From Provider Notes

Contents 1 This page has been frozen as of the presentation to SUG and IT Roundtable on February 12, 2007 1.1 Areas of Security to Consider 1.2 Products to Consider 1.2.1 Windows Mobile 1.2.1.1 Standalone 1.2.1.2 Server Based 1.2.2 Palm 1.2.2.1 Standalone 1.2.2.2 Server Based 1.2.3 BlackBerry 1.3 Evaluation criteria checklist 1.3.1 First Round Products 1.3.2 Second Round 1.3.3 Final Recommendations 1.4 Previous Penn Evaluation Efforts 1.5 Resources

This page has been frozen as of the presentation to SUG and IT Roundtable on February 12, 2007

This page was created by the Fall 2006 Mobile Device Security Team as a place to collect documentation and resources regarding mobile device security.

The 2006 Mobile Device Security Team worked together from November 11 until mid-January. For more information on the evaluation, please visit the [2006 Mobile Device Security Team website].

Areas of Security to Consider

• Physical device security
  • Make sure that a power-on password is enabled
    • There needs to be a balance between device security and useability, or the end user will turn off password protection
  • Suggest that contact information for the device owner be displayed even if the password is not entered?
• Anti-Virus
  • Do we want to say that AV software is recommended?
• Encryption
  • Device level
  • Storage Card
  • Over the air
    • 802.1x as an example
    • VPN options
• Integrity of data
  • Regular backups are a necessity
• Device end-of-life disposal and hacker recovery techniques

Products to Consider

Windows Mobile

Standalone

• Safeguard PDA Security
  • On the fly file encryption
  • Multiple products in the Utimaco portfolio
  • PDA Security appears to be the most appropriate for our needs
    • Secure user authentication to device
    • Secure screen saver
    • Comprehensive encryption capabilities, from data on device to GSM voice traffic
    • Automatic encryption
    • Central management possible for both Win Mobile and Palm OS
• Sentry 2020
• SafeBoot device security
  • Multiple encryption products for various platforms
  • Pre-boot authentication
  • Secure hibernation
  • "Data-bomb"
  • Pre-boot event logging
  • Password resets and policy management through SafeBoot Management center (as well as other capabilities)
  • Automatic encryption/decryption when device is turned on and off
    • Includes encryption of external media
• Splash ID
  • Shows user ID on boot
• Subsembly Wallet Pocket
• Code Wallet
• Secure Now
• Pocket Secure

Server Based

• BlueFire Security
• Mobile Edge Device Security by Trust Digital
• Good Technology
  • Mobile Defence

Palm

Standalone

• Mergic VPN
• Antha/Movian VPN
• PDASecure VPN
• Warden security for Treo
• M-Safe for Treo
• Teal Lock
• Safeguard PDA Security
• Mobile Edge Device security by Trust Digital
• SafeBoot device security

Server Based

• Good Mobile Defense by Good Technology, Inc.
  • Remote access?
• Teal Lock

BlackBerry

We need to identify some products for this space

Evaluation criteria checklist

This checklist is from the meeting of 11/27/2006. This should be updated over time, but will give us a first pass at eliminating products that don't meet the basic criteria.

• What does it work on?
  • CE
  • Palm
  • BlackBerry

• Does this provide data encryption?
  • how "strong" is the encryption (AES256, 3DES, ?)
  • content (user enters it into an encryption program)
    • files
      • real-time?
      • on-demand?
      • external media supported, or just internal?

• Is there device-wipe capability?
  • locally
  • remotely
    • how?

• Ease of installation?

• Ease of use by end-user?

• Noticeable performance impact?

• When was the latest version of the product released?

• Cost?

• Comments? (Include mention of any server-based components that we're not reviewing right now)
  • Is it smartphone-only or for the entire platform?
  • Or for particular models that aren't smartphones?

First Round Products

The following products and testers have been identified for this first round of our survey:

Tester	Product 1	Product 2
Steve	Good Tech	Teal Lock
Dan	laptop/file
Mikki	SplashID	SecureNow
Bob	Safeguard PDA	SafeBoot
Jorj	CodeWallet	Secure Now
Liam	Warden	M-Safe
Dave	Trust Digital
Steve	Teal Lock
Caroline	Sentry 2020	Teal Lock

Second Round

As of our meeting on December 11, 2006, we have narrowed down the list of products that we will consider. For ease of capturing the evaluation information, we are creating pages for each of the products. Please either make your notes directly on the page, or email them to the team co-leads, and we will post them for you:

• /TealLock
• /Good Technologies
• /Credant
• /SafeBoot
• /SafeGuard PDA

Final Recommendations

In order to keep clarity between the initial work and our final recommendations, we have created a separate page for our findings:

Mobile_device_security:Findings

Previous Penn Evaluation Efforts

• The 2006 Hard Drive Encryption team has some specific instructions on encrypting hard drives for Windows XP and Mac OS X on their results page. The document covers EFS for Windows XP and File Vault for Mac OS X.
• In 2005, the Data Encryption team created a Word document with specific recommendations for email and file transfer. Specifically, it discusses the use of SSL, PGP, and secure methods of FTP. DataEncryption20060108.doc

Resources

del.icio.us page for the Mobile Device Security Team

Palm's Mobile Security page

Yale Med computing article on PDA security

Carnegie Mellon University site Mobile Device Security Guidelines

MSMobiles article on Windows Mobile security vulnerabilities

Mobile/Laptop File Encryption software comparison (Work-in-progress)

US-CERT articles:

• article on PDA security
• Cyber Security for electronic devices