Discussing Treo Data Security
What initially started as a review of Toysoft’s SecureX secure-entry and encryption application has redirected into an invitation to open general discussion of data security on the Palm OS.
Toysoft's SecureX is a secure-entry and encryption application with some unique features. Previously, Jack Draisey did an excellent, thorough review of v1.0 here and, since then, SecureX has gone through a few minor revisions to its current v1.3 which I have been testing over the last few days on my GSM Treo 650.
Short verdict: I will not be using SecureX, or any other encryption application, but it may not be the fault of Toysoft, or any other respective encryption developer. I am, however, exploring the issue of security more thoroughly.
Testing
The SecureX test started out well enough. Install was fairly straightforward, guiding through setup that took a little bit of time to understand but eventually got up and running.
SecureX runs encryption each time you turn off your Treo, and decryption each time you turn on your Treo. This takes a few seconds each time — some may find this annoying, others accept it as a small price to pay for some peace of mind. Had I kept this on my Treo long enough, I think it would have become increasingly annoying to me.
One of the features that makes SecureX unique is its alarm handling. Rather than just smother alarms behind encryption as other applications are reported to do, SecureX provides a bypass that allows applications of your choosing to run automated processes even when the Treo is locked down (for example, a backup app that runs on a scheduled basis).
Crashing
Unfortunately, regardless of the features, it crashed my Treo during encrypting processes. Worse yet, the database that was mid-crypt when it crashed corrupted, and the data was gone. This happened to my Calendar, Memos, Versamail (yes, I still use it - but that’s for another discussion) and SMS Messages databases several times in the space of three days. To be fair, this is documented in their user manual; but telling me it's going to corrupt my data doesn't make it ok to go ahead and do it.
Now, I DO use a backup application (Resco Backup), so I was able to restore the databases. But it became clear to me that, in order to use SecureX, I'd have to be prepared to restore lost databases on an ongoing and regular basis, and I just can't get excited about that. Speaking of restoring data, you do use some form of backup yourself... don’t you?
Deep Thoughts
It's more of a philosophical question — what's more important, data, or data security? I'm not sure what the correct answer is, but for me, the most important thing is the data - if I have no data, there's no need for data security. If I buy something that is supposed to protect my data, it should not be the thing corrupting my data. The first time my hired bodyguard takes a swing at me, he's fired.
However, inasmuch as we've established the primacy of data, I'm also faced with the idea that "the medium IS the message." If my security measures are poor, it is a reflection that my data is not worth protecting. The corollary: if my data is important, my security measures should reflect accordingly.
Testing SecureX reminded me again that I ought to spend some time thinking about how I secure my data. I've changed my backup setup now, which further reduces my exposure to losing data.
I also tested at least one other encryption app — TealLock — and found that although the features were numerous and highly configurable, again I had corrupted databases. So, at least, it appears the problem is beyond SecureX (conflict with some other 3rd party app? Palm OS's intrinsic level of stability??).
One more thing – SecureX's documentation did mention that it does not encrypt data on my expansion card. They do have a product (mEncryptor) that will, but I don't want to pay for a separate application that ought to be a functional part of SecureX.
Resco Backup does have the ability to initiate a backup whenever I exit an application, and can be overridden to prevent it from backing up if I'm still actively using my Treo, which is what I'd need to feel comfortable using SecureX. But, for those who do not yet use this level of backup, SecureX may not be stable enough for you.
To be fair, I must reiterate: the problem may not specifically be SecureX, but a conflict with any of the other 3rd party apps I have installed. As such, you might find that SecureX works without a problem on your Treo, in which case it might be the perfect solution for you.
Speaking more generally about security, data security and convenience are two polarities in the question of "how many security hoops are you willing to jump through?" A strong password ought to be 16 random characters, but that's both hard to remember and a pain to enter every time you want to access your Treo. So we tend to use passwords with fewer characters, and less random, so that we can remember them. Then we set up our Treo not to lock on shut down, but, oh, say, only after the Treo's been off for 10 or 15 or 20 minutes, because, again, it's too inconvenient to have it lock when I may be accessing my Treo on an intermittent basis.
Security tends to lose the competition to convenience. And it's probably in part because we really just don't believe the security measures are sufficient, so why bother?
Things that make me go, “Hmmmm…”
Palm OS offers some security: a password. Great, but there are ways around a password. So, I can get software that also encrypts my data. Terrific, but, there are ways around encryption. So, on top of a password, and encryption, there are apps which offer SMS wiping where I can send a text message to my lost/stolen PDA instructing the software to wipe my Treo and expansion card clean. But isn’t this just another way of saying "even with a password and encryption, I'm STILL not sure my data is secure?"
And then the horror sinks in as it dawns on me: "If that's the case, then why did I bother with all the inconvenience of a strong password that was hard to remember, and the encryption which took precious seconds every time it had to encrypt or decrypt data I wanted to use if, at the end of the day, I still won’t feel safe until I’ve wiped the data altogether?”
Yet Another Conundrum
mSafe is an app that dispenses with the facade of secured access and encryption. Its main offering is simply wiping your data clean if you lose your Treo. I've lost my Treo and the person who found it was good enough to read my owner screen and return it. What if I had sent the text to wipe the Treo before it was found? I'd be facing another outlay of hundreds of dollars to get a new Treo and SD Card, instead of the $20 reward the guy was happy to take to return my Treo intact. I'm not in a hurry to wipe my Treo clean. But, you may not be willing to gamble that the person who finds your lost Treo will do the right thing. So perhaps you ought to use a strong password, and a wiping app such as mSafe.
Help, anyone!
Hey, I'm going around in circles. I guess I'm just not "getting it." So, those of you who have elevated your security efforts beyond the Palm password by installing some 3rd party app, you tell me - what is or is not sufficient security for my sensitive data? Locking, encryption, wiping, some combination of the three, or some other approach...?
I did read another of Jack Draisey’s reviews, a comparison of mSafe vs. Warden vs. Teal Lock here — and I’m still left with having to choose between various apps that do a lot of things well, but don’t completely close the gap.
Am I making this more complicated than it has to be?! Have you got it all figured out and sleep well at nights knowing your data is absolutely secure? How did you do it?
Comments
Treo Musketeers says:
I've been reading the articles on security as well. I've also read the review on mSafe and had the same concerns as you. On the other hand, I have a legal obligation to protect client data under HIPAA, so I'm still searching for a good encryption program for my docs to go and email.
KeepGoing says:
Hello Duane,
You have some great points about security, and here are some of our thoughts.
What is the real world scenario for lost or stolen data on the Treo? It’s a great question. We think the answer is most people have important data such as pins, passwords, phone numbers, and even emails that some consider important. Also, more important, what truly happens with lost or stolen Treos? Do they steal it because you are a secret agent and know they are going to get great secrets? Probably not, they want to hock it for money; they usually stumble onto the unprotected data and might use it, but probably not. Do they find a lost Treo? Yes, this is the most likely event with Treos, and most people are good and will try to return it, or just hand it into the lost area of the place it was found.
So, what is the real world scenario for protecting your data on the Treo’s main memory? Notice, I have not said anything about SD cards, these usually are lost when you drop the Treo, and how many times did the actual SD card stay in the device after you dropped it? Plus, most people who have important data keep it on the main memory anyways. The answer we think is a product called “VoiceSecureIt”; it's sold here on myTreo.net. It is the first and only Voice Biometric application for the PalmOS. It is a powered on security solution that only allows inbound calls when enabled and no Authentication is performed. What is unique about VoiceSecureIt is you use your VoicePrint Phrase to unlock the device (One hand operation, and no need to remember long passwords, or even look at the screen).
Now some may argue it's not a secure product, because it does not encrypt the data on the Treo, but we tend to stick to real solutions for the real world scenarios and give compelling solutions that address the problem at hand.
Look forward to user feedback.
Sincerely,
Noel Grover
smiley says:
FYI,
SecureX DOES NOT decrypt files when you turn on the device. It only decrypts when an application opens the secure database. It does, however, re-encrypt all the secure files when you turn off the device.
The corruption problem sounds very odd. You said it happens with TealLock too. I'm thinking there is something beyond the encryption.
cisco_seitz says:
My company uses Credant. It's a bit of a pain having to enter the PIN, but not too bad. No idea how secure it is.
danielmi says:
We use Warden at our company and one of its features, called Quick access, strikes a great balance keeping your data secured and still being unobtrusive to use your device when you need it.
We also evaluated other products you have mentioned above, but Warden blows away all others in the same line.
ClarkQuinn says:
Depends on the data. My concern was keeping all my web logins, and other such data (e.g. financials) secure but accessible (after having my Treo fall out of the holster once, though I got it back). I'm using Splash ID since it has a Mac app that syncs, and now it keeps the data secure on my Mac as well. No problems so far, and that's like 6 months.
PolitePaul says:
I agree with Daniel - after some research I chose Warden Standard and avoid putting confidential data on the SD card. I have set a short lock down delay, and use a long, secure password, but I rarely have to use it because of the quick access feature. Warden keeps the Treo safe, but not the SD card, which can simply be removed and accessed on a PC.
I tried the SD card encryption programs mEncryptor and SecureCard, and also the Professional version of Warden. They were all much too slow (I accidentally set Warden to encrypt all the files on my 512 Mb card and it took 99 minutes, and a further 101 minutes to decrypt them). Both mEncryptor and SecureCard seemed to decrypt all the encrypted files on the card at the same time, even if you only wanted to access one, extending the time needed. All of these managed to corrupt some of my files (though I was deliberately using copies on a spare SD card just in case).
I concluded that encryption on a Treo is not really practical, though if someone can come up with a transparent, quick and non-corrupting option I would be very interested.
dgarts says:
Smiley - thanks for that correction!
ClarkQuinn - I've had a few recommendations for SplashID. But there may be info that doesn't quite fit in SplashID...then what? For those who can say "I just don't save confidential info on my PDA", SplashID may be sufficient.
danielmi & PolitePaul - yes, Warden seems to be rising to the top.
Treo Musketeers - legal obligation to "protect" doesn't necessarily require encryption! But if you do implement encryption, do yourself a favour and first a) use a backup solution if you don't already that will allow you to restore your Treo if an encryption tool messes up your data and b) thoroughly test any encryption apps over a period of at least a week so that you can become familiar with how it performs through more of your lifestyle. If any encryption app scrambles or corrupts your data, you may decide like I did that it's not worth it.
As was the case with me, I tested two encryption apps, and both scrambled my data. No good, no go.
Oh - one more thing. If you hotsync your Treo to a computer that could be accessed by someone other than yourself, check out this link: http://www.innersafe.com/palm_desktop
ConfusedVorlon says:
If you use Butler to delete your data when you lose your Treo, then it will NOT delete your owner message.
If a kind person finds your Treo, they can still know who to return it to.