Review: Using the PGP Mobile Palm email encryption system

As part of my new computer and Palm security kick, I’ve decided to try PGP Mobile, PGP’s PDA encryption software. In my last post I talked a bit about making my Palm situation a bit more secure, and how could that be complete without secure email?

I tried the OpenPGP version I could find, but it was not really finished, and wasn’t very stable on my Palm T3. PGP makes their PGP Mobile edition which looked pretty good on their website, although they hadn’t responded to any of the questions sent by email. After doing what research I could, I learned that I should expect something a bit iffy. As it turns out, in the documentation that is included in the download (but NOT available to those who haven’t purchased) is a statement that the software hasn’t been tested with Palm OS5, and some features may not work. Yikes!!!

In actual practice, the email functions seem to work fine, the vault works ok, but the ability to encrypt a database is not supported. For myself I haven’t decided if that’s a reason to ask for a refund or not. I do think it incredibly unprofessional to sell software that isn’t compatible with the majority of target systems being sold without stating that fact pre-sale. Along with this complaint is one about the tapping random data process. At times the software will ask you to tap the screen to produce random data. There are 5 or 6 segments of a bar graph that fill in to show progress. Here’s a tip – tap slowly, as it seems to be time rather than the number of taps that matters. Also, try to tap randomly. Last but not least, be patient – the first few times it asked me I gave up – the total lack of bars filling in convinced me that it was broken. This is a big hassle, and I would think plenty of random data could be had by having people draw on the screen rather than tap.

The way the software works is a copy-clipboard-paste kind of scheme. You access PGP’s encrypt, sign, decrypt, and verify functions via the command bar, which comes up when you do a command stroke. By clicking a small padlock icon, you can select which function you want. Once you select a function, you are taken to a screen where you choose the key, and complete the operation. Then you’re taken back to the window you came from. Given this approach, it’s likely that you will find a 1000 character limit on message size, as that’s the limit of the Palm clipboard. It also means that attachments aren’t going to be encrypted. It worked fine with SnapperMail; the docs suggest MultiMail (now called VersaMail) and mention that the old “mail” sync-only client won’t work.

The really cool part of this clipboard-style scheme is that you can encrypt basically anything that the software can cut & paste with. Notes in contacts and appointments, memos, pretty much anything I would guess. I encrypted a note on a contact with no trouble. It didn’t work with Documents to Go, but I recall reading that cut & paste between apps doesn’t work with DtG. One thing to note is that encrypting even just a word or two balloons the size of the text to a minimum size, which I’m guessing would be the block size of the algorithm, but is several hundred characters. I may play with the different encryption algorithms (AES, CAST, IDEA and TripleDES) to see what effect that has. Another thing to note is that without the encrypt database function working, you can encrypt only text fields.
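To put numbers on the minimum size and the 1000-character clipboard limit mentioned above, here is an added sketch (not from PGP Mobile or its documentation) that sizes an ASCII-armored OpenPGP message using the RFC 4880 packet layout. It assumes one RSA-2048 recipient, no compression, an integrity-protected data packet, 64-character armor lines and no armor headers; PGP Mobile's actual output may differ. Under these assumptions the fixed overhead comes mostly from the public-key-encrypted session key and the base64 armor.

```python
import base64

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, used for the armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(binary: bytes) -> str:
    """ASCII-armor a binary message (RFC 4880 section 6.2), 64 chars per line."""
    b64 = base64.b64encode(binary).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(binary).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "", *lines,
                      "=" + check, "-----END PGP MESSAGE-----"]) + "\n"

def packet_len(body_len: int) -> int:
    """Octets in a new-format packet: tag, length field, body (section 4.2.2)."""
    return body_len + (2 if body_len < 192 else 3 if body_len < 8384 else 6)

def message_len(plain_len: int, key_bits: int = 2048, block: int = 16) -> int:
    """Binary size (upper bound) for one RSA recipient; key size is an assumption."""
    pkesk = packet_len(1 + 8 + 1 + 2 + key_bits // 8)   # version, key ID, algo, MPI
    literal = packet_len(1 + 1 + 4 + plain_len)         # format, no filename, date
    seipd = packet_len(1 + (block + 2) + literal + 22)  # version, CFB prefix, MDC
    return pkesk + seipd

def armored_len(plain_len: int, **kw) -> int:
    # Only the length matters, so zero bytes stand in for real ciphertext.
    return len(armor(bytes(message_len(plain_len, **kw))))

def max_plaintext(limit: int = 1000, **kw) -> int:
    """Largest plaintext whose armored message fits in `limit` characters."""
    n = 0
    while armored_len(n + 1, **kw) <= limit:
        n += 1
    return n

if __name__ == "__main__":
    print("10-byte note, armored:", armored_len(10), "characters")
    print("plaintext that fits in 1000 characters:", max_plaintext(1000))
```

The `block` parameter is 16 for AES and 8 for CAST, IDEA and TripleDES, so switching ciphers changes the binary size by only 8 bytes in this model.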

The vault is basically a memo space attached to a category. You can edit it on the PC (if you have PGP installed there) but it’s just plain text space – no fields. You can add categories though. I think I’ll stick with SplashID.

You cannot create keys on the Palm. You can import them from a memo, or via hotsync using the included conduit and a desktop installation of PGP. This is nice in that if you accumulate a large collection of public keys it’s easy to get them into the Palm. It would be nice to create keys on the Palm, however. Also missing is any way to get the key for someone when you don’t have it – i.e. there are no key server functions. I suppose that for the Palms this was originally written for there wasn’t much thought about internet access, but it should be doable with today’s machines. Another possibility is to use WebPro to surf to the point where you can get the desired key as text (some people put them on their web pages), and then copy it into a memo, where it could then be imported into PGP. I don’t know if there is a public key search tool – my attempts to get to have failed using a browser.

I have not yet seriously tested this software, and given how rarely it is necessary to send encrypted or signed email it may be a while. But in the meantime this package seems to work mostly as advertised, although somewhat slowly. If you want PGP on a Palm, it’s the only game in town.

