Devil's Advocate: Defeating the viruses in your Palm

Allowing greater security and manageability at an OS level may be Palm's biggest battle yet - but one it may just have to win, says Martin Brampton…

Last week, I was reflecting on the vulnerability of widely used operating systems to malicious code such as viruses. In very timely fashion, PalmSource has come along with proposals to harden the Palm operating system in its next version.

The primary aim of PalmSource is to encourage the corporate market to start taking Palm devices seriously and to prefer them to rivals with Microsoft or Symbian software. This will be a tough job, given that most corporate IT departments feel most comfortable with a Microsoft system, which seems familiar, even though significantly different.

Fear of nasties such as viruses is an interesting lever to use on the business market. Indeed, if corporate buyers can be persuaded to wake up to security issues there are a number of very serious issues needing attention. Whether or not IT has formulated a company PDA policy people are certainly buying company PDAs. One favourite use for the company PDA is to store a complete collection of PIN numbers, usually unencrypted.

Vital company documents are perfectly likely to be transferred to the PDA, as the first accessory most company users want is a synchronisation cradle. The situation has been dangerous enough when the main risk was that the PDA might be stolen, and the thieves might be sophisticated enough to take advantage of the stored data. Organisations that have sophisticated policies for securing their fixed local and wide area networks typically have little in place to manage the security of laptops, let alone PDAs.

Dangers multiply as the PDA becomes part of a public network. This is increasingly likely, as Bluetooth becomes established and Wi-Fi wireless networks start to be available in public places. There is then no guarantee that everyone that has a data link to the company PDA is well intentioned. In fact, all the legitimate benefits that are driving the popularity of mobile devices also have an appeal to malefactors of every kind.

The ability to establish easy links into the global internet using a wireless link in a public place has obvious appeal. But it also creates a situation that is incredibly difficult to police. It is hard enough to trace what has happened when an incident occurs within the wired internet. How much harder will it be to pin down disconnected users who do not want to be traced?

Into this dangerous environment PalmSource is claiming that it can introduce root and branch reform at the operating system level. The principles are obvious. The system is to provide as standard the ability to limit what programs can run. It will constrain programs to their own address spaces and provide the basis for a virtual private network (VPN) as standard. This is a logical response to problems such as the plague of viruses, which first arose through the willingness of widely used operating systems to run just any old program.

Whether PalmSource can pull it off remains to be seen. There may well be problems if the security is over zealous and prevents users from easily running new and legitimate software. It will also be difficult to find truly workable solutions to the contradictions inherent in the more extreme ideas on web services. If a device is to dynamically find code across the internet and run it, the security checks need to be both robust and lightweight.

Certainly Palm needs something like this to boost its market position. Otherwise, it is in danger of being squeezed between the might of Microsoft and the volumes of the mobile makers. Microsoft will doubtless leverage its strong position in corporate systems and Symbian is rapidly achieving huge numbers of units as Nokia and others push smart phones into the consumer sector.

Palm has long led the PDA market, at least in numbers of units. Will security keep it in the game?

** Martin Brampton is a director and founder of Black Sheep Research (www.black-sheep-research.co.uk ), an independent consultancy providing research, writing and speaking services on a wide range of business and technology subjects. Martin was previously a director at Bloor Research, and has worked with IT as a user and analyst for over 20 years. He can be contacted at silicon@black-sheep-research.co.uk.

For past Devil's Advocate columns see the links below, or type 'Devil' into our search engine.