Security Threats and Analysis of Security Challenges in Smartphones
Yong Wang, Kevin Streff and Sonell Raman
Dakota State University
Abstract: A smartphone carries a substantial amount of sensitive
data and thus is very attractive to hackers, making it an
easy target. For these reasons, ensuring smartphone security is
extremely important. While there are many similarities between
smartphone security and regular security, distinct differences
exist between these two. The unique characteristics of smart-
phones make securing them very challenging. In this paper, we
summarize smartphone threats and attacks, reveal the unique
characteristics of smartphones, evaluate their impact on smart-
phone security, and explore the countermeasures to overcome
these challenges. Many enterprises have started to look into
security issues in smartphones. However, these solutions must
correspond with the unique characteristics in smartphones. New
business models are highly desired to solve security issues in
smartphones.
Index Terms: Smartphone, security, threats, attacks.
I. INTRODUCTION
Smartphones overtook PCs in the global market in Q4
2010 [1]. They surpassed feature phones in shipments in
Western Europe in Q2 2011 [2]. According to Nielsen's survey
in May 2011, smartphone purchases outsold feature phones
in the U.S. in the same time frame as Western Europe [3].
Compared to 5.9 billion worldwide mobile phone subscribers,
smartphone usage (835 million) still has significant upside [4].
IDC predicts smartphone shipments will approach one billion
in 2015 [5].
Many functions have been integrated into smartphones
far surpassing the original functions of a traditional phone.
Compared to feature phones, a smartphone usually includes
the following elements:
- Pre-installed with a modern mobile operating system,
  such as iOS, Android, or Windows Mobile.
- Support a carrier's networks (2G/3G/4G), WiFi connectivity,
  and Bluetooth. These networks work independently
  and serve different purposes for voice and data services.
- Access the Internet. A smartphone provides Internet
  accessibility through either a carrier's network or a local
  WiFi hotspot.
- Capable of running third party applications. These
  applications can be downloaded from application stores
  through the Internet.
- Support MMS messages. A smartphone supports Multimedia
  Message Service (MMS). A smartphone user can
  interact with another mobile phone subscriber through
  these messaging systems.
- Embedded sensors inside smartphones. Smartphone sensors
  usually include GPS, gyroscopic sensors, and
  accelerometer sensors.
- Equipped with camera(s) and microphone. A smartphone
  is often equipped with a high-resolution camera, a
  microphone, and a speaker.
Among all the characteristics, Internet accessibility is the
most important feature of smartphones. Internet accessibility
is usually provided through a carrier network via a data plan.
Feature phones usually do not have data plans or have limited
Internet access.
As smartphones become more popular for personal and
business use, it raises many security concerns [6], [7], [8],
[9]. The central data management of a smartphone is very
attractive to hackers and it makes smartphones easy targets.
Viruses emerged in smartphones as early as 2004. Since then,
many incidents have been reported of spam, viruses, spyware,
and other malicious software. As smartphones continue their
rapid growth in the next few years, it is critical to assure
smartphone subscribers that these services are reliable, secure
and can be trusted.
However, due to unique characteristics of smartphones,
security is very challenging. In this paper, we summarize
smartphone threats and attacks, reveal the unique character-
istics of smartphones, evaluate their impacts on smartphone
security, and explore the countermeasures to overcome these
challenges. Practical ways to secure smartphones are also
discussed in the paper. To the best of our knowledge, this
is the first paper focusing on the uniqueness of smartphones
and their impacts on smartphone security.
II. SMARTPHONE THREATS AND ATTACKS
Mobile phone viruses emerged as early as 2004. Since then,
significant amounts of malware have been reported in
smartphones. In the last seven months of 2011, malware targeting
the Android platform rose 3,325 percent [10].
A. Smartphone Threat Model
Figure 1 shows a threat model in a smartphone. The model
consists of four parts, a malicious user, malware, a smartphone,
and premium accounts/malicious websites.
1) A malicious user publishes malware through application
stores or websites.
2) Malware carries threats and attacks while it waits to be
downloaded to a smartphone.
3) A smartphone is the target of malware. It carries large
amounts of sensitive data which is very attractive to
malicious users.
Digital Object Indentifier 10.1109/MC.2012.288 0018-9162/$26.00 2012 IEEE
This article has been accepted for publication in Computer but has not yet been fully edited.
Some content may change prior to final publication.

Fig. 1. Smartphone Threat Model


4) Premium accounts/Malicious websites are an escape
destination of malware. After infiltrating smartphones,
malware aims to control smartphone resources, collect
data, or redirect smartphones to a premium account or
a malicious website.
A smartphone is divided into three layers in this model:
Application layer, Communication layer, and Resource layer.
1) Application (App) layer includes all the applications in
a smartphone, such as social networking software, email,
text message, synchronization software, etc. Malware
is usually disguised as a normal application and attracts
smartphone subscribers to download it.
2) Communication (COMM) layer includes communica-
tion channels to a smartphone. Smartphone communica-
tion channels include carrier networks, WiFi connectiv-
ity, Bluetooth network, Micro USB port, and MicroSD
slot. Malware might spread through any of these com-
munication channels.
3) Resource (RSC) layer includes the flash memory, camera,
microphone, and sensors within a smartphone. Since
smartphone resources contain sensitive data, malware
aims to control these resources and manipulate data
from them.
An attack on a smartphone forms a loop from malicious
users, through malware, smartphone (App layer, Comm layer,
RSC layer), premium accounts/malicious websites, back to
malicious users. Figure 1 shows such an attack. Malware
was downloaded to a smartphone through social networking
software via a carrier's network. It hijacked the smartphone's
resources and sent MMS messages to a premium account.
B. Services affected
Depending on the malware, smartphone subscribers may
endure anything from low-impact issues, such as performance
degradation, spam messages, and slow operation, to
higher-impact problems, such as not being able to receive
and make phone calls, financial loss, and so on. Figure 2 shows
a general malware impact severity to smartphone subscribers.
The impact on a specific smartphone subscriber may be
completely different from that on other smartphone subscribers.
[Figure 2 labels: Spam message, High financial loss, Invasion of
privacy, Cannot load apps, ID theft, Running slow, Battery draining
fast, Block calls, Data leakage. Axis label: low.]
Fig. 2. Smartphone Malware Impact Severity
C. Resources in jeopardy
There are certain resources which contain sensitive data and
are very attractive to hackers. Once malware finds a way into
the smartphone, it will try to gain privileges in order to access
and control these resources.
- Flash memory: Flash memory can be reprogrammed. With
  some simple setup, it does not take long to reprogram
  the flash memory. Malware can be programmed into the
  flash memory and it cannot be removed until the user
  reprograms the flash memory again.
- MicroSD memory card: Smartphones may also support
  MicroSD memory cards. With a data cable or a card
  reader, a malicious user can easily disclose the content
  of the memory card.
- Sensors such as GPS, gyroscopic sensor, accelerometers:
  GPS reports location information of a smartphone
  subscriber and smartphone owners may not want to disclose
  their location information.
- Camera and microphone: Cameras and microphones can
  be turned on and off without the user's notice. If malware
  has full control of the smartphone, the smartphone can
  be transformed into a tapping device.
- WiFi and Bluetooth: A user does not need to physically
  connect a smartphone to a computer to transfer data. Data
  can be transferred through WiFi or Bluetooth networks.
  Data leakage may happen without notice.
- Battery: A smartphone depends on its battery for power.
  Battery exhaustion attacks can dissipate battery power
  faster than normal and disable the functions of a
  smartphone.
D. Malware
Smartphone malware falls in three main categories, virus,
trojan, and spyware. Trojan and spyware are the dominant
malware in smartphones [10].
Viruses emerged in mobile phones as early as 2004. They are
typically disguised as a game, a security patch, or other
desirable applications and are then downloaded to a smartphone.
Viruses can spread not only through internet downloads or
memory cards, but they can also spread through Bluetooth.
Two Bluetooth viruses have been reported in smartphones:
Bluejacking and Bluesnarfing. Bluejacking sends unsolicited
messages over Bluetooth to Bluetooth-enabled devices (limited
range, usually around 33 feet). Bluesnarfing accesses
unauthorized information in a smartphone through a Bluetooth
connection.
Trojans are another type of malware in smartphones. Most
trojans in smartphones are related to activities such as
recording calls, instant messages, locating via GPS, forwarding call
logs and other vital data. SMS trojans are one of the largest
categories of mobile malware. An SMS trojan runs in the background of
an application and sends SMS messages to a premium rate
account owned by an attacker. One example of malware in this
category is HippoSMS. It increases the phone billing
charges of users by sending SMS to premium mobiles and
also blocks messages from service providers to users alerting
them of additional charges.
Spyware collects information about users without their
knowledge. Spyware has given rise to many concerns about
invasion of users' privacy. According to Juniper's 2011 malware
report [10], spyware was the dominant type of malware
affecting Android phones. It accounted for 63 percent of the
samples identified in 2011. A concern about Carrier IQ was
recently raised. A Carrier IQ application is usually pre-installed
in a smartphone device and it collects usage data to help
carriers make network and service improvements. Mobile
operators, device manufacturers, and application vendors may
need this usage information to deliver high quality products
and services; however, smartphone subscribers have to be
assured of what data is being collected and how that data is
processed and stored. Smartphone subscribers' privacy needs
to be preserved when data is transmitted, processed, and
stored.
E. Threats and attacks
Smartphones are under numerous threats and attacks. These
threats and attacks are summarized below.
1) Sniffing: There are various ways to sniff or tap a
smartphone. In 2010, Karsten showed that GSM's encryption
function for call and SMS privacy, A5/1, could be broken
in seconds [11]. All GSM subscribers are at risk of
sniffing attacks. Further, as eavesdropping software continues
to become available and installed in smartphones, smartphone
subscribers with 3G or 4G networks are at risk too.
2) Spam: Spam can be carried through emails or MMS
messages. Spam messages may include URLs which direct
users to phishing or pharming websites. MMS spam can also
be used for starting denial of service attacks. The number of
U.S. spam text messages rose 45 percent last year to 4.5 billion
messages, according to Richi Jennings, an industry analyst.
3) Spoofing: An attacker may spoof the Caller ID and
pretend to be a trusted party. Researchers also demonstrated
how to spoof MMS messages that appeared to be messages
coming from 611, the number the carriers use to send out
alerts or update notifications [12]. Further, base stations could
be spoofed too.
4) Phishing: A phishing attack is a way to steal personal
information, such as user name, password, credit card account,
etc., by masquerading as a trusted party. Many phishing
attacks have been recognized in social networking, emails,
and MMS messages. For example, many mobile applications
include social sharing and payment buttons. A malicious
application can similarly include a "Share on Facebook" button
and redirect the users to a spoofed target application. The
target application can then request the user's secret credentials
and steal the data.
5) Pharming: In pharming attacks, attackers can redirect
web traffic in a smartphone to a malicious or bogus website.
By collecting the subscriber's smartphone information, specific
attacks may follow after pharming attacks. For example, when
a user browses a web site in a smartphone, the HTTP header
usually includes the smartphone's operating system, browser
information, and version number. With this information, an
attacker may learn the security leaks of the smartphone and is
then able to start specific attacks on the smartphone.
6) Vishing: Vishing is a short term for "voice" and
"phishing". It is an attack in which malicious users try to gain access
to private and financial information from a smartphone user.
By spoofing the Caller ID, the attacker may appear to be
a trusted party and trick smartphone users into releasing their
personal credentials.
7) Data leakage: Data leakage is the unauthorized
transmission of personal information or corporate data. It includes
both intentional and unintentional data leakage. Malicious
software may steal a person's information, such as contact list,
location information, and bank information, and send this data to a
remote website. A smartphone owner may be at risk of identity
theft due to the data leakage in the phone. Business owners or
classified users such as government and military users have
even more concerns about data leakage. ZitMo, a mobile
version of Zeus, has been found in Symbian, BlackBerry and
Android and could be used to steal one-time passwords sent
by banks to authenticate mobile transactions.
8) Vulnerabilities of Webkit engine: Vulnerabilities in web
browsers in smartphones are another common attack scenario.
The Webkit engine used by almost all mobile platforms
has a certain vulnerability which allows attackers to crash
user applications and execute malicious code. In a recent
vulnerability revealed by CrowdStrike, the attackers could use
the Webkit vulnerability to install a remote access tool to
eavesdrop on smartphone conversations and monitor the user
locations. The vulnerability has been found in BlackBerry, iOS
and Android.

TABLE I
SMARTPHONE SECURITY: THREATS AND ATTACKS
Threats and Attacks               Description
Sniffing                          Tapping or eavesdropping, e.g., GSM A5/1 cracked
Spam                              Email spam and MMS message spam, e.g., unsolicited MMS
Spoofing                          Spoof Caller ID or MMS Sender ID, e.g., spoofed MMS messages from 611
Phishing                          Steal personal information using a spoofed target mobile application
Pharming                          Redirect web traffic to a malicious website and followed by more specific attacks
Vishing                           Voice phishing by utilizing VoIP technique
Data leakage                      Unauthorized transmission of data, e.g., mobile virus ZitMo
Vulnerabilities of Webkit engine  Vulnerability allowing attackers to crash user applications and execute code,
                                  e.g., the Webkit vulnerability revealed by CrowdStrike
DoS
  Jamming                         Jamming radio channel
  Flooding                        MMS message flooding attacks and incoming phone call flooding attacks
  Exhausting                      Battery exhaustion attack
  Blocking                        Use smartphone blocking functions to disable smartphone

9) Denial of Service (DoS) attacks: Smartphone users also
suffer from various DoS attacks.
- Jamming attacks: Smartphones are based on radio
  communication technology and they are vulnerable to jamming
  attacks. The communication between smartphones and
  base stations could be disrupted using jamming devices.
- Flooding attacks: Flooding attacks can be carried out
  using either text messages or incoming calls. A smartphone
  could be disabled if it received hundreds of text messages
  or incoming calls.
- Exhaustion attacks: A battery exhaustion attack is another
  DoS attack on a smartphone which causes more battery
  discharge than is typically necessary.
- Blocking attacks: Blocking features in a smartphone can
  also be used to start DoS attacks. If a malicious user keeps
  calling a smartphone user using a blocked phone number,
  the smartphone subscriber cannot do anything else.
Many attacks could be turned on in a stealth mode. Users
may not observe and realize these attacks for days and months.
A malicious user can always plant malware in a smartphone
first and use it when needed. Table I summarizes these threats
and attacks.
III. SECURITY CHALLENGES AND IMPACTS
Many techniques used to secure desktop and laptop com-
puters can be used for smartphone security, such as, anti-virus
software and anti-malware software. However, smartphones
also have some unique characteristics which make smartphone
security extremely challenging. This section reveals these
unique characteristics of smartphones, evaluates their impacts
on smartphone security, and discusses some countermeasures
to overcome the challenges.
A. Smartphones are a consumer product
A smartphone is not perceived as an accessory that people
expect to keep for great lengths of time. People view them as
devices that are going to get scratched and damaged and will
need to be replaced in a limited time span. Smartphones are
consumer products. Different groups of people have different
preferences. The wide range of smartphone subscribers also
indicates the wide variety of uses of smartphones. Smartphones
can be used for communication, information, social network-
ing, gaming, entertainment, business enterprise, etc. People
have different perspectives on smartphones and thus their
needs for smartphone security are also different.
Since a smartphone is a consumer product and it has a wide
range of users, there is no single security tool which can be
applied to all groups of subscribers. A smartphone business
user typically has more concerns about smartphone security
than a smartphone gamer and thus is willing to spend more
money to ensure smartphone security. Smartphone security
tools should meet these needs of smartphone subscribers. It
is also desirable for a smartphone security tool to be flexible
and configurable to meet different groups' various needs.
B. Smartphones are platform-oriented
A smartphone is pre-installed with a mobile operating
system. Unlike desktop operating systems, which are dominated
by Microsoft Windows, the majority of the smartphone mobile
operating system market is shared by Android, iOS, BlackBerry
OS, Symbian, and Windows Mobile [5] (Figure 3).
Fig. 3. Desktop OS and Smartphone OS
Each mobile operating system provides different applica-
tions, features, and interfaces. It is great for consumers to se-
lect personalized devices. However, it also means more efforts
for hardware vendors and smartphone application developers
to support these mobile operating systems. Further, for each
mobile operating system, multiple versions of the operating
system may exist, especially for the Android OS.
The differences between these operating systems dictate that
security software for smartphones must also be platform
oriented. Operating systems have different security breaches
and security software must address each of these breaches
specifically. Since multiple versions of mobile operating
systems exist, it is also important for mobile security software
developers to be aware of the version issue and proceed with
caution. Security software must be customized for each
mobile platform to deal with multiple operating system issues
and multiple version issues.
C. Smartphones are a multiple entrance open system
A smartphone is a multiple entrance open system. Each
entrance might be a potential back door for malware. As
shown in Figure 1, malware might disguise itself as any one of
the smartphone applications and each communication channel
might be a potential spread path for malware.
Each attack on a smartphone forms a loop as discussed in
Section II-A. Due to the multiple entrances of the smartphone,
in practice, there are many combinations to form an attack
loop. To secure a smartphone, the attack loop must be broken.
Many approaches can be used to break the loop. For example,
a loop cannot be formed if malware is detected, prevented,
and removed from smartphones. Alternatively, resource control
could also be used to break the attack loop since the purpose
of the malware is eventually to gain access to smartphone
resources or manipulate smartphone data.
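
The attack loop described above can be enumerated directly. The following is an added example, not code from the paper: it builds every loop from the layer contents listed in Section II-A and measures how many loops each control breaks. The control names and the resource chosen for the Figure 1 loop are assumptions made for illustration.

```python
from itertools import combinations, product

# Layers and nodes as listed in Section II-A of the paper.
LAYERS = {
    "app": ["social networking", "email", "text message", "synchronization"],
    "comm": ["carrier network", "WiFi", "Bluetooth", "Micro USB port", "MicroSD slot"],
    "rsc": ["flash memory", "camera", "microphone", "sensors"],
    "dest": ["premium account", "malicious website"],
}
ORDER = ("app", "comm", "rsc", "dest")

# Hypothetical controls (assumptions, not from the paper).
# Each control removes specific nodes from exactly one layer.
CONTROLS = {
    "disable Bluetooth when idle": ("comm", {"Bluetooth"}),
    "lock USB and MicroSD access": ("comm", {"Micro USB port", "MicroSD slot"}),
    "block premium-rate messaging": ("dest", {"premium account"}),
    "camera/microphone access control": ("rsc", {"camera", "microphone"}),
    "sensor access control": ("rsc", {"sensors"}),
    "flash write protection": ("rsc", {"flash memory"}),
}

# The loop drawn in Figure 1. The paper only says "resources" were hijacked;
# flash memory is picked here as an assumption.
FIGURE_1_LOOP = {"app": "social networking", "comm": "carrier network",
                 "rsc": "flash memory", "dest": "premium account"}


def attack_loops():
    """Every app -> channel -> resource -> destination path a loop can take."""
    return [dict(zip(ORDER, combo))
            for combo in product(*(LAYERS[k] for k in ORDER))]


def is_broken(loop, applied):
    """A loop is broken if any applied control removes one of its nodes."""
    return any(loop[CONTROLS[name][0]] in CONTROLS[name][1] for name in applied)


def surviving_loops(applied):
    """Loops that still close after the given controls are applied."""
    return [loop for loop in attack_loops() if not is_broken(loop, applied)]


def loops_broken_by(name):
    """How many loops a single control breaks on its own."""
    return len(attack_loops()) - len(surviving_loops([name]))


def smallest_breaking_set():
    """Smallest combination of controls that leaves no loop intact."""
    names = sorted(CONTROLS)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if not surviving_loops(combo):
                return set(combo)
    return None


if __name__ == "__main__":
    print("total loops:", len(attack_loops()))
    for name in CONTROLS:
        print(f"{name}: breaks {loops_broken_by(name)}")
    print("smallest complete set:", smallest_breaking_set())
```

With these assumed controls, closing individual entrances always leaves loops through the carrier network and WiFi, while covering every node of the resource layer leaves none, which is the point the paragraph makes about resource control.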
D. Smartphones are easy targets because of their central
data management
Smartphones have been widely used for social networking,
web surfing, calendaring, and contact management. Many
applications in smartphones cache users' secret credentials and
store this information within each smartphone. People also
use smartphones for banking, business, and various purposes.
The sensitive data in smartphones may include, but is not
limited to:
- Personal information such as home address, phone number,
  pictures, contact lists, etc.
- Correspondence information such as emails, text messages,
  MMS messages, call logs
- Credit card information, secret credentials such as user
  names and passwords
- Files on flash memory or memory card
- Geographic location
- Corporate data
Smartphones carry sensitive data and all of it is located
within storage units in smartphones. Disclosing this data
may end in data leakage, financial loss, or invasion of the
privacy of smartphone owners. To protect data in smartphones,
encryption techniques could be used. Migrating data from
smartphones to the cloud might also be an option to secure data
and reduce the risk of data theft in smartphones.
E. Smartphones are resource-constrained devices and are
easy to physically tamper
A smartphone is a resource-constrained device. It is powered
by a battery and has limited battery life. It needs to be recharged
after the battery is drained. Further, a smartphone has limited
computational power and memory, and thus cannot be used
for extensive computational applications. Since a smartphone
is a resource-constrained device, any security solutions for
smartphones need to consider their computational complexity
and battery consumption. The enhancement of security in
smartphones cannot sacrifice their battery life.
It is also easy to physically tamper with a smartphone.
Among all threats and attacks in smartphones, theft and loss
are two main concerns. According to a report by Lookout,
there were 9 million lost smartphones in the US in 2011, which
equals one phone every 3.5 seconds [13]. The results of losing
control of a smartphone, even if it is just temporary such as
lending your phone to another, might be catastrophic. With
some simple setup, it is easy to reprogram firmware and flash
memory in a smartphone, physically clone the memory card,
or install spyware in a smartphone.
Some simple techniques may help to protect against smartphone
theft and loss, for example, adding a password or enabling
auto-lock in smartphones. Anti-theft technology, such as remotely
wiping sensitive data when a smartphone leaves a secure zone,
is also available through third-party applications [14].
F. Smartphones are at high risks with embedded sensors
inside
A smartphone is often embedded with many sensors inside.
These sensors greatly enrich the functions of a smartphone.
However, the smartphone is also at high risk due to these
sensors. For example, researchers found a way to use
accelerometers to decipher computer keystrokes. With a 58,000
word dictionary, it can achieve 80% accuracy [15]. As more
sensors are planned for installation in smartphones, new threats
and attacks might be explored and discovered using these
sensors.
Many smartphones provide settings to allow applications
to use GPS data and turn on/off cameras. However, this is not
enough to protect smartphone owners against the abuse of
smartphone sensor data. For example,
- Smartphone applications may abuse their right to use the data
  and disclose the data to a third party.
- Malware may be disguised as a normal application and
  request access to GPS data. Smartphone owners may
  authorize its request.
- Malware may jailbreak a smartphone and gain control of
  the smartphone sensors.
To reduce the risk of abuse of the embedded sensors
in smartphones, real time resource monitoring is desirable.
Further, it is also helpful for the smartphones to have certain
intelligence to detect and block illegal access to the embedded
sensors by utilizing real time monitoring.
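
One way such a real time monitor could decide on each sensor access is sketched below. This is an added example, not code from the paper: the app names, the grant table, the foreground rule for camera and microphone, and the background sampling limit are all assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    t: float          # seconds since the monitor started
    app: str
    resource: str     # "gps", "camera", "microphone", "accelerometer"
    foreground: bool  # is the app visible to the user right now?


# What the owner authorized per app (constructed sample policy).
GRANTS = {
    "maps": {"gps"},
    "camera_app": {"camera", "microphone"},
    "flashlight": {"camera"},
    "puzzle_game": {"accelerometer"},
}

# Capture devices must not run "without the user's notice" (Section II-C),
# so they are only allowed while the app is in the foreground.
NEEDS_FOREGROUND = {"camera", "microphone"}


class ResourceMonitor:
    """Allow or block each access using grants plus two behaviour rules."""

    def __init__(self, grants, window=10.0, max_background_reads=3):
        self.grants = grants
        self.window = window                # sliding window in seconds
        self.max_bg = max_background_reads  # background reads allowed per window
        self._recent = defaultdict(deque)   # (app, resource) -> timestamps

    def decide(self, ev):
        # Rule 1: the app never received this permission.
        if ev.resource not in self.grants.get(ev.app, set()):
            return "block", "resource not granted to app"
        if not ev.foreground:
            # Rule 2: camera or microphone used while the app is hidden.
            if ev.resource in NEEDS_FOREGROUND:
                return "block", "capture without user notice"
            # Rule 3: sustained background sampling, the pattern a
            # keystroke-inference attack on the accelerometer would need.
            recent = self._recent[(ev.app, ev.resource)]
            while recent and ev.t - recent[0] > self.window:
                recent.popleft()
            recent.append(ev.t)
            if len(recent) > self.max_bg:
                return "block", "background sampling rate exceeded"
        # A grant alone proves nothing: disguised malware that the owner
        # authorized passes rule 1, which is why rules 2 and 3 exist.
        return "allow", "ok"


def run(events, monitor=None):
    """Feed events through a monitor; return (event, verdict, reason) tuples."""
    monitor = monitor or ResourceMonitor(GRANTS)
    return [(ev, *monitor.decide(ev)) for ev in events]


# Constructed sample events.
EVENTS = [
    AccessEvent(0, "maps", "gps", True),
    AccessEvent(1, "flashlight", "gps", True),
    AccessEvent(2, "camera_app", "microphone", False),
    AccessEvent(3, "puzzle_game", "accelerometer", False),
    AccessEvent(4, "puzzle_game", "accelerometer", False),
    AccessEvent(5, "puzzle_game", "accelerometer", False),
    AccessEvent(6, "puzzle_game", "accelerometer", False),
    AccessEvent(20, "puzzle_game", "accelerometer", False),
    AccessEvent(21, "camera_app", "camera", True),
]

if __name__ == "__main__":
    for ev, verdict, reason in run(EVENTS):
        print(f"t={ev.t:>4} {ev.app:<12} {ev.resource:<14} {verdict:<6} {reason}")
```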
G. Smartphone jeopardizes business operations
Smartphones are now extensively used for both personal and
professional use. As companies adopt smartphones for their
business, Bring Your Own Devices (BYODs) have recently
raised many security concerns for business administrators and
IT professionals [16]. BYODs have the benefit of allowing
employees to easily access corporate applications and resources.
However, it is also difficult to audit and enforce security policy
in a personal device.
Challenges faced by enterprises with smartphone security
include unwillingness to backup, restricting to company issued
phones, and lack of encryption on critical data. Further,
although many companies have security policies for smart-
phones that are used for business, many employees lack
awareness of these policies and it is also hard for companies
to enforce and audit these policies [9].
It is inevitable that a smartphone includes both personal
data and business data. However, there is a lack of separation
between personal data and business data in smartphones. One
approach is to isolate personal data and business data and
enforce a higher security level on corporate data. Moreover,
security policy enforcement in smartphones is also desirable
for enterprise administrators and IT professionals.
H. There is lack of security awareness among smartphone
subscribers and enterprise administrators
With Android reaching 10 billion downloads, as of Jan
2012 there were about 400,000 applications available for
download at Android Market; however, there are only a few
applications providing security features to Android smartphone
users. Unlike desktop and laptop computers, anti-virus
software and anti-spyware are still not popular among smartphone
subscribers.
The lack of security awareness reflects a reluctance to
update firmware and apply security patches. Using packet
sniffer software, it is easy for a malicious user to detect a
smartphone's operating system and browser information. An
attacker can then use known security leaks in a browser or
an operating system to start specific attacks. Further, many
enterprises allow employees to use smartphones for business.
However, many employees do not know the company's security
policies or are not aware of the existence of such security
policies.
Education of smartphone subscribers is helpful in promoting
smartphone security awareness. Smartphone security policy
should also be enforced and regular auditing of smartphones
can be conducted to ensure the security of smartphones.
Table II summarizes these challenges, their impacts, and
possible countermeasures to smartphone securities.
IV. DESIRED SECURITY FEATURES
A smartphone carries sensitive information and because of
this information, greater security is desired for smartphones.
Confidentiality, integrity, and authentication are three of the
most desired security services.
1) Confidentiality: Most smartphones provide synchronization
between smartphones and computers. In other words,
it is possible for another user to access the smartphone file
system. Thus, sensitive information should not be stored in
a smartphone in plaintext. Encryption techniques should be
used.
2) Integrity: Integrity includes two aspects: data integrity
and system integrity. For applications in application stores,
software integrity should be verified to avoid malicious
modifications. Further, smartphones should also provide
mechanisms to protect system integrity. Unauthorized data
access requests from an application should be blocked too.
3) Authentication: Authentication is another desired service
in smartphones. As discussed, Caller ID and MMS message
Sender ID could be spoofed. A smartphone authentication
service will be able to protect smartphone users against
those attacks. As femtocells are used to improve both coverage
and capacity, authentication becomes important to validate the
identity of a carrier.
Smartphone security is challenging due to the unique char-
acteristics of smartphones. There are a couple of security
features which are highly desired in smartphones.
A. A smartphone needs the ability to separate sensitive data
from nonsensitive data
A smartphone needs to separate sensitive data from
nonsensitive data and grant users the flexibility to designate data
as sensitive. Allowing this capability of separation in
smartphones brings many benefits.
- Sensitive data might be an easy target for hackers. However,
  it is also advantageous to have a clear target to
  protect instead of taking extra computational power and
  battery to protect the entire flash or memory card.
- It is easy to use security techniques, such as encryption
  and steganography, to protect sensitive data.
- Isolation of sensitive data is good for business too.
  Smartphone users can assign corporate data as sensitive
  data and enforce a higher security level on corporate data.
B. Sensitive data should be encrypted in smartphones
Sensitive data cannot be stored in smartphones in plaintext.
Encryption techniques must be used. Memory cards should be
encrypted as well. Without the proper decryption key, the contents
of the memory card should not be disclosed. Migrating data
from smartphones to the cloud is another option to protect
sensitive data. Cloud-based intrusion detection techniques could
also be used to detect misbehavior and protect sensitive data
[17]. However, this option comes at the cost of adding cloud
service and more data usage in smartphone service plans.
C. The enhancement of smartphone security cannot sacrifice
battery life
Smartphone security is highly desired. However, any
enhancement of smartphone security cannot sacrifice battery
life. Smartphones are resource-constrained devices. Public-key
cryptography, such as RSA, usually requires more
computational power and should be used with caution.
D. Further exploration is necessary regarding smartphone
security for business
Many enterprises allow smartphones to be used for business.
Employees can either use company-assigned smartphones or use
their own devices. In either case, enterprises should provide
tools to secure these smartphones. The communication of these
smartphones needs to be audited too. Smartphone security for
business needs to be further explored.

TABLE II
SMARTPHONE SECURITY CHALLENGES, IMPACTS, AND COUNTERMEASURES
Challenges                                          Impacts and Countermeasures
Smartphones are a consumer product                  Different groups have different perspective and security needs.
                                                    Smartphone security tools should be flexible and configurable.
Smartphones are platform-oriented                   Multiple operating systems, e.g., Android and iOS, exist.
                                                    Security software must be customized for each operating system and each version.
Smartphones are a multiple entrance open system     Each entrance (Bluetooth or Internet) might be a potential back door for malware.
                                                    Need to break the attack loop, e.g., malware detection, prevention, and removal.
Smartphones are easy targets because of their       A smartphone carries sensitive data, personal and banking information, in a central place.
central data management                             Encryption techniques and migrate data to cloud.
Smartphones are resource-constrained devices and    Security solutions must consider computational complexity and battery consumption.
are easy to physically tamper                       Add password or enable auto-lock, anti-theft technology.
Smartphones are at high risks with embedded         Smartphone sensitive data might be stolen and abused.
sensors inside                                      Resource monitoring and intelligence to block illegal sensor access.
Smartphone jeopardizes business operations          It is difficult to audit and enforce security policy in a personal device.
                                                    Isolate and enforce security policy at a higher security level on corporate data.
There is lack of security awareness among           Reluctant to update firmware and apply security patches.
smartphone subscribers                              Education, smartphone security policy enforcement, and audit

E. New business models are desired to achieve smartphone security
Many enterprises have started to look into security issues in
smartphones [9], [10]. However, solutions must be designed
in consideration of the unique characteristics of smartphones.
It is currently left to smartphone subscribers to install
applications and ensure their security. However, security
should not be the sole responsibility of smartphone owners.
It requires collaboration among mobile users, service
providers, and industry partners. New business models for
smartphone security are highly desired.
F. Easy ways to help secure smartphones
Smartphone security is challenging and complicated. However,
there are also some easy ways to help secure smartphones.
1) Increase security awareness. A smartphone is the same
   as your desktop or laptop computer. It can be hacked,
   infected or phished. Smartphone subscribers should be
   aware of smartphone threats and attacks when installing
   software [18] or granting software the privileges to
   access flash or smartphone sensors.
2) Apply password and auto-lock after a period of time.
   Most smartphones support password and auto-lock
   functions; enable these features to protect your
   smartphone.
3) Do not store data you cannot afford to lose in
   smartphones. It is easy for a smartphone to be lost or
   stolen.
4) Back up smartphone data regularly. Sync your smartphone
   with a computer on a regular basis. Always keep
   a backup of your smartphone data.
5) Turn off Bluetooth. Viruses can spread through Bluetooth
   in your smartphone. Turn off Bluetooth when you are
   not using it.
6) Do not use unsecured WiFi hotspots to connect to the
   Internet. Packet sniffer software like Wireshark may
   disclose useful information from smartphone data traffic.
7) Use a smartphone security tool. Secure your phone using
   a reliable and trusted smartphone security tool.
8) Install anti-theft technology. Check with your smartphone
   or service provider to find out if they provide anti-theft
   technology, such as remotely erasing data or restoring
   the smartphone to its defaults.
There are some subtle signs which may indicate that a
smartphone is under attack. For example, the cell phone
battery is warm even when the phone has not been used, the
cell phone lights up at unexpected times, including occasions
when the phone is not in use, or there are unexpected beeps or
clicks during phone conversations. When these happen, be alert
and have a security professional check your smartphone.
V. CONCLUSION
Securing smartphones is a challenging task due to their unique
characteristics. These unique characteristics include:
smartphones are consumer products, they are resource-constrained
devices, they have embedded sensors inside, etc. This uniqueness
has many impacts on smartphone security and it must
be considered when a security solution is proposed. There
are certain security features which are highly desired in
smartphones, for example, the ability to separate sensitive
data from nonsensitive data, encrypt sensitive data, preserve a
smartphone battery, and so on.
A smartphone has functions far beyond making or receiving
a call. A smartphone is a mobile platform and it is capable of
running many applications like a desktop or a laptop computer.
A smartphone is certainly a phone. However, it can also be
a wallet, a credit card, or a mobile bank. Be aware of the
threats to your smartphone and treat the device like a real
credit card or wallet. As more functions and services emerge
in smartphones, smartphone security becomes critical. A new
business model is highly desired to solve the complex and
numerous smartphone security issues.
REFERENCES
[1] IDC, "Mobile phone market grows 17.9% in fourth quarter," Jan 2011.
[2] IDC, "Smartphones outstrip feature phones for first time in western
Europe as Android sees strong growth in 2011," Jun 2011.
[3] Nielsen, "In US, smartphones now majority of new cellphone
purchases," Jun 2011.
[4] ITU, "Key global telecom indicators for the world telecommunication
service sector," Nov 2011.
[5] IDC, "Worldwide smartphone market expected to grow 55% in 2011
and approach shipments of one billion in 2015," Jun 2011.
[6] N. Leavitt, "Mobile security: Finally a serious problem?" Computer,
vol. 44, no. 6, pp. 11-14, June 2011.
[7] W. Jeon, J. Kim, Y. Lee, and D. Won, "A practical analysis of
smartphone security," in Proceedings of the 2011 international conference on
Human interface and the management of information - Volume Part I,
ser. HI'11. Berlin, Heidelberg: Springer-Verlag, 2011, pp. 311-320.
[8] N. Husted, H. Saïdi, and A. Gehani, "Smartphone security limitations:
conflicting traditions," in Proceedings of the 2011 Workshop on
Governance of Technology, Information, and Policies, ser. GTIP '11. New
York, NY, USA: ACM, 2011, pp. 5-12.
[9] "Mobility and security: Dazzling opportunities, profound challenges,"
McAfee, Tech. Rep., May 2011.
[10] "2011 mobile threats report," Juniper Networks, Tech. Rep., February
2012.
[11] K. Nohl, "Attacking phone privacy," in BlackHat 2010 Lecture Notes,
July 2010.
[12] Z. Lackey and L. Miras, "Attacking SMS," in BlackHat 2009, July 2009.
[13] Lookout, "Lookout projects lost and stolen phones could cost U.S.
consumers over $30 billion in 2012," Mar 2012.
[14] "Virginia Tech cybersecurity breakthrough keeps sensitive data confined
in physical space, engineering team says," Blacksburg, Va., October
2011.
[15] P. Marquardt, A. Verma, H. Carter, and P. Traynor, "(sp)iPhone: decoding
vibrations from nearby keyboards using mobile phone accelerometers,"
in Proceedings of the 18th ACM conference on Computer and
communications security, ser. CCS '11. New York, NY, USA: ACM, 2011,
pp. 551-562.
[16] J. Burt, "BYOD trend pressures corporate networks," eWeek, vol. 28,
no. 14, pp. 30-31, Sep 2011.
[17] A. Houmansadr, S. Zonouz, and R. Berthier, "A cloud-based intrusion
detection and response system for mobile phones," in Dependable
Systems and Networks Workshops (DSN-W), 2011 IEEE/IFIP 41st
International Conference on, June 2011, pp. 31-32.
[18] D. Barrera and P. Van Oorschot, "Secure software installation on
smartphones," IEEE Security and Privacy, vol. 9, no. 3, pp. 42-48,
May 2011.
Yong Wang is an Assistant Professor in the National Center for the Protection
of the Financial Infrastructure at Dakota State University. His research
interests include wireless networks, optical networks, smartphones, and related
security and privacy issues. He is a member of IEEE and IEEE ComSoc.
Contact him at yong.wang@dsu.edu.
Kevin Streff is the Director of the National Center for the Protection of
the Financial Infrastructure. He has over 15 years of significant I.T. and
information security experience and has extensive experience in the financial
services/banking industry. He is also the founder of Secure Banking Solutions,
a security consulting firm focused on improving security in community banks
across the country. Contact him at kevin.streff@dsu.edu.
Sonell Raman is a second-year graduate student at Dakota State University
majoring in Database Management. He received his Bachelor's degree in
Computer Science and Engineering at JNTU from Hyderabad, India. His
research interest as a Graduate Assistant at DSU includes smartphone security
with respect to mobile applications.