Handheld OSes Due for Security Advances

Just a few years ago, one could expect little more from a handheld computer than a convenient means of storing and retrieving data such as phone numbers and to-do-list items.

Just a few years ago, one could expect little more from a handheld computer than a convenient means of storing and retrieving data such as phone numbers and to-do-list items. Today, these devices have evolved greatly in terms of power, functionality and network connectivity, but as handheld computers and the mobile operating systems that drive them grow more complex, so, too, grows the potential for the sort of security vulnerabilities that plague their desktop- and server-based brethren.

Earlier this month, such a vulnerability surfaced in the Linux-based Sharp Electronics Corp. Zaurus SL-5500. It was discovered that a flaw in the FTP service the Zaurus uses to conduct desktop synchronization could allow a malicious party to take control of the devices file system via a network attack.

Handheld computings two big mobile operating system vendors, Palm Inc. and Microsoft Corp., have seized on security as a selling point in their offerings, and we can expect significant security advances in the next-generation handheld operating systems from these companies.

Microsofts Windows CE .Net, which will serve as the foundation for the next version of the Pocket PC operating system (Pocket PC 2002 is based on Windows CE 3.0), contains a number of security technologies inherited from full-size operating systems.

Among these technologies is support for wireless LAN security based on the 802.1x standard. Coupled with the Wireless Zero Configuration capability featured in Windows XP, 802.1x should be a boon for companies that wish to provide the convenience of mobile network access to their handheld device users without sacrificing security.

Many companies already have VPNs (virtual private networks) in place for supporting remote workers. (Click here for some VPNs worth checking out.)

We also expect to see support for on-device data encryption in future Pocket PC releases, based on the Protected Store functionality of CE.net, as well as support for biometric and smart-card authentication.

With the focus that Microsoft is placing on Web services on every possible sort of client, the security and authenticity of network links will take on increased importance. Future versions of Pocket PC will also benefit from support for the Kerberos authentication protocol and for Secure Sockets Layer 3.1 protection for Web connections.

The next-generation handheld operating system from Palm—Palm OS 5— will include significant security improvements compared with the current Palm OS family.

Looming large among these improvements will be the inclusion of systemwide 128-bit RC4 encryption, provided through Palms partnership with RSA Security Inc. In addition, Palm has announced that future versions of its operating system will feature a plug-in cryptographic architecture that will enable developers to build in other encryption schemes.

Also on the way for Palm OS 5 is an authentication and authorization framework that will enable administrators and developers to control device access with smart-card and biometric extensions.

No less important will be Palms move to the ARM chip architecture, which will make for faster devices that are better able to meet the processing-power needs of cryptography.

Technical Analyst Jason Brooks can be reached at jason_brooks@ziffdavis.com.

Related Stories:

  • For Users, Its Back to Basics
  • Security in Hand
  • Mobile Management Tools to the Rescue