|
|
Wallet - a simple secure personal data manger for mobile devices
What is this?
Wallet is a simple personal data manager for mobile devices with Java (MIDP1.0)
support. Its main function is to provide a safe and convenient place to store
small snippest of confidential data, such as passwords and credit card details.
Many mobile phones and PDAs have utilities to store snippets of information;
the problem with these utilties is that they don't necessarily encrypt the
data. While this doesn't cause a problem in normal operation, if the device is
lost of stolen there is little to protect your data from villains. Wallet uses
the IDEA encryption algorithm to scramble the stored data; this algorithm is
generally thought to be unbreakable. Even if an unauthorized person does get
access to the data stored by the Wallet application, the encryption ensures
that it will be gibberish without your password.
Requirements
Wallet needs a Java-enabled device with MIDP (version 1.0) support, and at
least 14 kB of nonvolatile memory for application storage. There also needs to
be enough storage for your data; obviously the more data you store, the more
memory the application will use.
Basic principles
The Wallet application stores data in the form of labelled snippets.
Each snippet can be up to 4 kB long (harware permitting), while the
label is a short title: up to 32 characters. Until you have entered
the password, neither the labels nor the snippets are visible.
The number of individual snippets is limited only by the mobile device's
memory. In use, the application displays the titles on the main screen;
selecting a title reveals the rest of the entry.
How to use
As mobile devices vary enormously in their keypad and button layouts, it is
impossible to describe exactly which keys to press. In addition, the screen
appearance and layout will vary from one device to another. The description
that follows is based on the Motorola i85 mobile phone.
The first time you use Wallet, you will be prompted to enter a pass code:
You will need to enter it twice, so you can't easily enter a duff pass code by
mistake. Pass codes must be four to eight digits long (letters won't
work - because the pass code is not shown on the screen as you type, it is
virtually impossible to enter letters from a phone handset).
After entering the password, you will see a list (initially empty) of items in
the database. To create an item, select `New from the menu (the location of the
menu will vary from device to device. On some phones the New command will be
mapped onto a button, rather than a menu). You can then enter the title of the
snippet, and the text. When a number of snippets have been entered, the initial
list screen might look like this:
You should be able to view an existing item by navigating through the list of
titles, and selecting the one required. Again, the way this is done varies
from one device to another. On the Motorola, you can use the arrow keypad to
navigate, then press the `lift handset' button to select. You will then see the
text of the item.
As well as viewing the item, you can change it. Changes are automatically saved
when you select the `OK' buutton or menu.
You will only be prompted to create the wallet database the first time you use
the program. Thereafter, you will only have to enter the password once:
Without the password, you won't be able to view or edit anything. As mentioned
above, the password doesn't just control access to the program, it is used as
the encryption key in the database.
Intallation
Installation depends on your particular mobile device. Your installation
software will typically require a JAR file, and possibly a JAD file as well.
Both are in the download package wallet.zip, in directory bin.
Source code
J2ME Source code is included in the download package, in the directory
src.
Caveats
This software has a number of limitations of which you should be aware.
- The title you assign to a snippet of information serves to identify
it uniquely in the database. You can't have two snippets with the same
title, nor can you change the title after creation. You can, of course,
delete a snippet and re-create it with a different title.
- Wallet uses an encryption algorithm that is generally believed
to be unbreakable. There are no `back doors'. If you forget your
pass code, say goodbye to your data.
- If you don't view or edit any data within five minutes, the
program will shut down. This is a feature, not a bug. Some mobile devices
keep programs running even when they are not visible on the screen. Since
Wallet is intended to be a security aid, its purpose would be
defeated if it continued to run after
your mobile phone was stolen. The villain wouldn't have even
to guess your password - he could just switch to the running Wallet
application. In practice this means that although in principle the text
of an item can be 4kB long, in reality you are limited to how much you
can type in five minutes.
- Wallet looks ugly on a sophisticated mobile device like the Ericsson
P800. The screen is just too big to suit the inflexible layout
imposed by MIDP.
- The data stored by Wallet is, by its very nature, meaningless to other
applications. As a result, you will not be able to synchronize Wallet entries
with any other application.
Technical notes
Wallet uses the standard `record store' paradigm of MIDP to store data. This
way that MIDP provides for the storage of persistent data, even if the
underlying hardware supports a real filesystem. Where the Wallet data ends up
being stored on a real device is, therefore, at the discretion of the device
vendor, and can't be configured in software. IDEA is a symmetric
encryption algorithm with a 128-bit key. In applications where paranoid
security is required, it is typically used in cipher feedback (CFB) mode.
Wallet does not use CFB, because it significantly increases the computation
time - this is likely to be important on a mobile device. In any case,
CFB only markedly improves security when there is a substantial amount of
data, and Wallet is not really designed to deal with large data volumes.
Legal, etc.
Wallet is copyright ©2003 Kevin Boone. This software is provided
free-of-charge in the hope that it proves useful. There is no warranty of any
kind. The author accepts no responsibility for any adverse consequences of its
use. Encryption is, by its very nature, a way of turning readable data into
gibberish. Every possible care has been taken to ensure that this software can
convert the gibberish back to meaningful data; but if it doesn't, that's too
bad. Please test thoroughly before relying on this software. If you can't
accept the foregoing , please don't use this software. You may freely copy this
software, or use it in any way you see fit, apart from claiming it as your own
work. Please send bug reports, etc., to the author.
|
