Some mobile devices offer content protection capabilities. Content protection provides for the encryption of data that is stored on a mobile device, so that an attacker cannot access the data. This functionality may be particularly useful for securing potentially sensitive or personal data, including electronic mail (“e-mail”) messages and addresses, calendar data, accessed web content and browser histories, and note or task data, for example. If content protection is enabled, then such data, when stored on a mobile device, will be encrypted with a content protection key. Furthermore, when a mobile device receives such data from a data server (e.g. a message management server), that data may be automatically encrypted upon receipt at the mobile device if content protection is enabled, also with a content protection key. Encryption of the data received at the mobile device may be performed whether or not the mobile device is locked.
Data communicated between a data server and a mobile device is also typically encrypted to protect the confidentiality of that data during transport. A master transport encryption key may be used to secure the data communications between the data server and the mobile device. Where a symmetric encryption algorithm is used to secure these data communications for example, a copy of the master transport encryption key will typically be stored on the mobile device. The master transport encryption key stored on the mobile device is used to facilitate, for example, the decryption of data received at the mobile device from the data server. Potentially, at the mobile device, the decrypted data may then be re-encrypted with a content protection key if content protection is enabled, as generally described in the preceding paragraph.
The master transport encryption key, itself, may not be protected when stored (e.g. in flash memory) on the mobile device. Therefore, an attacker who obtains access to the mobile device might retrieve the master transport encryption key from storage, and use it to decrypt data communications between the data server and the mobile device. Accordingly, the security of sensitive data may be breached, despite the protection afforded to the data when it is stored on the mobile device through content protection.