Most people don’t think much about what would happen if they lost their Treo, or when they do, they mainly think about the cost and inconvenience associated with replacement. However, a Treo is much more than a phone and the consequences of losing it could be far worse than the expense or even the time and inconvenience of getting a replacement.

What, Me Worry?

What happens if your Treo is lost or stolen? Paying for and reconfiguring a replacement can be both expensive and inconvenient. But if you look a beyond the physical phone itself you will realize that your Treo contains a lot of personal and confidential information. If you are like most Treo users, your Treo contains the following information:

• A comprehensive schedule for all of your personal and professional appointments
• An address book containing the phone numbers, email addresses and home addresses of all of your friends, family members and professional contacts
• A long list of tasks that includes your personal and professional goals
• An email program that provides full access to all of your personal and professional email accounts along with offline copies of your emails
• Important documents that may contain sensitive or confidential information
• Photographs taken of friends and family to capture special moments
• A program or file containing passwords to your many user accounts

In the best case scenario, you accidentally lose your Treo and it is found by a Good Samaritan that has nothing but good intentions and only looks at the information in your phone so that they can return your Treo to you. But even in this case they may see things you might not want them to see as they search for your contact information (assuming they can find it at all).

However, in a less ideal (and maybe more realistic) scenario, your Treo is found (or stolen) by someone that is a little less saintly and a little more curious. In this case, how would you feel if …

• All of the pictures in your Treo were viewed by a stranger and possibly posted on the Internet?
• Everyone in your contact list was sent a link to the above pictures?
• The private phone numbers and home addresses for all of your contacts were made public?
• Your entire personal calendar was made public to everyone you know?
• Both your professional and personal calendars were made public to all the employees in your company?

Not only would you feel violated or betrayed, but your friends who also value their privacy and would feel the same way. Additionally, they might even be upset at you for being careless enough to let their private information become public. If you lead a boring life and never do anything that you prefer to keep private, then you have little to worry about. However, if you are a celebrity (or someone in your contact list is) the negative consequences could be much greater if this private information became public.

Now imagine an even worse scenario: someone actually holds a grudge against you and steals your Treo. Imagine the damage they could do to you or those you love with the information contained in your Treo. They would have access to all your friends and family and would know about every appointment you have during the coming weeks. And since this person has your phone, there is the risk that they could make or receive a call and impersonate you. The Caller ID information would make them appear to be you, so unless the person on the other end of the phone knew your voice they might not be able to tell the caller wasn’t you.

We all like to think that things like this could never happen to us, but they can. The more I began to think about these risks, the more I realized that I should do more to protect myself and those I care about by protecting the information in my Treo.

The more I explored different options, the more frustrated I became because all of the solutions I found were either incomplete or unacceptably inconvenient. And then I discovered Warden Release 2.0.

Warden Release 2.0

The new release of Warden isn’t the only security program out there, but from what I’ve seen it has the most comprehensive approach to securing your Treo that I’ve seen. While evaluating Warden I have talked extensively with Chirag Patel, the President and CEO of Corsoft, and I am convinced that he is committed to making Warden the most comprehensive and flexible security program possible.

Installation

The first time you run Warden you are prompted to enter the password you wish to use whenever you need to configure or unlock your Treo. As you enter the password you are given feedback on the strength of the password, from “weak” to “medium” to “strong” based on the length and types of characters used in the password. Using a combination of upper and lower case alpha characters combined numeric and special characters will result in a more secure password and the longer the password the harder it is for someone to guess what it is.

You are next asked to confirm your location and then enter a registration key or select the 15-day evaluation. You are then taken to the main configuration screen.

A few notable items about the Warden installation process:

• Warden obtains information about you (the owner) by getting it from the Business Card contact specified in the Contacts program. If you have not selected your contact information as the Business Card you will be asked to do so.
• Warden replaces the built-in Security application, so once you install Warden you will no longer see the original Security program (it is actually hidden).
• You cannot delete Warden using the Treo's default Delete process. In order to uninstall Warden, you must use open Warden and select Uninstall from the menu. This is intended to prevent someone that has stolen your Treo from deleting the Warden application before you have a chance to lock it remotely. Unfortunately, third-party launchers like zLauncher can still be used to delete Warden because they ignore the “do not delete” file attributes set by Warden.
• Updating to newer releases of Warden requires you to completely uninstall the current version, reinstall the new version, reenter your registration code and then reconfigure all of your settings.

Locking Options

Warden takes an intelligent and flexible approach to locking your Treo so that you rarely have to enter a password when using your Treo. The difference is that Warden assumes that you normally have possession of your Treo and therefore shouldn’t have to re-enter your password every time you use it. The reason Warden can make this assumption is because it allows you to lock your Treo after you lose it by sending an SMS message to your Treo telling Warden to lock your Treo. This is called “Remote Lock”.

You can send the SMS message telling Warden to lock your Treo using any phone or any web site capable of sending SMS messages. You just need to know how to send the proper command to Warden. By default, this command looks something like this: “WardenSecurityForTreo LOCK yourpassword”. There are other products that allow you to lock your Treo in a similar manner using an SMS message, but the main problem with this approach (for Warden and these other products) is that you need to remember the correct command to send to your Treo. Unless you have this information written down in your wallet or purse (and they weren’t lost along with your Treo), you may not be able to remember the precise command required to lock your Treo.

Warden addresses this issue by having a web site called LockMyTreo.com. All you need to do is go to LockMyTreo.com, enter your phone number, email address and password (the same password you specified when installing Warden) and you can lock your Treo.

The LockMyTreo web site includes some additional features that make the process of locking your Treo not only easier, but also more secure by providing feedback on the results of your lock command. These features include:

• You can lock your Treo using Secure SMS or ClearText SMS messages. In the Warden program on your Treo you can specify whether to allow Secure SMS, ClearText SMS or both.
• You can specify a message that will display on the Warden “lock screen” that can be read by the person that finds your Treo.
• You can easily specify all of the different options for locking and securing your Treo without having to remember the specific commands.
• You can send a test message that will let you confirm that you will be able to lock your Treo remotely
• You will also get confirmation emails showing:
  • That your message was sent to your Treo
  • That your Treo received and completed the commands in your message
  • Whether your Treo has been unlocked after it was remotely locked

If you ever need to remotely secure your Treo, the last thing you want to worry about is whether you sent the right command and whether the SMS message was received and executed by your Treo. Therefore, the ability to do a “test lock” and receive email confirmation is an invaluable feature that gives me confidence that I will be able to successfully lock my Treo and secure my data if it ever becomes necessary.

Local Lock Options

So now that there is a way to easily lock your Treo remotely, you no longer have to worry about locking it during normal use, right? Wrong!

The remote lock feature requires your Treo’s radio to be turned on in order to receive the SMS message. But if your radio is turned off or your Treo is out of network coverage it can’t receive the SMS message telling Warden to lock your Treo. Warden therefore provides a wide variety of additional criteria that will cause your Treo to lock. These include:

• If the radio is off, secure the Treo whenever the screen is turned off (ON by default)
• If the radio is on, lock the Treo when it loses access to the network (ON by default)
• Lock the Treo whenever the SD card is removed (ON by default)
• Lock the Treo whenever it is reset (ON by default)
• Lock the Treo when the side button is pressed (OFF by default)
• And of course you can use the more traditional (and inconvenient) methods of locking the Treo whenever the screen is turned off, at a specified time each day, or a certain number of minutes after it is turned off (OFF by default)

Some additional features that show Corsoft’s extra attention to detail include:

• The ability to automatically turn the phone on after a system reset
• The ability to specify the signal strength that is considered a network outage. This is very useful if you work or live in an area where you may have low quality signal because it will help prevent the phone from locking every time the signal dips down a bit
• Since Warden replaces the standard Security application, it gives you the ability to show, hide or mask records marked as “private” like you would normally set with the Security program

The combination of remote and local locking options allows you find the right balance of security and convenience to meet your individual needs.

Protection from Tampering

As described above, your Treo can become locked if you send a remote command to lock it or because one of the “local lock” conditions has been triggered. The reason your Treo locked will determine what course you want to follow next. Fortunately, Warden provides very detailed control over what happens after your Treo is locked.

As shown in the following dialog, there are four reasons why your Treo will be locked and Warden lets you configure different settings for each lock situation.

For each lock situation, you can:

• Enable remote data destruction – You may want to disable this feature completely if you are more worried about your data getting deleted than you are about it getting stolen.
• Disable inbound phone calls – This is a feature that I believe is unique to Warden and is very useful if you are worried that someone may steal your phone and try to impersonate you. Also very useful if you want to protect the identity of people that may be calling you after your phone has been stolen. This feature also allows you to only receive calls from the numbers on your Contact Card or those listed in your ICE contact list (described in more detail below) so you can call the person who has your phone and ask them to return it.
• Destruct if not unlocked for X days – Useful if you want to make sure that the data in your Treo will be deleted after a certain period of time even if you can’t send an SMS message to remotely delete the data.
• Delete after X attempts – This will delete the data if the finder of your Treo tries to guess your password too many times.
• Unlock at TIME for X minutes – After calling Corsoft I learned that this feature came from user feedback and is intended to keep your phone locked while allowing certain programs to run that need the phone to be unlocked. An example might be if you had a program like BackupBuddy.Net schedule to sync your Treo’s data to their web service at 2am every night. This is another example of the people at Corsoft really listening to their customers.

Unlocking Your Treo

If you want to err on the side of caution and security, you will configure your Treo so that it will lock whenever it is in a situation that it can’t receive an SMS message. This means that you may still have to unlock your Treo a few times a day. This isn’t ideal, but it isn’t nearly as inconvenient as having to unlock your Treo every time you turn it on.

However, remember that you should be using a high security password which means that it should be a combination of at least 8 or more letters, digits, and special characters. The people at Warden knew that typing in a secure password can be a real pain and that some people would be tempted to use a shorter and less secure password, so they added another method of unlocking your Treo called “Quick Access” so that you don’t have to sacrifice convenience for security.

The Quick Access feature allows you to specify a combination of the Treo’s hard buttons (the Phone, Calendar and Email buttons) that will unlock your Treo. How can they do this and still make it as secure as a longer and more complex password? Well, the trick is that you only get one chance to enter the Quick Access password and you must press all of the buttons in the correct order within a limited period of time (about 10 seconds).

This means that if you know the Quick Access password you can enter it very easily and quickly using one hand. But if you don’t know the Quick Access password it is very unlikely you will guess it on your very first try. And if you press one of these buttons and don’t complete the Quick Access password within the time limit, the only way to unlock the Treo is to enter the regular (and much more secure) password.

I love the Quick Access feature. Prior to having this feature I used to dread seeing the “Locked” screen because I was forced to type a long password that often required both hands in order to enter the numbers, caps and special characters in my password. With Quick Access, the “Locked” screen doesn’t bother me at all

Securing Data on the SD Card

Most likely you store pictures, email, documents, audio, and other information/media on your Treo’s SD card. Warden addresses this vulnerability by allowing you to send a remote lock command that will lock your Treo and encrypt the information on the SD card.

If you store additional SD cards with your Treo you can manually encrypt the contents of each SD card before you remove it from the Treo so that it will be secure even if it is lost with your Treo. Then, when you are ready to use the card you can manually decrypt the card so the files on it can be accessed.

At this time Warden only encrypts the files in the Palm folder on the SD card and does not encrypt files stored in other directories on the card. By default it will encrypt all files under the Palm folder, but it also lets you disable encrypt of a few file types so you don’t spend time encrypting/decrypting files types that you feel are not related to security.

The encryption method used is very secure, but the downside is that it can take a while to encrypt the data on your SD card because the encryption rate is 1MB/minute. If you have a lot of information in your SD card’s Palm folder it can take many minutes or even hours to encrypt it all. However, the people at Corsoft have told me that this is an area they are working on so we will hopefully see improvements in this area in a future release.

Additional Features

The people at Corsoft have listened to their customers and have added nearly every security-related feature you can think of to the new release of Warden. And if there is something you think should be there and isn’t, they want to hear about it because their goal is to make Warden the best and most comprehensive security program possible for the Treo.

A partial list of some of the additional security features include:

• Lost and Found Integration – If you are using a “Lost and Found” service such as Stuffbak, this feature allows you to enter the information these services will require so they can return your Treo to you.
• Customizable date/time display on lock screen
• Customizable lock message
• In Case of Emergency (ICE) – If you are unconscious and being treated by medical personnel, they may check your cell phone in order to locate your emergency contacts. Warden lets you select multiple emergency contacts and identify their relationship to you. You can also specify important medical information about yourself such as blood type, diabetes, asthma and blood pressure risk. All of this information can then be easily accessed from the Lock screen.

Administrator Features

If you are an IT administrator in charge of deploying Treos to several employees in your company, you will be glad to know that Corsoft also offers Warden Admin, a program that allows you to setup an admin account for each copy of Warden installed on each employee’s Treo. This admin account allows you to remotely lock any of the Treos you manage and prevent the individual employees from making changes to Warden’s configuration settings.

Security Holes

Security is a game of cat and mouse. No matter how hard you try to protect something, there is always a way to get around the barriers that have been put in place. Warden is no exception to this rule. While the people at Corsoft have done a great job of protecting your Treo from the most common attempts to access the data on your Treo, there are still a few security holes that can be exploited by a knowledgeable and determined thief or hacker. The people at Warden believe that the best protection comes from having the best tools to protect your data and the knowledge of what those tools can and cannot do so you can use the tools properly and manage the risks intelligently.

Here are a few security holes I’ve found that are really a consequence of the lack of security features built into the Palm OS rather than problems with Warden. I mention these security holes not because I want to help hackers get access to your data but because the biggest risk to security is ignorance and if you know about these vulnerabilities you will be able to make an informed decision regarding the information you are willing to store on your device.

1) The Treo’s warm reset is intended to allow you to recover from an endless reset loop without having to perform a hard reset (which will delete all of your internal data). However, a warm reset bypasses Warden’s Lock Screen.
2) If you are using a third-party Launcher and a user is able to get access to your Treo before it has been locked they can delete Warden and prevent you from locking your Treo.
3) As mentioned previously, while you can encrypt the data on your SD card, this only works if the user leaves the card in your Treo long enough for you to send the Lock command and long enough for Warden to encrypt the data on the SD card.

Do these vulnerabilities mean that you shouldn’t use Warden? In my opinion, absolutely not! I believe Warden does a great job of protecting your Treo’s data from the vast majority of situations where your Treo might be lost or stolen. The main risk is if your Treo is stolen by someone that is specifically targeting your Treo, who knows enough about how both Palm OS and Warden work, and can figure out how to circumvent the layers of security before you have a chance to lock your Treo or delete your data. If you suspect that your Treo has been stolen by someone like this, or even if you just want to be extra safe, I would recommend that you send the command to erase all data in your Treo and on the SD card as soon as you notice your Treo is missing.

Future Enhancements

There is one feature that is advertised in Warden that is coming soon -- the “Phone Lock” feature. This feature, when completed, will allow you to remotely lock your Treo using any phone, without having to send an SMS message. Instead of going to the LockMyTreo web site to send an SMS, you will call a special phone number where you can enter your phone number and a special Phone Lock key (all numbers so it can be easily entered using a phone keypad).

Three Versions, Different Features

Warden comes in three versions: Lite, Standard, and Professional. The Professional version includes all of the features I’ve described above while the Standard and Lite versions only include a subset. The differences are summarized in the table below:

All versions include the ability to remotely lock or remotely delete the data in your Treo.

Conclusion

After using Warden for a couple of months I’ve decided that it provides the best balance between security and convenience that I’ve seen in a security product for the Treo. It also provides a vast array of configuration options that allow you to configure it to meet your individual needs and preferences.

While I realize that my Treo’s data will never be 100% secure, I feel much better knowing that it is as secure as it can be given the current limitations of the Palm OS.

Pros

• The combination of Remote and Local locking allows to you ensure that your Treo’s data will always be secure from prying eyes without making your Treo impossibly inconvenient to use
  
• The Quick Access feature is a great way to allow you to quickly unlock your Treo without sacrificing security
  
• The LockMyTreo web site and confirmation emails indicating successful receipt and execution of remote commands provide invaluable feedback
  
• Warden Admin program is very useful if you need to manage and secure multiple Treo’s for your company
  
• Corsoft provided outstanding customer support and shows a commitment to making Warden the best and most comprehensive security program available.

Cons

• Installing updates to Warden requires uninstalling the current version, forcing you to re-enter registration information and reconfigure all of your settings.
  
• Encryption of files on SD cards is slow and is limited to items in the Palm folder.
  
• There are still a few security holes in the Palm o/s that can be exploited by a knowledgeable and determined thief
  
• Though I’ve been told that it should be ready soon, the User Guide for Warden 2.0 has not yet been released. Fortunately most screens have built-in help but I still prefer a printable user guide that describes each feature in-depth so I know when I should use it and how to use it correctly.
  
• The “Phone Lock” feature is visible in the Warden 2.0 program but is not yet available for use. On the positive side, when the feature becomes available the current version may not need to be updated.

Tested using Treo 700p

Related Links

Download / Buy Warden Version 2

Corsoft Star Developer Area in the Treo Discussion Forum.

Treo Security Alert

Social bookmarking: or

Possibly related entries...

All Your Lists in One Place - ListPro - May 22, 2008

PowerGrid - May 20, 2008

Review of SplashMoney for Windows Mobile - Mar 28, 2008

Why I Love Genius - Mar 27, 2008

Iambic's ToolBoxToGo - Sneak Peak - Mar 17, 2008