We propose a model and associated algorithms for information flow control to prevent information leakage in mobile computing environments. The model employs access control lists and encapsulated security monitors under a fully object-oriented framework. We show that our model prevents unauthorized direct access to sensitive information from a mobile user to the server, as well as any attempt on indirect access through intermediate entities. To understand the feasibility of our model, we suggest an event-driven approach and efficient implementation for the realization of the model. A Java-based preliminary implementation and performance evaluation results demonstrate that our model can successfully prevent information leakage with very low overhead.