Palm OS 4.0, due to be released at the end of 2001, appears to have resolved the issue of weak password obfuscation. However, it is highly recommended that a thorough analysis of OS 4.0 take place before a security-critical application is deployed.
In the current state, it is recommended that Palm OS devices not be trusted to store any critical or confidential information. In light of this, users and vendors are encouraged to adhere to the following guidelines for increased password security:
- Engage a challenge/response mechanism. These mechanisms will minimize the potential for adversaries to glean passwords through passive monitoring of the transport medium. The transfer of a secret component, even if it is encoded or obfuscated, over accessible buses (e.g., serial, IR, wireless, or network) is a risky design decision. Unfortunately, it's common practice that applications choose to simply obfuscate passwords instead of using encryption.
- Encrypt and salt credentials stored on systems. Simple obfuscation and reversible transforms lull the user into a false sense of security and simultaneously show a lack of concern about security from the vendor. The use of a salt, such as the Palm user name, user ID, or unique serial number of the Palm device, minimizes the possibilities of a password being represented on multiple systems with the same hash.
- Implement policy to lock and encrypt data on the device. The Palm OS Security application provides "system lockout" functionality in which the Palm device will not be operational until the correct password is entered. This is meant to prevent an unauthorized user from reading data or running applications on the device. Although this protection can be bypassed as discussed in §5, it provides an additional layer of security for particular deployments. The encryption of data can be achieved with a number of third-party applications, though care should be taken to verify secure storage of the encryption components.
- Implement an alternative password scheme. Third-party solutions exist which provide power-on and data protection by requiring a handwritten signature, physical button taps, or other form of password before allowing access to the device. The use of graphical passwords on PDAs is studied in [12].
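The first two guidelines combined, as an added sketch that is not part of the original paper and not Palm OS code: a salted one-way verifier is stored instead of the password, and only a MAC over a fresh challenge crosses the transport. The function names, the PBKDF2/HMAC-SHA-256 choice, the round count, and the sample user name and serial values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def derive_verifier(password: str, user_name: str, serial: str) -> bytes:
    """Salted one-way verifier; salt is the user name plus device serial."""
    salt = f"{user_name}\x00{serial}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def new_challenge() -> bytes:
    """Verifier side: a fresh random nonce for every authentication attempt."""
    return secrets.token_bytes(16)


def respond(key: bytes, challenge: bytes) -> bytes:
    """Prover side: only this MAC is sent over the bus, never the password."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def check(stored_verifier: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute the MAC and compare in constant time."""
    expected = hmac.new(stored_verifier, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values, not taken from any real device.
    stored = derive_verifier("test1234", "alice", "SERIAL-A")
    other_device = derive_verifier("test1234", "alice", "SERIAL-B")
    c1, c2 = new_challenge(), new_challenge()
    good = respond(derive_verifier("test1234", "alice", "SERIAL-A"), c1)
    bad = respond(derive_verifier("guess", "alice", "SERIAL-A"), c1)
    return {
        "accepted": check(stored, c1, good),
        # A response captured by a passive listener fails for the next nonce.
        "replay_rejected": not check(stored, c2, good),
        "wrong_password_rejected": not check(stored, c1, bad),
        # Same password on a second device yields a different stored value.
        "salt_separates_devices": stored != other_device,
    }


if __name__ == "__main__":
    print(demo())
```

The stored verifier is itself sufficient to answer challenges in this scheme, so it still needs the storage protection described in the guidelines; the salt only keeps the same password from producing the same stored value on another device.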
Kingpin
2001-05-09