It comes to be more and more tempting to store and process important business docs on our mobiles/smart-phones as the devices keep growing bigger, mightier and more usable. Together with the time saving benefits we get from being able to do the work while on the go, there is also a still growing danger of our precious information being stolen together with the device and used by a thief for whatever evil purpose they intend it to use.
And face it, you wouldn’t work on a report or an email while in a cab or a plane if it wasn’t an essential and really urgent thing to do. So, I guess we can safely assume that the data you have on the device may be worth a lot for someone who knows this and that about your business.
So, what options do we have here? Not getting much into technical details, let’s just try to figure out what could work for someone who most importantly wants to do their job without their phone driving them nuts and secondly wants the solution to provide a reasonable level of security to the precious data in it. It’s quite obvious that we need to encrypt, but how? Again, technical details aside, let’s just focus on user-device interaction.
First question seems to be this: should we encrypt the whole thing or is it enough to encrypt just the important stuff? If you think about it, in the light of what I said earlier, this question doesn’t make much sense. Just to reiterate: the most important docs that you carry around are about your contemporary business and are accessed a lot and changed a lot. So, if you encrypt these and agree to all the hassle (whatever they might be, like typing in the longish password over and over again), you may as well encrypt also the less important, less frequently or even barely accessed data. And if you do so, you free yourself from the trouble of deciding what is unimportant enough to stay unencrypted and from remembering to actually keep all the important data in an encrypted part of the storage. So, if you can, it seems to be the best option to stick with the whole-memory encryption.
And this leads us to another important question: how to make this solution at least remotely acceptable to a user? It’s quite obvious that no sane person would agree to type in a strong password on a phone keyboard (even a QWERTY) each time they need to access their mailbox. And to make the solution reliable it’s quite important to automatically expire the session after a short period of inactivity (hence even more of password typing). Also, what if the phone is taken from us while it’s in use and unlocked?
So, to restate the question: how could we make it user friendly and mugger unfriendly enough to eventually turn it into a useful feature and not just another pseudo-solution that nobody wants to use?
Here is what we need: 1) a quick and easy way to authenticate (unlock the encryption key and allow memory to be decrypted), 2) a quick way to lock the device and the encryption key when someone wants to snatch our mobile and 3) an automatic device locking mechanism.
So, how about building a quality fingerprint scanner into a phone providing an easy way to quickly authenticate and unlock it? As for a quick and super-easy way to automatically lock the device and an encryption key – ever heard of an accelerometer? A motion sensor. Some phones already have it, Wii remote has it. How about locking a phone just by shaking it? This way when someone snatches the phone from your hand and runes… well… they may as well wave all the data goodbye as the phone will instantly lock itself. And timer based locking mechanisms, well, that’s been already done like a million times.
Well, Nokia, there you have it! How about a fingerprint scanner and an accelerometer put to some good use in the next business-targeted phone for a change?