Because security is such a hot topic, most ASPs will cover this issue explicitly in their collateral, and it should be a major consideration when evaluating their offerings. Although highly secure applications may rule out an ASP solution altogether, one way to overcome concerns is to use a virtual private network (VPN). In a VPN, the hosted infrastructure simply supports a secure tunnel between the client devices and the enterprise. Certicom offers VPN solutions for mobile applications.