Security Analysis of the Palm Operating System and its Weaknesses Against Malicious Code Threats

Portable devices, such as Personal Digital Assistants (PDAs), are particularly vulnerable to malicious code threats due to their widespread implementation and current lack of a security framework. Although well known in the security industry to be insecure, PDAs are ubiquitous in enterprise environments and are being used for such applications as one-time-password generation, storage of medical and company confidential information, and ecommerce. It is not enough to assume all users are conscious of computer security and it is crucial to understand the risks of using portable devices in a security infrastructure. Furthermore, it is not possible to employ a secure application on top of an insecure foundation. Palm operating system (OS) devices own nearly 80 percent of the global handheld computing market [11]. It is because of this that the design of the Palm OS and its supporting hardware platform were analyzed. The presented research provides detail into specific scenarios, weaknesses, and mitigation recommendations related to data protection, malicious code, virus storage, and virus propagation. Additionally, this work can be used as a model by users and developers to gain a deeper understanding of the additional security risks that these and other portable devices introduce. ∗This paper has been published by The USENIX Association in the Proceedings of the 10th USENIX Security Symposium, Washington, DC, August 13-17, 2001, pp 135-151, ISBN 1-880446-07-3. †Palm OS and HotSync are registered trademarks of Palm, Inc. Other product and company names may be trademarks of their respective owners.