PGP Mobile: High security for Palm OS devices

You wouldn't want important data walking out the door of your organization, but it happens every day when users leave the office with handheld devices. Securing those devices is paramount, and PGP Mobile can help secure Palm and Pocket PC devices.

Handheld devices powered by Palm and Microsoft Windows CE operating systems make it convenient to organize data. But they also create new opportunities for data theft, as they are not well secured. PGP (Pretty Good Privacy) Mobile by PGP Corp. of Palo Alto, Calif. is an excellent program for securing data on a handheld computer. Current PGP Mobile versions are 2.0.2 for Palm and 1.6.2 for Windows CE. Here’s what you’ll face when using PGP 2.0.2 for Palm.

Features and device compatibility
Using PGP for Palm OS, you can encrypt, decrypt, and sign e-mail messages, attachments, and Palm databases. You can maintain keys and passphrases, and beam and receive public keys to and from other Palm users.

A Wipe feature removes all traces of data from application memory and free memory. You can even create a "Vault" that stores encrypted data in a special application. Once encrypted, the Vault's data can't be recovered, even if the handheld is stolen.

PGP Mobile for Palm OS runs on all devices running Palm OS version 3.1 or higher (but note that OS 5.0 hasn't been fully debugged), such as those made by Palm and Handspring, and the Sony CLIÉ and Kyocera Smartphones. It can be installed as a stand-alone program or used with a plug-in to a PC version of PGP.

Limitations and workarounds
For full compatibility, PGP recommends using an e-mail program that doesn't use the Palm OS Mail interface (iMessenger and OSmail are not fully compatible). As with PGP's desktop version, it doesn't integrate fully with some e-mail programs like Eudora for Palm. A workaround for these apps is to encrypt text via the clipboard and insert it into the message.

In addition, applications that limit text fields, such as Palm's ToDo (limited to 255 characters) and Memo pad, could truncate encrypted text, which renders it unrecoverable. A workaround to this issue is to divide long texts into smaller parts before encrypting.

License fees
PGP Mobile for Palm OS (and Windows CE) costs $60 per device per year for a subscription license, and $125 per device for a perpetual license (never expires). Upgrade insurance as well as additional Level 2 support costs an extra $25 per year.

Download the zip file at the time of purchase. Extract the zipped files to a temporary directory. These files are PGPMobile.prc, PGPMobilePalmConduit.exe, PGP for Palm User's Guide.pdf, a ReadMe file, and .sig files that guarantee the authenticity of the download.

Double-click the .prc file and run HotSync to install PGP Mobile for Palm into your Palm handheld. Click the Reset button on your Palm device when requested. After reset, you will see a PGP icon in your launcher application. HotSync again. This is required to read time zone information from the PC.

To add the PGP desktop plug-in, double-click the .exe file to launch the installation (for Windows 2000 and XP, you'll need installation rights). Note that you must already have installed Palm's Desktop software and a version of PGP 7.0.1 or greater on your PC. Accept the license agreement, click Next, then click Finish when the installer has completed copying files.

In addition to adding the PGP conduit, the plug-in creates two more File menu items in the PGPKeys app. Choose Start | Programs | PGP | PGPKeys and note the new choices: Open PGP For Palm OS Keyring and Edit PGP For Palm OS Vault, as shown in Figure A.

Figure A
After installing the PC conduit, PGPKeys adds two menu items to manage PGP Mobile for Palm OS on the Windows PC.

Set PGP preferences by tapping the PGP icon on your handheld, then tapping PGP | Options | Preferences. When you do, you’ll see the screen shown in Figure B.

Figure B
First, set PGP preferences.

Note the CryptoBoost option. This feature actually overclocks your handheld's processor. While that speeds up encryption and decryption, overclocking might cause some devices, particularly the Palm m505, to lock up, report fatal errors (Palm's version of the Microsoft Blue Screen of Death), or scramble the screen. If this happens, reset the handheld and lower the CryptoBoost percentage or reset it to the default value of 0%.

The Conventional Cipher option allows you to change the default algorithm from CAST to AES (Rijndael), IDEA, or TripleDES.

Next, set your time zone or choose to have PGP use your PC's time zone. If this check box doesn't appear, you're either running Palm OS 4.0 or higher, in which case you need to set the time zone in the Palm OS Preferences screen, or you haven't HotSynced after installing PGP Mobile for Palm OS.

The final three options are: Wipe Free Memory On Shutdown, Enable PGP Command Bar Icon (this choice only appears if your Palm device supports it), and Enable PGP Popup Menu. When you're finished setting options, tap Done.

Importing keys
You can easily import keys from your PC if you installed the PGP plug-in. (Note: You can't use PGP Mobile to create keys on a Palm device. Keys must be imported from the desktop.)

On your PC, open PGPKeys and choose File | Open PGP Mobile For Palm OS Keyring. Choose a Palm Username from the drop-down list. Then simply drag the keys you want to import from the PC's Keyring into your handheld Keyring window. To reduce the time it takes to process a key on a handheld's slower processor, use a maximum key length of 1024-bit RSA.

After you've copied keys to the PGP Mobile Keyring, close both windows and HotSync. They should now be listed on the Handheld. Launch PGP and check the Keys tab. Tap the name of a key to view its properties, as shown in Figure C.

Figure C
You can always view information about your keys.

If you didn't install the plug-in, it's a bit trickier to import keys. Open PGPKeys on your PC. Click a key you want to copy to your handheld and choose Edit | Copy. Open your Palm Desktop program and create a blank Memo.

Paste from the clipboard into the memo, save, and HotSync. (Note: If the key is too long to fit the memo, it will be truncated and will be invalid.) Open PGP on your handheld. Tap Tools | Import From Memo. Select the memo to import, then tap the part of the message that begins:

Tap OK twice.

If your key is too long to fit on a memo, you can try e-mailing it to your handheld.

Copy a public key to the clipboard and paste it into a new e-mail message on your PC. Send the message to yourself and retrieve it using your handheld's e-mail program. Next, open the message on your handheld. Copy the Public Key Block to the clipboard. Switch to PGP, and choose Tools | Import From Clipboard. PGP Mobile also lets you beam keys. In addition, key maintenance includes deleting and checking the validity of keys on your device, which you should do each time you add a key.
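The truncation problems noted above (encrypted text cut off by a 255-character field, or a key block cut off by a memo) can be caught before the original is discarded. The following is an added example, not code from PGP Corp. or from this article; it assumes the text is standard OpenPGP ASCII armor with a CRC-24 checksum line as described in RFC 4880, and the sample data and function names are constructed for illustration.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # armor checksum constants, RFC 4880 sec. 6.1

def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PGP MESSAGE") -> str:
    """Wrap bytes in ASCII armor (used here only to build constructed sample input)."""
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {kind}-----", "", *body, check, f"-----END {kind}-----"])

def check_armor(text: str) -> str:
    """Return 'ok', or the reason the armored block cannot be trusted."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN PGP ") and lines[0].endswith("-----")):
        return "no BEGIN line"
    if lines[-1] != lines[0].replace("-----BEGIN ", "-----END ", 1):
        return "truncated: END line missing"
    if "" not in lines:
        return "malformed: no blank line after armor headers"
    body = lines[lines.index("") + 1:-1]
    if not body or not body[-1].startswith("=") or len(body[-1]) != 5:
        return "truncated: checksum line missing"
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        stored = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError:
        return "malformed: body is not valid base64"
    return "ok" if crc24(data) == stored else "corrupt: CRC-24 mismatch"

def survives_field(text: str, limit: int) -> str:
    """Simulate pasting armored text into a field that silently cuts at `limit` characters."""
    return check_armor(text[:limit])

# Constructed sample: 300 arbitrary bytes standing in for ciphertext (not real PGP output).
SAMPLE = armor(bytes(range(256)) + bytes(44))
TODO_LIMIT = 255  # ToDo field limit quoted in the article
```

Running `survives_field` on the text as it will actually be stored, before wiping the plaintext copy, shows whether the field kept the whole armored block.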

Using PGP Mobile
To protect data on your Palm handheld, launch PGP and tap the Data tab. A list of applications appears, as shown in Figure D. Tap the checkbox for the application whose data you wish to secure. For example, check To Do List to encrypt its database.

Figure D
Choose the application(s) for which you want to encrypt data.

The first time you check an application, you'll be asked to create a passphrase. Enter the text with the keyboard or by using Graffiti. This passphrase will be required from now on to encrypt all of your handheld data. PGP will use the default algorithm you chose during configuration. After typing, tap OK. Reenter your passphrase to confirm and tap OK.

PGP passphrases are case-sensitive. You can create a passphrase with as few as eight characters, but it won't be secure. Enter multiple words with mixed upper and lower case letters, numbers, and special characters. Your passphrase should be unique and easily remembered without having to write it down. Don't use phrases that can be cracked from a hacker dictionary, such as entries from Bartlett's Familiar Quotations. Don't forget your passphrase! If you do, your encrypted data can never be recovered. There is an option to change passphrases, but, naturally, you'll need to enter your old passphrase to do so.

After encrypting, the database is displayed with a lock icon, as shown in Figure E. At that point, the first time you request an encrypted database during a handheld session, your passphrase will be required. For the remainder of the session, you'll be able to work with records transparently. When you turn off the device, the database will be re-encrypted.

Figure E
The ToDo database is now encrypted.

Decrypting HotSync confusion
When a database is encrypted on your handheld, it is not encrypted on your desktop. HotSyncing will not, therefore, protect your PC's information. Also note that if you don't work with the encrypted database during a session (meaning you never enter a passphrase to decrypt it), it won't be HotSynced. Data will only be HotSynced after it has been decrypted by entering a passphrase during that handheld session.

Individual memos can be encrypted without encrypting the entire Memo database (as can e-mails and the contents of the clipboard). This is useful for creating a secure copy that you will use for beaming, attaching to e-mail, or for other uses. Encrypting a memo will not erase or encrypt the old copy.

In the PGP menu, tap Tools | Encrypt Memo. Select a memo to secure and tap OK. Choose a key to use for encrypting the memo, or choose to use Conventional Encryption, which will use the default algorithm you selected and your passphrase.

When the operation is complete, you will be given a choice of where to copy the encrypted version of the memo—Nowhere, to the Memo app as a new memo, or to the Clipboard, where it can be pasted in encrypted form into other applications.

Note that under Tools, you can also Sign memos. Signing verifies that you are the sender or owner. Memos don't need to be encrypted for signatures to be added. The menu also allows you to Encrypt and Sign memos in one step. You may perform these same operations with clipboard data.

Lock up data in the PGP Vault
A PGP Vault resembles a blank memo page. Vault data, organized by category, is also stored encrypted on the PC. If you installed the plug-in, you'll be able to access and decrypt the data on the PC using PGPKeys.

The seven pre-configured categories include Banking, Credit Cards, Logins, and Misc., but you can add to them or edit the names while in the Vault tab. Select Options | Edit Categories. To create a Vault, launch PGP on your handheld and tap Vault. Enter a new passphrase. Click OK. Confirm your passphrase. Click OK again to view the Vault screen. When you're finished working with the Vault, tap the Keys tab. The Vault contents will be encrypted. Each time you work with the Vault, you'll have to reenter your passphrase.

The next time you HotSync, Vault data will be transferred to your PC. To view or edit it there, launch PGPKeys and select File | Edit PGP For Palm OS Vault, as shown in Figure F.

Figure F
You can work with your vault on your PC (naturally, the Visa number depicted above isn't real).

Wipe your memory clean
The Wipe feature is among the easiest to use in PGP Mobile. Simply launch the app and tap Wipe. Select either Memo Item, Clipboard Contents, Free Memory, or Vault Contents and follow the instructions. In addition, if you configured PGP to always wipe free memory, it will do so each time you power off the handheld.

Power in the palm of your hand
PGP Mobile has strong encryption and, therefore, good data protection for Palm handhelds. The interface is easy to use and clean. Unfortunately, it has some incompatibilities with newer Palm OSs, but these will no doubt be addressed in future releases. One item that was a bit troubling was that, as of press time, it wasn't clear whether the application works with flash cards and other hard storage now popular in handhelds. But, despite its flaws, PGP Mobile is a pretty good extension of Pretty Good Privacy onto Palm-powered devices.
