Looking out for the little guy

Due to its small size, flexibility and ease of use, the Personal Digital Assistant or PDA has become a ubiquitous business tool. Its ability to retrieve email, run applications and store company data via wireless communication with your network has made the PDA a tremendous asset to mobile workers – and a serious risk to corporate data.

No longer can you be satisfied with only protecting your internal networks with layers of firewalls. Wireless devices inside and outside of your network, including PDAs, have created new risks. And PDAs are of particular concern due to their small size, which increases the chance of loss or theft.

For example, the likelihood of leaving your PDA powered on and unlocked in the back of a taxi are considerably higher than leaving your laptop in the same state. Therefore, you must carefully consider what applications you put on the device, what information you store on it, and what the business impact could be if the device falls into the wrong hands.

With PDAs, you have to worry about the physical system security, network security and data security. Four key concerns with PDAs are:

? Theft of a device that has not been password protected

? Unencrypted data stored on the optional memory card

? Malicious applications that try to steal company information

? Cameras on PDAs that can take pictures of sensitive information.

The open nature of Java-based platforms facilitates the development of rich and compelling applications for PDAs. That openness also presents challenges and risks, and malicious applications are likely to increase in number and complexity in the future. Therefore, mobile application related security is a key issue for the mobile industry.

The good news is that PDA manufacturers are focused on security and work with industry standards as well as proprietary approaches to provide a secure device platform for corporate users. The bad news is there are always hackers who will try to work around the implemented PDA security in order to try to steal your corporate information. A 100 percent secure environment does not exist, as there are always new forms of malicious code.


Controls to mitigate these threats should be implemented in a manner that does not impact the ability to run your business. To help ensure that an appropriate level of control can be established, you should first understand how much risk you are exposed to, as well as your risk tolerance. A Threat Risk Assessment (TRA) can help to identify the critical IT assets that are important to your business and the type of controls that you need to implement in order to secure them. Not undertaking a TRA can leave organizations open to situations that could damage or destroy their ability to conduct business.

The TRA process is a continual one that should be reviewed regularly. The assessment should address security requirements pertaining to integrity, availability and confidentiality, and should be thought of as an integral part of the overall lifecycle of the infrastructure.

You should implement PDA security policies at a corporate level, dictating the usage of the device, as well as at a technical level on the server that provides applications to your users. Furthermore, the secure coding of applications is critical to help protect data from hacking attempts.


The following are some important aspects of a good corporate security policy for PDAs:

Corporate applications deployed to the PDA should be designed with a security mindset and tested and digitally signed by an approved authority. The developer should prove his identity before applying for a digital certificate and matching key pair used for digitally signing applications.

The use of cameras should be prohibited unless deemed necessary for business use. The removal of sensitive information via images from corporate premises should be reviewed and approved by management.

Appropriate security policies at the technical level on the PDA server should be established in order to define what is allowed to run on the PDA. The policies should be centralized; if they are not, they may differ across PDA networks, which may lead to questions and concerns about compliance and risk mitigation.

Passwords and forced change of passwords should be used.

An inactive period should also lock the PDA.

Anti-virus software and personal firewalls should be installed on corporate PDAs. Data stored on PDA media cards should be encrypted with an approved and corporate-assigned digital key and matching certificate. If passwords must be stored on the PDA device, they should be stored in an encrypted database.

The use of Bluetooth and infrared ports should be disabled on the PDA device. If wireless only communication is possible with the PDA device, the company may also consider disabling the USB port, as this can be used to transfer data.


Manufacturers and software vendors work together to develop secure platforms for PDAs. However, without such things as an effective policy in place and user awareness training, your corporate data is at risk.

Vendors use a technology called digital signatures to identify applications that have been ‘authorized’ to run on your PDA. The digital signature includes a software key and often an associated digital ‘certificate of authenticity’ that provides proof that the software key used for signing your digital message is valid. The digital signature and associated key only belongs to one person and is unique, just like your signature with a pen and ink. If the key used to digitally sign is lost, there should be a method to revoke that key. Furthermore, before issuing the key, the authenticity of the person applying for a key should be validated.

In order to identify applications that are authorized to run on your specific PDA, application vendors use these keys to digitally sign applications (code signing keys). Part of the challenge is that often the company applying for a digital key to sign their developed applications can obtain keys anonymously via the use of prepaid credit-cards and false details. PDA vendors can revoke the use of these keys if they are identified for malicious use, but nothing can be done if the keys have already digitally signed applications before the key was revoked.

Here are but a few of the security concerns associated with this problem:

? A malicious signed application can send a message containing a link to download an application. If a user opens this link, he will be prompted to install a worm code from a remote Web site.

? Over the Air application installations may trick the user into thinking that an application is signed and the user may install the application thinking that the software is intended to run on his PDA device.

? Java applications can modify themselves once installed on the PDA without the user’s knowledge. Without a firewall turned on, the newly modified application can perform unwanted actions to access corporate data.

? Applications can access files (including pictures taken by a PDA camera) and directories on the PDA file system, as well as create, edit and delete directories.

? An application could cause a Denial of Service attack (the PDA becomes completely unresponsive and only replacing the application or a hard reset – removing the battery – will rest