Many users of mobile devices, such as a smartphones, computer tablets, and laptop computers, connect the devices to wireless networks to send and receive data. These wireless networks range in security levels from open, unsecured networks to secured networks with levels of encryption and security methods that vary in complexity. Sending data across a wireless network carries an inherent risk that the data in transit could be captured and viewed by unintended audiences. The severity of the aforementioned risk depends on at least two factors: (1) the sensitivity or confidentiality of the data and (2) the presence and effectiveness of (or the absence of) a security method and encryption on the data as it traverses the wireless network. A user is often unaware of the type of data being transferred and the level of security applied to a particular transfer, especially if the transfer is performed by a background process or an application that the user did not explicitly initiate. If any of the data being transferred is sensitive or confidential to the user and the network on which it is being transferred does not adequately protect the data, then the security and privacy of the user can be compromised.
Known network desktop firewalls are limited to performing a simple permit or deny of traffic based on general characteristics such as application, port and type of network to which the user is connected. For example, if the network desktop firewall detects that the user is on the user's company's intranet, then the firewall will allow certain applications such as file sharing. If the network desktop firewall detects that the user is on another network, then it will disable file sharing.
U.S. Pat. No. 7,877,506 to Curtis et al., issued Jan. 25, 2011, teaches automatic detection and encryption of sensitive data, such as a password in the payload of a message packet, which is performed by a gateway device, downstream of a sender of the message packet. If the message packet is not encrypted, a gateway device determines if the message packet is configured to determine if the data is sensitive, and if so, the gateway device determines the standard that governs the format of the message packet. Based on the standard, the gateway device determines the location of the data in the payload of the message packet. Subsequently, the gateway device determines whether the data is sensitive based on a match of the signature of the data within the payload to an entry in a table that associates data signatures with corresponding rules. If the gateway device is able to match the signature of the data to an entry in the table and the data is sensitive, the gateway device determines from its configuration file an Internet Protocol (IP) address of a network containing an encryption device and forwards the message packet to a virtual private network where the encryption device encrypts the message packet. The encryption device forwards the encrypted message packet to a router which routes the encrypted message packet to its destination through a non-secure network.