GB2401011A - A client terminal and a server are each provided with a message queue to facilitate session independent transfer of messages - Google Patents

Publication number
GB2401011A
Authority
GB
United Kingdom
Prior art keywords
message
server
session
data
messages
Legal status
Withdrawn
Application number
GB0408678A
Other versions
GB0408678D0 (en)
Inventor
Lionel Wolovitz
Mark Gretton
Bob Standen
Current Assignee
Good Technology Corp
Original Assignee
Visto Corp
Application filed by Visto Corp
Publication of GB0408678D0
Publication of GB2401011A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16: Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/164: Adaptation or special uses of UDP protocol
    • H04L69/165: Combined use of TCP and UDP protocols; selection criteria therefor

Abstract

The invention provides a session independent platform for data transfer which enables delivery of messages over a network to be reliable, even if an unreliable protocol such as UDP/IP or ATM is used. In this asynchronous communication method each message is preferably individually acknowledged, authenticated and encrypted. The client terminal is preferably a wireless mobile terminal such as a smart phone and may be used for e-mail. Rather than sending a complete data set between the terminal and the server, it is only necessary to send an "event" listing the changes to the data stored at terminal or server. The invention may enable messages containing an ID of the mobile terminal to be mapped to the dynamically allocated IP address of the terminal. The server and terminal may together act as a client to a second server.

Description

A DATA ACCESS, REPLICATION OR COMMUNICATION SYSTEM
COMPRISING A MESSAGE QUEUING COMMUNICATIONS PLATFORM
FIELD OF THE INVENTION
This invention relates to a data access, replication or communication system comprising a message queuing communications platform.
DESCRIPTION OF THE PRIOR ART
The current consensus is that message queuing communications platforms, such as message oriented middleware, generally use session based transport protocols, such as TCP/IP. TCP/IP has many advantages, in that it gives a reliable connection. However, the TCP algorithm was developed for a wired connection with relatively low latency and presents challenges in some networks, such as wireless networks. For example, in areas of poor coverage the available wireless bandwidth reduces and this is compounded by TCP which assumes the network is congested and "backs off". The net result of this is that a TCP connection over a cellular wireless network is not an efficient transport. It results in a large overhead of re-sent packets leading to slow and costly data transfers.
These disadvantages apply also to wired networks, although arguably less forcefully.
However, the overwhelming technical bias runs in favour of session based protocols and, as a consequence, data access, replication or communication systems have therefore traditionally relied on session based protocols.
SUMMARY OF THE PRESENT INVENTION
The present invention envisages a data access, replication or communication system comprising a message queuing communications platform that enables delivery of a message over a network to be reliable, even if an unreliable transport protocol is used, in which the platform operates in a session independent manner.
It therefore challenges the orthodox bias in favour of session based systems. Session based systems tear down a session in various situations (e.g. when data transfer rates fall below a threshold or there is a period of inactivity (a timeout) or there is a change in PDP context such as switching from Internet browsing to media messaging) and then initiate a new session. This may happen frequently (particularly in a GPRS or UMTS wireless network due to the highly variable bandwidth and high latency associated with these kinds of networks). It requires the exchange of data traffic, which is costly if users pay for the amount of data transmitted. A 'session independent' platform however does not deliberately tear down a connection if data rates fall because of network performance in order to re-establish a new session with better performance. Rather, a session independent communications platform accepts the inevitable connection constraints of the network and addresses them in ways which do not require the high overhead of tearing down and re-establishing sessions, as occurs in prior art systems. (We distinguish here the situation where the system releases the current underlying PDP context for use by other applications, or the current underlying PDP context is lost or otherwise times out. The system merely suspends communication activity pending re-acquisition of a PDP context - the system does not need to re-establish a "session", as such, and is hence still session-independent.)
The system, whilst itself session independent, may well use low level protocols such as PDP that are session dependent. But in a conventional system, session dependency is a property that permeates up from the lowest level (e.g. PDP) right up to the highest level, the program the user interacts with. Hence, in the prior art, network congestion can trigger a time out in a session based system, with effects felt at the highest application level (e.g. a web browser will simply freeze). A very high data overhead is incurred in tearing down and re-establishing a session; that may be acceptable where the priority is to have a network with reliability achieved through diverse routings (the core design requirement behind TCP). That requirement does not apply to all networks however, especially wireless networks. With the present invention, the communications platform, because it is session independent, is itself unaffected by network vagaries that would in the prior art lead to session tear-down; the platform also insulates higher level calling programs from these vagaries.
A key element in achieving this is combining session independence with a message queuing system.
The communications platform may then provide communications services to a program running on a wireless terminal, in which the program can also operate in a session independent manner because it sends messages using the message queuing system of the communications platform to insulate the program from the state or performance of the network connection. Hence, an end-user can continue to use the terminal device irrespective of the state or performance of the network: he remains insulated from that.
The same insulation can apply to a program running on a server that the wireless terminal communicates with. Hence, session independence in combination with a message queuing system directly addresses many connection constraints, particularly (but not solely) the connection constraints affecting wireless networks (namely variable bandwidth, high latency, unreliable coverage, unpredictable disconnections, and the need to minimise data traffic to reduce end user cost).
Further, in one implementation, each message that is queued defines part or all of an 'event', in which an event describes a change to the data stored at either the wireless terminal or server; and data replication is achieved by sending events (rather than the conventional approach to data replication, requiring a complete dataset of stored data for synchronization to be sent over an uninterrupted session for synchronization against another complete dataset). The queued events persist in non-volatile memory until positive confirmation that they have been successfully received and processed and are hence also session independent. This approach is not synchronization as such since there is no guarantee that terminal and server side initialise with the same datasets: event based data replication simply (and reliably) replicates changes across datasets.
The transport protocol that is used may be unreliable and may also be session independent (at least at its higher levels - at the lowest level, it is likely to be session based, such as PDP); the features of a session based protocol are then provided by the communications platform itself. (Whilst a reliable protocol could be used, that introduces unnecessary extra layers and hence overhead since reliability will duplicate the reliability provided by the communications platform itself). Placing the features onto the communications platform gives an opportunity to design solutions that fully meet (a) the connection constraints identified above (variable bandwidth, high latency, unreliable coverage, unpredictable disconnections, the need to minimise data traffic to reduce cost) but (b) also terminal resource constraints - particularly important where the terminal is a resource (CPU, memory) constrained wireless device such as a smartphone. If one is tied to the session based consensus, this is far harder to achieve. Although the advantages are particularly compelling for smartphones using a wireless network, the present invention is not limited in application to such devices and covers any kind of data access, replication or communication system (e.g. PC based as well) using any kind of network (e.g. wire-based).
More specifically, the features of a session based protocol that are provided by the communications platform may be one or more of: (a) reliability of message delivery; (b) sender authentication; (c) message security; (d) data rate flow control; (e) packet routing.
Taking these in turn:
• Each message sent from a queue is acknowledged as received and separately acknowledged as processed or consumed by the application making use of the communications platform to give reliability at the individual message level and not at a level which is associated with a superset of messages, such as a session.
• Authentication of a sender occurs at an individual message level by the communications platform and not at a level associated with a superset of messages, such as a session.
• Messages are encrypted individually and not solely at a level associated with a superset of messages, such as a session, by the communication platform using a key derived from a cryptographically strong hash function derived from one or more of the following inputs: (a) secret information which is shared between both the terminal and the server; (b) a code unique to the mobile terminal; (c) a code unique to the server; (d) a predictable sequence number; (e) an application channel number; (f) a session number.
• A flow control algorithm is applied by the communications platform that optimises the useful data rate by progressively increasing or decreasing the data rate until the useful data rate peaks, in which the algorithm measures and alters the flow rate of packets to optimise the flow rate to the available bandwidth and not to determine when to terminate and re-establish a new session.
• The communications platform enables the correct routing of messages addressed to the ID of a wireless terminal by mapping that ID to the actual dynamic address needed to reach the wireless terminal. The address might, for example, be a dynamic IP address allocated by a NAT box or similar device and the communications platform only initiates a message transfer if there exists a 'valid' mapping. A mapping is refreshed to create a valid mapping whenever a specific kind of small, dedicated message (referred to later as a 'Network Update') is received from the wireless terminal. Whenever a valid mapping exists, any queued events at either the terminal side or server side of the message queuing system are automatically sent: hence, automatic, timely, background data replication is achieved. Further, with a session independent protocol, there is no re-establishing of a session as such; instead, a sending component simply re-starts sending as soon as it knows how to address its messages to the receiving component of the distributed client. This is especially useful in the wireless context since a wireless device does not (unless and until IPv6 is available) have a permanent IP address at all, but instead can only receive IP based messages via an arbitrarily selected IP address that is frequently changed. Hence, session independence fits well the requirements of sending messages to wireless devices with transitory address, yet with the minimum of overhead needed to cope with these changing addresses, since it avoids the overhead of session re-establishment.
An advantage of this session independent approach is that, if a connection break occurs, the communication platform allows the next message, in a sequence of related messages held in a message queue, that has not been acknowledged as processed or consumed to be sent as soon as the appropriate message address is known and the connection is re-established, and does not require the entire sequence of related messages to be re-sent, as a session based system would.
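The queue, mapping and acknowledgement behaviour listed above can be sketched as follows. This is an added example, not code from the patent or from MobileMQ; the class names, the 60 second mapping lifetime, the addresses and the scripted link losses are all constructed assumptions.

```python
from collections import deque


class AddressMap:
    """Maps a terminal ID to the dynamic address last reported by that terminal."""

    def __init__(self, ttl):
        self.ttl = ttl          # assumed validity period of a mapping, in seconds
        self.entries = {}       # terminal_id -> (address, expiry time)

    def network_update(self, terminal_id, address, now):
        # A 'Network Update' from the terminal creates or refreshes a valid mapping.
        self.entries[terminal_id] = (address, now + self.ttl)

    def lookup(self, terminal_id, now):
        address, expiry = self.entries.get(terminal_id, (None, 0.0))
        return address if now < expiry else None


class OutboundQueue:
    """Keeps each event until the peer acknowledges it as processed."""

    def __init__(self, terminal_id, address_map):
        self.terminal_id = terminal_id
        self.address_map = address_map
        self.pending = deque()  # stands in for the non-volatile event log
        self.next_seq = 1

    def enqueue(self, payload):
        self.pending.append((self.next_seq, payload))
        self.next_seq += 1

    def pump(self, send, now):
        """Send the oldest unacknowledged message, but only to a valid mapping."""
        address = self.address_map.lookup(self.terminal_id, now)
        if not self.pending or address is None:
            return None         # nothing to send, or no way to address it yet
        seq, payload = self.pending[0]
        send(address, seq, payload)
        return seq

    def on_ack(self, seq, stage):
        if not self.pending or self.pending[0][0] != seq:
            return              # stale or duplicate acknowledgement
        if stage == "processed":
            self.pending.popleft()  # 'received' alone never frees the slot


class Receiver:
    """Applies each event once, even when the sender has to repeat it."""

    def __init__(self):
        self.last_processed = 0
        self.applied = []

    def deliver(self, seq, payload):
        if seq == self.last_processed + 1:
            self.applied.append(payload)
            self.last_processed = seq
        elif seq > self.last_processed:
            return []           # gap: ignore until the expected message arrives
        # New or duplicate, the message is (re-)acknowledged at both levels.
        return [(seq, "received"), (seq, "processed")]


def run_demo():
    amap = AddressMap(ttl=60.0)
    queue = OutboundQueue("terminal-42", amap)
    rx = Receiver()
    for event in ("add contact A", "edit meeting B", "delete mail C"):
        queue.enqueue(event)
    wire = []                   # (time, address, seq) of every datagram sent
    # Constructed link behaviour per datagram: (message arrives, acks arrive).
    link = iter([(True, True), (False, False), (True, False), (True, True), (True, True)])

    def step(now):
        sent = []
        if queue.pump(lambda a, s, p: sent.append((a, s, p)), now) is None:
            return
        address, seq, payload = sent[0]
        wire.append((now, address, seq))
        arrives, acks_arrive = next(link)
        if arrives:
            acks = rx.deliver(seq, payload)
            if acks_arrive:
                for ack_seq, stage in acks:
                    queue.on_ack(ack_seq, stage)

    step(0.0)                   # no mapping yet: nothing is sent
    amap.network_update("terminal-42", ("10.0.0.7", 4000), now=1.0)
    step(2.0)                   # message 1 delivered and acknowledged
    step(3.0)                   # message 2 lost in transit
    step(4.0)                   # message 2 delivered, acknowledgements lost
    step(100.0)                 # mapping expired: sending is suspended
    amap.network_update("terminal-42", ("10.0.9.3", 5120), now=101.0)
    step(102.0)                 # message 2 repeated to the new address, deduplicated
    step(103.0)                 # message 3 delivered
    return rx.applied, wire, len(queue.pending)


if __name__ == "__main__":
    print(run_demo())
```

After the address change only message 2 is repeated; message 1 is never re-sent and the receiver applies each event exactly once.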
The unreliable transport is selected from the following list of transport protocols: UDP/IP; IP; raw GPRS; raw UMTS; raw Ethernet; ATM.
In one implementation, UDP is the transport protocol and the network is a GPRS network, in which UDP packet size is sized to be no larger than the path MTU (Maximum Transfer Unit) of IP over GPRS.
In another implementation, the communications platform is used by a software application that is distributed across a wireless-terminal-side component running on a wireless terminal and a server-side component; in which the wireless-terminal-side component and the server-side component (i) together constitute a client to a server and (ii) collaborate by sending messages over a network using the message queuing system provided by the communications platform.
DETAILED DESCRIPTION
1. Introduction
The present invention will be described with reference to an implementation from Psion Digital Limited of London, United Kingdom. The implementation comprises a middleware communications platform called MobileMQ™ and a distributed application layer called Transcend Mail™.
Transcend Mail is an end-to-end GPRS-connected application that runs on (i.e. is distributed across both) a SymbianOS™ smartphone wireless terminal and a Windows 2000 server. It allows an e-mail, contacts and calendar application on a SymbianOS smartphone to use the MobileMQ platform to perform automatic data replication over GPRS with a Microsoft Exchange™ mail server. MobileMQ is a message-oriented middleware platform that is again distributed across both the smartphone and the server.
It provides the GPRS-efficient, reliable and secure means of communication that enables many aspects of Transcend Mail's user experience. MobileMQ can be used wherever there is a requirement for remote data access, replication or communication over a network (whether wired or wireless). MobileMQ uses an unreliable underlying transport protocol that is session independent.
Transcend Mail allows mobile workers to access their company email, contacts and calendar entries from their Symbian-based GPRS smartphones. It is designed to meet three needs of the mobile worker:
1. It enables them to remain 'in-touch' whilst away from their desk, enabling them to be responsive to customer, market, and business needs.
2. It ensures that their contacts and calendar remain 'up-to-date' so that these can effectively be co-ordinated with co-workers.
3. It enables productive use to be made of 'dead-time' whilst between appointments, waiting for transport, or during travel.
Transcend Mail enables the following features:
• Allows the terminal device user interface to work with local data so the GPRS latency, low and variable bandwidth and intermittent coverage does not stop the e-mail, contacts and calendar applications from being always available and responsive
• Automatically replicate changes between the local data and the server side data in a timely way and in background, without bothering the user
• Be parsimonious in using GPRS so that the customer gets appropriate value from the network operator's GPRS tariff and does not get what is sometimes called "bill shock"
• Allows flexibility in the way that customer organisations connect their workers' GPRS mobile phones to the company LAN
• Integrate as seamlessly as possible with the mobile phone application suite so that the user does not have to learn a new system
• Integrate as seamlessly as possible with the back end email server so that the IT administrator is comfortable and has a good user experience too
• Different applications on the terminal device can send/receive independently, so that one can still update one's calendar even though downloading a very large e-mail attachment.
2. Core Design Principles
In an implementation of the present invention, we split (i.e. distribute) the functionality of the Transcend Mail application that serves as the client in a client-server configuration (for example, in a Microsoft Exchange environment) into component parts that run on two or more physical devices that communicate with each other over a wide area connection using the MobileMQ message oriented middleware. The component parts collectively act as a client in a larger client-server arrangement, with the server being the Exchange mail server. We call this a 'Distributed Client' model. A core advantage of the Distributed Client model is that it allows a terminal, such as mobile device with limited processing capacity, power, and connectivity, to enjoy the functionality of full-featured client access to a server environment using minimum resources on the mobile device by distributing some of the functionality normally associated with the client onto the server side, which is not so resource constrained.
But unlike other distributed models, in Transcend Mail, each component part can provide functionality (that goes beyond merely accessing cached/stored data) independently of the other, even when the network connection is absent. For example, in a conventional distributed client, such as e-mail web access using a web browser and a web server distributed client accessing a Microsoft Exchange mail server, if you break the connection between the browser and the web server then the browser has no functionality, other than to continue to display any cached e-mails. But with Transcend Mail, the user experience of using the e-mail or PIM (contacts, calendar) applications on the smartphone is exactly the same, whether there is a connection or not. The user can continue to create e-mails, edit contacts etc. on his smartphone. The user is insulated from the state of the network connection because the terminal can queue messages, using MobileMQ (and its own queue as well if the MobileMQ queue is full), until such time as the connection is re-established and can then automatically send the next queued message. Similarly, the next queued message stored server-side can be automatically sent when the connection is re-established. This approach is also better when the network is a wireless network, with highly unpredictable bandwidth, coverage and availability because it facilitates making the terminal side insulated from the vagaries of network performance by interposing a message queuing platform (i.e. MobileMQ) across the network. Hence, the Distributed Client model directly addresses the problem of providing a good user experience at the terminal (e.g. always able to interact with his contacts, calendar, and e-mail applications, irrespective of network coverage) despite the terminal having major resource constraints and despite the connection having major constraints. This is schematically illustrated in Figure 1.
The MobileMQ message oriented middleware (MOM) communications platform enables the component parts to effectively and efficiently store messages to be sent between component parts and actually send them reliably. The MobileMQ MOM enables message delivery over a network to be reliable, irrespective of whether the underlying transport protocol used is reliable or not; and independent of any session. The transport protocol is therefore referred to as 'session independent'. This again marks a major departure from normal networking protocols, such as WAP, which are session based.
'Session independent' (as noted earlier) therefore stands in contrast to session based.
Session based protocols tear down a session when data transfer rates fall below a threshold or after a timeout. They will then initiate a new session requiring the exchange of data traffic, which is (a) costly in a wireless system where users pay for the amount of data transmitted and (b) not infrequent due to the highly variable bandwidth associated with wireless networks. A session independent protocol however does not deliberately tear down a connection. (We distinguish here situations where the underlying PDP context is merely released or reassigned for use by other applications, or the current underlying PDP context is lost or otherwise times out. In these types of cases, the higher layer session-independent protocol merely suspends communication activity pending re-acquisition of a PDP context - it does not need to re-establish a 'session', as such.) The combination of MobileMQ MOM and session independence addresses many connection constraint problems, as illustrated in Figure 2.
Further, with a session independent protocol, there is no re-establishing of a session as such; instead, a sending component simply re-starts sending as soon as it knows how to address its messages to the receiving component of the distributed client. This is especially useful in the wireless context since a wireless device does not (unless and until IPv6 is available) have a permanent IP address at all, but instead can only receive IP based messages via an arbitrarily selected IP address that is frequently changed. Hence, session independence fits well the requirements of sending messages to wireless devices with transitory address, yet with the minimum of overhead needed to cope with these changing addresses, since it avoids the overhead of session re-establishment.
Transcend Mail also adopts 'event' based data replication - i.e. a log is kept of all new events which define a change to the data stored on the client or the server sides and only these events are queued in a log. When a connection is established between each side of the distributed client, then each queued event (as represented by one or more messages depending on the complexity of the event) is sent, with a single message being carried by one or more packets. Because MobileMQ allows the efficient and reliable transfer of messages, it is particularly well matched to an event based data replication system, which itself requires no more than the efficient and reliable transfer of messages.
The higher level applications using the MOM have no awareness of connection status - i.e. MobileMQ is a MOM layer that insulates applications using MobileMQ from needing to be aware of the existence or non-existence of an underlying connection (such as an active PDP context). At the application layer, the system is 'connection independent'.
The term 'session independent' therefore equates at the application layer conceptually to a system in which there is a single session that persists independently of whether an actual connection is established or not in the sense that, when a connection is re-established after a break, an application can re-commence message transfer at exactly the same place where it ceased - i.e. the next message sent by an application is the same message that would have been sent had there been no connection break. In session based systems, that does not happen. Instead, considerable overhead is first taken up in re-establishing a session. Once the session is re-established message transfer re-commences, although re-commencing the message transfer might well involve re-transmitting huge portions of previously transmitted message data - yet more unproductive data transfer.
In MobileMQ, reliability (i.e. being able to guarantee that a message has been received) is achieved without recourse to high overhead session based protocols. Instead, we require receipt at the sending device of an acknowledgement that an individual message has been received and properly processed at the receiving device before allowing another message to be sent. This 'message level' reliability is much more data efficient since it requires minimal overhead in re-starting communication if a connection is lost, unlike session based systems. This is a critical advantage, especially in wireless networks, where lost connections are not infrequent.
Authentication is, in the prior art, achieved with high data transfer overhead at the start of a session. Because the MobileMQ MOM is session independent, it instead provides for authentication of each message: 'message level' authentication. This may be combined with session level authentication, based on session numbers that increment whenever a device is rebooted.
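Message level authentication with a key derived per message from the inputs listed in the summary (shared secret, terminal code, server code, sequence number, channel number, session number) can be sketched as follows. This is an added example, not MobileMQ code: HMAC-SHA256 is swapped in as the hash construction, and the header layout, field sizes and sample identifiers are constructed assumptions. Only authentication and replay rejection are shown; the same per-message key could key a cipher.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct(">IHQ")   # assumed header: session no., channel no., sequence no.
TAG_LEN = 32                  # length of an HMAC-SHA256 tag


def derive_message_key(secret, terminal_id, server_id, session_no, channel_no, seq_no):
    """Derive a distinct key for one message from the inputs named in the text."""
    def lp(field):
        # Length-prefix variable fields so ("ab", "c") and ("a", "bc") differ.
        return struct.pack(">H", len(field)) + field
    info = lp(terminal_id) + lp(server_id) + HDR.pack(session_no, channel_no, seq_no)
    return hmac.new(secret, b"per-message-key" + info, hashlib.sha256).digest()


def seal(secret, terminal_id, server_id, session_no, channel_no, seq_no, payload):
    """Build header + payload + tag; the tag covers the header as well."""
    header = HDR.pack(session_no, channel_no, seq_no)
    key = derive_message_key(secret, terminal_id, server_id, session_no, channel_no, seq_no)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()


class Verifier:
    """Authenticates each datagram on its own and rejects replays."""

    def __init__(self, secret, terminal_id, server_id):
        self.secret, self.terminal_id, self.server_id = secret, terminal_id, server_id
        self.high_water = {}  # channel no. -> highest (session no., sequence no.) accepted

    def open(self, datagram):
        if len(datagram) < HDR.size + TAG_LEN:
            return "malformed", None
        session_no, channel_no, seq_no = HDR.unpack_from(datagram)
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        key = derive_message_key(self.secret, self.terminal_id, self.server_id,
                                 session_no, channel_no, seq_no)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-tag", None          # checked before any state is touched
        # A reboot raises the session number, so (session, seq) orders all messages.
        if (session_no, seq_no) <= self.high_water.get(channel_no, (0, 0)):
            return "replay", None
        self.high_water[channel_no] = (session_no, seq_no)
        return "ok", body[HDR.size:]


def run_checks():
    # All values below are constructed sample data.
    secret = b"constructed-shared-secret"
    tid, sid = b"terminal-000000000000000", b"server-01"
    verifier = Verifier(secret, tid, sid)
    m1 = seal(secret, tid, sid, 1, 3, 1, b"event: new mail")
    m2 = seal(secret, tid, sid, 1, 3, 2, b"event: edit contact")
    tampered = bytearray(m2)
    tampered[HDR.size] ^= 0x01                      # one payload bit flipped
    rechannelled = HDR.pack(1, 4, 2) + m2[HDR.size:]  # header moved to channel 4
    after_reboot = seal(secret, tid, sid, 2, 3, 1, b"event: first after reboot")
    datagrams = (m1, m1, bytes(tampered), rechannelled, m2, after_reboot, m2)
    return [verifier.open(d)[0] for d in datagrams]


if __name__ == "__main__":
    print(run_checks())
```

Because the header fields feed the key derivation, altering the channel, session or sequence number in transit fails verification just as a payload change does.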
MobileMQ when combined with Transcend Mail is a comprehensive and effective solution to the twin problems of efficiently handling terminal resource and connection constraints, as shown in Figure 3.
Figure 4 shows how the combined design allows session independent features provided by the MOM that would normally be provided by a session based system to be deployed in a manner that is fit for the purpose of resource constrained terminals, such as smart phones. These features include: (a) reliability of message delivery; (b) sender authentication; (c) message security; (d) data rate flow control; (e) packet routing.
Likewise, it shows how the combined design allows features designed to be fit for the purpose of a distributed client to also address connection constraints. The main feature is the use of 'event' based data, and because of this gains the character of being session-independent.
3. Core Design Principles in More Depth
3.1 Distributed client
The purpose of the distributed client is to allow a mobile device with limited processing capacity, power, and connectivity, to enjoy the functionality of full-featured client access to a server environment using minimum resources on the mobile device by distributing some of the functionality normally associated with the client onto the server side, which is not so resource constrained. The client applications are PIM (calendar, address book etc.) and messaging (e-mail, MMS, fax, SMS etc).
In effect, we have a split client-server application that collectively acts as the client in a larger client-server application. A typical configuration is to install software on a mobile device such as a smart phone (the small client) and corresponding software on a server device (the small server). These two pieces of software communicate with one another, normally over high latency, low bandwidth, metered wireless connectivity such as GPRS or UMTS, via a MOM, such as MobileMQ. The small client and small server collectively act as a client (the "large client" or "distributed client") in a traditional client-server environment. The large client then communicates with the relevant server such as Microsoft Exchange (the large server) as normal. Thus, the large server is only aware that it is communicating with the large client. The large client appears to the large server like any other client with which it normally communicates and the distributed nature of the large client is invisible to the large server. (In a typical configuration, it is assumed that the small server will reside on or near the same device where the large server resides.) Figure 5 schematically illustrates this.
Functions within the distributed client are split between the small server and the small client. This split has been optimised to take advantage of the "smart" nature of the mobile device, while limiting the impact on that device's limited resources.
Thus, the small client residing on the mobile device (i.e. Transcend Mail, in this case working in conjunction with the local e-mail application) generally acts as the user interface for the mobile user, acts as a local data store, and undertakes certain data processing tasks locally. Among others, the small client undertakes the following functions:
• Displays a list of emails in the mobile in-box
• Acts as a viewer for the body of email text
• Accepts user requests to forward, create, or reply to email
• Accepts user input for new email text
• In response to user input, releases email from mobile device memory only (a Release action)
• In response to user input, releases email from mobile device memory and generates a notice to release the same email from the large server (a Delete request)
• Accepts end user input of logon password for the large server and passes this to the small server (see below for description of 'distributed logon')
• Monitors the local data store for changes to that data (such as new, modified, or deleted entries), creates an event detailing the changes, and sends these to the small server.
• Receives events from the small server, and uses the details of changed data to update the local data store.
Equivalent or analogous PIM and non e-mail functionality would be handled where the small client handles/integrates to PIM and non e-mail (e.g. other kinds of messaging) functions.
Similarly, the small server resides on other media (typically a LAN connected to the large server) and communicates with the mobile device via a data network connection that traverses wireless infrastructure (e.g. GPRS) and generally acts as the direct interface to the large server (such as Microsoft Exchange) and undertakes many data processing tasks normally associated with the large client. Among others, the small server undertakes the following functions:
• Completes construction of emails requested by the mobile user in accordance with the large server API, taking components received from the small client, the small server, and the large server as necessary
• Takes emails from the large server and splits these into component parts, sending only those parts deemed strictly necessary to the small client
• Responds to requests from the small client to deliver additional email content (e.g., additional text of long emails and/or attachments)
• Takes logon password data (supplied by the end user via the small client) and saves this in local memory, thus enabling extended logon to the large server (see below for description of distributed logon)
• Monitors the local data store at the large server for changes to that data (such as new, modified, or deleted entries), creates an event detailing the changes, and sends these to the small client.
• Receives events from the small client, and uses the details of changed data to process updates to the local data store at the large server.
Equivalent or analogous PIM and non e-mail functionality would be handled where the small client handles/integrates to PIM and non e-mail (e.g. other kinds of messaging) functions.
One consequence of this approach is that mail on a large server cannot be said to be 'forwarded' or 'redirected' to a device in the manner of a conventional push e-mail system: instead the device (where the small client resides) together with the small server is simply another client to the mail server (and that client is also not a simple wireless device client as well).
The Transcend Mail small server and the small client communicate with one another via the MobileMQ MOM. As noted above, this enables the unusual feature of the small server and small client (which together constitute the large client in a distributed client server system) to operate asynchronously of one another.
There are various permutations of the small client: for example, as shown in Figure 6, the small client could be implemented as a terminal-side component, that either includes or communicates with a client side MOM; the Small Server can then be implemented as a server-side component, that either includes or communicates with a server side MOM.
Figure 7 shows how the Small Client can include a program - e.g. an e-mail application, plus plug-in linking it to the terminal-side component.
Figure 8 shows that the Small Client can also exclude the program, e.g. a contacts program. The terminal side component then communicates with the contacts program via the contacts database (with event triggers from that database being sent to the terminal side component). Figure 9 shows how this is conceptually equivalent to a middleware architecture.
3.2 Distributed logon
The distributed client splits the logon function between the small client and the small server. The small client obtains the user password from end user input. Upon receipt of the password input, the small client sends this data to the small server. The small server retains this data locally in memory, and then communicates the logon to the large server.
Hence, Transcend Mail acts as the wireless terminal user's agent on the server; it caches passwords and does other logon-related acts that are normally done by a user when interacting with the mail server. Only when a password is time expired by the mail server administrator will a user therefore need to personally log in again with the new password.
This is a big improvement in security over other mail redirection methods, which require logging on as a super-user that can access all email accounts.
Another advantage of distributing the logon in this fashion is that it allows the distributed client to continue communication with the large server without additional logon activity (and associated wireless data traffic) even if there is an interruption in communication between small server and small client. This also allows possession and use of the mobile device (which may have its own security protocols) to serve as a substitute for additional large server logon activity. Once the small server has the password information it becomes possible to replicate logons to the large server based on the assumption that control of the mobile device serves as a kind of substitute for logon information. This allows the distributed client to access the large server after an interruption in service without prompting the user for additional password data. This provides an advantage by reducing data traffic associated with logon activity, and also speeds up end user access to the large server, particularly on mobile devices with small keyboards that are inconvenient for entering password data.
3.3 Remote Message Construction
Transcend Mail also minimises use of wireless transmission by employing a method of constructing messages remotely. When the distributed client "retrieves" messages from the large server, some of this data is queued at the small server and the small server then determines how much of this data is sent to the small client. The specific amount of data sent to the small client can be influenced by end user configuration and by specific request. For example, the end user can specify that a maximum number of lines of email text is delivered to the small client, and the end user can then request that the small server send additional text and/or attachments. Remote message construction comes into play when the end user directs an action such as replying to or forwarding an email. When forwarding an email with an unmodified attachment, the small server is able to construct the bulk of the email message locally without the need for full transmission from the small client. The queued message simply references the relevant unmodified data held on the large server (in this example, an attachment). In effect, the small client is only required to transmit that part of the message that has been modified by the user at the small client device. The same principle applies to email replies. The small client does not need to transmit the entire body of the original message - the small server constructs the total reply by taking new text transmitted from the small client to the small server and combining this with the original email text, already known to the small server since it is stored on the large server. In effect, the small client has issued an instruction that results in the small server constructing the total message taking parts from both the small client and the large server. Avoiding unnecessary key input is valuable for a small keyboard smartphone.
These are both methods for dramatically reducing the amount of data traffic between the small client and the small server.
3.4 Tidy process
Transcend Mail also helps to conserve memory on the mobile device using an automated memory "tidying" function. The small client monitors use of non-volatile memory on the mobile device. When non-volatile memory in use exceeds a trigger amount (for example, 80% of memory capacity in use) then it automatically starts to "tidy" the local data related to email information on the device. This consists of selecting certain emails which have not been accessed locally for a longer period of time and releasing from local memory much of the data associated with these emails (for example, attachments and message text), whilst retaining the email header information in local memory. The data released from local memory is selected using pre-set criteria such as age of the relevant email message (oldest first) or history of access by the user to this email; email messages not accessed for long periods of time are removed from local memory before newer or recently accessed email messages.
Message data is not released from memory if the relevant message is marked as unread, open for user viewing or action, or there is a pending action related to the email requesting additional data from the large server.
This removal process continues until the small client detects that nonvolatile memory in use has descended below a pre-set "safe" level (for example, 70% of memory in use).
The email data is not "deleted" as the large server retains all email data and the small client retains email header data.
The removed data can be replaced in local memory by downloading it once again from the server to the mobile device on user request (a 'Retrieve' action). The user is clearly warned before such a Retrieve takes place. This allows the user an opportunity to decide whether or not Retrieving the message data is cost effective.
The tidy function also includes safety mechanisms that handle the circumstance where a particularly large email or attachment might push the mobile device beyond the trigger point for tidying without an opportunity to review the downloaded. In other words, the design is meant to avoid a circumstance where the mobile device might remove email data before it is read. In this circumstance, the system temporarily adjusts the trigger level and the safe level of memory use to allow the end user an opportunity to review the large in-bound email.
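The trigger and safe levels of section 3.4 form a hysteresis loop with exclusions for unread, open and pending messages. The following Python is an added example, not code from the patent or from Transcend Mail; the Email fields, the byte accounting and the function names are assumptions, while the 80% and 70% levels are the page's own example values.

```python
from dataclasses import dataclass

TRIGGER = 0.80  # tidying starts when usage exceeds this fraction (page's example)
SAFE = 0.70     # tidying stops once usage has fallen below this fraction (page's example)


@dataclass
class Email:
    msg_id: str
    header_bytes: int          # header data is always retained locally
    body_bytes: int            # message text and attachments held locally
    last_access: int           # constructed timestamp, larger means more recent
    unread: bool = False
    open_now: bool = False     # open for user viewing or action
    pending_request: bool = False  # waiting for more data from the large server

    def protected(self):
        """Messages in these states must not have their data released."""
        return self.unread or self.open_now or self.pending_request


def used(store, other_bytes=0):
    """Non-volatile memory in use: mail data plus everything else on the device."""
    return other_bytes + sum(e.header_bytes + e.body_bytes for e in store)


def tidy(store, capacity, other_bytes=0, trigger=TRIGGER, safe=SAFE):
    """Release message data, least recently accessed first, until usage is
    below the safe level. Returns the ids whose data was released.

    trigger and safe are parameters so a caller can raise them temporarily
    while a large in-bound email is waiting to be reviewed.
    """
    released = []
    if used(store, other_bytes) <= trigger * capacity:
        return released  # below the trigger point: nothing to do
    candidates = sorted(
        (e for e in store if e.body_bytes and not e.protected()),
        key=lambda e: e.last_access,
    )
    for email in candidates:
        if used(store, other_bytes) < safe * capacity:
            break
        email.body_bytes = 0  # header stays; the large server still holds the data
        released.append(email.msg_id)
    return released
```

If every remaining message is protected, the loop ends with usage still above the safe level, which is the situation the temporary level adjustment described above is meant to cover.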
3.5 Converted Attachment download option
A perennial difficulty in mobile devices that share replicated data with a server is how the user can make best use of the limited memory and processing capacity on the mobile device. In mobile email applications, this problem has traditionally been addressed (in MS ActiveSync and others) through limiting the amount of email data that is shared with the mobile device. This limitation usually takes the form of replicating only a limited number of days of email data, and limiting the size of the email data shared. One common method of limiting the amount of data replicated is to withhold email attachments from replicating on the mobile device. Typically, the end-user may then request the attachment if they are willing to suffer the delivery time and memory overhead involved. Other systems have produced a method of sending only a limited form of attached files to the user which can then be used on a simple viewer program.
Transcend Mail provides the end-user with two options for downloading email attachments to the mobile device. If the user wishes to download the attachment, he or she can choose between downloading: (1) a smaller version of the file translated from its original form (e.g., a text-only version of an MS Word or PDF file) intended for viewing-only using a simple viewer program resident on the wireless terminal; or (2) the original unaltered attachment.
In Transcend Mail these options are presented to the user at the same level of the menu hierarchy.
3.6 One-touch Release
Problems arise as a conventional mobile device begins to be clogged with older emails. Often when the user attempts to "delete" these emails from the mobile device, they are then also deleted from the server at the next synchronization. This may fly directly in the face of the desire of the user, who may simply wish to free up memory on the mobile device, and yet preserve the email on the server. In order to accommodate this, some synchronization systems give the end user the option either: (1) to delete an email entirely on both mobile device and server (which we call a "Delete" instruction), or (2) to delete only the copy of the email that is resident on the mobile device - leaving the server unmodified (which we call a "Release" instruction).
In Transcend Mail, these options are presented at the same level in the menu hierarchy. Other systems have either hidden these options within a series of different menu levels, or have dealt with this by asking the user each and every time a deletion is requested whether or not the end user actually wants a complete deletion or merely to clear local memory. Both solutions are not user-friendly, as they reduce flexibility for administering the mobile mailbox and require multiple key entries to accomplish.
3.7 Session independence
Data communication with mobile telecommunications devices using technology such as GPRS is made extremely difficult due to high latency, intermittent and interrupted coverage, and the cost of metered bandwidth. Traditional communications methods and protocols are not well suited to this type of environment. For example, applications that require a network connection over a wireless link such as GPRS usually use a TCP connection as this gives a reliable session based connection. However, the TCP algorithm was developed for a wired and relatively low-latency connection and is not "wireless friendly". In areas of poor coverage the available bandwidth reduces and this is compounded by TCP which assumes the network is congested and "backs off". The net result of this is that a TCP connection over a cellular wireless network is not an efficient transport. It results in a large overhead of re-sent packets leading to slow and costly data transfers. Further, protocols like TCP rely upon the concept of a communications "session" with a server. A session typically will expire if no traffic passes for a defined period of time (a time out). Establishing each new session requires use of additional data traffic and is also time consuming.
MobileMQ envisages a wireless optimised alternative to TCP using only raw UDP packet transfers. MobileMQ delivers UDP based messages between (1) a mobile device using a wireless network and (2) a server in communication with that device (whether or not directly connected to the wireless network), so as to minimise wasted data traffic as a result of the high latency intermittent connectivity. MobileMQ focuses upon providing a high level of resilience in the message transmission process, effectively guaranteeing message delivery.
This is accomplished by employing a system for managing data communications that does not rely upon the traditional concept of a "session" - it is "session independent". In addition, the invention provides a method of guaranteeing that messages are properly delivered both to the destination device and to the destination application, while minimising the amount of data traffic transmitted. This has the added benefit of assuring a high degree of resilience with a minimum of data traffic.
MobileMQ is distributed in that it resides on both a sending device and receiving device, typically facilitating message traffic from other systems on the same hardware platforms.
The sending device takes a Message - the core transmission unit - from the sending application (for example, an email program). Each Message is restricted to a maximum size intended to optimise use of data traffic. When a sending application asks the system to send a Message, the system first persists (stores) the Message in local non-volatile memory at the sending device. This assures Message survival even if the sending device suffers a reset. The Message is then compressed and optionally encrypted.
The Message is then segmented for transmission. Each segment is positioned in a UDP packet with the intention that each packet does not exceed a relatively short byte length, which is related to the underlying transport protocol of the low bandwidth high latency network. In a typical implementation in a GPRS environment, the UDP packet length might be restricted to 1500 bytes as 1500 bytes is the typical maximum payload in a GPRS packet. Otherwise if a UDP packet were to occupy, say, 2 GPRS fragments, then a failure of one GPRS packet would mean that both GPRS packets would have to be re-sent. MobileMQ avoids this by scaling the message to match that of the bearer packet.
3.8 Flow Control
Both segment size and transmission rate are controlled by a flow control system that analyses traffic to and from the sending device and strikes a balance between transmission speed and total number of bits transmitted in an effort to keep transmission cost-effective. UDP packets can be received in any order by the receiving device, and the receiving device transmits a packet acknowledgement following receipt of each packet.
Where the sending device fails to receive a packet acknowledgement for a packet, the flow-control system delays packet retransmission until a reasonable period has elapsed.
The precise length of the delay depends upon network response times observed by the flow control system at the sending device. The delay period and packet size are both continuously recalculated based on changes in observed return times. If a packet acknowledgement is received within a predefined time, the flow control progressively increases the data rate until it peaks.
The flow control system also serves as a replacement for the normal concepts of "session" and "timeout" often used in data transmission devices. If one of the communicating devices suffers a significant connectivity failure (which could arise, for example, due to moving out of range of a wireless base station or moving between roaming networks) the flow control mechanism interprets this as increasingly slow network response, and steps down transmission rates accordingly. If the service outage continues, the flow control continues to lengthen the period between "retries". The net effect is that transmission efforts come almost to a complete stop until the sending device starts to receive return traffic from the receiving device. As more reply packets make their way back from the receiving device to the sending device the process reverses: the flow control system starts to "wake up" and becomes more adventurous in its willingness to transmit packets. As the connection becomes more solidly re-established, the transmission rate once again increases until it reaches a reasonably ideal level - balancing overall speed with the need strictly to limit packet loss (as lost packets may still incur network transmission charges). Thus MobileMQ does not rely upon the concept of "session" and does not recognise the concept of a "timeout".
Following receipt of all packets that comprise a Message, the receiving device transmits a brief acknowledgement that the entire Message has been received. Once this Message acknowledgement reaches the sending device, the sending device will not attempt any further resends of packets that made up the Message - even if individual packet acknowledgements have not been sent to or received by the sending device. This is primarily intended to restrict the amount of data traffic. The Message delivery sequence is not yet complete.
After transmitting the Message received acknowledgement, the receiving device then passes the Message to the relevant destination application (such as an email program).
The receiving device then awaits a signal from the destination application that the relevant Message has been received and processed in accordance with whatever rule set is employed by the receiving application. The intention is that the receiving application processes the received Message so that it will survive a breakdown in the receiving device - such as a system reset. Once the receiving application is satisfied that it has received the Message irretrievably from MobileMQ, the receiving application then responds with final confirmation that the application has "consumed" the Message. This final confirmation from the receiving application triggers the receiving device side of MobileMQ to send a brief "Message Consumed" acknowledgement to the sending device.
Once the sending device receives the "Message Consumed" acknowledgement, it forwards this information to the sending application and then prepares to transmit the next available Message from the sending application. In this way, MobileMQ guarantees delivery of the entire Message before accepting any additional Message traffic from a sending application.
MobileMQ is able to process Messages from multiple applications simultaneously, but will not process more than one Message from the same application simultaneously.
3.9 Event based data replication
Synchronisation between servers and mobile devices traditionally takes place using relatively high bandwidth, low latency, un-metered connectivity (e.g., USB or IR). As a result, synchronization systems often employ a methodology that transmits large amounts of data and is not very robust when data is lost in transmission or the underlying transmission is interrupted. For example, server based dataset synchronization typically requires all connected devices to download their entire datasets (e.g. all e-mails, all contacts etc) to the server over a single session, which can then perform a comparison against its master copy of the last fully synchronized dataset in order to update the master and hence all other datasets. This approach is unattractive for synchronising wireless devices because of the power drain it imposes, the potentially long connection time and costly data transfer.
In Transcend Mail, instead of a wireless device downloading its entire dataset, it records only dataset changes (or new 'events') into a log (preferably, but not necessarily, time sequential) and sends a log of these events to the server when connected to it. An event gives enough detail to enable data replication to take place without the need for a synchronization engine; data replication (as opposed to true synchronization) is more simply achieved by sending events rather than a complete dataset (or sub-sets of a dataset) of stored data for synchronization by a synchronization engine at the small server.
Whenever a change to a record on the device is made (e.g. new mail is created and sent from the device; old mail is deleted; a new contact created etc.), an entry defining just this event or change is stored on the device in the time sequential log; this event log is stored until a connection is present, at which point the log contents are sent to the server, which updates its master copy of the relevant datasets. For example, the event might be 'delete record no. x', or delete field 'y' in record 'z'. This is enough information for the recipient to replicate the change that occurred at the sender that generated the event.
There is no need for the device to pass through an entire dataset to determine records that have changed or to ensure maintenance of a single session whilst the entire dataset is transmitted and received. Any changes to the datasets on the server (e.g. receipt of new mail) are also stored as an event log and the log sent to the wireless device using MobileMQ. Because only relatively small event logs are generated and exchanged, the CPU and data transfer overhead are far smaller than conventional sync mechanisms.
Hence, when data subject to replication is entered, modified, or deleted (on either the large server or the small client) the sending device creates and logs an "event" on the sending device.
The event is sent as one or more messages to the receiving device; messages are sent using UDP packet transfer and not the more conventional TCP. Whilst TCP provides a reliable connection and is currently a focus of commercial activity, it is not (as explained above) an efficient transport for wireless because of its pronounced back-off during times of perceived network congestion, which arises not infrequently when wireless coverage is poor, leading to a large overhead of re-sent packets, leading to slow and costly data transfers. For efficiency, UDP is used (see above) with UDP packet size restricted to 1400 bytes, just under the transmission packet size available in GPRS.
The receiving device passes individual messages defining the Event to the relevant destination application (such as an email program). The sending device then awaits a signal from the destination application that the relevant message[s] defining the Event has been received and processed in accordance with whatever rule set is employed by the receiving application. The intention is that the receiving application processes the received message[s] so that it will survive a breakdown in the receiving device - such as a system reset. Once the receiving application is satisfied that it has received the message[s] irretrievably, the receiving application then responds with final confirmation that the application has "consumed" the messages. This final confirmation from the receiving application triggers the receiving device side to send a brief "Message Consumed" acknowledgement to the sending device.
Once the sending device receives the "Message Consumed" acknowledgement, it repeats the process for all messages defining an Event until it has been safely received and 'consumed' at the receiving device. It then concludes the "event" process by deleting [event instruction information?] from sending device memory. It repeats this process for all other events in the Event log or queue.
In this way, Transcend Mail guarantees delivery of the entire message before accepting any additional message traffic from a sending application. Processing messages from multiple applications simultaneously is possible, but not processing more than one message from the same application simultaneously.
An entire Event can therefore be sent reliably over a wireless link, despite the use of unreliable UDP.
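The event-log replication of section 3.9, as an added Python example that is not code from the patent or from Transcend Mail. The Replica class, the event tuple layout and the link_up callback (which stands in for the arrival of a "Message Consumed" acknowledgement) are assumptions made for illustration.

```python
class Replica:
    """One side's dataset plus its log of local changes not yet consumed remotely."""

    def __init__(self):
        self.records = {}  # record id -> dict of fields
        self.log = []      # time-sequential event log

    # Local changes are applied to the dataset and appended to the log.
    def create(self, rid, fields):
        self._local(("create", rid, dict(fields)))

    def set_field(self, rid, field, value):
        self._local(("set_field", rid, field, value))

    def delete_field(self, rid, field):
        self._local(("delete_field", rid, field))

    def delete_record(self, rid):
        self._local(("delete_record", rid))

    def _local(self, event):
        self.apply(event)
        self.log.append(event)

    def apply(self, event):
        """Replicate one change; the event alone carries enough detail to do so."""
        kind, rid, *rest = event
        if kind == "create":
            self.records[rid] = dict(rest[0])
        elif kind == "set_field":
            self.records[rid][rest[0]] = rest[1]
        elif kind == "delete_field":
            self.records[rid].pop(rest[0], None)
        elif kind == "delete_record":
            self.records.pop(rid, None)
        else:
            raise ValueError(f"unknown event kind: {kind!r}")


def replicate(sender, receiver, link_up=lambda event: True):
    """Send logged events in order. An event leaves the sender's log only after
    the receiver has consumed it, so an interrupted transfer resumes where it
    stopped instead of restarting with the whole dataset. Returns the number
    of events consumed in this call."""
    consumed = 0
    while sender.log:
        event = sender.log[0]
        if not link_up(event):  # no consumed acknowledgement came back
            break               # keep this and all later events queued
        receiver.apply(event)   # applied remotely without being logged there
        sender.log.pop(0)
        consumed += 1
    return consumed
```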
3.10 A / B / X Flags
The system also guards against duplicate Message transmission by coding each Message with a flag with three state options: A, B, or X. In normal operation, each Message [from an application] is transmitted by the sending device with alternating A or B flags. As the receiving device starts to receive the Message, it writes the A or B flag to local memory.
Upon receiving the complete Message from the sending device and the consumed signal from the destination application, the receiving device writes to local memory the flag identity of the Message just processed before transmitting the Message done / Message consumed acknowledgement. If the receiving device resets after sending a Message done/consumed acknowledgement signal but before an acknowledgment is received back, then it will not know if the message consumed was properly received or not. But if it flags the sequence of acknowledgments relating to a given message with one type of flag, then it knows that any acknowledgement back must match the flag in order to be relevant. An acknowledgement with a different flag must relate to the next message and hence should not be actioned.
A flag of X signals the receiving device to ignore the flag and no flag is written to receiving device memory. The intention is for a transmitting application to use the X flag if the application is unconcerned about the risk of duplicate message transmission.
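The delivery sequence of section 3.8 (packet acknowledgement, Message received, Message Consumed) combined with the A / B / X flags of section 3.10, as an added Python example that is not code from the patent or from MobileMQ. The packet and acknowledgement tuple layouts, the class names and the use of zlib are assumptions; encryption is omitted, and the flag handling is one reading of the scheme as alternating-flag duplicate suppression.

```python
import zlib

MAX_PAYLOAD = 1400  # UDP payload limit in bytes; the page gives 1400 in section 3.9


def segment(message, flag, max_payload=MAX_PAYLOAD):
    """Compress a Message and split it into (flag, index, total, chunk) packets."""
    data = zlib.compress(message)
    chunks = [data[i:i + max_payload] for i in range(0, len(data), max_payload)]
    return [(flag, i, len(chunks), c) for i, c in enumerate(chunks)]


class Sender:
    """Sends one Message at a time for an application, alternating A and B flags."""

    def __init__(self, dedupe=True):
        self.dedupe = dedupe   # False: the application opts out and uses flag X
        self.last_flag = "B"   # so that the first flagged Message is sent as A
        self.in_flight = None  # flag of the Message awaiting "Message Consumed"

    def begin(self, message, max_payload=MAX_PAYLOAD):
        if self.in_flight is not None:
            raise RuntimeError("previous Message not yet consumed")
        if self.dedupe:
            self.last_flag = "A" if self.last_flag == "B" else "B"
            self.in_flight = self.last_flag
        else:
            self.in_flight = "X"
        return segment(message, self.in_flight, max_payload)

    def on_ack(self, ack):
        """Return True once the in-flight Message is confirmed consumed."""
        if ack[0] == "MESSAGE_CONSUMED" and ack[1] == self.in_flight:
            self.in_flight = None
            return True
        return False  # a packet ack, or a consumed ack carrying the wrong flag


class Receiver:
    def __init__(self, deliver):
        self.deliver = deliver     # application callback; returns once the Message is stored
        self.consumed_flag = None  # stands in for the flag kept in non-volatile memory
        self.partial_flag = None   # volatile reassembly state
        self.partial = {}

    def reset(self):
        """Device reset: reassembly state is lost, the persisted flag survives."""
        self.partial_flag, self.partial = None, {}

    def on_packet(self, packet):
        """Process one packet and return the acknowledgements to send back."""
        flag, index, total, chunk = packet
        acks = [("PACKET_ACK", flag, index)]
        if flag != "X" and flag == self.consumed_flag:
            # Resend of a Message the application already consumed: the earlier
            # consumed ack was lost, so repeat it and do not deliver again.
            acks.append(("MESSAGE_CONSUMED", flag))
            return acks
        if flag != self.partial_flag:
            self.partial_flag, self.partial = flag, {}
        self.partial[index] = chunk  # packets may arrive in any order
        if len(self.partial) == total:
            acks.append(("MESSAGE_RECEIVED", flag))
            data = b"".join(self.partial[i] for i in range(total))
            self.deliver(zlib.decompress(data))
            if flag != "X":
                self.consumed_flag = flag  # written before the consumed ack goes out
            acks.append(("MESSAGE_CONSUMED", flag))
            self.reset()
        return acks
```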
3.11 Client Device Addressing and Network Update
Sending a data transmission to a mobile device on many current mobile data networks (such as those using GPRS) is made difficult because the mobile device has no fixed IP address. Instead, when the mobile device connects to a network (either the home network or a roaming network) the network operator dynamically allocates an IP address to the device. Further, this dynamically allocated address is usually a private IP address and not directly usable on the public Internet. Instead, data traffic from the device is routed by the network operator to a Network Address Translator (NAT) and the NAT maps the private IP address to a public IP address and ephemeral port numbers drawn from a very limited list of public addresses (sometimes just two) and a larger block of ephemeral port numbers (several thousands usually) available for use by the network operator.
Thus even if a mobile device retains the same dynamically allocated IP address and ephemeral port number for a longer period (e.g., many hours), it might make use of multiple "public" IP addresses and ephemeral port numbers allocated by the network operator. Further, although the mobile device is aware of the private IP address allocated to it by the network operator it will have no record of the public IP address and ephemeral port number allocated by the NAT. From the perspective of anyone communicating with the mobile device, they will "see" only the public IP address and ephemeral port number allocated by the NAT. This creates a significant challenge to anyone who wishes to originate and send a data message for transmission to a mobile device that uses such a network because there is no guarantee that the last known public IP address and ephemeral port number associated with a given device will be valid for more than a few minutes.
MobileMQ provides the small server with network address data on a regular basis to enable routine transmissions of messages from the small server to the mobile device.
Examples of implementations would include enabling an office email server to send email traffic to a mobile user without intervention by the mobile user.
The method involves sending an extremely short message (a 'Network Update') from the mobile device to the small server upon the occurrence of any of the following events:
• when the mobile device is first switched on and acquires an address from a mobile network operator;
• when the mobile device receives a new address from a network operator (perhaps as a result of moving the device from home network coverage to a roaming network or between roaming networks)
• whether or not a new address is allocated to the mobile device, on a regular timed basis in an effort to obtain a new public address and ephemeral port number that may have been allocated by an intervening NAT and advise this new public address and ephemeral port number to the small server
Upon receipt of the short Network Update message, the small server notes the originating IP address and ephemeral port number of the packet (which will be the assigned public IP address and ephemeral port number from the NAT, assuming that the interested party is not directly connected to the same private IP network) and enters this information in a reverse lookup table.
The Network Update messages are intentionally short due to the assumption that data traffic is charged on a metered basis. A typical implementation might involve only 17 bytes of data transmitted by the mobile device and 5 bytes returned in each Network Update message cycle (assuming no packet loss).
Each of these message cycles serves to confirm: (1) the continuing validity of the public network address and (2) that the mobile device is available to receive traffic.
The small server is then able to attempt its own - unprompted - data transmissions to the small client on the mobile device by using the most recent address for the device found in the reverse lookup table, assuming that the allocated public IP address and ephemeral port number has not been reallocated from the time of the Network Update message. Hence, receipt at the small server of the Network Update message from a device acts as the trigger to start sending any events queued in the event log (see Event Based Data Replication section 3.9). The system can be configured so that only events present in the log at the time the Network Update is received are sent; any later events have to wait until the next Network Update is received. This differs from continuous push e-mail.
The entry in the reverse lookup table is also umed, and if more than a certain amount of IS time has elapsed the small server assumes that it is no longer possible to transmit messages to the small client unuil a new Network Update message is received. In this circumstance, outbound messages from the small server are held in a queue until a new Network Update message is received. The ume is set at substantially less than the normal interval used by the NAT to re-allocate public IP addresses to mobile devices (e.g. 5 minutes if the NAT re-allocanon interval is 20 minutes). The system can dynamically adjust the ume so that when there is very high network uscage, associated with much shorter NAT re-allocation intervals, the ume can be shortened.
Taken together, this means that the small server and the small client are able to establish a time window during which it should be possible for the small server to send traffic to the small client. The window starts at the Dime of a Network Update message, and ends when the pre-programmed idle time expires. For example, if Network Update messages are sent by the small client every 60 minutes and the idle timeout is set to 10 minutes, this results in 10 minute communication windows that recur in periods of not less than 60 minutes. By increasing the frequency of Network Update messages the small client can also create more or less continual communication transmission opportunities for the small server.
3.12 Security
Existing security methods to assure secure end-to-end communication over non-secure data communication infrastructure (such as SSL) are not well suited to a wireless data communications environment due to a number of factors, including high processor overhead, high bandwidth overhead, high latency, and dynamic allocation of addressing information to the mobile device.
MobileMQ provides secure end-to-end messaging between a mobile device and a server using a cryptographic implementation designed specifically for a mobile telecommunications device.
The process begins when the system is first installed on the mobile telecommunications device. The mobile device (for example, a mobile email reader connected to wireless network) and the server (for example, a corporate email server connected to fixed line Internet service) are both loaded with shared secret information. In order to secure messages between them, the sending device (either the mobile telecommunications device or the server) first calculates a message key by using a hash function to calculate a hash from the following inputs:
• a code unique to the relevant mobile device, for example the IMEI code of a GSM telephone handset (if the mobile device is the sending device it uses its own unique code and if the server is the sending device it uses the unique code of the intended recipient device)
• the shared secret, and
• additional data relating to (but not necessarily unique to) each message (i.e., the incrementing message number, application/port number, and session number) that can be calculated independently by both the sending and the receiving devices.
This key is then used in a symmetric cryptographic algorithm to encrypt the message.
Thus each message is encrypted using a key sequence that is mathematically related to the individual mobile device identity code, the shared secret installed on the mobile device and server, and additional data that can be independently derived by both sending and receiving device that is mathematically related to each message.
To assure authenticity and integrity of the encrypted message, the sending device then calculates a Message Authentication Code ('MAC') using a cryptographic hash function where the inputs are the message itself and the key that was used to encrypt the message.
The resulting MAC is then appended to the encrypted message.
The receiving device calculates the first hash function (the key) for the relevant message (based upon its knowledge of the mobile device unique code number, the shared secret, and the additional traffic data), and uses this key to decrypt the message. Finally, the receiving device takes the decrypted message and the key and uses these to calculate the second hash value for comparison with the MAC appended to the message. If the second hash value is identical to the MAC received with the message, then it is assumed that the message is authentic and unaltered. If, on the other hand, the second hash value calculated by the receiving device does not match the MAC received with the message, then the receiving device issues a challenge to the sending device in an effort to re-establish secure communication. Once security is established, this then triggers retransmission of the message. Thus the authentication system serves in a back-up role to assure the data integrity of the message - any bit errors in transmission would result in failure of the MAC, a security challenge, and message retransmission.
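The per-message key, encryption and MAC steps described above, as an added example that is not code from the patent. The patent names no algorithms, so SHA-256 for the key hash, HMAC-SHA-256 for the MAC, the SHA-256 counter keystream standing in for the symmetric cipher, the field widths and all sample values are assumptions.

```python
import hashlib
import hmac

MAC_LEN = 32  # size of the SHA-256 based MAC appended to each message


def _field(data: bytes) -> bytes:
    """Length-prefix a field so (b"ab", b"c") and (b"a", b"bc") hash differently."""
    return len(data).to_bytes(2, "big") + data


def message_key(device_id: bytes, shared_secret: bytes,
                msg_no: int, port: int, session: int) -> bytes:
    """First hash: device code + shared secret + data both ends can derive."""
    per_message = (msg_no.to_bytes(8, "big") + port.to_bytes(2, "big")
                   + session.to_bytes(4, "big"))  # assumed field widths
    return hashlib.sha256(_field(device_id) + _field(shared_secret)
                          + per_message).digest()


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with a hash keystream.

    The key changes with every message number, so a keystream is only
    reused if a (message number, port, session) triple is ever repeated.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + b"stream" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(device_id: bytes, shared_secret: bytes, msg_no: int, port: int,
         session: int, plaintext: bytes) -> bytes:
    """Sender: encrypt under the message key, then append MAC(message, key)."""
    key = message_key(device_id, shared_secret, msg_no, port, session)
    mac = hmac.new(key, plaintext, hashlib.sha256).digest()
    return _stream_xor(key, plaintext) + mac


def unseal(device_id: bytes, shared_secret: bytes, msg_no: int, port: int,
           session: int, packet: bytes):
    """Receiver: recompute the key, decrypt, recompute and compare the MAC.

    Returns the plaintext, or None when the MAC fails. None is the point
    at which the receiver would issue a challenge and await retransmission.
    """
    if len(packet) < MAC_LEN:
        return None
    body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    key = message_key(device_id, shared_secret, msg_no, port, session)
    plaintext = _stream_xor(key, body)
    expected = hmac.new(key, plaintext, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    return plaintext if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    DEVICE = b"IMEI-000000000000000"       # constructed device code
    SECRET = b"constructed-shared-secret"  # constructed shared secret
    pkt = seal(DEVICE, SECRET, 7, 5001, 2, b"new mail: 3 items")
    print(unseal(DEVICE, SECRET, 7, 5001, 2, pkt))   # original message
    damaged = bytes([pkt[0] ^ 0x01]) + pkt[1:]       # one bit error in transit
    print(unseal(DEVICE, SECRET, 7, 5001, 2, damaged))
```

The MAC here is computed over the plaintext with the encryption key, as the text describes; a present-day design would normally use a standard authenticated-encryption mode rather than a hand-built cipher plus MAC.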
In addition to assuring confidentiality, authenticity, and integrity of messages themselves, the security system also serves to reduce the cost and performance impact to the mobile device user if third parties attempt to masquerade as the legitimate mobile device user.
The small server keeps a reverse lookup table with the most recently reported address (and ephemeral port number) assigned to the mobile device. (See description of Network Update at section 3.11.) The small server operates on the assumption that all in-bound data packets from the mobile device should come from the address and port number that matches the currently-valid address and port number for the device listed in the small server reverse lookup table.
If data is received that purports to come from the same mobile device but has a new return address (and/or new ephemeral port number), the small server issues a security challenge to the device at the new address using the same cryptographic mechanism outlined above. If the new address returns the correct answer to the challenge, then the small server continues to process in-bound traffic from the new address and also updates the reverse lookup table with the new address. This would normally happen only if the mobile device is assigned a new address or ephemeral port number in such a manner that the mobile device is not aware of the change (e.g., if a network operator NAT box made such an assignment), as changes notified to the mobile device already trigger a Network Update message. (See description of Network Update at section 3.11.)
If, on the other hand, the new address is unable to respond correctly to the security challenge then the small server does not update the reverse lookup table and simply ignores the data received from the new address. (This could happen if, for example, a malicious third party attempted to interrupt communication to the legitimate mobile device by sending spoof data traffic to the small server.) Communication with the legitimate device (at the old address with the old ephemeral port number) continues uninterrupted and without the need to re-establish security using an additional challenge to the old address. No unwanted data traffic is generated from the small server to the small client; this is important since, with many GPRS and UMTS tariffs, the users' costs depend on the amount of data traffic received, so being able to bar denial of service attacks at the small server is very valuable.
This system has significant cost and performance benefits for the legitimate user because security challenges and responses use relatively large amounts of both processing time and data transfer.
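The server-side behaviour of sections 3.11 and 3.12 (timed reverse lookup entries, queuing outside the window, and a challenge sent only to an unrecognised source address), as an added example that is not code from the patent. The class and method names, the HMAC-SHA-256 challenge answer, challenging a device's very first address, and the sample addresses are assumptions.

```python
import hashlib
import hmac
import os


def challenge_answer(secret: bytes, device_id: str, nonce: bytes) -> bytes:
    """Answer only a holder of the shared secret can compute (assumed HMAC form)."""
    return hmac.new(secret, device_id.encode() + nonce, hashlib.sha256).digest()


class ReverseLookupTable:
    """Device ID -> last verified (ip, port), valid for idle_timeout seconds."""

    def __init__(self, shared_secrets, idle_timeout=300.0):
        self.shared_secrets = shared_secrets  # device_id -> shared secret
        self.idle_timeout = idle_timeout      # e.g. 5 min for a 20 min NAT interval
        self.entries = {}    # device_id -> (addr, time of last Network Update)
        self.pending = {}    # (device_id, addr) -> outstanding challenge nonce
        self.outbound = {}   # device_id -> messages held until the window reopens

    def _challenge(self, device_id, addr):
        if device_id not in self.shared_secrets:
            return ("drop", None)
        nonce = os.urandom(16)
        self.pending[(device_id, addr)] = nonce
        return ("challenge", nonce)           # sent to addr, never to the old address

    def on_network_update(self, device_id, addr, now):
        """Known address: restart the window and release the queue."""
        entry = self.entries.get(device_id)
        if entry is None or entry[0] != addr:
            return self._challenge(device_id, addr)
        self.entries[device_id] = (addr, now)
        return ("flush", self.outbound.pop(device_id, []))

    def on_data(self, device_id, addr):
        """In-bound data is accepted only from the address in the table."""
        entry = self.entries.get(device_id)
        if entry is not None and entry[0] == addr:
            return ("accept", None)
        return self._challenge(device_id, addr)

    def on_challenge_response(self, device_id, addr, response, now):
        """Correct answer: adopt the new address. Wrong answer: table untouched."""
        nonce = self.pending.pop((device_id, addr), None)
        if nonce is None:
            return False
        expected = challenge_answer(self.shared_secrets[device_id], device_id, nonce)
        if not hmac.compare_digest(response, expected):
            return False
        self.entries[device_id] = (addr, now)
        return True

    def send(self, device_id, message, now):
        """Return the address to transmit to, or None if the message was queued."""
        entry = self.entries.get(device_id)
        if entry is not None and now - entry[1] <= self.idle_timeout:
            return entry[0]
        self.outbound.setdefault(device_id, []).append(message)
        return None


if __name__ == "__main__":
    secret = b"constructed-secret"                      # constructed sample values
    table = ReverseLookupTable({"dev1": secret})
    home = ("198.51.100.7", 40001)
    _, nonce = table.on_network_update("dev1", home, now=0.0)
    table.on_challenge_response("dev1", home,
                                challenge_answer(secret, "dev1", nonce), now=0.0)
    print(table.send("dev1", b"event 1", now=100.0))    # inside the window
    print(table.send("dev1", b"event 2", now=301.0))    # window closed: queued
    print(table.on_network_update("dev1", home, now=3600.0))
```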
3.13 Terminal application lock
Mobile communications terminals (such as "smart" phones using GPRS) present certain security risks to device users and the organisations that act as their primary communications server (such as an employer-operated business email server). Loss of the device could result in unauthorised access to communications applications (such as an email client application), which could then have negative consequences for both the end-user and the organisation providing background server capability. At the moment this security risk is addressed by various systems: (1) locking local access to the mobile device itself - normally at the request of the end user, (2) relying upon mobile operators to deny communications with the device, or (3) denying remote access to the main communications server. The first method is inconvenient to the end-user, as locking the device may deprive the user of access to other applications resident on the device. The second method relies upon swift and appropriate implementation of blocking instructions by the mobile operator. It is further limited in circumstances (such as a GSM network using SIM cards) where authentication with the wireless network is undertaken independently from the mobile device - the person who possesses the device may still be able to access locally resident data. The third method is flawed as it only blocks access to the organisation server, and does not disable access to data locally resident on the mobile device.
Transcend Mail provides a system to "lock" operation of the entire communications application under prescribed circumstances to protect both the end-user and the organisation responsible for a corresponding communications server, without the need for intervention by the wireless network operator that normally carries traffic from the mobile device.
Access to the relevant communications application on the mobile device can only proceed after the end-user has entered the appropriate locking code in the mobile device.
The system can specify a minimum code length, but otherwise allows the end-user to change the locking code. The organisation administrator (who also administers the Transcend Mail server) can also change the lock code on a remote basis, thus enabling a code reset if the end-user forgets the code or the device is lost or stolen. This protects e-mail resident on the device and also the mail server, but under the control of the organisation, rather than an end-user or network operator - a critical difference.
In its locked state, the application lock can be de-activated by entering the appropriate lock code into the mobile device.
If the lock code is stored locally on the mobile device, it can be stored using a cryptographic hash value based on the following inputs:
• a unique device ID for the mobile device (such as an IMEI code on a GSM handset)
• a secret key
• the unlocking code
This way, the lock cannot easily be circumvented by simply taking the hashed code value from one device and replacing the stored hash value on another device.
After being unlocked, the application lock is then triggered by a number of different events, such as:
• passage of time without accessing the application (a pre-defined idle time)
• remote change of lock code by a system administrator
• end-user requests application lock
• mobile device or the relevant application is rebooted or restarted for any reason
• a remote message directing the application to enter a locked state
If the application is in a locked state, the end-user is unable to access local data and is also unable to access the remote server.
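The device-bound lock code and the re-lock triggers described above, as an added example that is not code from the patent. The patent says only "a cryptographic hash value"; PBKDF2-HMAC-SHA-256 (chosen because short codes are cheap to guess against a fast hash), the class and method names, the minimum length, the idle time and the sample values are assumptions.

```python
import hashlib
import hmac

MIN_CODE_LEN = 4        # assumed; the text only says a minimum can be specified
IDLE_TIMEOUT = 300.0    # assumed pre-defined idle time, in seconds
PBKDF2_ROUNDS = 100_000


def lock_verifier(device_id: str, secret_key: bytes, code: str) -> bytes:
    """Stored value derived from device ID, secret key and unlocking code."""
    # The device ID and secret key form the salt, so the same code yields a
    # different stored value on every device.
    salt = hmac.new(secret_key, device_id.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class AppLock:
    def __init__(self, device_id: str, secret_key: bytes, code: str, now: float = 0.0):
        self.device_id = device_id
        self.secret_key = secret_key
        self.locked = True            # a start or restart always comes up locked
        self.last_use = now
        self.stored = self._verifier(code)

    def _verifier(self, code: str) -> bytes:
        if len(code) < MIN_CODE_LEN:
            raise ValueError("lock code shorter than the configured minimum")
        return lock_verifier(self.device_id, self.secret_key, code)

    def unlock(self, code: str, now: float) -> bool:
        candidate = lock_verifier(self.device_id, self.secret_key, code)
        ok = hmac.compare_digest(candidate, self.stored)
        if ok:
            self.locked = False
            self.last_use = now
        return ok

    def access(self, now: float) -> bool:
        """Gate for every read of local data and every call to the server."""
        if not self.locked and now - self.last_use > IDLE_TIMEOUT:
            self.locked = True        # idle time elapsed
        if self.locked:
            return False
        self.last_use = now
        return True

    def lock(self) -> None:
        """End-user request, or a remote message directing a lock."""
        self.locked = True

    def remote_set_code(self, new_code: str) -> None:
        """Administrator reset: replace the stored value and re-lock."""
        self.stored = self._verifier(new_code)
        self.locked = True


if __name__ == "__main__":
    key = b"constructed-secret-key"                # constructed sample values
    phone_a = AppLock("IMEI-A-000000000000", key, "2468")
    phone_b = AppLock("IMEI-B-000000000000", key, "1357")
    phone_b.stored = phone_a.stored                # transplant A's stored value
    print(phone_b.unlock("2468", now=1.0))         # False: value is bound to A
    print(phone_a.unlock("2468", now=1.0))         # True on the original device
```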

Claims (22)

1. A data access, replication or communication system comprising a message queuing communications platform that enables delivery of a message over a network to be reliable, even if an unreliable transport protocol is used, in which the platform operates in a session independent manner.
2. The system of Claim 1 in which the communications platform provides communications services to a program running on a wireless terminal, in which the wireless terminal program can also operate in a session independent manner because it sends messages using the message queuing system of the communications platform to insulate the wireless terminal program from the state or performance of the network connection.
3. The system of Claim 1 in which the communications platform provides communications services to a program running on a server, in which the server program can also operate in a session independent manner because it sends messages using the message queuing system of the communications platform to insulate the server program from the state or performance of the network connection.
4. The system of Claim 2 or 3 in which each message that is queued defines part or all of an event, in which an event describes a change to the data stored at either the terminal or server in enough detail to enable data replication to take place without the need for a synchronization engine; data replication being achieved by sending events rather than a complete dataset (or sub-sets of a dataset) of stored data for synchronization.
5. The system of Claim 1 in which queued events persist in non-volatile memory until positive confirmation that they have been successfully received and processed and are hence also session independent.
6. The system of Claim 1 in which the transport protocol that is used is unreliable and also session independent, and the features of a session based protocol are provided by the communications platform.
7. The system of Claim 6 in which the features of a session based protocol that are provided by the communications platform are one or more of: (a) reliability of message delivery; (b) sender authentication; (c) message security; (d) data rate flow control; (e) packet routing.
8. The system of Claim 7 in which each message sent from a queue is acknowledged as received and separately acknowledged as processed or consumed by a program making use of the communication platform to give reliability at the individual message level and not at a level which is associated with a superset of messages, such as a session.
9. The system of Claim 7 in which authentication of a sender occurs at an individual message level by the communication platform and not at a level associated with a superset of messages, such as a session.
10. The system of Claim 7 in which messages are encrypted individually and not solely at a level associated with a superset of messages, such as a session, by the communication platform using a key derived from a cryptographically strong with a hash function derived from one or more of the following inputs: (a) secret information which is shared between both the terminal and the server (b) a code unique to the mobile terminal (c) a code unique to the server (d) a predictable sequence number (e) an application channel number (f) a session number
11. The system of Claim 7 in which the communications platform applies a flow control algorithm that optimises the useful data rate by progressively increasing the data rate until the useful data rate peaks, in which the algorithm measures the flow rate of packets and not any superset of packets, such as a session, to optimise the flow rate to the available bandwidth and not to determine whether to terminate a session and re-establish a new session.
12. The system of Claim 1 in which, if a connection break occurs, the communication platform allows the next message, in a sequence of related messages held in a message queue, that has not been acknowledged as processed or consumed at a device meant to receive the messages, to be sent as soon as the appropriate address for the next message is known and the connection is re-established, and does not require the entire sequence of related messages to be re-sent.
13. The system of Claim 7 in which the communications platform enables the correct routing of messages addressed to a terminal identified by an ID by mapping that ID to the actual address needed to reach the wireless terminal.
14. The system of Claim 13 in which the address is a dynamic IP address allocated by a NAT box.
15. The system of Claim 14 in which the communications platform only initiates a message transfer if there exists a valid mapping.
16. The system of Claim 15 in which a mapping is refreshed to create a valid mapping whenever a specific kind of small, dedicated message is received from the wireless terminal.
17. The system of Claim 1 in which the communications platform only allows a message to be deleted from a sending component after the sending component has received an acknowledgement that the message has been fully processed or consumed at a receiving program.
18. The system of Claim 6 in which the unreliable transport is selected from the following list of transport protocols: UDP/IP; IP; raw GPRS; raw UMTS; raw Ethernet; ATM.
19. The system of Claim 18 in which UDP is the transport protocol and the network is a GPRS network, in which UDP packet size is sized to be no larger than a GPRS packet size.
20. The system of Claim 1 in which the communications platform is called by a software application that is distributed across a wireless-terminal-side component running on a wireless terminal and a server-side component; in which the wireless-terminal-side component and the server-side component (i) together constitute a client to a server and (ii) collaborate by sending messages over a network using the message queuing system provided by the communications platform.
21. A method of data access, replication or communication, comprising the step of delivering a message over a network by using a message queuing communications platform that enables delivery to be reliable, even if an unreliable transport protocol is used, characterised in that the platform operates in a session independent manner.
22. The method of Claim 21 as performed by a system as defined in any preceding Claim 1 - 20.
GB0408678A 2003-04-17 2004-04-19 A client terminal and a server are each provided with a message queue to facilitate session independent transfer of messages Withdrawn GB2401011A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GBGB0308989.3A GB0308989D0 (en) 2003-04-17 2003-04-17 A data access replication or communication system comprising a message queuing communications platform

Publications (2)

Publication Number Publication Date
GB0408678D0 GB0408678D0 (en) 2004-05-19
GB2401011A true GB2401011A (en) 2004-10-27

Family

ID=9957009

Family Applications (2)

Application Number Title Priority Date Filing Date
GBGB0308989.3A Ceased GB0308989D0 (en) 2003-04-17 2003-04-17 A data access replication or communication system comprising a message queuing communications platform
GB0408678A Withdrawn GB2401011A (en) 2003-04-17 2004-04-19 A client terminal and a server are each provided with a message queue to facilitate session independent transfer of messages

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GBGB0308989.3A Ceased GB0308989D0 (en) 2003-04-17 2003-04-17 A data access replication or communication system comprising a message queuing communications platform

Country Status (3)

Country Link
EP (1) EP1618719A1 (en)
GB (2) GB0308989D0 (en)
WO (1) WO2004095796A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009055802A1 (en) 2007-10-26 2009-04-30 Telcordia Technologies, Inc. Method and system for secure session establishment using identity-based encryption (vdtls)
EP1734708B1 (en) * 2005-04-18 2010-09-22 Research In Motion Limited Method, transmitter, receiver, computer readable medium, communications network and application development environment for providing various levels of reliable messaging between a client and a server
US8224919B2 (en) 2007-04-04 2012-07-17 Research In Motion Limited Mobile communications system including intermediate service provider and related methods
EP2372631A3 (en) * 2010-04-02 2012-12-19 Intel Corporation Payment management on mobile devices

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7197541B1 (en) 2001-06-18 2007-03-27 Palm, Inc. Method and apparatus for automated personality transfer for a wireless enabled handheld device
JP4648457B2 (en) 2005-10-04 2011-03-09 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Method for providing message transmission using an appropriate communication protocol
US7603435B2 (en) 2006-11-15 2009-10-13 Palm, Inc. Over-the-air device kill pill and lock
US7574444B2 (en) 2006-11-15 2009-08-11 Palm, Inc. Device-side data de-duping
US8135798B2 (en) 2006-11-15 2012-03-13 Hewlett-Packard Development Company, L.P. Over-the-air device services and management
US20080115152A1 (en) 2006-11-15 2008-05-15 Bharat Welingkar Server-controlled heartbeats
CN112395624B (en) * 2019-08-19 2022-02-25 华控清交信息科技(北京)有限公司 Data processing method and device and electronic equipment
CN113296985B (en) * 2021-06-16 2024-03-01 北京有竹居网络技术有限公司 Message processing method and device
CN114221945A (en) * 2021-12-15 2022-03-22 咪咕文化科技有限公司 Communication method, communication device, computing equipment and computer-readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0994608A2 (en) * 1998-10-13 2000-04-19 Phone.Com Inc. Method and apparatus for providing electronic mail services during network unavailability
US6279041B1 (en) * 1998-11-13 2001-08-21 International Business Machines Corporation Methods, systems and computer program products for differencing data communications using a message queue
WO2001067673A2 (en) * 2000-03-03 2001-09-13 Sri International Method and apparatus for updating information in a low-bandwidth client/server object-oriented system
US6396928B1 (en) * 1996-10-25 2002-05-28 Monash University Digital message encryption and authentication
US20020173293A1 (en) * 2001-05-17 2002-11-21 Palm, Inc. Transactional message-queue communication for wirelessly networked devices system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6721288B1 (en) * 1998-09-16 2004-04-13 Openwave Systems Inc. Wireless mobile devices having improved operation during network unavailability

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WPI Abstract Accession No. 2003-145412/14 (SR TELECOM) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1734708B1 (en) * 2005-04-18 2010-09-22 Research In Motion Limited Method, transmitter, receiver, computer readable medium, communications network and application development environment for providing various levels of reliable messaging between a client and a server
US8224919B2 (en) 2007-04-04 2012-07-17 Research In Motion Limited Mobile communications system including intermediate service provider and related methods
US8849936B2 (en) 2007-04-04 2014-09-30 Blackberry Limited Mobile communications system including intermediate service provider in communication with mobile terminals and related methods
WO2009055802A1 (en) 2007-10-26 2009-04-30 Telcordia Technologies, Inc. Method and system for secure session establishment using identity-based encryption (vdtls)
EP2217995A1 (en) * 2007-10-26 2010-08-18 Telcordia Technologies, Inc. Method and system for secure session establishment using identity-based encryption (vdtls)
EP2217995A4 (en) * 2007-10-26 2012-11-21 Telcordia Tech Inc Method and system for secure session establishment using identity-based encryption (vdtls)
EP2372631A3 (en) * 2010-04-02 2012-12-19 Intel Corporation Payment management on mobile devices

Also Published As

Publication number Publication date
GB0308989D0 (en) 2003-05-28
EP1618719A1 (en) 2006-01-25
WO2004095796A1 (en) 2004-11-04
GB0408678D0 (en) 2004-05-19

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)