How can you exchange securely encrypted emails with your work colleagues and business partners from your cell phone or tablet easily when they access their messages using a variety of different mobile devices? That's the problem that Toronto, Canada-based Echoworx hopes to solve with mobilEncrypt, a new cloud-based encrypted email system.


In the past, if you wanted good mobile email security you would probably buy Blackberries for your staff, but today an increasing number of employees are buying their own smartphones -- predominantly Apple iPhones or devices running Google's Android operating system. What's more, they are using them in their work life as well as their personal life, and that means they expect to be able to send and pick up work-related emails while on the move.

But creating a third party encryption application that works reliably on all smartphone operating system is something that's very hard to do, said Michael Ginsberg, CEO and president of Toronto, Canada based encryption software company Echoworx.

"The problem is that there are quite a few different operating systems, and they are changing all the time. If you make an application for Apple's iOS that works with iOS email and then Apple makes a change then it may well not work anymore. It's the same with Android, Blackberry and Windows Phone. So the best way to get good mobile security is in the cloud."

So what is mobilEncrypt?

On the face of it it's similar to a webmail service like Gmail or Yahoo Mail: You can access it with a browser over an SSL connection, but to make the system more convenient to use you can also access it via the mobilEncrypt app, which acts as an interface to the webmail system and which is available for the iPhone and iPad, Blackberry phones, and the soon-to-be-released Blackberry Playbook tablet, as well as Android phone and tablet platforms. A Windows Phone 7 app is also in the works and will be available soon, the company says.


How it works

A typical usage scenario for mobilEncrypt might involve a small company with a mix of Apple, Blackberry and Android cell phones and tablets who need to exchange emails containing confidential client information on a regular basis. The group signs up for the mobilEncrypt service using their existing email addresses, and then select passwords to protect their mobilEncrypt accounts.

Sending a secure message to a colleague is the as simple as firing up the mobilEncrypt smartphone client (or heading to the mobilEncrypt webpage,) signing in, and clicking "compose" to write a new email. Once the message has been written it is sent to the colleague's normal email address by clicking the "send" button, just like any other webmail system.

The difference with mobilEncrypt is that instead of sending the message to the recipient, the message never leaves the Echoworx data center, of which there are three located in Canada, the U.S. and the UK. Instead, it is encrypted using the TDEA (3DES) block encryption cipher and stored, while a notification email is sent to the colleague's email address informing them that they've received an encrypted message.

The recipient can then start their mobilEncrypt app or point their Web browser at the mobilEncrypt webmail system and log in over a secure connection to automatically decrypt and view the email. Since the messages are never downloaded to a standard email program, they are never stored unencrypted on the handset, and since the connection to mobilEncrypt is always secured using SSL the system can safely be used from an open WiFi hotspot in a public place.

Using the cloud, mobilEncrypt makes sending and receiving secure emails to existing email addresses almost hassle free.

There are a few drawbacks to the system. To send secure emails you need to use the mobilEncrypt app or use a browser to log in to the service, and it would be all too easy to forget to do this and send a confidential email through your phone's built-in email client out of habit. Lack of integration with the device's built-in address book could make using mobilEncrypt rather inconvenient for all but the smallest organizations. This functionality is planned for a future release, however.

Finally, on the initial mobilEncrypt screen there's a option to keep yourself logged in -- which is troubling from a security perspective. The company says that this times-out after 30 minutes but, even so, this effectively removes much of the security that the system provides to any incoming emails during that window.

Overall, these are fairly minor drawbacks and the service is very easy to use with the downloadable client app. MobilEncrypt is available as a service for around $2.00 per user, per month via providers including Symantec, McAfee, AT&T and Verizon. For a small or medium sized business that needs to keep email communication between its employees and partners secure it provides a simple and effective solution.

Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.