Extra Convenience = Extra Risk

Handheld computers, especially those that come equipped with built-in wireless (such as the iPAQ 4100 series and the Toshiba e800), offer the ultimate in convenience. These pocket-sized devices allow you to access your important business and personal information – contacts, calendar, e-mail – wherever you go, and connect to the Internet or your company or home network anyplace there’s a Wi-Fi “hot spot.”

With this added convenience, however, comes added risk. In addition to some of the same security threats you face with your desktop PC, you also have the risks associated with wireless networking and the smaller size of the device makes it more vulnerable than your laptop to loss or theft. It’s important that you protect the handheld device at three levels:

• Physical security – protect the device from loss or theft, and prevent access to the OS if the device does fall into the wrong hands.
• Data security – ensure that if the device does fall into the wrong hands and the OS is accessed, your personal and business data can’t be accessed.
• Network security – ensure that if the device does fall into the wrong hands and its OS is accessed, it can’t be used to access your network.

We will look briefly at each of these.

Physical Security

This is the first line of defense. If you were always able to maintain physical security, other levels of security wouldn’t be necessary. Elements of physically securing your handheld device include:

• Carrying and storing the device securely. Slipping it into a pocket or open-flap bag slung over the shoulder leaves it much more vulnerable to loss or theft than carrying it in a locked briefcase or on the body in a PDA case that attaches securely to your belt. If you must put it in a pocket (it is, after all, a Pocket PC), use a front pocket that buttons or zips. It goes without saying that you should not leave the handheld unattended or in open view.
• Preventing access to the OS. At the very least, you should set a power-on password that must be entered to access the device. Use a strong password; Pocket PC 2003 supports both four digit numeric passwords and strong alphanumeric passwords of seven or more digits. Guess which you should use. Some models, such as the iPAQ 5500 series, support biometric (fingerprint) authentication instead of or in addition to password protection.

Note:
Third party products can provide stronger authentication for your Pocket PC. Examples include Crypto-Sign from Transaction Security (http://www.crypto-sign.com/about_cs.php) and PDALok (http://www.pdalok.com/pda_security_products/PDALok_details.htm), which use digital signature verification/recognition.

Data Security

The data you store on your handheld system may include sensitive personal and business information. If your physical security measures fail, it is essential that you prevent access to this data. Here are some ways to do so:

• Consider storing sensitive data on a memory card and removing the card when not in use. This makes it more likely that if the device itself does get into the wrong hands, your data won’t.
• Encrypt sensitive data, whether it is stored on the device or on a removable card. There are many file encryption programs for Pocket PC, such as Pointsec (http://www.pointsec.com/products/products_pocketpc.asp) and PocketLock (http://www.applian.com/pocketpc/pocketlock/index.php).
• Restrict access to applications that could be used to read the data, using software such as PDA Defense (www.pdadefense.com/). 
• Use software that will allow you to have the data automatically wiped if there are too many failed logon attempts or the device isn’t hotsynched within a specified time, such as PDA Defense (www.pdadefense.com/).
• Install anti-virus software for Pocket PC, such as F-Secure (http://www.f-secure.com/wireless/pocketpc/pocketpc-av.shtml) or Symantec AV for Pocket PC (www.symantec.com).

Network Security

Handheld computers were originally designed as standalone devices that were synchronized with your desktop computer on a regular basis. Now wireless technology has made the handheld a true network device. This means network administrators and handheld users need to take steps to protect the network, as well as the handheld itself, should the device be stolen or lost. Here are some factors to consider:

• Network administrators should establish policies governing handheld computers that connect to the network.
• Use virtual private networking (VPN) to connect to the company network. PPC 2003 supports Microsoft VPNs. IPSec VPN clients are available from VPN gateway vendors such as Cisco and Check Point.
• Use X.509 digital certificates in a Public Key Infrastructure to implement policies (using policy certificates linked to identity certificates).
• Update your wireless LAN driver to use Wi-Fi Protected Access (WPA) instead of WEP (if available for your PPC model). For example, you can download the wireless driver with WPA support for the iPAQ 5500 series at http://h18007.www1.hp.com/support/files/handhelds/us/download/20969.html.
• Disable BlueTooth and W-Fi (802.11) when not in use. This not only increases security; it also increases your battery life.
• Install a firewall designed for handheld devices, such as BlueFire (www.bluefiresecurity.com/)
• Use a monitoring and notification program such as System Security Monitor for Pocket PC (http://www.net-security.org/software.php?id=548) to detect and track hidden activity on your PPC.

Summary

As more and more people use their handheld computers like miniaturized mobile filing cabinets, storing much of their important information there, security for handhelds becomes a bigger issue. Theft or loss pose the greatest risk to mobile devices at present, but new wireless capabilities make them vulnerable to all the risks of wireless networking, and virus writers have began to develop proof of concept viruses targeted at mobile devices, as well. If you depend on your Pocket PC for easy access to information and networking connectivity when you’re on the go, you should take at least as much time and care in securing your handheld device as you do with your laptop or desktop computer. In this article, we’ve discussed some of the methods and software add-ons that can help you make handheld computing a more secure experience.