Sie sind auf Seite 1von 118

CLOUD BASED MOBILE WALLET

SYSTEM
BY

MESIGO, TOCHUKWU NKEMJIKA


+2348063994712, mesigotochukwu@yahoo.com
DEPARTMENT OF COMPUTER SCIENCE
UNIVERSITY OF PORT HARCOURT, RIVERS STATE, NIGERIA.

CHAPTER ONE
1

1.1 INTRODUCTION
This chapter provides an overview of the mobile payment system,
an

introduction

to

industry

background

and

the

problem

statement. It also looks into the research objectives and purpose


of study including the significance of the research.
1.2 OVERVIEW
The

emergence

of

mobile

phones

and

other

mobile

communication devices has caused a large significant social and


economic impact in the world today and is tipped to continue in
such trend in coming years. One area of mobile phone activity
that has generated a lot of interest is the use of mobile devices
for monetary transactions and mobile commerce.
Mobile commerce is a natural successor to electronic commerce.
Mobile payments are a natural evolution e-payment schemes that
will facilitate mobile commerce. A mobile payment or m-payment
may be defined, for our purposes, as any payment where a
mobile device is used to initiate, authorize and confirm an
exchange of financial value in return for goods and services (Au
and Kauffman, 2007). ). Mobile devices may include mobile
phones, PDAs, wireless tablets and any other device that connect
to mobile telecommunication network and make it possible for
payments to be made (Karnouskos and Fokus, 2004). . The
adoption of mobile payments globally has followed a path unlike
2

almost any other technological development, with rapid take-up


in some developing economies, while advanced economies have
been slower to follow.
Over the last few years, the mobile and wireless devices market
has been one of the fastest growing markets in the world. Mobile
devices are the most promising way to reach the masses and to
create stickiness among customers, due to their ability to provide
services anytime, anywhere, with high rate of penetration and
potential to grow. Going by the Nigerian statistics, only 30% of
Nigerians have bank accounts and over 70% who possess mobile
phones. As of 2009, 68% of the worlds population had mobile
cellular

subscriptions

(ITU,

2009).

The

growth

in

mobile

telecommunications services is expanding the reach of financial


services across wireless networks in the less developed countries,
creating the potential for significant growth in mobile commerce
and financial inclusion.
As more citizens of the developed countries become unbanked as
a result of widespread economic crisis, financial service providers
have begun to explore the potential of mobile money as a means
of enhancing financial inclusion as well as solving the challenges
of remittances. Mobile money transfer (MMT) has the potential to
catalyze the entire financial service market including mobile
payment,

banking

and

transfer

because

it

stabilizes

the

infrastructure for remote mobile transactions and the concept of


mobile wallet (GSMA, 2008).

1.3 STATEMENT OF THE PROBLEM


According to the World/UN Foundation and SanBoeuf (2006),
about 70% of the population in developing countries, particularly
in Africa, majority of the populace live in rural areas and have no
access to financial services.
Researchers have shown that majority of the populace in the
developing nations are rural dwellers that do not have access to
basic financial services and are poor. This class of people are
peasant farmers and petty traders who rely mostly on remittances
from their wards and relations in major cities and abroad to meet
their financial obligations at home. The methods of remittances
are encumbered with challenges. Mobile money is a tool that
allows individuals to make financial transactions using mobile cell
phones. Nigeria is one of the fastest growing telecoms nations of
the world and the adoption of mobile money will help a great deal
to solve the problems associated with remittances
1.4 PURPOSE OF STUDY
The purpose of this study is to develop an a mobile application
that will enable anyone that has a phone or tablet make
payments and also receive payment on their phones. This
application will solely make and receive payments using a mobile
device.

1.5 OBJECTIVES
4

This paper seeks to promote mobile phone use as a means of


expanding access to financial services through the use of cloud
computing services and near field communication technology
NFC. The core objectives which have been designated as
fundamental to this project are:
To design and evaluate a novel secure NFC transaction
authentication protocol based on our third developed model
which proposes a trusted relationship between multiple
MNOs and the merchant in order to provide a complete
transaction solution
To

consider

the

existing cloud

computing and

NFC

transaction models in order to understand the limitations


which have been raised regarding the adoption of this
technology.
To consider the existing NFC transaction models in order to
understand the limitations which have been raised regarding
the adoption of this technology.
To provide authorities and the private sector with knowledge,
tools and examples in a new service-based approach that
combines the strengths of cloud computing and NFC.
To develop a payment model based on the results and
limitations obtained from consideration of the existing
models.
5

1.6 LIMITATION OF THE STUDY


The application that will be built will only run on android operating
system. This implies that only mobile phones with android
operating system can use the application.
1.7 PROJECT MOTIVATION
The emergence of cashless economy initiative by the central bank
of Nigeria has created the need for a secured mobile payment
platform that can process financial transactions efficiently. This is
a source of motivation to me.

1.8 SCOPE OF STUDY


This Project centers on the development of a mobile application
software that can serve as an efficient alternative to the physical
wallet using mobile cloud computing concepts.
1.9 SIGNIFICANCE OF STUDY
This study is of significance in the following ways:
1. It will enable anyone to make financial transactions
using their mobile phones.
2. It will enhance the cashless policy of the Central Bank
of Nigeria.

3. It will eliminate the risks involved in handling physical


cash.
4. It

will

enhance

economic

activities

in

Nigeria

if

implemented.
5. It will help researchers in the field.
6. It will provide a common platform for everyone with a
mobile

phone

or

communication

device

to

get

connected financially.
7. It will add to existing knowledge in the field.
8. It will enhance I.T proficiency among the public since it
involves the use of a digital communication device .

1.10 ORGANIZATION OF STUDY


This study is organized in five chapters.

Chapter one is the

introduction which includes the statement of the problem, the


project motivation, significance of study, scope of study, limitation
of study, organization of study, definition of terms and table of
abbreviations.
Chapter 2 is the literature review which contains the overview and
history of cloud computing, its advantages and disadvantages,
benefits and challenges, its deployment models and the near field
communication NFC. Past Literatures on the subject were also
reviewed. Chapter three is the System analysis which describes
the methodology used in this research. Cloud computing models
7

were also reviewed and an improved model was proposed.


Chapter four is the design and implementation which contains
step by step procedures to developing the proposed application.
Chapter five is the conclusion and recommendations.
1.11 DEFINITION OF TERMS
MCP application

An application residing in a
secure environment performing
the payment functions related
to a Mobile Contactless
Payment, as specified by the
Mobile Contactless Payment
application issuer in accordance
with the payment scheme.
Personal device with mobile

Mobile device

communication capabilities
such as a telecom network
connection, Wi-Fi, Bluetooth
which offers connections to
internet.
Examples of mobile devices
include mobile phones, smart
Mobile Network Operator

phones, tablets ...


A mobile phone operator that

(MNO)

provides a range of mobile


services, potentially including
8

facilitation of NFC services. The


MNO ensures connectivity Over
the Air (OTA) between the
consumer and its PSP using its
own or leased network (the
latter are sometimes referenced
as MVNOs - Mobile Virtual
Network Operators).
Payment service made available

Mobile payment service

by software/hardware through a
Mobile payment service

mobile device.
A PSP providing the mobile

issuer

payment application (Mobile


Contactless Payment or Mobile
Remote Payment),
authentication application
and/or credentials to the
consumer/payer.
A mobile payment where the

Mobile proximity payment

communication between the


mobile device and the Point of
Interaction device takes place
through a proximity technology
Mobile Remote Payment

(e.g., NFC, QR code, etc.).


A payment initiated by a mobile

(MRP)

device whereby the transaction


is conducted over a mobile
telecommunication network
9

(e.g., GSM, mobile internet,


etc.) and which can be made
independently from the payers
location (and/or his/her
Mobile Remote Payment

equipment).
An application residing in a

(MRP) application

secure environment performing


the payment functions related
to a Mobile Remote Payment, as
specified by the Mobile Remote
Payment application issuer in
accordance with the payment

Mobile service

scheme.
Service such as identification,
payment, ticketing, loyalty, etc.,
made available through a

Mobile service issuer

mobile device.
The provider of a mobile

Mobile wallet

service.
A digital wallet accessed
through a mobile device. This
service may reside on a mobile
device owned by the consumer
(i.e. the holder of the wallet) or
may be remotely hosted on a
secured server (or a
combination thereof) or on a
merchant website. Typically, the
10

so-called mobile wallet issuer


provides the wallet
functionalities but the usage of
the mobile wallet is under the
Mobile wallet gateway

control of the consumer.


A service operated by the
mobile wallet issuer or a trusted
third party acting on its behalf,
which establishes for mobile
transactions a link between the
consumer/payer and its mobile
wallet and between the mobile
wallet and the payment
gateways.
During the payment
transaction, it allows the
payment gateway to receive
authentication data directly
from the mobile wallet.
For life cycle management, it
establishes a link between the
mobile wallet and the mobile
wallet issuer to download
credentials, payment and/or
authentication applications from

Mobile wallet issuer

the PSP.
The service provider that issues
11

mobile wallet functionalities


Mobile wallet passcode

A code entered by the


consumer/payer4 via his/her
mobile device that may be
required to activate a mobile
wallet. It is sometimes referred
to as "mobile wallet

Network operator

credentials".
The provider of data
connectivity to the consumer
and potentially other services.
MNOs and ISPs are examples of

NFC (Near Field

network operators.
A contactless protocol specified

Communication)
On-line passcode

by ISO/IEC 18092 .
Secret data known by the
consumer/payer and used for
remote financial services, such
as on-line banking, SCT
payments, etc., to verify its

Payer

identity.
A natural or legal person who
holds a payment account and
allows a payment order from
that payment account, or,
where there is no payment
account, a natural or legal
12

person who gives a payment


Payment account

order.
Means an account held in the
name of one or more payment
service users which is used for
the execution of payment

Payment component

transactions.
Either a dedicated mobile
payment/authentication
application and/or a set of

Payment component User

credentials.
Enables the consumer/payer to

Interface (UI)

manage a specific mobile


payment service through a
dedicated user interface.
Depending on the payment
component type, it may be a
mobile payment/authentication
application UI (provided by the
PSP) or a credentials manager

Payment gateway

UI.
A service operated by a
beneficiarys PSP or a trusted
third party that manages the
authorisation of payments for
merchants.
It facilitates the transfer of
information between the
13

payment portal (such as a


website or mobile device) and
Payment scheme

the beneficiarys PSP.


A single set of rules, practices,
standards and/or
implementation guidelines
agreed between PSPs for the
execution of payment
transactions and which is
separated from any
infrastructure or payment
system that supports its

Payment Service Provider

operation
The bodies referred to in Article
1 of the and legal and natural
persons benefiting from the

Payment system

waiver under Article 26 of the


A funds transfer system with
formal and standardised
arrangements and common
rules for the processing,
clearing and/or settlement of

Payment transaction

payment transactions .
An act, initiated by the payer or
by the beneficiary, of placing,
transferring or withdrawing
funds, irrespective of any
underlying obligations between
14

the payer and the beneficiary


POI device

(as defined in [9]).


Point of Interaction device;
the initial point where data is
read from a consumer device
(such as a PC or mobile phone)
or where consumer data is
entered. As an electronic
transaction-acceptance product,
a POI consists of hardware and
software and is hosted in
acceptance equipment to
enable a consumer to perform a
payment transaction. The
merchant controlled POI may be
attended or unattended.
Examples of POI devices are
Point of Sale (POS), vending
machine, Automated Teller
Machine (ATM) or merchant
website (a so-called virtual

Secure Element (SE)

POI).
A certified tamper-resistant
platform (device or component)
capable of securely hosting
applications and their
confidential and cryptographic
15

data (e.g., key management) in


accordance with the rules and
security requirements set forth
by a set of well-identified
trusted authorities. Examples
include universal integrated
circuit cards (UICC), embedded
secure elements, chip cards and
Secure environment

secure digital cards.


A system which implements the
controlled storage and use of
information. A secure
environment is used to protect
personal and/or confidential
data. It may be located in the
mobile device, such as a Secure
Element or a Trusted Execution
Environment, or located in a

Secured Server

remote Secured Server.


A web server with secure
remote access that enables the
secure storage and processing

Static authentication

of payment related data.


An authentication method that
uses always the same
authenticator (e.g., card data).

16

Strong authentication

A dynamic authentication
method which involves at least
two independent
authenticators. This means that

Trusted Execution

at least one of them is dynamic.


An execution environment that

Environment (TEE)

runs alongside, but isolated


from a main operating system.
A TEE has security capabilities
and meets certain securityrelated requirements: it
protects TEE assets from
general software attacks,
defines rigid safeguards as to
data and functions that a
program can access, and resists

Trusted Service Manager

a set of defined threats.


A trusted third party acting on

(TSM)

behalf of the secure element


issuers and/or the mobile
payment/authentication
application issuers in the case
where a secure element is
involved, or on behalf of the

Trusted Third Party (TTP)

mobile wallet issuers.


An entity which facilitates
interactions between
17

stakeholders of the ecosystem


who all trust this third party.
Examples of TTPs include TSMs
and payment gateway
providers.
Mobile wallet user interface

Umbrella UI

component managing the


portfolio of mobile payment
services accessed through the
mobile device. The umbrella UI
is located in the mobile device.
An application enabling the user

User Interface (UI)

interactions. Examples are


umbrella UI, mobile
payment/authentication
application UI and credentials
User Verification Method

manager UI.
A method for checking that a
user (consumer) is the one
claimed.

1.12 ABBREVIATIONS
Abbreviation
C2B
C2C

Term
Consumer-to-Business
Consumer-to-

CSM

Consumer
Clearing and
18

Settlement
CVM

Mechanism
Cardholder

ETSI

Verification Method
European
Telecommunications

GP
GSMA
HSM

Standards Institute
GlobalPlatform
The GSM Association
Hardware Security

IBAN

Module
International Bank

ISP

Account Number
Internet Service

MCP

Provider
Mobile Contactless

MNO

Payment
Mobile Network

MRP

Operator
Mobile Remote

MVNO

Payment
Mobile Virtual Network

NFC

Operator
Near-Field

OS
OTA
PAN

Communications
Operating System
Over the Air
Primary Account

PC
POI
PSD

Number
Personal Computer
Point of Interaction
Payment Services
19

PSP

Directive
Payment Service

QR code
SCP
SCT
SDD
SE
TEE

Provider
Quick Response code
SEPA Card Payment
SEPA Credit Transfer
SEPA Direct Debit
Secure Element
Trusted Execution

TSM

Environment
Trusted Service

TTP
UI

Manager
Trusted Third Party
User Interface

CHAPTER 2
2.1 Introduction
Money has evolved several times in human history from the days
of the barter trade, from coins to paper, then plastic and now
phones. About 15 years ago, the mobile phone was used for
making calls, playing simple games and texting friends. Today,
mobile phones can be used to access the Internet, make video
calls, take photos, find your location on a map, purchase transport
20

tickets, and even for banking, among many other applications.


The main drivers behind the success of mobile money are the
explosive growth in the number of mobile devices and the fall in
the cost of computing power, which have lowered the barriers to
new entrants in this field. Mobile money (m-money) is quite
versatile and can support a variety of services, in particular,
person to person (P2P) money transfers, which are of significant
value for emerging economies. There are three main types of
mobile financial services with some degree of overlapping among
the functionalities offered by applications in each category:
Mobile payments;
Mobile money transfer; and
Mobile banking.
Mobile payments cover many types of transactions which fall into
two categories: transactions with a remote merchant or proximity
payments at the merchant site. Mobile money transfer is also a
broad term and in this report refers mainly to the transfer of
money from one individual to another. The transfer can be
domestic or international and can also be called a peer to peer
(P2P) payment. When the transfer is international, it is referred to
as an international remittance.
Mobile banking allows users to manage their bank accounts
remotely from their mobile devices. The mobile wallet is the most
common type of mobile money service in the news. An electronic
account held on the mobile device known as a mobile wallet has
various functional features such as converging deposit accounts,
21

credit accounts, loyalty accounts, merchant accounts, gift cards


and coupons stored on the mobile device with a remote
communication facility for use anywhere, anytime. In developed
countries, the mobile wallet can also be conceived as a container
for different payment instruments, such as cash and cards. The
mobile wallet can be a menu on the phone which provides access
to

different

payment

instruments

and

payment

account

information.

2.2 Cloud Computing


Nowadays it is impossible to read a technology journal or blog
without coming across the term cloud computing. While some
might think that cloud computing is just a new buzzword,
something companies use to sell services, cloud computing is
transforming the way we deploy technology. The cloud is often
used in a very general way and labelled on products that are not
necessarily cloud computing services, but this paper provides a
perspective

on

cloud

computing

and

sheds

light

on

the

sometimes ambiguous understanding of cloud computing.


Cloud computing is not just a service being offered from a remote
data center. It is a set of approaches that can help organizations
quickly, effectively add and subtract resources in almost real
time. Cloud computing provides the means through which
resources such as computing power, computing infrastructure and
22

applications can be delivered to users as a service wherever and


whenever they need over the Internet. Cloud services include the
delivery of software, infrastructure, and storage over the Internet
based on user demand. Mell and Grance from the U.S. National
Institute Standards and Technology defined cloud computing as a
model for enabling convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or
service

provider

interaction[7].

Plummer,

Bittman,

Austin,

Clearley, and Smith (2009) explained it as a style of computing


where massively scalable IT-enabled capabilities are delivered as
a service to external customers using Internet technologies [8].
The 451 Group defined cloud computing as an IT as a service,
delivered by IT resources that are independent of location [9] and
Buyya, Yeo and Venugopal (2008) define the cloud as a type of
parallel and distributed system consisting of a collection of
interconnected and virtualized computers that are dynamically
provisioned and presented as one or more unified computing
resources based on service-level agreements established through
negotiation between the service provider and consumers.
After examining the definitions given of cloud computing it helps
us clarify the term and what it involves; briefly cloud computing is
a way of delivering computing services such as software, servers
or storage over the Internet in a self-service manner. Instead of
23

having to install, maintain and manage these resources, one only


needs to access and use them through a web browser or a
specifically designed user interface. Cloud computing can be used
to overcome the limitations of data centers. An enterprise data
center is where servers and storage are located, operated and
managed. A functional data center requires a lot of power, a lot of
space, cooling, maintenance and so on. Most of human activities
such as energy, lighting, telecommunications, Internet, transport,
urban

traffic,

banks,

security

systems,

public

health

and

entertainment are controlled by data centers. People rely on the


functioning and availability of one or multiple data centers. The
process of adding and releasing resources in the traditional data
center cannot be done in an automated or self- service manner,
but in the cloud, users can request extra resources on demand
and also release them when they are no longer needed. The fact
that the cloud can easily expand and contract is one of the main
characteristics that attracts users and businesses to the cloud.
Furthermore, as enterprises grow and there is a need for more
resources, IT departments usually add hardware to the data
center and buy new software, which makes the data center even
more large and complicated. Managing a big data center that is
still

expanding

is

stressful

for

IT

management,

thus

the

introduction of technology advancements such as virtualization.


Even though these advancements in technology have enabled
much more efficiency and cost effectiveness, companies are still
overwhelmed with a lack of ability to satisfy customers needs.
24

The public cloud enables companies to make use of external


resources to improve their ability to offer services requested by
users without investing in new infrastructure, training new
personnel, or licensing new software. With cloud computing, there
are no servers to maintain, which gives companies time to focus
on other tasks; hence improving productivity. The public cloud
involves end users that benefit from cloud services without
knowing the underlying technology and cloud service providers
that are responsible for the IT assets and maintenance.
2.2.1 Cloud Computing History
Cloud computing has been possible through development in a
variety of areas. As computer hardware evolved, so did software,
as communication networks developed so did the protocols for
how computers communicate. The communication rules and
standards in turn affected the evolution of Internet software that
made cloud computing possible. According to Carr, what is
occurring nowadays is very similar to what happened during the
industrial era. During the industrial era many industries had to
provide their own electricity by wind or water mills to power their
machines. As electricity through power lines became cheaper,
more available and more reliable, there was no need for the
industries to produce their own energy. Carr says that the
organizations of today face the same shift as the ones during the
industrial era, except today the shift is toward cloud computing.
[10]
25

Toffler states that a civilization goes through different waves of


development: the first wave was the agricultural societies, the
second one was the industrial age and what we are now facing is
the third wave; the information age [9]. Development in various
areas have led to the development of cloud computing. Some
areas have affected the growth more than others, for example
virtualization, utility computing, outsourcing and grid computing,
are areas that have had a great impact on cloud computing.
Virtualization
IBM introduced virtualization in the early 1960s. Virtualization
makes it possible to run several operating systems on one server
simultaneously, but separates them as if they were on their own
server. The difficulty comes from the fact that todays computers
are designed to run just one operating system and application at
a time. Virtualization allows multiple operating systems and
applications to share a single hardware host. Each virtual machine
is isolated from the others by the hypervisor, and uses as much of
the hosts computing resources as it requires. A hypervisor
monitors the virtual machine in a way that each operating system
appears to have the host's processor, memory, and other
resources all to itself.
The hypervisor controls the host processor and resources,
allocating what is needed to each operating system, and making
sure that the guest operating systems (virtual machines) cannot
26

disrupt each other. The difference between virtualization and


cloud computing is that virtualization is part of a physical
infrastructure, while cloud computing is a service. There is also a
difference in costs: using virtualization requires upfront costs but
with cloud computing the charges are based on how much
resources are used.
Utility Computing
Utility

computing

can

be

defined

as

the

provision

of

computational and storage resources as a metered service,


similar to those provided by a traditional public utility company
[11]. The idea of utility computing is to provide computing
resources like how electricity, telephone or water is provided. We
pay for the amount that we use and it should be available to us.
The main benefit of utility computing is better economics.
Corporate data centers are underutilized, with resources such as
servers often idle 85 percent of the time. Utility computing allows
companies to only pay for the computing resources they need,
when they need them. Utility computing differs from cloud
computing by the fact that it relates to the business model in
which application infrastructure resources are delivered, whereas
cloud computing relates to the way we design, build, deploy and
run applications that operate in a virtualized environment, and
offering the ability to dynamically grow, reduce and self-services.
Outsourcing

27

Outsourcing is the act of one company contracting with another


company to provide some services. Often the company itself
could perform the tasks that are outsourced, but in many cases
there are financial advantages that come from outsourcing. In
comparison to cloud computing there are similarities but also
some differences. Companies can outsource parts, or their whole
IT department, on companies specialized on that particular field.
For example a company that outsources the setup, maintenance
and storage of their servers so that they do not have to have
them onsite, on their company compound. This is similar to PaaS
or IaaS where cloud computing vendors take care of the platform
and/or

infrastructure.

There

are many

similarities but the

differences lie in the quickness of providing the services and


agreements from the outsourcing company or the cloud provider.
Unlike traditional outsourcing that requires lengthy contracts that
usually just carry on as long as the contracts agree on, cloud
computing offers a predefined solution that matches the need of
the customers application [6]. There is usually no initial cost, and
the customer only pays for what is being used and nothing more.
There are also some differences in the level of management,
security

and

support when comparing cloud services and

traditional outsourcing.

Grid Computing

28

The term Grid computing originated in the 1990s and refers to


the idea of making computing accessible in similar manner to how
a power grid works. Grid computing is a form of distributed
computing that implements a virtual supercomputer made up of a
cluster of networked or Internetworked computers acting in
unison to perform very large tasks. Many cloud service providers
offers services similar to grid computing by the pay-peruse model
and perceived unlimited computing resources. However, cloud
computing should be viewed as a step away from the grid utility
model [11]. The fields overlap each other on several points, but
the main difference between the two of them is how data is
processed. In grid computing the user usually makes few but very
large request. Only a few of these requests can be processed at
any given time and others might be queued. However, cloud
computing users do several small allocation requests, where
allocations happen in real time.
2.3 Cloud Computing Features
Overall, the cloud embodies the following key features:

Resource pooling and Elasticity


Self-service and automatic services
Access over the Internet
Billing in a pay-per-use model

Each of these characteristics is described in more detail in the


following sections.

29

2.3.1 Resource Pooling and Elasticity


Resource pooling is the ability to scale up and down to serve
multiple customers using a multi-tenant model with different
physical

and

virtual

resources

dynamically

assigned

and

reassigned according to demand. Often, the service provider


cannot predict how customers will use the service. Some
customers might use the service a few times during their highest
seasons, while others might use it as a primary development
platform for all of its applications. Therefore, the service needs to
be available all the time and it has to be designed to scale upward
for high periods of demand and downward for lighter ones. The
service also needs to scale when additional users are added and
when the application requirements change.

2.3.2 Self-service and Automatic Services


Cloud Computing allows customers to get cloud services easily
without going through a long process. The customer simply
requests an amount of computing, storage, software, process, or
other resources from the service provider. This is an advantage
that cloud computing offers compared with the process one has to
go through when requesting new services from a typical data
center. Before implementing a new application, the IT department
has to submit a request to the data center for additional
computing hardware, software, services, or process resources.
30

The data center evaluates all requests from various departments


and assesses the availability of existing resources versus the
need

to

purchase

new

hardware.

After

new

hardware

is

purchased, the data center is configured for the new application.


This proves to be a long and complicated process that can be
made easier by using cloud services. [12]
2.3.3 Access over the Internet
The access of services over the Internet allows convenience.
Access over the Internet means that resources hosted in the cloud
are available for access from a wide range of devices and from
several locations that offer online access [12]. Users are able to
access data and services wherever and whenever they need, from
the home computer, tablets, or smartphones. Usually, this was
done through a browser, to avoid the need to install local
software. However, cloud-based applications are now available in
order to access data anytime it is needed.
As will be discussed later , cloud computing has different
deployment models: private, public and hybrid clouds. In a private
cloud, secure data is accessed only by company employees within
a company's own firewall. The company operates its own
infrastructure, including a data center full of servers. Public cloud
computing is when companies use an outside company to host
servers or other cloud services that the company accesses for its
employees. Access over the Internet might cause some security
issues

in

private

cloud,

but,
31

as

more

employees

use

smartphones, tablets to access company resources or may want


to work from their homes, a need for a network access over the
Internet arises which may cause the company to adopt a hybrid
cloud that combines both a private and a public cloud.

2.3.4 Billing in a Pay-Per-Use Model


Pay only for the services used, and no more. Rather than paying a
100 percent for servers that are only used 20 percent of the time,
one only pays for the exact number of resources used. The ideal
cloud providers charge usage in terms that everyday people; not
just IT systems administrators, understand. A cloud environment
needs a built-in service that bills customers. Of course, to
calculate that bill, usage has to be tracked. [12] For example
measuring the storage, bandwidth, and computing resources
consumed, and charging per stored gigabytes, transferred bytes,
used computing hours, number of active user accounts per month
or performed transactions. A pay-per-use model involves different
payment mechanisms, such as subscription based payment,
reservation based payment, consumption based and so on. In
subscription based payment, the user has monthly or yearly fees
to access the service. A pay-per-reservation method is when the
user pays for the duration of the service. How much of the
infrastructure used from the moment the service started is not
necessary, the user will be charged according to the time. In
32

consumption based, the users consumption is measured and


charged according to the amount of memory, CPU cycles, disk
space, and network traffic. These examples show that there are
different approaches to the pay-per-use model, but they are all
based on the amount of resources used or the period the service
was available.
2.4

Cloud Computing Deployment Models

A cloud deployment model defines where the physical servers are


deployed and who manages them. Cloud computing deployment
models are:

Public cloud
Private cloud
Community cloud
Hybrid cloud, which combine both public and private

In the public cloud, the infrastructure is designed to make the


services available to public users on the Internet. For the private
cloud the infrastructure is configured exclusively for a private
user, meaning an enterprise or organization where the services
can

only

be

accessed

locally,

and

the

organizations

IT

department manages it. The infrastructure for the community


cloud is shared by several organizations and supports a specific
community

that

has

common

concerns

(e.g.

security

requirements). The organization or a third party may manage it.


As for the hybrid cloud the infrastructure is comprised of two or
more clouds (private, community, or public) that remain unique

33

entities but are communicating with one another by standardized


technologies that enable data and application portability [7].
2.5

Cloud Computing Service Models

The three cloud service delivery models are Infrastructure as a


Service (IaaS), Platform as a Service (PaaS), and Software as a
Service (SaaS). These services are classified into three models to
help us understand them; they are tasks that have been put
together in order to be delivered to customers whenever they
need them. The Infrastructure as a Service layer offers hardware,
storage, servers, data center space and network components that
developers and IT organizations use to build and deliver solutions.
The Platform as a Service layer offers development environments,
which software developers can use to create fully functional
products or services. [12]
The Software as a Service layer offers software over the Internet.
The customer accesses those services with defined interfaces.
These interfaces are all that the user ever comes in contact with.
For example when watching a movie via Netflix the customers
only sees the screen that enables selecting and watching the
movie, they never see the underlying infrastructure and what
happens behind the scenes to allow Netflix to deliver so many
movies to many people. In cloud computing the underlying
infrastructure that provides the service may be very complex, but
the user does not need to understand this infrastructure in order
to use it.
34

2.5.1 Infrastructure as a Service


Infrastructure as a Service (IaaS) is the delivery of computer
hardware (servers, networking technology, storage, and data
center space) as a service. It may also include the delivery of
operating systems and virtualization technology to manage the
resources. Instead of buying and installing computing resources in
their own data center, customers rent them. An IaaS provider is
responsible for operating and maintaining the equipment it
provides for a customer. Clients pay on a per-use basis. One of the
characteristics of IaaS includes dynamic scaling to ensure more
resources will be automatically given to the client in case they
need them. Also, the service involves an agreed-upon service
level in terms of availability and response to demand. For
example, it might be stated that the resources will be available
99.999 percent of the time and that more resources will be
provided dynamically if greater than 90 percent of any given
resource is being used. [12] An example of an IaaS is Amazons
Elastic Compute Cloud (Amazon EC2). It provides a web interface
that allows customers to access virtual machines. The use of the
term elastic in the naming of Amazons Infrastructure as a Service
refers to the ability that EC2 users have to easily increase or
decrease the infrastructure resources assigned to meet their
needs. The user needs to initiate a request; the service provided
is not dynamically scalable.
2.5.2 Platform as a Service
35

Platform as a Service (PaaS) is a concept that describes a


computing platform that is rented or delivered as a solution stack,
which is an integrated set of software that provides everything a
developer needs to build an application. The PaaS service delivery
model allows a customer

to

rent virtualized servers and

associated services used to run existing applications, or to design,


develop, test, deploy and host applications. Recently web-hosting
companies have been offering software stacks for developing web
sites. PaaS can be considered an advancement of web hosting
because it provides also a lifecycle management which is the
process of managing the entire lifecycle of a product. It also
involves all the software development stages from planning and
design, to building, deployment, testing and maintenance.[12]
The main advantage of PaaS is not having to worry about
managing and maintaining the infrastructure, and only focus on
developing the product. PaaS is also delivered with dynamic
scaling; it can automatically scale up or down. An example of
Platform as a Service is the Google App Engine.
2.5.3 Software as a Service
Software as a Service (SaaS) is a model for the distribution of
software where customers access software over the Internet. In
SaaS, a service provider hosts the application at its data center
and a customer accesses it via a standard web browser [7,1-3].
SaaS has its roots in Application Service Providers (ASPs), which
used to host and manage business applications. SaaS extends the
36

idea of ASPs; they require installation of software on users'


personal computers, but SaaS solutions rely on the web and only
require an Internet browser for users to access services. Also,
while

most

ASPs

maintained

separate

instance

of

the

application for each business, SaaS solutions normally utilize a


multi-tenant architecture, in which the application serves multiple
businesses and users, and partitions its data accordingly. The
price of the software is on a per-use basis and businesses are able
to reduce capital expenditures. Furthermore, before acquiring new
software, businesses can test them first on a rental basis and if
they find them appropriate, they can purchase them. Examples of
Software as a Service are Microsoft Office 365 and Google drive.
2.6 Advantages of Cloud Services
There are several benefits with cloud computing that companies
can use to reduce costs while providing a high level of service to
customers. This section will show how cloud computing can
benefit an organization.
2.6.1 Improved Business Agility
In the ever-changing market, businesses need to be able to adapt
rapidly

and

cost

efficiently

to

changes

in

the

business

environment. Cloud computing offers a way to save time and


money by providing the ability to add new infrastructure quickly
and in a self-service manner. Managing the internal information
systems is not the core competence for most companies.
37

Therefore, by using cloud services, IT management will be able to


focus on supporting the corporate business values, while the
cloud provider takes care of the IT needs.
2.6.2 Reduced Costs
With the introduction of the cloud, companies can test a new
application or develop a new application without first investing in
hardware, software, and networking, and if they like it they would
go ahead and purchase it. A need might arise to increase storage
or buy new software for various departments, but there is not
enough money to buy all those services at once. Cloud service
vendors might rent storage on a per gigabyte basis. Companies
are often confronted with the need to improve the functionality of
IT while reducing costs. By adopting the cloud computing pay-asyou-go model, where one only pays for the amount of resources
they use or respectively for the time the service is accessible,
companies are able to avoid a large initial investment and instead
pay for the functionality as an operating cost.

2.6.3 Elasticity and Scalability


Computing resources are dynamically assigned, released, and
reassigned according to consumer demand. Elasticity means that
the platform can handle sudden, unexpected, and large loads.
This could be due to an event happening that results in a vast but
short influx of users on the system. Scalability is a planned level
of capacity that is able to scale up or down in a quick and easy
38

manner when more or less resources are needed. In cloud


computing

resource

allocation

can

get

bigger

or

smaller

depending on demand. For example, an application can scale


when adding users and when application requirements change.
2.6.4 Rapid Application Development
Using cloud computing to build, test, and deploy applications,
reduces the overall development time, due to the cloud platform's
ability to simplify the development process and the ability to
quickly get the development resources online. Cloud-based
development platforms in PaaS and IaaS clouds, such as Google,
Amazon Web Services, Microsoft, and Salesforce.com offer
developers the ability to self-provision development and testing
environments without having to wait for hardware and software to
be installed in the data center. It allows them to quickly get
applications into production and to scale those applications as
required. This enables cost savings and efficiency.
2.7 Disadvantages of Cloud Services
Companies

require

an

ideal

performance,

perfect

implementation and a 100 percent uptime in order to satisfy


customers. They also want to be able to get new infrastructure
quickly, but have limited budgets. While cloud computing can
offer all that, it comes with a few flaws. This section introduces us
to cloud computing disadvantages.
2.7.1 Security

39

There is a concern in larger organizations towards turning over


their operations and data to a cloud-based service provider. A
recent study done by the International Data Corporation (IDC),
shows that almost 75 percent of Chief Information Officers and IT
executives are concerned about the security when using cloud
services. Before using cloud services, companies need the right
level of security to make sure that another company cannot
access the information or be maliciously accessed by a hacker.
2.7.2 Vendor Lock-in
When using Platform as a Service, customers may find it difficult
to move their applications to another development environment
without rewriting them. When in need to switch to another PaaS
vendor, rewriting the applications might cost companies plenty of
money. This drawback has opened up a new approach: Open
Platform as a Service. This is the same service as Platform as a
Service, but customers are able to choose through a variety of
development software, there are no limitations and it prevents
customers from being locked in.
2.7.3 Misuse of Data
There is a risk that data could be permanently lost by a cloud
computing service provider due to various reasons such as
technical errors or physical disasters like fire. Also, a crooked
employee that has access to the data might misuse it or the data
might be compromised by external parties. Even though these
issues are not likely to occur, because the providers usually have
40

back-up and proper security techniques, it is important for a


company to consider how to address data loss or misuse in its
agreement with the provider.
2.7.4 Lack of Maturity
Cloud computing is still in its new phase and users may not fully
understand how to utilize the capabilities of the concept [14].
Users might ask themselves questions like what happens to their
data when the cloud provider is no longer there. Currently, there
is no way for a cloud storage service provider to directly transfer
customer data to another provider. If a service goes down, the
hosting company must return the data to its customer, who then
must find another provider. In addition, there are no rules
regarding data removal. When a customer asks a cloud vendor to
delete some of their data, it is not done right away. Cloud service
providers use a "garbage collection" method for deleting old data.
The data to be erased is marked first, then the actual deletion or
overwrite process takes place at a later date, sometimes months
later.
2.8 Mobile Cloud Computing
The term mobile cloud computing was introduced not long after
the concept of cloud computing launched in mid-2007. It has
been attracting the attentions of entrepreneurs as a profitable
business option that reduces the development and running cost of
mobile applications, of mobile users as a new technology to
achieve rich experience of a variety of mobile services at low
41

cost, and of researchers as a promising solution for green IT.


Mobile Cloud Computing at its simplest, refers to an infrastructure
where both the data storage and the data processing happen
outside of the mobile device. Mobile cloud applications move the
computing power and data storage away from mobile phones and
into the cloud, bringing applications and mobile computing to not
just smartphone users but a much broader range of mobile
subscribers. Aepona [6] describes MCC as a new paradigm for
mobile applications whereby the data processing and storage are
moved from the mobile device to powerful and centralized
computing

platforms

located

in

clouds.

These

centralized

applications are then accessed over the wireless connection


based on a thin native client or web browser on the mobile
devices.
Mobile cloud computing is the availability of cloud computing
services in a mobile ecosystem, in other words using Cloud
Computing principles to deliver applications and services for
mobile devices. Developments in mobile hardware and software
have enabled users to perform tasks that were once only possible
on personal computers and other devices like digital cameras and
GPS navigation systems. Mobile users are now connected to the
Internet, they can capture and manage photos and videos, play
music and movies, and play complex games. However, the
increasing number of mobile applications requires more resources
in terms of storage and processing capability. Mobile devices
42

compared to desktop computers, have less computing power, less


storage capacity and battery limits. Demanding applications such
as video streaming and mobile games need more resources on
mobile devices for a better user experience. Migrating computing
and major data processing tasks to the cloud can fill the gap
between

resource

demand

and

supply

in

mobile

devices.

Definitions of mobile cloud computing can be classified into two


categories. The first one denotes carrying out data storage and
processing outside mobile devices [13].
Mobile devices tasks are reduced because the storage and
computing processes take place in the cloud. The second
category refers to mobile cloud computing as an extension of
cloud computing in which foundation hardware consists at least
partly of mobile devices. This definition acknowledges an
opportunity to harness the collective sensing, storage, and
computational capabilities of multiple networked phones to create
a distributed infrastructure that can support new applications. By
using the combined data and computational abilities of an entire
network of smartphones, useful results for clients both outside
and within the mobile network can be generated. This interface
and the underlying hardware would create a mobile-cloud upon
which certain mobile phone tasks could be performed. [13]
In figure 2, mobile devices are connected to the mobile networks
via base stations (e.g., base transceiver station (BTS), access
point, or satellite) that establish and control the connections
between the networks and mobile devices. Mobile users requests
43

and information (e.g., ID and location) are transmitted to the


central processors that are connected to servers providing mobile
network services.

Figure 2.1 Mobile Cloud Computing Architecture

As shown in figure 2.1, mobile cloud computing can be simply


divided into cloud computing and mobile computing (mobile
devices,

mobile

applications,

the

infrastructure

of

mobile

networks and protocols). Those mobile devices connect to a base


44

station by 3G, 4G, WIFI, or GPRS. Mobile network operators


provide

the

necessary

services

to

mobile

users

such

as

provisioning, billing and AAA (Authentication, Authorization, and


Accounting) based on the home agent (HA) and subscribers data
stored in databases. After that, the subscribers requests are
delivered to a cloud through the Internet. In the cloud, cloud
controllers process the requests to provide mobile users with the
corresponding cloud services.
2.8.1

Challenges

Resource Limitations
The main issue with the mobile cloud is the resource limitations of
mobile devices. Compared to desktop computers, they have less
memory, less compute power, and battery capacity limits. The
mobile cloud is often viewed as SaaS, meaning that computation
and

data

handling

are

usually

performed

in

the

cloud.

Smartphones often access the cloud through web browsers or thin


clients. [23] Reduced battery lifetime is a fundamental challenge
for mobile devices. Mobile devices are less powerful and use a
battery, whose capacity is limiting and prevent users from
completely relying on their mobile device. It is therefore
important to maximize battery life through the careful partitioning
of application functions across servers and devices.
Latency and Bandwidth
Latency and bandwidth affect the mobile cloud as well. Wi-Fi
improves latency but may decrease bandwidth when many mobile
45

devices are present. Wireless connectivity is characterized by


variable data rates and intermittent connectivity due to gaps in
coverage.

The

dynamic

nature

of

application

throughput

demands, subscriber mobility and uncontrollable factors such as


weather, can cause bandwidth capacity and coverage to vary.
Bandwidth for 3G cellular may further be limited by cell tower
bandwidth in some areas. Similarly, connectivity may be irregular.
Internet service providers are implementing 4G networks to help
them meet the growing end-user demand for more bandwidth,
higher security and faster connectivity on the move.
Security Issues
Security issues increase with mobile devices. It is easier to lose a
mobile device and in case that device contains sensitive data just
downloaded from the cloud, it could lead to an information
leakage and data loss. Cloud computing users prove their
identities with digital credentials, typically passwords and digital
certificates. If an attacker could fake or steal these credentials,
the cloud computing system will suffer from spoofing attacks.
Mobile

devices

sophisticated

have

less

security

computing

algorithms;

power

therefore

to

execute

mobile

cloud

computing is more prone to attacks from hackers. In addition, it is


difficult

to

enforce

standardized

credential

mechanism due to the variety of mobile devices.


2.8.2

Solutions

46

protection

Various solutions have been proposed to challenges often faced


by mobile cloud computing. In this section, some of the solutions
are reviewed.
Offloading Mobile Applications
Offloading mobile applications to the cloud is a way to save on
device energy consumption because it reduces the amount of
local processing. However, it is not possible to completely
delegate the execution of all applications in the cloud. Application
architects

need

to

think

about

partitioning

application

functionality that can be offloaded on cloud versus executed on


the mobile device. For example some non-display applications like
virus scanning are more suited for being offloaded to the cloud. To
achieve seamless and transparent migration and offloading, the
application should be partitioned, meaning dividing the complex
workload

into

lighter

components

that

can

be

processed

simultaneously.
4G Technology
One of the biggest enablers for network reliability in mobile cloud
computing will be the full implementation of 4G Technology, which
will help with issues of latency and bandwidth. HTML5 also allows
specification of offline support, which makes local storage
possible, helping with connectivity interruptions. One example of
an HTML5 benefit is the ability to watch a video without a plug-in
like

Adobe

Flash

improvements

in

or

Microsoft

forms

Silverlight.

specifications

applications.
47

that

HTML5
benefit

features
mobile

Embedded Hypervisor
An embedded hypervisor will enable cross-platform applications.
The hypervisor allows a web application to run on any smart
phone without being aware of the underlying architecture. Mobile
platforms require the hypervisor to be built in. For example, the
Motorola Atrix has an embedded hypervisor that allows it to run a
wider range of applications, not just those developed specifically
for it.
Security
As mentioned earlier, mobile phones get lost easily. Therefore,
there should be a way to prevent data misuse from lost or stolen
devices. One way is the ability to wipe off mobile devices
remotely. Some mobile manufacturers and wireless carriers
provide this feature. The risk of privacy exposure and identity
theft can be reduced by implementing improved protection
measures

for

sharing

data

in

interconnected

systems,

implementing monitoring capabilities and protocols, and by


educating users about proper social media safe-surfing. One
added security feature is lightweight virus and using firewall
clients on mobile devices.
2.9

Cloud-based Mobile Applications

With the rapid adoption of smartphones and tablets, companies


need to add mobile applications to their service portfolios in order
to reach more customers and provide services anywhere,
anytime. Apps are actual applications that are downloaded and
48

installed on mobile devices, rather than being accessed within a


browser. In order to download apps, users visit mobile application
stores like Apples App Store, Android Market, or Blackberry App
World depending on the devices operating system. The app may
pull content and data from the Internet, in a similar way to a
website, or it may download the content so that it can be
accessed without an Internet connection.
Mobile apps allow content to be available offline and provide
access to the phones camera or phone resources to store
information or process complex data. Functions can also be
performed without an Internet connection. Examples of mobile
apps are Angry Birds, Facebook and Gmail. Mobile apps enable
interactive games, and when developing productive apps like
EverNote or SportsTracker that involve users personal and daily
usage, apps are a useful way to satisfy users needs. In addition,
apps allow users to access their banking systems, which would
not be safe to do through a usual web browser because of the
lack

of

security

systems

in

mobile

phones.

Mobile

cloud

computing provides many advantages for application developers


as well as their end-users. With cloud-based applications, mobile
users do not need high-end hardware and infrastructure to run or
maintain mobile apps. Mobile app development requires hardware
and software resources, and for organizations that do not have
enough funds to get started, cloud computing comes in to provide
needed resources in a pay-as-you go model. Cloud computing
services are easy to use, they are scalable, efficient and offer a
49

pay-per-use pricing. On-demand services and the availability of


limitless processing power and storage provided by the cloud
allow developers to reach high levels of mobile app functionality.
When using cloud computing services, developers do not need to
be concerned about deployment or the operational maintenance
of the infrastructure to power their applications, they can focus on
developing the main task at hand, while other functionalities are
being taken care of. Cloud computing offers the performance and
flexibility

that

mobile

app

developers

require.

With

the

introduction of cloud computing, the smartphone and app


markets began to grow at a notable rate with more innovative and
useful apps developed more quickly and cost effectively. This
chapter discusses the benefits of cloud-based applications for
developers.
2.9.1

Cost Advantages

Developers do not need to invest heavily in building infrastructure


and resources.
Cloud computing provides instant access to scalable mobile
application tools for building mobile and tablet apps. Crossplatform app development also helps reduce costs. Developers
can now build an app once, test it and deploy it across multiple
platforms.

Building

once

and

deploying

to

many

devices

considerably decreases the cost of developing apps. In addition,


deploying apps to app stores and web sites is much easier. For
example, developers can avoid device manufacturers or carrier

50

app stores to distribute their apps, and publish them on their own
private channels.
2.9.2

Increased Developer Productivity

Developers can implement their ideas without being concerned


about the infrastructure or the capacity of the surrounding
services. In a usual on-premise infrastructure, developers need to
acquire the virtual machine (VM) capacity for computing tasks,
and database capacity for persistence, and they must build a
target infrastructure environment even before implementing
simple programs.

Cloud allows developers to acquire compute,

storage, network infrastructure, and managed services easily and


quickly. Therefore, developers will be motivated to try new ideas
that may drive organizations into new market places.
2.9.3

Secure Applications with Pre-defined Security

Frameworks
Developers do not have to create their own code to allow
industry-standard authentication and authorization techniques in
their web applications. For instance, if an application needs to
make use of several OpenID providers (Microsoft Live, Google ID,
Facebook, or Twitter to name a few) on the Internet, the developer
must manually write forking code to understand multiple tokens,
parse them to a canonical structure, and apply authorization rules
before the user is able to access an application functionality.
Some service providers simplify this whole process through simple
settings. All the required implementation is already configured
51

into a format that the application understands. Such services also


free the developer from understanding the complicated details of
OpenID protocols, and the token technicalities of each OpenID
provider implementation.
2.9.4

New Platform Capabilities

Cloud vendors usually bring new capabilities to market constantly


at an increased rate compared to that of upgrades to on-premise
software packages and operating systems. This is due to the fact
that cloud services run on a standardized hardware and software
platform inside the providers own data centers. This allows the
deployment of features in a controlled manner with predictable
impact to the deployed customer applications. This accelerated
feature delivery allows a developer to take full advantage of the
vendors investments that help their enterprises develop new
solutions.
2.9.5

Up-to-date Application Platforms

Cloud providers easily deliver new releases of technologies. As


soon as there are updated versions, developers can start working
with latest versions. They do not have to be slowed down by onpremise IT deployment latencies anymore. In addition, they are
able to prevent the problems of being slowed down by outdated
infrastructure and maintenance delays. A developer can integrate
the latest development trends into the application as the recent
frameworks and services usually perform with increasingly
52

smaller amounts of code. This is a benefit to the companies they


work for, as well as for the developer himself as this increases his
skills sets.

2.9.6

Improved Reusability of Services

Because of financial restrictions and delivery plans, developers


usually focus on meeting the needs of the current project when
they create and deploy services. Therefore, scalability issues may
occur once consumers are using the services across the
enterprise. With a cloud-based service, the developer does not
need to worry about scalability; the required service will scale up
or down depending on the demand.
2.9.7

Use of Existing skills for Cloud Applications

In many cases, existing core skill sets transfer directly to cloud


technologies. The need for design skills remains. The critical
success factor of the broader adoption of a cloud platform is the
developer ecosystem. Most cloud platforms allow the reuse of the
existing skills either in the Java or .NET space. The cloud platforms
are highly compatible with their on-premise alternatives, making
applications highly portable across deployments. Most of the
server-based web applications and web services can be ported
with minimal or no changes.
Briefly, cloud computing enables developers to build highly
scalable,

available,

reliable,

and
53

high-performance

platform

independent applications, with a shorter time to the market.


Cloud-based mobile application market is expanding at an
exponential rate and it is a market changer and a new industrial
revolution.
2.10 Advantages of Mobile Cloud Computing
Cloud computing is known to be a promising solution for mobile
computing due to many reasons (e.g., mobility, communication,
and portability. In the following, we describe how the cloud can be
used to overcome obstacles in mobile computing, thereby
pointing out advantages of MCC.
1) Extending battery lifetime: Battery is one of the main
concerns for mobile devices. Several solutions have been
proposed to enhance the CPU performance and to manage the
disk and screen in an intelligent manner, to reduce power
consumption. However, these solutions require changes in the
structure of mobile devices, or they require a new hardware that
results in an increase of cost and may not be feasible for all
mobile devices. Computation offloading technique is proposed
with the objective to migrate the large computations and complex
processing from resource-limited devices (i.e., mobile devices) to
resourceful machines (i.e., servers in clouds). This avoids taking a
long application execution time on mobile devices which results in
large amount of power consumption.

54

Many mobile applications take advantages from task migration


and remote processing. For example, offloading a compiler
optimization for image processing [20] can reduce 41% for energy
consumption of a mobile device. Also, using memory arithmetic
unit and interface (MAUI) to migrate mobile game components to
servers in the cloud can save 27% of energy consumption for
computer games and 45% for the chess game.
2) Improving data storage capacity and processing power:
Storage capacity is also a constraint for mobile devices. MCC is
developed to enable mobile users to store/access the large data
on the cloud through wireless networks. First example is the
Amazon Simple Storage Service (Amazon S3) which supports file
storage service. Another example is Image Exchange which
utilizes the large storage space
in clouds for mobile users. This mobile photo sharing service
enables mobile users to upload images to the clouds immediately
after capturing. Users may access all images from any devices.
With cloud, the users can save considerable amount of energy
and storage space on their mobile devices since all images are
sent and processed on the clouds. Flickr and ShoZu are also the
successful mobile photo sharing applications based on MCC.
Facebook is the most successful social network application today,
and it is also a typical example of using cloud in sharing images.
MCC also helps reducing the running cost for compute-intensive
applications that take long time and large amount of energy when
performed on the limited-resource devices. Cloud computing can
55

efficiently support various tasks for data warehousing, managing


and synchronizing multiple documents online. For example,
clouds can be used for transcoding, playing chess or broadcasting
multimedia services to mobile devices. In these cases, all the
complex calculations for transcoding or offering an optimal chess
move that take a long time when perform on mobile devices will
be processed quickly on the cloud. Mobile applications also are
not constrained by storage capacity on the devices because their
data now is stored on the cloud.
3) Improving reliability: Storing data or running applications on
clouds is an effective way to improve the reliability since the data
and application are stored and backed up on a number of
computers. This reduces the chance of data and application lost
on the mobile devices. In addition, MCC can be designed as a
comprehensive data security model for both service providers and
users. For example, the cloud can be used to protect copyrighted
digital contents (e.g., video, clip, and music) from being abused
and unauthorized distribution. Also, the cloud can remotely
provide to mobile users with security services such as virus
scanning, malicious code detection, and authentication. Also,
such cloud-based security services can make efficient use of the
collected record from different users to improve the effectiveness
of the services.
In addition, MCC also inherits some advantages of clouds for
mobile services as follows:

56

_ Dynamic provisioning: Dynamic on-demand provisioning of


resources on a fine-grained, self-service basis is a flexible way for
service providers and mobile users to run their applications
without advanced reservation of resources.
_ Scalability: The deployment of mobile applications can be
performed and scaled to meet the unpredictable user demands
due to flexible resource provisioning. Service providers can easily
add and expand an application and service without or with little
constraint on the resource usage.
_ Multi-tenancy: Service providers (e.g., network operator and
data center owner) can share the resources and costs to support
a variety of applications and large number of users.
_ Ease of Integration: Multiple services from different service
providers can be integrated easily through the cloud and the
Internet to meet the users demands.
2.11

More

Benefits

of

cloud-based

mobile

payment

solutions
From the merchants perspective, cloud-based mobile payment
services may be more flexible by avoiding some POS constraints.
For example, the cloud wallet decouples a purchase from the
payment and can support traditional electronic and alternative
payment methods that may offer less expensive payment options
to the merchant. Implementation of the mobile payment solution
may be easier since new POS hardware is not always required.
From the consumers perspective there are several benefits:
57

Consumer familiarity. Consumer experience with use of other


mobile apps may help them transition more quickly to a cloudbased mobile payment solution than an NFC mobile solution
Ease of use at check-out. The consumer typically inputs an
account number and password, which are authenticated against
his payment credentials stored in the cloud. In the push cloud
model, a customer uses a token23 stored on his mobile phone,
which represents his account credentials, to initiate and complete
a payment transaction
Portability. Because the cloud model is hardware agnostic, a
consumer does not need to move his data if he switches mobile
devices or mobile carriers, or upgrades his phone
Improved security. The cloud solution provides alternative
security for payment credentials by not storing them on the
mobile phone, unless they are stored for back-up.
Tokenization replaces the primary account number (PAN) with a
substitute value called a token to prevent unauthorized access to
the true account number. De-tokenization reverses the process
and redeems the token to access the associated PAN value. The
true PAN value is protected because it can only be determined if
the substitute or token value is known.
Broader availability. Cloud apps are web or browser-based (vs.
native mobile apps which are developed to perform on specific
mobile phone operating systems) and accessible across different

58

device/OS platforms, enabling the apps to run on many different


mobile phones.
2.12 Challenges of Cloud-based mobile payment
Use of cloud-based mobile payment services requires both the
merchant and the consumer to subscribe. While merchants do not
need to implement NFC hardware and software on their terminals,
merchants must work with the mobile payments providers to
implement additional infrastructure to accept cloud payments at
the POS, and the customer must register with each individual
merchant before making a payment. Merchants should also be
aware that some cloud-based transactions may be treated as
card-not-present (CNP), resulting in higher transaction fees.
Cloud payments require Internet connectivity. A transaction may
not work or be interrupted due to connectivity issues, particularly
if access to the cloud fails and there are no back-up payment
credentials stored on the mobile phone. However, the most
notable problem is the lack of quick mobile Internet access.
Transactions may be slow depending on how the wallet is
accessed, what the connection speed is, and how much data must
be entered. A payment transaction may require more time
because transmission to the cloud is slower than NFC to POS. In
the U.S., for example, current 3G coverage is spotty outside urban
areas, leading to intermittent connectivity issues and slow
speeds. Connectivity to the cloud is required at the moment a
59

transaction is made, even more so for transit payments than retail


purchases, so speed is critical. Contingency payment options,
such as NFC, Wi-Fi, plastic card, or a hybrid solution using the
push cloud model to store a token on the mobile phone for offline
transactions, need to be established for cloud payments.
Storing payment credentials in the cloud for a digital wallet is new
and relatively untested with scale. There are still many unknowns
to be addressed. Because payments data can be compromised in
the cloud, it is essential that:
(1) payments data is not transmitted via SMS or e-mail because
these platforms are not encrypted;
(2) payments to the cloud are transmitted between secure,
encrypted endpoints handled either by mobile carrier data
networks or merchant-provided secure Wi-Fi hotspots, and are not
transmitted unencrypted over any network.
Data privacy remains a key concern for payments data stored in
the cloud. Cloud providers control consumer data, so they have
both a legal and ethical responsibility to protect it. They need to
comply with privacy laws and make sure they obtain explicit
consumer

permission

(opt-in)

before

sharing

consumer

information with other businesses, or mining data to companies


interested in monitoring consumer spending behaviors. They need
to make sure their underlying payment services are secure and
resilient. Collaboration between banks and merchants will help to
ensure consistent support for protecting the privacy and security
of the consumer data.
60

2.13

APPLICATIONS OF MOBILE CLOUD COMPUTING

Mobile applications gain increasing share in a global mobile


market. Various mobile applications have taken the advantages of
MCC.

In

this

section,

some

typical

MCC

applications

are

introduced.
A. Mobile Commerce
Mobile

commerce

(m-commerce)

is

business

model

for

commerce using mobile devices. The m-commerce applications


generally fulfill some tasks that require mobility (e.g., mobile
transactions and payments, mobile messaging, and mobile
ticketing). The m-commerce applications can be classified into a
few classes including finance, advertising and shopping. The mcommerce applications have to face various challenges (e.g., low
network

bandwidth,

configurations,

and

high

complexity

security).

of

Therefore,

mobile

device

m-commerce

applications are integrated into cloud computing environment to


address these issues. X. Yang et al [14] proposes a 3G Ecommerce platform based on cloud computing. This paradigm
combines the advantages of both 3G network and cloud
computing to increase data processing speed and security level
based on PKI (public key infrastructure). The PKI mechanism uses
an encryption-based access control and an over-encryption to
ensure privacy of users access to the outsourced data.
B. Mobile Learning

61

Mobile learning (m-learning) is designed based on electronic


learning (e-learning) and mobility. However, traditional m-learning
applications have limitations in terms of high cost of devices and
network, low network transmission rate, and limited educational
resources. Cloud-based m-learning applications are introduced to
solve these limitations. For example, utilizing a cloud with the
large storage capacity and powerful processing ability, the
applications provide learners with much richer services in terms of
data (information) size, faster processing speed, and longer
battery life. W. Zhao [15] presents benefits of combining mlearning and cloud computing to enhance the communication
quality

between

students

and

teachers.

In

this

case,

smartphone software based on the open source JavaME UI


framework and Jaber for clients is used. Through a web site built
on Google Apps Engine, students communicate with their
teachers at anytime. Also, the teachers can obtain the information
about students knowledge level of the course and can answer
students questions in a timely manner. In addition, a contextual
m-learning system based on IMERA platform shows that a cloudbased m-learning system helps learners access learning resources
remotely.
Another example of MCC applications in learning is Cornucopia
implemented for researches of undergraduate genetics students
and Plantations Pathfinder designed to supply information and
provide a collaboration space for visitors when they visit the
gardens. The purpose of the deployment of these applications is
62

to help the students enhance their understanding about the


appropriate design of mobile cloud computing in supporting field
experiences.
C. Mobile Healthcare
The purpose of applying MCC in medical applications is to
minimize the limitations of traditional medical treatment (e.g.,
small physical storage, security and privacy, and medical errors).
Mobile healthcare (m-healthcare) provides mobile users with
convenient helps to access resources (e.g., patient health records)
easily and quickly. Besides, m-healthcare offers hospitals and
healthcare organizations a variety of on-demand services on
clouds rather than owning standalone applications on local
servers. There are a few schemes of MCC applications in
healthcare.
U.

Varshney

[16]

presents

five

main

mobile

healthcare

applications in the pervasive environment.


Comprehensive health monitoring services enable patients
to

be

monitored

at

anytime

and

anywhere

through

broadband wireless communications.


Intelligent emergency management system can manage and
coordinate the fleet of emergency vehicles effectively and in
time when receiving calls from accidents or incidents.
Health-aware mobile devices detect pulse-rate,

blood

pressure, and level of alcohol to alert healthcare emergency


system.

63

Pervasive access to healthcare information allows patients or


healthcare providers to access the current and past medical
information.
Pervasive lifestyle incentive management can be used to pay
healthcare expenses and manage other related charges
automatically .
Similarly, C. Doukas et al

proposes @HealthCloud, a prototype

implementation of m-healthcare information management system


based on cloud computing and a mobile client running Android
operating system (OS). This prototype presents three services
utilizing the Amazons S3 Cloud Storage Service to manage
patient health records and medical images.
Seamless connection to cloud storage allows users to
retrieve, modify, and upload medical contents (e.g., medical
images, patient health records and bio signals) utilizing web
services and a set of available APIs called REST.
Patient health record management system displays the
information regarding patients status, related bio signals
and image contents through applications interface.
Image viewing support allows the mobile users to decode the
large image files at different resolution levels given different
network availability and quality.
For practical system, a telemedicine homecare management
system is implemented in Taiwan to monitor participants,
especially for patients with hypertension and diabetes. The
system monitors 300 participants and stores more than 4736
records of blood pressure and sugar measurement data on the
64

cloud. When a participant performs blood glucose/pressure


measurement via specialized equipment, the equipment can send
the measured parameters to the system automatically, or the
participant can send parameters by SMS via their mobile devices.
After that, the cloud will gather and analyze the information about
the participant and return results. The development of mobile
healthcare clearly provides tremendous helps for the participants.
D. Mobile Gaming
Mobile game (m-game) is a potential market generating revenues
for service providers. M-game can completely offload game
engine

requiring

large

computing

resource

(e.g.,

graphic

rendering) to the server in the cloud, and gamers only interact


with the screen interface on their devices. Offloading (multimedia
code) can save energy for mobile devices, thereby increasing
game playing time on mobile devices. E. Cuervo, proposes MAUI
(memory arithmetic unit and interface), a system that enables
fine-grained energy-aware offloading of mobile codes to a cloud.
Also, a number of experiments are conducted to evaluate the
energy used for game applications with 3G network and WiFi
network. It is found that instead of offloading all codes to the
cloud for processing, MAUI partitions the application codes at a
runtime based on the costs of network communication and CPU
on the mobile device to maximize energy savings given network
connectivity. The results demonstrate that MAUI not only helps
energy reduction significantly for mobile devices (i.e., MAUI saves
27% of energy usage for the video game and 45% for chess), but
65

also improves the performance of mobile applications (i.e., the


games refresh rate increases from 6 to 13 frames per second).
E. Other Practical Applications
A cloud becomes a useful tool to help mobile users share photos
and video clips efficiently and tag their friends in popular social
networks as Twitter and Facebook. MeLog is an MCC application
that enables mobile users to share real-time experience (e.g.,
travel, shopping, and event) over clouds through an automatic
blogging. The mobile users (e.g., travelers) are supported by
several cloud services such as guiding their trip, showing maps,
recording itinerary, and storing images and video.
2.14 OTHER MOBILE PAYMENT TECHNOLOGIES
QR code for mobile payments at POS
Today, mobile phones with cameras can be used with barcodes to
perform various functions, including mobile payments and loyalty
programs. QR code use has expanded in the past year, providing
incentive for consumers to use their smartphone cameras and
related mobile apps to scan barcodes to access sites on the
Internet, download products, find reviews and information, or pay
for purchases.26
To initiate a POS mobile barcode payment, the customer opens a
previously loaded mobile app for the selected merchant. The
mobile app generates a dynamic QR code, which the customer
scans at the POS terminal scanner, (which may be another mobile
device enabled with a downloaded reader).
66

The merchants POS system uses the consumers account


information obtained from the barcode to retrieve his payment
credentials from the cloud and process the payment over the card
network. The consumers real payment credentials are not stored
on the mobile phone or merchant terminal. Barcodes can be
susceptible to a number of security risks. Malicious QR codes can
contain URLs with hidden malware, or redirect to a fake websites
to commit fraud, download malware, or phish for credentials.
Because of their small screens, smartphones are more prone to
phishing scams which try to trick victims into entering sensitive
details to a fraudulent website that looks legitimate. If the
barcode implementation is not for a proprietary system, the risk
of fraud increases.
There are several tools that could help minimize security risks
associated with barcodes, including anti-virus and anti-malware
on smartphones. For some barcode payments apps, such as the
Starbucks app, customers can add passcode protection to prevent
use of the app if the phone is lost or stolen. Also, a customer must
enter an ID and password to reload the Starbucks account.
Direct Carrier Billing (DCB)
Direct carrier billing is not accepted at physical retail locations in
the United States, but can be used to purchase digital content
such a ringtones and wallpapers from online stores or make
charitable donations, e.g., to the Red Cross for the Haiti
earthquake, and most recently for Hurricane Sandy. AT&T,
Verizon, T-Mobile and Sprint have all launched DCB services in the
67

last several years. And acceptance of DCB payments by several


large online companies, such as Google and Facebook, may
increase adoption.
To make a DCB payment, the customer enters his mobile phone
number during the online checkout process. The DCB service
provider sends an SMS message containing a PIN code to the
customers mobile phone. The customer either enters the PIN on
the checkout screen or responds to the SMS message from his
mobile phone. The charge is then applied to the customers
monthly mobile phone bill.
DCB offers a simple and convenient method for consumers to pay
for low value digital goods and services. Since customers already
have existing relationships with their mobile carriers, they do not
have to share their payment credentials with third party
providers. There is also a reduced risk that the purchaser is not
the account holder. To manage carrier risk, DCBs set different
transaction value limits depending on the carrier. Initially set at
$25, limits have increased to $100-200 based on increased
consumer use.
There are risks associated with using DCB; cramming being one of
the most serious. While all mobile payment methods are
susceptible to fraud, cramming is unique to DCB. According to the
FCC,

cramming

is

the

practice

of

placing

unauthorized,

misleading or deceptive charges on a customers telephone bill.


Crammers rely on confusing telephone bills to trick consumers
into paying for services they did not authorize or receive, or that
68

cost more than the consumer was led to believe. A crammer


charges a customers account without the customers full
knowledge or full understanding of the transaction. The charges
go through undetected because they are labeled as phone-related
services (e.g., voicemail, collect calls) or they are generic
recurring charges (e.g., membership, subscriptions). Consumers
must proactively check their bills carefully to make sure they are
not victims of cramming. The FCC recently introduced the Truthin-Billing rule in order to prevent cramming. It requires MNOs to
organize bills with a clear, specific layout accompanied by
understandable descriptive language for describing services for
which a customer is being billed.
Compared to other mobile payment methods that are cleared and
settled over traditional payment networks (e.g. credit, debit, and
ACH) and governed by bank regulations that limit consumer
liability, DCB mobile payments do not provide the same clarity of
coverage and consumer protection. Carrier-offered protections are
inconsistent. Examples of differences in protections include
charges related to lost or stolen devices, late fees, reporting of
disputed charges, and requesting refunds. Unless mobile carriers
offer protections which are on par with credit or debit card, there
is a financial risk to the consumer that differs from other financial
instruments covered by Reg. E or Reg. Z.
2.15 What is new about cloud computing?

69

The computer pioneer John McCarthey has already predicted back


in 1961 that computation may someday be organized as a public
utility(in Foster et al. 2008). This statement and the reflections
on computing history show that cloud computing is no entirely
new idea. Critics may even say that cloud computing is simply
another name for grid computing. However, although cloud
computing and grid computing have a lot in common, there are
also some differences. According to Foster (2002), grid computing
describes a system that coordinates resources which are not
subject to centralized control, using standard, open, generalpurpose protocols and interfaces to deliver nontrivial qualities of
service. Foster et al. (2008) identified the main differences
regarding security aspects, programming, compute and data
model, abstractions, applications and the business model. Todays
clouds usually do not focus on the coordination of distributed
infrastructure resources that are under the control of various
parties. Instead, cloud computing providers commonly manage
their own infrastructure that is probably more homogeneous than
that of a typical grid. The reason for this lies in the different
objectives of the two concepts. While cloud computing addresses
Internet-scale computing problems, utilizing a large pool of
computing and storing resources, grid computing aimed at largescale computing
problems by harnessing a network of resource-sharing commodity
computers, dedicating resources to a single computing problem
(Foster et al. 2008). Computing grids were designed upon the
70

assumption that resources are heterogeneous and dynamic, being


owned by different parties who want to remain their own
administration domain and operating autonomy. This is the
reason, why security is a fundamental aspect of the grid
computing architecture. According to Foster et al. (2008) this is
another important distinguishing factor between these two
concepts.
Another difference can be found regarding the computation
model.

While

cloud

computing

harnesses

the

power

of

virtualization to allow users to share resources simultaneously,


most computing grids use a batch-scheduled computing model.
Meaning that dedicated resources are governed by a queuing
system, potentially long queuing times might occur in grid
computing. Thus, most grids are not supporting interactive
applications natively. Also the business models of both concepts
differ significantly. The business model of grid computing is
typically project oriented, where users are assigned a certain
number of service units (i.e. CPU hours), which they can spend. In
contrast, cloud computing is based on a consumption basis,
where users can utilize as many resources as they need and only
pay for what they have consumed (Foster et al. 2008).
Concluding, Foster et al. (2008) claim that both grid and cloud
computing share the same vision, to reduce the cost of
computing,

increase

reliability,

and

increase

flexibility

by

transforming computers from something that we buy and operate


ourselves to something that is operated by a third party.
71

However, they predict that in future local systems and large-scale


infrastructure providers will coexist, distributing load dynamically.
As Figure 6 shows, Foster et al. see an overlap of grid and cloud
computing, where the first one is more application oriented and
the latter one more service oriented. Computing grids may be
used as infrastructure basis for cloud computing, maybe they
even

become

more

service

oriented.

Nevertheless,

grid

computing will probably remain a domain of scientific computing,


ensuring dedicated resources and high security standards.

Figure 2.2:

An overview of grid and cloud computing (Foster

et al. 2008)
72

Another concept that is often mentioned in conjunction with cloud


computing is Software-as-a-Service (SaaS). SaaS can be regarded
as the top layer in the presented cloud computing model.
Nevertheless, traditional SaaS models, occurring around the year
2000, are based on a regular (e.g. monthly) fee for service
provision, independent of whether the service was used or not
(Buxmann

et

al.

2008).

Thus,

traditional

SaaS

can

be

differentiated from cloud computing, which is grounded in


consumption based pricing, where users only pay for what they
have consumed.
Concluding, we see cloud computing as a set of preexisting
technologies that offers some new features. Probably the most
evident

feature

is

the

elasticity

cloud

computing

offers.

Computing resources as well as higher level services such as


software can be utilized on-demand. In conjunction with this one
must also mention the pay-per-use pricing model, which does not
require any long term commitment and only charges for what has
been consumed. In addition cloud computing is not restricted to
certain users or institutions, but open for everybody, offering
large computing resources to everyone with a credit card.
Compared to grid computing, the cloud computing concept offers
a higher level of abstraction. Development platforms increase the
user friendliness by for example offering graphical user interfaces,
application

programming

interfaces

(API)

and

automatic

scalability. Thus, cloud computing is accessible for a larger group


of people, both developers and end-users. However, in our
73

opinion, the really new about cloud computing is not the


technology behind, but the IT service ecosystem it shapes. The
innovation of cloud computing is the way of how IT resources are
deployed, allowing different actors to provide, consume and
aggregate services on different levels. This simple deployment
model reduces the entry barriers and builds the basis for a fast
growing services landscape, where different actors provide
various services to solve individual problems.

2.16 NEAR FIELD COMMUNICATION


NFC is a standards-based wireless communication technology that
allows data to be exchanged between devices that are a few
centimeters apart. NFC-enabled mobile phones incorporate a
smart chip (called a secure element) that allows the phone to
store the payment application and consumer account information
securely and use the information as a virtual payment card. NFC
payment transactions between a mobile phone and a POS
terminal use the standard ISO/IEC 14443 communication protocol
currently used by EMV and U.S. contactless credit and debit cards
that allows the mobile phone to simulate a physical contactless
card. There are three NFC approaches for processing and storing
sensitive consumer data in the mobile phone. Mobile payment
stakeholders, including mobile network operators (MNO), financial
institutions, card issuers, merchants, and payment processors,
decide which option(s) to implement. Each approach is hardware74

based and differs primarily on the placement of the secure


element in the mobile phone.
The secure element is essentially the component within the
mobile device that provides the application, the network and the
user

with

the

appropriate

level

of

security

and

identity

management to assure the safe delivery of a particular service. It


is an encrypted smart card chip6 that contains a dedicated
microprocessor with an operating system, memory, an application
environment, and security protocols, built to exacting standards
and

developed

and

delivered

in

controlled

white

room

manufacturing environments. The secure element is used to


safely store and execute sensitive applications, such as payment
applications, on a mobile device, and store associated payment
credentials and financial data.
Encryption is an important component of the secure element,
and plays a critical role in mitigating fraud during a mobile
payment transaction by converting payment data into a form
unintelligible

to

cryptographic
determine

everyone

key.

the

except

Cryptographic

output

of

an

holders
keys

encryption

of

are

unique

values

algorithm

that
when

transforming plain text to encrypted text. The longer the key, the
more difficult it is to decrypt the text in a given message. Key
rotation7 is the process of decrypting data with the old
encryption key and re-keying the data with the new encryption
key.

Encryption

protects

consumer

and

transaction-level

information against unauthorized access or disclosure, from the


75

initial encryption step to the decryption step. Encryption can


protect data during transmission and while at rest.
2.17 Secure Element Placement Options
The most common secure element implementations include: a)
embedded (or hard-wired) in the mobile phone, b) loaded on a
SIM8 card, and c) loaded on a microSD card. This section will
examine each approach and compare the benefits and security
features.
a) Embedded Secure Element
In the embedded NFC model, the secure element is soldered onto
hardware

in

the

mobile

phone.

The

original

equipment

manufacturer (OEM) procures space on the secure element for


issuing banks or other mobile payment providers, and is
responsible for safely distributing the secure elements in the
mobile handsets to consumers, who purchase embedded NFC
mobile phones at various mobile retailers. MNOs coordinate with
the handset manufacturers to ensure that authorized operating
systems/applications (e.g., iOS, Android) work with the secure
element.

76

Fig 2.3

Embedded secure element

An embedded secure element provides a common architecture for


application

developers,

independent

of

the

mobile

phone

technologyGSM or CDMA. A larger antenna built into the


handset also offers a stronger communication signal between the
mobile phone and merchant terminal. And, because secure
elements are built into mobile devices during the manufacturing
process, they are relatively tamper-proof and less costly to
produce relative to SIM and microSD options.9
9

Industry

analysts

report

that

major

manufacturers

are

increasing the number of shipments of embedded secure


elements. Edgar, Dunn & Company, Advanced Payments Report
2012, March 2012.
One disadvantage of an embedded secure element is that it is not
portable,

making

it

difficult

to

transfer

mobile

payment

applications and credentials between handsets. This may be


77

inconvenient

for

consumers

when

they

need

to

transfer

credentials and applications from an old phone to a new one.


However, some mobile services and operating systems enable
data on the embedded chip to be transferred over-the-air (OTA) to
the new phone. OTA technology transmits data using a wireless
network and protects the information exchange by using a secure
end-to-end communication link to the secure element. It also
provides strong security by using double encryption, in which the
OTA messages are encrypted with two sets of unique keys the
MNO key and the service provider key. Once the secure element is
activated on the new mobile phone, a customers payment
credentials must be wiped from the old device. However this
process is not a standard requirement when provisioning the
mobile phone and should be addressed by the mobile payments
providers.

(For

example,

Googles

mobile

wallet

payments

strategy is built around the OTA option.)


b) Secure Element in the SIM Card
A SIM (Subscriber Identity Module) is a removable smart card
used in many mobile phones. Each SIM card can hold multiple
applications. GSM phones use the SIM card, while CDMA phones
use their own version called CSIM (CDMA2000 SIM). For mobile
payments, the SIM card performs the secure element function.
The SIM card communicates with the NFC controller in the mobile
handset through a Single Wire Protocol (SWP). Using the SIM card
as a secure element is considered safe because it is personalized,
78

remotely manageable over-the-air, and uses standard transport


protocols developed by global telecom standards bodies. The
MNO owns the SIM card11 and creates secure partitions or
domains in the SIM for third parties (e.g., banks, retailers, and
transit authorities) to rent for their mobile applications. The MNO
provides each third party with a unique security key to access its
domain. The keys are also known to the SIM.
One advantage to using the SIM approach is that the secure
element can use information contained on the SIM (such as its
unique serial number (ICCID) and the international mobile
subscriber identity (IMSI)) to link to an individual consumer. This
provides an additional layer of security and also simplifies the
changeover process when a consumer upgrades his mobile
phone,

as

the

SIM

is

easily

removable.

MNOs

can

also

communicate with, download applications to, and manage a SIM


card/secure element remotely over-the-air. If a handset is lost or
stolen, it can be locked or remotely wiped to prevent any
unauthorized account access.
There are some drawbacks to this approach. Because the MNO
owns and controls the SIM, a mobile operating system has
restricted access to the secure element in the mobile device.
Furthermore, the MNO also controls which third parties or financial
institutions can add payment applications or wallets, and what
fees they pay to use the SIM as the secure element.

79

Fig 2.4

Embedded secure element in sim card

c) Secure Element in microSD card


The third option is to put the secure element in a microSD card,
which is a memory card used to store data. It is designed to
integrate with the mobile phone by fitting into a specially
designed slot on the device. Like embedded and SIM NFC phones,
NFC-enabled microSD cards communicate with apps to enable
mobile payments. The full NFC microSD card model employed in
the U.S. contains the secure element, security domain, NFC chip,
and antenna.
In the third option, payment card data is also encrypted and
stored in the secure element, but the secure element resides in
the microSD card.
80

Fig 2.5

Embedded secure element in Micro SD card

Unlike the SIM and embedded secure element options, there are
three ways to issue, provision and distribute an NFC-enabled
microSD card to the consumer:
(1) Card-issuing financial institution provides the microSD card.
(2) Retailer provides a blank microSD card to the end consumer,
similar to a prepaid card.
(3)

MNO bundles

the microSD

with

phone

or

sells

it

independently of a phone.
Implementing an NFC-enabled microSD card solution can speed
deployment of mobile contactless payment services by allowing a

81

consumer to insert the microSD card into his existing mobile


smartphone to begin making mobile payments.
Over the past few years, several U.S. banks, card networks, and
transit authorities have piloted mobile payments using microSD
cards to test several concepts: easier implementation, ability to
enable contactless payments in consumers mobile phones more
quickly, ability to test the NFC technology without needing SIM or
embedded NFC chips, and consumer interest. The pilots were
relatively limited in scale, providing useful information on
consumer experiences using a mobile phone for POS purchases,
but also identified a number of technical problems, such as:
1. Weak radio signal and interference caused by:
Size and location of the antenna. If the antenna is too
small, it may result in a weaker radio signal and be subject
to interference.
Physical location of the microSD card slot on the mobile
phone.
Material of a mobile phones casing. Metal casing tends
to cause signal interference and weaker reception.
Protective and decorative external covers. Additional
covers on a mobile device can cause signal issues and
become a barrier to the radio signals.
Embedded

antennae.

Communication

conflicts

and

unexpected radio interference may occur when both the

82

mobile device and the microSD card have embedded


antennae.
2. Compatibility issues with mobile phones that are not
equipped with microSD slots.
3. MicroSD cards are typically mono-band, meaning that they
can support only a single application or payment account. If
consumers have multiple mobile payment and/or loyalty
accounts from different sources, they may need a microSD
card for each applicationone from each bank, carrier, or
other provider with which the customer has accounts. In
contrast, a SIM card or embedded NFC chip can be
segmented into multiple secure compartments to support
multiple applications. While the microSD approach may be
more suitable for an issuer of a single closed mobile
payment application, it can be more complicated and much
less convenient for the consumer.
Other consumer risks associated with a microSD card make its
long-term survival doubtful.
While consumers can transfer microSD cards from one
mobile phone to another, the cards are tiny and fragile, and
frequent removal and insertion into a mobile device increase
the risk of loss or damage.
Portability provides opportunity for an unauthorized person
to easily gain access to the payment information on the
83

microSD card because there is no lock or PIN to prevent


anyone from opening the phone and removing it.
Issuers must handle and protect microSD cards in the same
manner as they handle plastic cards when distributed and
mailed to consumers.
Finally, it is unclear whether specific standards for microSD cards
exist today in the U.S., particularly to manage how microSD card
slots securely communicate with user interfaces and support
communication between the microSD secure element and the
NFC controller on a mobile device.

2.18 BENEFITS OF NFC-TYPE MOBILE PAYMENTS


NFC-based

contactless

payments

are

considered

extremely

secure; there is no empirical evidence to the contrary. Whether or


not empirical evidence exists, using NFC technology for mobile
payments offers many security benefits.
(1) Payment credentials are stored in the secure element in the
mobile wallet. Different passwords can be set-up to log on to the
mobile device, and to activate the payment application that
accesses the payment credentials in the secure element.
(2) When not in use, the NFC antenna can be disabled until
needed so that unauthorized users cannot access the wallet.
(3) NFC is an extension of EMV15 chip technology, with the radio
interface added. When a mobile payment begins, EMV secures the
84

payment transaction with dynamic data authentication (DDA),


which uses an encryption key to generate unique, dynamic data
values to authenticate the transaction when it is authorized by
the

card

network.

These

values

are

only

valid

for

one

authentication. If a thief tries to re-use the payment account data,


it will be out of sync with the number stored by the card issuer
and rejected, making it harder to skim usable data and clone for
counterfeiting. (In contrast, the signature used for static data
authentication is the same every time.) EMV provides end-to-end
security with chip+ PIN credit cards in most developed
countries today.
Other benefits of NFC payments include eliminating the cost of
plastic

card

provisioning,

using

the

existing

clearing

and

settlement channels, and providing the possibility for the


transaction to be card present vs. card not present (CNP),
which reduces risks associated with CNP and lowers interchange
fees.
2.19 CHALLENGES OF NFC-TYPE MOBILE PAYMENTS
For NFC mobile payments to succeed, several challenges related
to technology, implementation, and consumer adoption must be
resolved. Few mobile phones are currently enabled for use with
either SIM or embedded NFC secure element chips, although more
handset manufacturers are beginning to embed NFC chips in their
mobile phones or on SIM cards as a basic component. More
merchants must invest in upgrading their POS terminals to enable
85

two-way NFC, a long-standing barrier to adoption. Work still needs


to be done to develop an agreed upon set of technology
standards for mobile phones, chips, and secure elements, and
standards for provisioning and maintaining mobile payment
credentials.

Yet

the

number

of

cross-industry

participants

engaged in the mobile payment process/value chain continues to


grow, further complicating business models and customerownership. Finally, we need to remember that many consumers
are still unfamiliar with NFC technology and require not only
incentives, but also education regarding its safety and security
when used for mobile payments, particularly with a mobile wallet.
The Role of Cloud Computing within NFC Ecosystem
Having several parties involved in the NFC ecosystem with a lack
of

standards

components

to
and

define

their

applications,

roles

and

means

accesses

that

to

NFC

companies

are

increasingly considering using the cloud environment as a single


entity to make things easier (Alliance, 2011). Moreover, cloudbased payment solution can help the adaption of NFC as they only
require

downloadable

applications

for

both

retailers

and

customers. However, it might bring more openness towards the


security of customers credentials (e.g. bank account details), but
in terms of flexibility and manageability, it makes the whole
process much clearer and easier to handle (Losup et al., 2011).
Cloud computing introduces a new method of storing payment
credentials which improves the manageability of the NFC
86

ecosystem. Rather than having all the sensitive information in the


NFC handset, the cloud can store this information and transmit it
when required. When a client scans his NFC phone on the
merchants POS terminal, encrypted payment credentials are
taken out from a virtual SE that is stored in the cloud and
transfers to the SE that is stored in the NFC handset. The purpose
of having a SE in an NFC handset is to provide temporary storage
in order to store authentication assets. Once payment credentials
reached the NFC phone, they are again pulled out to get
transmitted to the merchants terminal in order to perform the
transaction.

In

this

scenario,

the

communication

between

merchants terminal and NFC phone is established through an


NFC link. The cloud solution enables the client to manage
transaction data by using a cloud-based payment application that
is subscribed by both client and merchant. The payment
application is accessible via a mobile phone using either email or
a mobile browser and the transaction report can be in the form of
a Short Message Service (SMS), email or just a sound. Examples
of this approach include PayPal and PayCloud Mobile Wallet
(PayPal, 2013; Alliance, 2011). Although in this approach, most of
the focus has been towards vendor gift cards, the cloud-based
approach is also feasible in open payment systems.
Development of this approach can be easy for vendors as they
are not required to install new POS terminals. Thus, this approach
gives the opportunity to vendors to better differentiate and
customize applications. Another advantage that this solution
87

offers to vendors is that, in the case of operating a different


payment type, the solution might be lower costs for the vendor.
Moreover, clients are already familiar with this type of payment
methods (i.e. PayPal).
As cloud-based NFC payments might be treated as card-notpresent in some cases, it is more likely that the transaction fees
will be higher than the normal card payments. Furthermore, in
order to execute a transaction, a connection is required to the
cloud. Executing a transaction may not be possible if this
connectivity is somehow interrupted. In addition, some security
issues may arise from using email and SMS that can be the sign of
a transaction notification. As the current payment infrastructure is
not leveraged, there might be a possibility that a vendor should
install a non-standard application in order to process a payment.
Replacement of current POS terminals with NFC terminals may be
required, as the POS has to be capable of communicating with an
NFC enabled phone. The transaction execution performance
depends on the network connection speed, data capacity and the
way that wallets data are accessed. Last but not least, both client
and vendor have to sign up with the cloud service provider to use
its services (Kounelis et al, 2012; Alliance, 2011; Ko et al., 2011).
2.20 REVIEW OF PAST LITERATURES
2.20.1

A SURVEY OF MOBILE CLOUD COMPUTING:

ARCHITECTURE, APPLICATIONS, AND APPROACHES,


Hoang T. Dinh, Chonho Lee, Dusit Niyato, and Ping Wang
88

By

This paper gives a survey of Mobile Cloud Computing, which helps


general readers have an overview of the Mobile Cloud Computing
including the definition, architecture, and applications. The issues,
existing solutions and approaches are presented. In addition, the
future research directions of Mobile Cloud Computing are
discussed. The paper presents a comprehensive survey on mobile
cloud computing providing a brief overview of MCC including
definition, architecture, and its advantages. It also presented
several issues that arise in Mobile Cloud Computing and
approaches to address the issues. Some of the open issues
discussed are outlined below.
A. Low Bandwidth
Although many researchers propose the optimal and efficient way
of bandwidth allocation, the bandwidth limitation is still a big
concern because the number of mobile and cloud users is
dramatically increasing. We consider that 4G network and
Femtocell are emerging as promising technologies that overcome
the limitation and bring a revolution in improving bandwidth.
B. Network Access Management
An efficient network access management not only improves link
performance for mobile users but also optimizes bandwidth
usage. Cognitive radio can be expected as a solution to achieve
the wireless access management in mobile communication
environment. Cognitive radio increases the efficiency of the
89

spectrum utilization significantly, by allowing unlicensed users to


access the spectrum allocated to the licensed users. When this
technique is integrated into MCC, the spectrum can be utilized
more efficiently, the spectrum scarcity can be solved and thus
millions of dollars for network providers can be saved. However,
cognitive radio is defined as wireless communication technology
in which each node communicates via an optimal wireless system
based

on

recognition

of

radio

resource

availability

in

heterogeneous wireless communication environment. Therefore,


mobile users in MCC must be able to detect this radio resource
availability (through spectrum sensing) while ensuring that the
traditional services will not be interfered.
C. Quality of Service
In MCC, mobile users need to access to servers located in a cloud
when requesting services and resources in the cloud. However,
the mobile users may face some problems such as congestion
due

to

the

limitation

of

wireless

bandwidths,

network

disconnection, and the signal attenuation caused by mobile


users

mobility.

They

cause

delays

when

users

want

to

communicate with the cloud, so QoS is reduced significantly. Two


new research directions are CloneCloud and Cloudlets that are
expected to reduce the network delay.
D. Pricing
Using services in MCC involves with both mobile service provider
(MSP) and cloud service provider (CSP). However, MSPs and CSPs
have different services management, customers management,
90

methods of payment and prices. Therefore, this will lead to many


issues, i.e., how to set price, how the price will be divided among
different entities, and how the customers pay. For example, when
a mobile user runs mobile gaming application on the cloud, this
involves the game service provider (providing a game license),
mobile service provider (accessing the data through base station),
and cloud service provider (running game engine on data center).
The price paid by the game player has to be divided among these
three entities such that all of them are satisfied with the division.
It is clear that the business model including pricing and revenue
sharing has to be carefully developed for MCC.
E. Standard Interface
Interoperability becomes an important issue when mobile users
need to interact and communicate with the cloud. The current
interface between mobile users and cloud are mostly based on
the web interfaces. However, using web interfaces may not be the
best option. First, web interface is not specifically designed for
mobile devices.

Therefore,

web interface may

have more

overhead. Also, compatibility among devices for web interface


could be an issue.
F. Service Convergence
The development and competition of cloud service providers can
lead to the fact that in the near future these services will be
differentiated according to the types, cost, availability and quality.
Moreover, in some cases, a single cloud is not enough to meet
mobile users demands. Therefore, the new scheme is needed in
91

which the mobile users can utilize multiple cloud in a unified


fashion. In this case, the scheme should be able to automatically
discover and compose services for user. One of the potential
solution of this issue is the sky computing, which will be the next
step of cloud computing. Sky computing is a computing model
where resources from multiple clouds providers are leveraged to
create a large scale distributed infrastructure. Similarly, the
mobile sky computing, will enable providers to support a crosscloud communication and enable users to implement mobile
services and applications. However, to offer a service to mobile
user in a unified way, the service integration (i.e., convergence)
would need to be explored.

2.20.2

A PROPOSED NFC PAYMENT APPLICATION by

Pardis Pourghomi,
Ghinea(2013)

Muhammad Qasim Saeed,

(IJACSA)

International

Journal

Gheorghita
of

Advanced

Computer Science and Applications, Vol. 4, No. 8, 2013


Near Field Communication (NFC) technology is based on a short
range radio communication channel which enables users to
exchange data between devices. With NFC technology, mobile
services establish a contactless transaction system to make the
payment methods easier for people. Although NFC mobile
services have great potential for growth, they have raised several
issues which have concerned the researches and prevented the
92

adoption of this technology within societies. Reorganizing and


describing what is required for the success of this technology
have motivated the researchers to extend the current NFC
ecosystem models to accelerate the development of this business
area. In this paper, they introduce a new NFC payment
application, which is based on their previous NFC Cloud Wallet
model to demonstrate a reliable structure of NFC ecosystem. They
also described the step by step execution of the proposed
protocol in order to carefully analyze the payment application and
the main focus will be on Mobile Network Operator (MNO) as the
main player within the ecosystem.
The execution of the model is described in what follows:
1) Customer waves the NFC enabled phone on the POS terminal
to make the payment
2) The payment application is downloaded into customers mobile
phone SE.
3) The reader communicates with the cloud provider to check
whether the customer has enough credit or not.
4) Cloud provider transfers the required information to the reader.
5) Based on the information which was transferred to the reader,
the reader either authorizes the transaction or rejects customers
request.
6) Reader communicates with the cloud to update customers
balance - if customers request was authorised, the amount of
purchase

will

be

withdrawn

from

his

account

customers account will remain with the same balance.


93

otherwise

PROPOSED MODEL
The authors proposed an extension to previously proposed NFC
Cloud Wallet model. Since there are multiple options applicable to
this model, they designed the model based on the following
assumptions:
SE is part of SIM
Cloud is part of MNO
MNO is managing SE/SIM
Banks, etc. are linked with MNO
These assumptions are appropriate regarding the NFC execution
process and its ecosystem. As mentioned in Section IIIpreviously,
SE is in the format of UICC therefore SE is part of the SIM. MNO
manages the cloud infrastructure and it is the only party that has
full access and permission to manage confidential data which are
stored in the cloud. As MNO is the owner of the cloud, it fully
manages the SIM in terms of monitoring the GSM network and
controlling clouds data. From the financial institutions point of
view, they only deal with MNO as MNO is the single party that has
full control over the SIM as well as the cloud.
The Proposed Protocol
This proposal is based on cloud architecture where the cloud is
being managed by the Mobile Network Operator MNO. The cloud
and the banking sector are the subsystems of MNO, in addition to
the existing subsystems of an MNO. Assumption is made that the
94

communication is secure between various subsystems of the


MNO. The shop POS terminal, registered with one or more MNO,
shares an MNO specific secret key Kp with the corresponding
MNO. This key is issued once a shop is registered with the MNO.
The bank detail of the shopkeeper is also registered with the MNO
for monetary transactions. The communication between the shop
POS terminal and the mobile device is wireless using NFC
technology. The mobile device has a valid SIM. We used the
existing feature of GSM network for mutual authentication. We
tailored their model according to our requirement in our proposed
architecture.
The proposed protocol executes in three different phases:
Authentication, Keys generation and Transaction. The protocol
initiates when the customer places his cell phone for the payment
after agreeing to the total price displayed on the shop POS
terminal. The details of these phases are described in what
follows:
Phase 1. Authentication
Step 1: As soon as the user places his mobile device, NFC link
between the mobile device and the shop POS terminal is
established. The shop POS terminal sends an ID Request message
to the mobile device.
Step 2-3: The mobile device sends TMSI, LAI as itsID. On receipt
of the information from the mobile device, the shop POS terminal
determines the user's mobile network. The network code is
available in LAI in the form of Mobile Country Code (MCC) and
95

Mobile Network Code (MNC). An MNC is used in combination with


MCC (also known as a MCC/MNC tuple) to uniquely identify a
mobile phone operator/carrier.
Step 4-5: The shop POS terminal sends TMSI, LAI, and Shop ID to
respective

MNO

for

customer

authentication

and

shop

identification.
Step 5.1: In case of incorrect TMSI, a declined message is sent.
Step 6: In case of correct identification, the MNO generates one
set of authentication triplet (R, S, Kc) and sends R to mobile
device through shop POS terminal.
Step 7-8: SIM computes Kc from R as explained in Section V. SIM
generates a random number Rs and concatenates with R,
encrypts with key Kc and sends it to the MNO through shop POS
terminal.
Step 9-10: The MNO checks the validity of the SIM (or mobile
device). It receives EKc(R||Rs) from the mobile device and
decrypts the message by Kc, the key it already has in
authentication triplet. The MNO compares R in the authentication
triplet with the R in the response. In case they do not match, a
Stop message is sent to the mobile device and the protocol
execution is stopped. If both R are same, then the mobile is
authenticated for a valid SIM. In this case, the MNO swaps R and
Rs, encrypts with Kc and sends it to mobile device.
Step 11-12: This step authenticates the MNO to the mobile
device. The mobile device receives the response EKc (Rs||R) and
96

decrypts it with the key Kc already computed in Step 7. The


mobile device compares both R and Rs. If both are same, then the
MNO is authenticated and a successful authentication message
is sent to the MNO.
C. Phase 2. Key Generation and PIN Verification
Step 13-14:Kp is a shared secret between the MNO and the shop
POS terminal. Kc is the shared secret between the MNO and the
customer's mobile device (computed in step 7). There is no
shared secret between the POS terminal and the mobile device till
this stage. MNO and mobile device compute one-way hash
function of Kc to generate Kc1, the key that will be used for MAC
calculation. The MNO computes Kc2 from Kc1 using one-way hash
function and sends it to shop POS terminal by encrypting it with
Kp. Mobile device also computes Kc2 as it already has Kc1 . Kc2 is
the encryption key between MNO, shop POS terminal and the
customer's mobile device.

97

Fig 2.6

The proposed protocol


98

Step 15-17: The shop POS terminal sends the Total Price (TP) and
the Receipt Number encrypted with Kc2. The user's mobile device
decrypts the information and displays to the user. If he agrees, he
enters the PIN. The PIN is an additional layer of security and adds
trust between the user and the shopkeeper. A PIN binds a user
with his mobile device, so the shopkeeper is to believe that the
user is the legitimate owner of the mobile device. Moreover, the
user feels more secure as no one else can use his mobile device
for transaction without his consent. PIN is stored in a secure
location in the SIM. The SIM compares both PINs and if both are
same, the user is authenticated as the legitimate user of the
mobile device. Otherwise, the protocol is stopped.
D. Phase 3. Transaction
Step 18: The customer's cell phone generates two messages, PI
and TRM, such that;
PI= Receipt No, Total Price, Time Stamp (TSU)
TRM=PI, Rs, Transaction Counter
Step 19:TSU represents the exact time and date the transaction
has been committed by the user. TC is a counter that is
incremented after each transaction and is used to prevent replay
attack. PI is encrypted with Kc2 so that it can be verified by the
shop POS terminal. The user encrypts the TRM with Kc so that it
cannot be modified by the shop terminal. The user computes MAC
with Kc1 over the TRM using Encrypt-then-MAC approach for
integrity protection.
99

Step 20-21: The POS terminal can decrypt only the PI encrypted
with by Kc2 to check its correctness. The POS terminal does not
need to verify the MAC (and it cannot do so), as it already knows
the main contents of PI. The Shop POS terminal also verifies the
TSU to be in a defined time window. If PI is correct, the POS
terminal relays the encrypted TRM with corresponding MAC along
with the TSU to the MNO.
Step 22: On receipt of the message, the MNO checks the
integrity of the message by verifying the MAC with Kc1. If the MAC
is invalid, the transaction execution is stopped. In case of a valid
MAC, the MNO decrypts the message. The MNO compares the Rs
in the TRM with the Rs received earlier in the authentication
phase. A correct match confirms that the user is the same who
was earlier authenticated.It also verifies the TC and TSU. In case
of successful verification, the MNO communicates with the
concerned subsections for monetary transaction. The concerned
subsections of the MNO checks the credit limitations of the user,
and if satisfied, executes the transaction. Once the transaction is
executed,

the

MNO

generates

Transaction

Information

(TI)

message as:
TI = Transaction Serial Number, Amount, TSTr
Step 23-25: The MNO encrypts TI with Kc2, digitally signs the
message and sends it to the shop POS terminal. The POS terminal
verifies the signature. A valid signature indicates correct TI. The
POS also verifies the TI for the amount mentioned in the TI. In
case of successful verification, the POS terminal appends the
100

message it received from the MNO with the Shopping Details (SD)
and corresponding digital signature.
Step 26: The user verifies both signatures. It verifies the
contents of TI and SD.

2.20.3
AND

EPAYMENT SYSTEMS DATABASE TRENDS


ANALYSIS

OBSERVATORY

ELECTRONIC

(EPSO)

MARCH

PAYMENT

2002

by

SYSTEMS

Grard

Carat.

Institute for Prospective Technological Studies, Directorate


General Joint Research Centre, European Commission
This study analyses the evolution of Internet-based payment
solutions offered to consumers in Europe. It is based on the
observation of 100 electronic payment schemes taken from the ePayment Systems Inventory, which is one of the deliverables of
the electronic Payment Systems Observatory (ePSO) project.
The main topics monitored by the report are:
the role of non-banks within the payment systems providers;
the positioning of telecommunications operators against
banks;
the main trends of payment solutions according to their level
of deployment;
the increasing importance of mobile networks and virtual
wallets as payment platforms;
101

the comparison between e-purses and pre-paid dedicated


accounts;
the reaction of banks with respect to virtual wallets;
the main platforms that allow micro-payments;
how credit cards remain the main Internet payment
instrument;
the emerging alternatives to credit cards for cross-border
payments;
the role played by consumer costs in the failure of a
payment system.

2.20.4

Modelling, Design, and Analysis of Secure

Mobile Payment Systems


By Supakorn Kungpisdan Faculty of Information Technology,
Monash University(2005)

Mobile payment allows users to perform payment transactions


through their mobile devices. However, it brings up many
emerging issues regarding security and performance of mobile
payment systems that can be classified into at least two main
problems. The first problem comes from the limitations of wireless
environments that are primarily from mobile devices which have
limited system resources and from wireless networks which have
high connection cost, low bandwidth, and low reliability. In
particular, a mobile user may not be able to efficiently perform
102

highly secure transactions, which require high computational


cryptographic operations, over the wireless network with the
above characteristics. The second problem is the lack of sufficient
security of existing mobile payment systems, mainly due to
improper protocol design and the deployment of lightweight
cryptographic operations which lead to the lack of important
transaction security properties. Such problems have motivated
the research conducted in this paper.
The main purpose of this paper is to propose methods to enable
practical and secure mobile payment. The results obtained from it
may serve as a basis for protocol designers and system
implementers to design and implement secure mobile payment
systems and to analyze their existing mobile payment systems.
The research conducted here focuses on three different levels of
reasoning

and

securing

mobile

payment:

formal

model,

framework, and protocol.


A formal model for a practical and secure mobile payment system
was proposed. In this model, the interactions among engaging
parties and properties to be satisfied by the system including
goals and requirements for payment transactions, transaction
security properties, and trust relationships among parties is
formalized. The proposed model can be seen as a guideline for
designing and implementing practical and secure mobile payment
frameworks and protocols for both account-based and tokenbased payment.

103

At the framework level, the problems of existing mobile payment


frameworks was investigated. Then a framework that not only
overcomes the limitations of wireless environments, but also
solves the problems of the existing frameworks was introduced.
Particularly, a traditional fixed-network payment protocol is well
operated in this framework, even more efficiently if a payment
protocol

specifically

designed

for

wireless

environments

is

applied. In addition, we show that the proposed framework can be


captured by the proposed formal model.
At the protocol level, a lightweight, yet secure cryptographic
technique was proposed. This technique not only reduces the
computation at engaging parties, especially at mobile users, but
also satisfies the transaction security properties including the
trust relationships among engaging parties stated in the proposed
formal model. Two account-based mobile payment protocols
which deploy the proposed technique was also introduced. We
develop a prototype of one of the proposed protocols to
demonstrate its practicability as a real world application. The
results from the implementation show that the implemented
protocol itself operates well in wireless environments, yet has
better transaction performance if the proposed mobile payment
framework is applied to it. They also demonstrated that both of
the proposed protocols have better transaction performance than
existing protocols.
To show that the proposed framework and protocols satisfy the
formal model, they developed a formal logic for analyzing them
104

and

successfully

prove

that

they

satisfy

the

goals

and

requirements for payment transactions and the transaction


security properties, stated in the formal model. Combining with
the analysis results, it can be concluded that either a payment
system based on the proposed framework deploying an existing
payment protocol or a payment system based on the proposed
protocol operating on an existing framework is considered as a
practical and secure mobile payment system because it satisfies
all the required properties stated in the model. In addition, they
show that the proposed logic is general in that it is able to analyze
any kinds of electronic commerce protocols including mobile
payment protocols.
To

enhance

introduced

the security
a

limited-use

of the
key

proposed

generation

protocols,
technique

they
which

eliminates the need of long-term shared key distribution among


engaging parties prior to each transaction. And then applied the
proposed key generation technique to the proposed protocols and
discuss its potential applications to other kinds of Internet
applications.
Finally, to emphasize the generality of the mobile payment model,
they propose a (token-based) micropayment protocol for wireless
environments that satisfies the proposed model. The protocol
deploys the proposed lightweight cryptographic technique to
enhance its transaction security. The proposed protocol is prepaidbased, yet extensible to postpaid-based micropayment. This
results in a general framework for wireless micropayment. The
105

authors then demonstrated that their micropayment protocol is


more secure and has better transaction performance compared to
existing micropayment protocols.
2.20.5

ROBUST

CLIENT

VERIFICATION

IN

CLOUD

ENABLED M-COMMERCE USING GAINING PROTOCOL by


Chitra Kiran N., Dr. G. Narendra Kumar, IJCSI International Journal
of Computer Science Issues, Vol. 8, Issue 6, No 2, November 2011
The proposed system highlights a novel approach of exclusive
verification process using gain protocol for ensuring security
among both the parties (client-service provider) in m-commerce
application with cloud enabled service. The proposed system in
this paper is based on the potential to verify the clients with
trusted hand held device depending on the set of frequent events
and actions to be carried out. The framework of the proposed
work is design after collecting a real time data sets from an
android enabled hand set, which when subjected to gain protocol,
will result in detection of malicious behavior of illegal clients in
the network.
THE PROPOSED SYSTEM
The proposed system assumed the attacker or intruder which has
an access to the confidential physical information to the trusted
hand held device which the user normally use for mobile banking
or performing very confidential transaction. In the current 3G
enabled cell phone, normally all the phone comes with an inbuilt
106

application of Facebook, Twitter, or some other application like


mCheck of Airtel. Therefore, the intruder might also be interested
in other alternative resource which is connected with the trusted
hand held device like accessing the account details from phone
book or message archives etc. Not only this, the presence of an
type of malicious applications could also pose a huge threat
towards the device and the premium services associated with the
device. Example of such attack could be cloning attack where the
malicious program will attempt to send information on the victim
trusted handheld device to the colluding user available in the
network and then slowly poison the network sending certain
information of services which by default is supposed to create an
event after it. Such types of lethal threat can be prevented by
considering the message packets being digitally signed by the
subscriber identity module card which will be most difficult to be
duplicated. The consistent malicious programs on the mobile
phones will able to have more lethal effect as the complete
control structure will be robustly created by the attacker for which
every event performed from the device can be monitored by the
intruder. It also raises possibility of duplication of the action
performed by the genuine user by the fraudulent user. Not only
this various availability of spy softwares will increase the threat
exponentially.
The proposed solution against such types of issues is highlighted
in this paper as a system knowledge acquiring algorithm. The

107

proposed system initially acquires knowledge from a clients


system from their previous actions.

Previous Actions

Knowledge
Acquiring
protocol

Current Actions

Gaining
Algorithm

Client
Framework

Gain value

Fig 2.7

Proposed Architecture

. In order to design a robust verification assessment in real-time


scenario, the proposed system uses a gaining protocol which
assess the client system and their recent actions performed in
previous history of transactions or any other activities over the
device and then it yields a gain value identifying the probability
that the genuine client is utilizing the trusted hand held device.
108

The gain value is considered to design a verification decision


which characteristically uses a threshold factor in order to choose
whether to accept or to decline the genuine user. Not only this,
the threshold factor can also deflect from diverse application,
which is dependent on if the system is responsive to optimal
security measure. The gain value could also be considered for a
dual aspect gauge to supplement conventional secret word based
authentication system, which we use currently.
The actions of the genuine client are characterized by the client
system framework. An immature framework can be discussed
where it can be considered about the liberty among the various
diversified sections of user actions. Representing alternatively, it
can also be considered that the clients trusted hand held device
is free from their location, usage of the service, as well as any
other activities. The framework assumed the clients actions
performed is completely dependent on the instant of the time in
day as well as week, probably can be month too. To cite an
example, it can be said that one client might use both incoming
as well as outgoing calls very frequent in morning but might not
work out in outgoing calls in afternoon. He might get only
frequent

calls

in

afternoon.

Let

F 1,

F2,.,

Fk

represents

independent arbitrary feature variable. Let is assume F 1 is time


elapsed since the previous good calls, F 2 is inter arrival time
between bad calls, F3 represents location coordinates etc. The
good call represents the incoming or outgoing calls done from the
109

genuine user phone book and bad calls represents any incoming
or outgoing calls which are not listed in the memory of the phone
or a SIM card. The clients framework is a multiplication of R
probability function trained on the variable T as instance of time.
Therefore clients framework is,
[P(F1/T),P(F2/T),. . . P(FR/T]
The knowledge acquiring protocol fundamentally computes such
functions structuring clients model.
THE GAINING PROTOCOL
With a facilitated clients framework and previously known set of
actions of the client, the gaining protocol yields a gain value
representing the probability that the trusted handheld device is
under the control of genuine user. This can also be described as
gaining independent charecteristics. The gaining function is
developed

in

very

secure

and

robust

way

under

the

independent characteristic framework. The client current actions


can be represented as tuple (T, F 1, F2, .., FR) where current time
is shown as T and F1, F2, .FR represents the values of variables
(F1, . . . , FR) at instant of time t. The significant perception for
this logic is to evaluate a discreet gain for each feature and then
utilize it a function in order to gather such distinctive gain values
into a final evaluation. Fundamentally, we will have R gaining
functions represented as G
G1(f1)=1-H(f1|T=t) (1)

110

The gain function for the client position might be allocated to a


position visited at a specific time of day a gain which is inversely
proportional to the Euclidean distance to the nearest position
group which is connected with that specific instant of the day. A
client who specifically is at office group during office hours and
at a resident group at night can receive the maximum gain for
being positioned at an expected group at the expected time.
Position near expected group would receive incomplete credit
which reduces to 0 as the distance to the group increments.
The next phase will be knowledge acquiring with gaining protocol.
With the facilitated distinctive gain values for the R different
characteristics, the system calls f(G1(f1), . . GR(vR)) to evaluate
the final value of gain. Citing an example, let us say that each
gain Gi(f1) (1<i<R) is the feasibility of the fi, which means
Gi(fi)=Pr[Vi=vi] as in equation (1). Exactly after this step, a
common process to combine the gain values is to estimate the
combined feasibility of (f1, . . , fR). The final gain value will be the
multiplication of these feasibilities: f(g1, . . , gR)=g1.g2.. . gR. Or
else alternative feasible structure for function is a weighted
addition: f(g1, . . , gR):= w1.g1+w2.g2+ . . .+wR.gR. The weights
w1, . . , wR has to be estimated through a potential training
procedure. In order to acquire knowledge using gaining protocol,
we need to consider that the system gather set of actions from
the individual clients. This collection of information will be
categorized into evaluation set and training set. The training set
will comprise of utility as positive samples in the training
111

procedure. The system in hybrid method generates attack


information for training process. In specific, the system will deploy
wedging procedure for creating negative samples. That will mean
if a client P and client Q come into view in the proximity of each
other at instant of time t, than the system wedge the information
for P before t and the information for Q after time t. The proposed
framework represents a hybrid process of initiating an attack
model where Q picks up or intrude Ps trusted hand held device
and initiates using it maliciously. In practicality, Q could be any
associated relation or may be completely outsider (stranger).
Training the weights w1, . . , wR can be represented as a issue of
minimization which will mean that if the system fixes the rate of
false negative e.g. it can be said that a genuine legal client is
declined the permission of access and has to feed the password
frequently in day. Therefore the proposed system aims at
minimize the rate of false positive which is failure to identify an
attack and the time till the detection in the presence of an attack.
2.21 Related Applications
In this section we describe the most popular and recent cloudbased mobile payments which have been developed by wellknown companies.
A. Google Wallet
One of the major companies which operates the concept of
mobile wallet is Google. They named this service as "Google
Wallet" (Google, 2013; Ronald et al., 2013). The communication
112

between the mobile phone and the POS is carried out through NFC
technology that transmits the payment details to merchant's POS.
Customer credentials are not stored in the mobile phone; rather,
they are stored online. Google Wallet takes the form of an
application stored on the customer's mobile phone. The customer
will have an account with Google Wallet which includes the
relevant registered credit/debit cards. Accordingly, the Google
Wallet device has a chip /SE which stores encrypted payment card
information. Linked credit or debit card credentials are not stored
on the SE; rather, the virtual prepaid credit/debit card which is
created during the setup is stored on the SE. The transaction then
operates through the virtual prepaid credit/debit card that
transfers funds from the Google Wallet into the merchant's POS
when the customer taps his phone on the POS.
B. MasterPass
"MasterPass" (Mastercard, 2013; Bodhani, 2013) is a service
which has been developed by MasterCard as an extended version
of PayPass Wallet Services (NFC World, 2013) and provides a
digital wallet service for secure and convenient online shopping.
In MasterPass, delivery information and transaction data are
stored in a central and secure location. The latest MasterPass
provides the following services (NFC World, 2013):
MasterPass checkout services: This service enables the
vendors payment acceptance in a consistent way irrespective of
the clients location. This means vendors have the ability to
accept a payment without having to know where the client is. For
113

instance, when the client is in store, he can use this service since
it supports NFC, Quick Response (QR) codes, tags, and mobile
devices to pay for products at a vendors POS. Thus, in online
shopping scenarios, the client can use this service to pay for a
product without having to enter the card and delivery details
every time he intends to make a purchase.
MasterPass-connected wallets: Vendors, financial institutions,
and partners are able to provide their own wallets using this
service. The clients card information, address books, etc. can be
saved in a secure cloud provided by a party they trust. Thus,
clients can use other credit and debit cards in addition to their
MasterCards cards.
MasterPass value added services: The purpose of this service is
to improve the clients shopping experience before, during and
after checkout. Value added services include account balances,
offers, loyalty programs, and real-time alerts.

114

REFERENCES
1. European Payments Council .(White paper on mobile
payments)
2. Mobile phone as a wallet by Alcatel lucent (2010)
3. http://www.gsma.com/digitalcommerce/digital-mobilewallets
4. Cloud Computing

and

Computing

Evolution

MARKUS

BHM, STEFANIE LEIMEISTER, CHRISTOPH RIEDL, HELMUT


KRCMAR, Technische Universitt Mnchen (TUM), Germany
5. The Mobile Money Revolution (May 2013) by ITU-T
Technology watch report
6. White Paper, Mobile Cloud Computing Solution Brief,
AEPONA, (November 2010).
7. Mell P, Grance T. The NIST Definition of Cloud ComputingRecommendations of the National Institute of Standards
and Technology [online]. Gaithersburg, MD 20899- 8930:
National Institute of Standards and Technology; September
2011

URL:

http://csrc.nist.gov/publications/nistpubs/800-

145/SP800-145.pdf. Accessed 25 January 2013.


8. Plummer DC, Bittman TJ, Austin T, Clearley D, Smith DM.
Cloud computing: Defining and describing and emerging
phenomenon. Stamford, CT 06902-7700 U.S.A: Gartner
Inc.; (2008).
9. The 451 group. Market monitor : Cloud Computing. New
York: 451 Research. URL: https://451research.com/marketmonitor-cloud-computing [online]. Accessed 4 February
2013.
115

10.

Carr N.The Big Switch - Rewiring the World from Edison

to Google.New York:WW Norton & Company, Inc.; (2009).


11. Rittinghouse WJ, Ransome FJ. Cloud Computing
Implementation, Management, and Security. Boca Raton,
FL: CRC Press; (2010)
12. Hurwitz J, Bloor R, Kaufman M, Halper F. Cloud
computing

for

dummies.

Indianapolis,

Indiana:

Wiley

Publishing, Inc.; (2010).


13. Fan X, Cao J, Mao H. A Survey of Mobile Cloud
Computing [online]. ShenZhen, P.R.China: ZTE Corporation;
(2011).

URL:

http://wwwen.zte.com.cn/endata/magazine/ztecommunicat
ions/2011Year/no1/articles/2
01103/t20110318_224532.html. Accessed 07 December
2012.
14.
X. Yang, T. Pan, and J. Shen, On 3G Mobile Ecommerce Platform Based on Cloud Computing, in
Proceedings of the 3rd IEEE International Conference on
Ubi-Media Computing (U-Media), pp. 198 - 201, (August
2010).
15. W. Zhao, Y. Sun, and L. Dai, Improving computer basis
teaching through mobile communication and cloud
computing technology, in Proceedings of the 3rd
International Conference on Advanced Computer Theory
and Engineering (ICACTE), vol. 1, pp. 452 - 454,
(September 2010).

116

16.

U. Varshney, Pervasive healthcare and wireless health

monitoring, Journal on Mobile Networks and Applications,


vol. 12, no. 2-3, pp. 113 - 127, (March 2007).
17. C. Doukas, T. Pliakas, and I. Maglogiannis, Mobile
Healthcare Information Management unitizing Cloud
Computing and Android OS, in Annual International
Conference of the IEEE on Engineering in Medicine and
Biology Society (EMBC), pp. 1037 - 1040, (October 2010).
18. E. Cuervo, A. Balasubramanian, Dae-ki Cho, A. Wolman,
S. Saroiu, R. Chandra, and P. Bahl, MAUI: Making
Smartphones Last Longer with Code offload, in
Proceedings of the 8th International Conference on Mobile
systems, applications, and services, pp. 49-62,( June
2010).
19. Z. Ye, X. Chen, and Z. Li, Video based mobile location
search with large set of SIFT points in cloud, in
Proceedings of the 2010 ACM multimedia workshop on
Mobile cloud media computing (MCMC), pp. 25-30, (2010).
20. Alliance, S. C. (2011) The Mobile Payments and NFC
Landscape: A US Perspective, Smart Card Alliance.
21. Iosup, A., Yigitbasi, N., & Epema, D. (2011) On the
performance variability of production cloud services In
proceedings of the 11th International Symposium on
Cluster, Cloud and Grid Computing (CCGrid),IEEE. pp. 104113. ISO/IEC 18092 (2004) Near Field Communication - Interface and
Protocol (NFCIP-1), International Organization for Standardization (ISO)
Std.

117

22.

Kounelis, I., Loschner, J., Shaw, D., & Scheer, S. (2012)

Security of service requests for cloud based m-commerce


in proceedings of the 35th International Convention. IEEE.
pp. 1479-1483.
23. Ko, R. K., Lee, B. S., & Pearson, S. (2011) Towards
achieving accountability, auditability and trust in cloud
computing

in

Advances

in

Computing

and

Communications. Springer Berlin Heidelberg. pp. 432-444.


24. Google
(2013).
Goole
Wallet.
Available
at:
http://www.google.co.uk/wallet/faq.html. [Accessed 3 April
2014].
25. MasterCard

(2013).

MasterPass.

Available

at:

https://masterpass.com/online/Wallet/Help?cid=127568.
[Accessed May 12, 2014].
26. Bodhani, A. (2013) New ways to pay [Communications
Near Field], Engineering & Technology, 8(7), pp. 32-35.

118