Mobile device access security: While security issues shouldn't stop your organization from developing valuable applications, or stop customers from deploying them, it's important to face these issues up front. This makes mobilized security an even great challenge.

---

by Alan Zeichick, principal analyst, Camden Associates. Intel Corp.

The race is on, to build new applications that leverage the unique capabilities of mobile platforms such as notebooks, PDAs, and smartphones, or to retrofit existing applications with mobile-aware functionality. Despite the challenges of "mobilizing", applications regard architectural, performance, and user-interface implications of occasionally connected computing, it's easier than ever for developers to create mobilized applications, thanks to embedded Java and the .NET Compact Framework.

On the other hand, there's a new category of challenges facing Independent Software Vendors (ISVs): Mobilized security.

Some of these security concerns may be obvious. Others are less so, and might not even be considered by ISV developers—until they're questioned by worried customer prospects. Let's take a look at some of the major security issues facing mobile developers, along with some brief ideas on how to address them within your hardware choices, system configuration, software tools or applications architecture.

Loss/Theft of an Entire Device
Your author once dropped a Palm PDA at O'Hare airport. Fortunately, it was found and returned intact by airport security. But what if someone had looked through it for critical information, such as access codes or logins? What if someone pilfered the appointment schedule to determine travel dates to key clients? What if someone accessed e-mail records, or pulled other secret information out of the machine, such as remote-access dialup numbers and administrative passwords?

Not only could the loss of a handheld or notebook lead to possible identify theft (how many people have their home address, social security number or credit-card numbers somewhere on their PC's file system?), but the data in that machine could have critical business value, and losing it could have both competitive and legal implications.

Considering the recent headlines about stolen laptops of government officials, and of machines containing lists of social-security numbers and credit-card data, IT management should plan for the loss of a mobile device—including the personal laptops and PDAs of employees who may be storing confidential company information or sensitive applications, or be using the device for VPN access to the enterprise LAN. A similar threat would be the loss or theft of a USB memory key, Compact Flash card or other removable media containing data. Not only would such a theft be easier because the item is pocket-sized, but it may not be noticed for hours or days.

Loss/Theft of Device Contents
The data within a WiFi-enabled mobile device could be stolen—even if the device isn't. How? An easy way would be to secretly enable file sharing on the device, while also turning off any firewalls and other protections; for a skilled Windows or Linux hacker, this would only take a moment. Then, the data could be slowly sucked off the machine while its owner sips a latte.

Less dramatic, but equally possible, would be to copy selected data from the machine—including application binaries, configuration files, messaging files, personal-information-manager data, or even caches and registry data—to a storage device. Again, a USB memory key would do the trick; so too would a portable FireWire or USB hard drive, even a CD-R burner if the device was available for a long enough period.