Wallet - a simple secure personal data manger for mobile devices

What is this?

Wallet is a simple personal data manager for mobile devices with Java (MIDP1.0) support. Its main function is to provide a safe and convenient place to store small snippest of confidential data, such as passwords and credit card details. Many mobile phones and PDAs have utilities to store snippets of information; the problem with these utilties is that they don't necessarily encrypt the data. While this doesn't cause a problem in normal operation, if the device is lost of stolen there is little to protect your data from villains. Wallet uses the IDEA encryption algorithm to scramble the stored data; this algorithm is generally thought to be unbreakable. Even if an unauthorized person does get access to the data stored by the Wallet application, the encryption ensures that it will be gibberish without your password.

Requirements

Wallet needs a Java-enabled device with MIDP (version 1.0) support, and at least 14 kB of nonvolatile memory for application storage. There also needs to be enough storage for your data; obviously the more data you store, the more memory the application will use.

Basic principles

The Wallet application stores data in the form of labelled snippets. Each snippet can be up to 4 kB long (harware permitting), while the label is a short title: up to 32 characters. Until you have entered the password, neither the labels nor the snippets are visible. The number of individual snippets is limited only by the mobile device's memory. In use, the application displays the titles on the main screen; selecting a title reveals the rest of the entry.

How to use

As mobile devices vary enormously in their keypad and button layouts, it is impossible to describe exactly which keys to press. In addition, the screen appearance and layout will vary from one device to another. The description that follows is based on the Motorola i85 mobile phone.

The first time you use Wallet, you will be prompted to enter a pass code:

You will need to enter it twice, so you can't easily enter a duff pass code by mistake. Pass codes must be four to eight digits long (letters won't work - because the pass code is not shown on the screen as you type, it is virtually impossible to enter letters from a phone handset).

After entering the password, you will see a list (initially empty) of items in the database. To create an item, select `New from the menu (the location of the menu will vary from device to device. On some phones the New command will be mapped onto a button, rather than a menu). You can then enter the title of the snippet, and the text. When a number of snippets have been entered, the initial list screen might look like this:

You should be able to view an existing item by navigating through the list of titles, and selecting the one required. Again, the way this is done varies from one device to another. On the Motorola, you can use the arrow keypad to navigate, then press the `lift handset' button to select. You will then see the text of the item.

As well as viewing the item, you can change it. Changes are automatically saved when you select the `OK' buutton or menu.

You will only be prompted to create the wallet database the first time you use the program. Thereafter, you will only have to enter the password once:

Without the password, you won't be able to view or edit anything. As mentioned above, the password doesn't just control access to the program, it is used as the encryption key in the database.

Intallation

Installation depends on your particular mobile device. Your installation software will typically require a JAR file, and possibly a JAD file as well. Both are in the download package wallet.zip, in directory bin.

Source code

J2ME Source code is included in the download package, in the directory src.

Caveats

This software has a number of limitations of which you should be aware.

The title you assign to a snippet of information serves to identify it uniquely in the database. You can't have two snippets with the same title, nor can you change the title after creation. You can, of course, delete a snippet and re-create it with a different title.
Wallet uses an encryption algorithm that is generally believed to be unbreakable. There are no `back doors'. If you forget your pass code, say goodbye to your data.
If you don't view or edit any data within five minutes, the program will shut down. This is a feature, not a bug. Some mobile devices keep programs running even when they are not visible on the screen. Since Wallet is intended to be a security aid, its purpose would be defeated if it continued to run after your mobile phone was stolen. The villain wouldn't have even to guess your password - he could just switch to the running Wallet application. In practice this means that although in principle the text of an item can be 4kB long, in reality you are limited to how much you can type in five minutes.
Wallet looks ugly on a sophisticated mobile device like the Ericsson P800. The screen is just too big to suit the inflexible layout imposed by MIDP.
The data stored by Wallet is, by its very nature, meaningless to other applications. As a result, you will not be able to synchronize Wallet entries with any other application.

Technical notes

Wallet uses the standard `record store' paradigm of MIDP to store data. This way that MIDP provides for the storage of persistent data, even if the underlying hardware supports a real filesystem. Where the Wallet data ends up being stored on a real device is, therefore, at the discretion of the device vendor, and can't be configured in software. IDEA is a symmetric encryption algorithm with a 128-bit key. In applications where paranoid security is required, it is typically used in cipher feedback (CFB) mode. Wallet does not use CFB, because it significantly increases the computation time - this is likely to be important on a mobile device. In any case, CFB only markedly improves security when there is a substantial amount of data, and Wallet is not really designed to deal with large data volumes.

Legal, etc.

Wallet is copyright ©2003 Kevin Boone. This software is provided free-of-charge in the hope that it proves useful. There is no warranty of any kind. The author accepts no responsibility for any adverse consequences of its use. Encryption is, by its very nature, a way of turning readable data into gibberish. Every possible care has been taken to ensure that this software can convert the gibberish back to meaningful data; but if it doesn't, that's too bad. Please test thoroughly before relying on this software. If you can't accept the foregoing , please don't use this software. You may freely copy this software, or use it in any way you see fit, apart from claiming it as your own work. Please send bug reports, etc., to the author.