The Risks of Using Mobile Devices in

Business 1

Stephen Perelson ∗ , Reinhardt Botha

Nelson Mandela Metropolitan University, Dept. of ..., Port Elizabeth South Africa,

6000

Abstract

Still working on this...

Employees are adopting mobile devices, such as Personal Digital Assistants and

smartphones, for use within their businesses. As such there is a need to reduce the

risk to business information when used with these mobile devices. It is therefore

necessary to understand the types of risks involved with mobile devices to under-

stand the business’ security requirements with respect to the secure use of these

mobile devices.

Key words: Risk, Security, Mobile Devices

Preprint submitted to Computers & Security

1 Introduction

Business is a driving force behind the adoption of many technologies that

improve productivity and work efficiencies. The advent of the microcomputer,

or desktop computer allowed employees who adopted them to simplify complex

work processes. Useful software, such as the ubiquitous spreadsheet (Bricklin,

2005), became a driving force behind this adoption of the microcomputer by

the business world.

Employees now had a means to crunch numbers and save data electronically

without having to book time on the business’s mainframe. This meant that the

business no longer had control over all of its data. Data that was once stored

in a central and secure location now resided on desktop computers through-

out their organisation. Also, when the technology permitted, employees were

taking business data on the road with them.

Being able to transport the data and computer was an important develop-

ment in mobility and this gave rise to the notebook computer. The notebook

computer allows the user to have the power and functionality of their desktop

computer to be carried with them wherever they may go. However, other types

of mobile computers became available that include the mobile phone and the

Personal Digital Assistant (PDA).

The mobile phone is primarily a communications device that handles voice

and data communication. The current trend with mobile phones, however, is
∗ Stephen Perelson
Email addresses: stephen@nmmu.ac.za (Stephen Perelson),

reinhard@nmmu.ac.za (Reinhardt Botha).

1 Supported by the National Research Foundation

2
convergence. This can be seen by the current trend in manufacturing camera

phones and music playing phones (Dow Jones Newswires, 2005). These mobile

phones can, for example, also run small Java based programs using specially

designed Java runtime environments for micro devices (Sun Microsystems,

2005). Manufacturers are creating these devices in order to gain a bigger mar-

ket share and to improve the income potential for the various players in the

mobile phone value chain. Consumers benefit with these mobile phones and

other lifestyle devices and the advanced value added services that are becoming

available.

The PDA caters for the need to have computing power on hand wherever and

whenever. PDAs, like the Apple Newton and the PalmPilot, were essentially

created to replace paper (Wikipedia, 2005). They were used to organize con-

tacts, schedules, to-do items, notes, and other paper based tasks. However,

a PDA can be extended with installable programs that can take advantage

of the features present in the device. Early PDAs were beset with problems

such as poor screen technology, low battery life, and faulty software. However,

modern PDAs are capable computing devices, which are fast becoming bet-

ter with reasonable usability in terms of battery life, screen technology, and

software.

The functionalities of the mobile phone and the PDA are merging. It is com-

mon to find mobile phones that are being designed with PDA type function-

ality (smartphones) and PDAs that are being created with voice and data

capabilities. This trend is enabling an even greater uptake of these mobile

devices for business use and allows for greater workforce mobility.

Mobile devices are typically owned by the users of the devices. Just as there

3
is value in the adoption of microcomputers for business use, there is business

value for the adoption of mobile devices. These devices are usually introduced

and owned by employees. However businesses have also identified the need for

mobile devices to enable their workforce to be more productive and to reduce

costs. Either way the business is a stakeholder in the secure use and operation

of the mobile device, as is the user of the device (Covey, Redman, and Tkacik,

2005).

With the above as a backdrop, the reality is that businesses have to contend

with an extremely mobile workforce who may be using mobile devices that

are not designed for secure business use (Perry et al., 2001; Halpert, 2004).

Mobile devices are changing how people are conducting business and perform-

ing business processes. Koop and Mosges (2002), for example, demonstrate

how PDAs can be used to capture patient information with improvements in

efficiency and accuracy. However, these same devices may also be the cause of

security breaches (Halpert, 2004).

Security threats are not unique to mobile devices. However, mobile devices

introduce additional security risks, partly due to the nature of the mobile

device. Parker (1995) provides a structured way of thinking about the various

security risks with respect to business data. His model of security represents

a utopian view of secure data that provides a useful starting point for us to

identify the possible risks that mobile device usage may introduce. This section

will be followed by various cases and scenarios that map to these security risks,

which will be followed by the conclusion.

4
2 Elements of Security

There are three well known properties of secure information, namely Confiden-

tiality, Integrity, and Availability (ISO, 2004). Information can be described as

confidential when it maintains its secrecy from those that are not authorised.

Similarly, information has integrity when it maintains its accuracy and com-

pleteness. Information is further considered available when it is accessible and

usable when needed. Parker (1995), however, argues that these three proper-

ties are not enough for the security requirements of business. Subsequently,

he expounded upon these three properties of security with the addition of

Authenticity, Utility, and Possession.

Authenticity relates to the validity of the information, which means that the

users of the information can trust that the information is authentic. Utility

denotes the usefulness of the information to the user. Possession indicates the

physical custody of information so that it is physically in someone’s control.

The properties of secure information are used to evaluate the impact of the

various vulnerabilities that could befall information within the domain of mo-

bile devices. Vulnerabilities are the weaknesses that could be exploited by a

security threat (ISO, 2004). For a mobile device, one such weakness would be

its small size that makes it easier for the device to be stolen. Theft, in this

context, is known as a security threat.

Security threats are the potential incidents that could occur to a vulnerability,

which may impact upon any of the security properties (ISO, 2004). The risk

of any one of the possible threats occurring is typically measured in terms

of the probability of a threat occurring combined with the consequences that

5
result if it does occur, which can be visualized with the following mathematical

representation: Risk = P robability × V alue (ISO, 2004).

Risk can be reduced by minimizing either the probability of the threat occur-

ring or the consequences, or value, of the loss. The reduction in probability and

value of loss can be brought about with the proper implementation and use

of safeguards, also known as countermeasures or controls (Sarker and Wells,

2003). A safeguard is a method or tool that helps reduce either the probability

of a threat occurring or the value that could be lost (ISO, 2004).

By their very nature, mobile devices have a higher probability of certain secu-

rity threats occurring. The fact that these devices are mobile increases the risk

of loss through damage, user forgetfulness, theft, and other security threats.

In order to reduce the risks involved with mobile device use, it is necessary to

identify and understand these vulnerabilities, particularly those that are more

prevalent because of mobility.

3 Vulnerabilities

It is necessary to identify the security threats and to categorise these threats

in order to identify the vulnerabilities of mobile devices. Parker (1995) clas-

sifies threats by grouping them in four broad categories, namely threats to

availability and usefulness; threats to integrity and authenticity; threats to

confidentiality and possession; and exposure to threats.

The security threats to availability and usefulness include destroying, damag-

ing, and contaminating the data, as well as the risk of denying, prolonging, or

delaying the use of, or access to, the data.

6
The security threats to integrity and authenticity include the risks of obtaining

and using false data through entry, production, or modification and the risks of

misrepresentation, repudiation, and misuse or failure to use the data correctly.

The security threats to confidentiality and possession include access, disclo-

sure, observation or monitoring, copying, and stealing.

Another, fairly ubiquitous risk is that users may fail to protect data when

they are exposed to any one of the aforementioned threats. The user may fail

to perform as required, may be negligent, or may be committing a crime.

Security threats exploit vulnerabilities that will be inherent anywhere infor-

mation is stored, transferred, and used. The focus of this paper is on those

vulnerabilities that are symptomatic of the mobile nature of mobile devices.

This mobile nature is evidenced in the mobility of the device, the size of, and,

the hardware used for these devices, the software used with these devices, and

the data communication mechanisms.

A mobile device is, by definition, mobile and can be used in different geo-

graphical locations and while travelling between these locations (Perry et al.,

2001). Mobility brings about many security threats that include damage, loss,

and interrupted communications. In order to be mobile, the mobile device is

typically very size constrained.

The small size of mobile devices brings about vulnerabilities that include

reduced battery life, limited screen size, limited data storage, limited input

mechanisms, and limited processing power. The security threats that could

be allowed by these vulnerabilities include data input errors, loss of data due

to failing battery, unavailability of data as a consequence of running out of

7
memory, and allowing access controls to be bypassed. These vulnerabilities of

size also affects the software that can run on the mobile device.

The software on the mobile device is crucial to the integrity and utility of the

information accessed and stored on the mobile device. Badly designed software

could cause many problems and could ultimately result in information loss.

Security threats that could befall the mobile device due to the software include

loss of information, reduction in battery life, allowing unauthorised access, and

damaging data integrity.

It is therefore necessary to identify the vulnerabilities to information when

used with a mobile device and to examine the security threats that could

befall these vulnerabilities.

4 Threat Scenarios

The following scenarios attempt to provide an information security case that

clearly identifies a vulnerability and the associated security threats. The risk

potential for each scenario is also discussed with suggestions for safeguards

that could be implemented in order to reduce the risk.

Proposed layout of each subsection: Outline of

Scenario/story (only one story) ; Identify Vul-
nerability ; Identify Security Threats ; Iden-
tify/Evaluate Risk ; Provide Safeguards

Maybe define how I should evaluate the risk for

each of these scenarios.

8
4.1 Threats to Availability

John, a salesman, stores all of his customer’s details on a PDA along with

itineraries of his trips. He also makes notes of customer orders onto his PDA for

sending through to the main office at the end of the work day. John was careless

and dropped his PDA into the pool at one of the motels during one of his sales

trips resulting in a non-functional PDA. John has lost all of the information

stored on the PDA and, as such, no longer has any of his information available.

Hence, availability is the vulnerability that was exploited by a security threat.

Availability refers to the inability to access the information stored on the

mobile device. This vulnerability can be exploited by many security threats

that include device failure, accidental deletion of data, and software failure.

In this scenario, the security threat can be considered to be device failure

through water damage.

In this scenario, John should be blamed for his information availability crisis

as it was not a design fault of the PDA that caused the information loss. It can

be assumed that this particular security threat is not likely to occur and, as

such, the risk of this threat is low. However, there are three ways of reducing

the risk for this scenario.

The first method is to reduce the likelihood of the PDA from getting wet by

educating the user in how and where to carry the mobile device. This method

focusses on user education as a safeguard to prevent information loss and is

the cheapest option. However, John may not apply this knowledge in order to

prevent this threat from occurring.

9
The second method to prevent information loss would be to waterproof the

PDA so as to minimize the threat of exposure to water. This method would

not rely on the user being able to prevent exposing the PDA to water as the

PDA is itself capable of surviving the threat. However, this method could be

highly expensive and, therefore, infeasible.

The third safeguard that could be implemented to reduce the risk of infor-

mation loss for this scenario would be information backup. If John could re-

trieve his contacts, itineraries, and orders from another source then the loss

of availability would not be as detrimental. He could backup this information

to a back-end server at regular intervals or synchronize it with a notebook

computer at the end of each day. He could also store the information on a

removable memory medium that would probably survive a certain amount of

abuse. John may still lose information as all data that was captured since the

last backup would be lost, but the amount of information lost would be minor

and could be retrieved by contacting each affected customer.

Backup, or synchronization, is a commonly employed safeguard to prevent

information loss and is clearly a function built into most mobile devices. Mobile

phones, that support it, can make use of the OMA’s SyncML (OMA, 2005),

and PDA’s and smartphones all include synchronization software. In the event

of a catastrophic device failure, such as John taking his PDA for a swim, the

availability of the information may be lost in the short term, but will be

retrievable by the user in the long term.

Current work ends here. Must finalize the following

sections into the decided upon format.

10
4.2 Threats to Utility

Utility refers to the usefulness of the information in the mobile device. A

mobile device has a generally lower utility than a desktop computer due to

its form factor. Mobile devices typically have small screens and a restricted

form of input due to the size constraints (Hart and Hannan, 2004). Other

utility issues include methods employed to increase the battery life (Hart and

Hannan, 2004) and badly designed user interfaces (Sarker and Wells, 2003).

The duration a mobile device can run a particular task is dependant upon

the battery used and the level of drain upon that battery. Fast and powerful

processors draw more current than slow, energy efficient ones. Special low-

power components have to be employed to allow the mobile device to run for

a reasonable duration while relying on its battery. If the mobile device cannot

run long enough for a user to accomplish their task at hand then the data on

the device is useless.

A badly designed user interface also affects the utility of the data stored on

the mobile device as it may inadvertently obscure certain tasks from being

discovered or allow the user to accidently perform other, unwelcome, tasks.

Such tasks may include altering the stored data in a way which affects the

data’s usefulness.

Another issue that affects utility is that of forgotten or illegally changed pass-

words. A user could forget a password if the mobile device is not used often

and, if this occurs, some mobile devices enter a very secure, locked mode when

the password is entered too many times. This is the typical behaviour with

mobile phones that will then require the Phone Unlock Key to be entered.

11
Also, another person, or program, may change the password unbeknownst to

the user. This is also applicable to encrypted data where the decryption key

is forgotten or lost. The information is available, but not in a useful or mean-

ingful way. If the mobile device or the data stored thereon cannot be accessed,

then the utility of the data on the mobile device is diminished.

4.3 Threats to Integrity

Parker (1995) defines integrity as ‘completeness’ and, as such, could be taken

to mean the correctness of data or the proper functioning of software.

An example of improper functioning of software would be certain types of

instant messaging software. Due to a design decision of one particular type

of instant messaging system, the software quite often loses messages and does

not provide a way to retrieve those lost messages. This same design flaw is

probably part of other similar instant messaging solutions, but has not been

tested. The error occurs when you exit from the system and receive a message

as you are busy exiting or when you experience an unsuccessful login from

the client’s perspective due to system failure or network issues. Either method

results in the server thinking the client is successfully connected and logged

on and, as such, delivers messages. The system is not well enough designed to

allow for the recovery of these lost messages.

Unfortunately, this example affects availability and possession. The informa-

tion is no longer available nor does anyone have possession of the information.

A better example would be the one that Parker (1995) defined, which is a

software product that is unintentionally crippled. This would then be an ap-

12
plication designed for a mobile device for this scenario. The application may

perform as intended, but may cause data errors due to the omitted code and,

as such, will lack integrity.

The reduced display capacity of mobile devices may also cause integrity issues

due to the fact that certain applications may trim some of the data for bet-

ter display purposes. For example, an image viewing application may resize

pictures to fit onto the display of the mobile device, but may be reducing the

quality of the image to a point where it is no longer useful. In such a case,

the capabilities of the device hardware and software is the cause for the loss

of data integrity.

4.4 Threats to Authenticity

A digital media object, such as a game or a music file, could be distributed

by someone claiming that the media object was created by a more popular

publisher when the actual publisher was a relatively unknown one to garner

more sales. This scenario parallels the one defined by Parker (1995) where a

book distributor alters the publisher details of the book for sale in another

country. The digital media object’s integrity is maintained, as is the availability

of the item while the authenticity of the object is diminished.

This scenario is aided in part by being able to access the Internet from a mobile

device. Besides misrepresented digital media objects, the Internet also provides

other possibilities to the risk of authenticity. There is very little guarantee that

any information or service found on the Internet is authentic.

A web service could claim to provide a particular service and then deliver

13
something else. Also, thieves could set up so-called ‘phishing’ sites that mimic

a bank’s website in order to harvest username and passwords to gain user

account information (APWG, 2005), which may be a bigger problem on mobile

devices due to the form factor of the device.

I probably need a reference for the following, but

I’m not having much luck finding something

The screen of a mobile device is typically a low resolution screen that does

not offer much screen real estate for applications to display information. As

such, web browsers on the mobile device may not display all of the pertinent

information and will, therefore, exacerbate certain problems. Also, the user

interface heuristics are not always the same as the equivalent desktop computer

user interfaces as there are generally different design paradigms in use to make

best use of limited resources.

4.5 Threats to Confidentiality

Any means that an attacker can gain access to the information on the mobile

device falls into this category. The information that is retrieved may reside

in more than one place, the mobile device and a server. The hacker who

stole Paris Hilton’s address book did not hack into her phone, but rather

attacked the server, hosted by the network operator, that stored a backup of

her information (Hayes, 2005). An unauthorised person can also simply use

the device to view the data thereon and so violate confidentiality.

Data can also be copied using external memory or the various networking

protocols that are available. One such scenario is that of the Bluetooth vul-

nerabilities, which can be used to copy data from a mobile device or to initiate

14
communication sessions (Laurie and Laurie, 2003). However, if the data is only

copied then possession is not lost. Only if the original data on the phone is

removed will possession be in the hands of the perpetrator.

4.6 Threats to Possession

Possession generally does not include violating confidentiality. It is generally

assumed that a person who steals a mobile device usually does so to gain the

device itself and not the data upon that device. While Parker (Parker, 1995)

assumes that possession means the total loss of the data, this is not usually the

case with mobile devices. Mobile devices are typically used as an extension to

the user’s desktop and not as repositories of unique data. As such, if the mobile

device is stolen, the data is usually still in the possession of the data owner.

When this is not true is when data, such as tasks, appointments, and business

cards, has been added onto the mobile device after the last synchronisation.

However, with future network services, it will become possible to synchronise

Over the Air (OTA). Using standards, such as the Open Mobile Alliance’s

SyncML and Device Management (OMA, 2005), it is currently possible to

backup some of the data on some mobile phones. Similar mechanisms are

available for mobile devices such as Microsoft’s Pocket PC (Microsoft, 2005)

and the BlackBerry (Johnston, 2005).

With the future services that will be offered it is the business’ aim to manage

the risk by evaluating the cost benefits of the services and their associated

risks.

15
5 Conclusion

Conclusion will change to reflect the changes to sec-

tions 2, 3, and 4

Reducing the risk of a security threat is not an easy task. security mechanisms

must be implemented in order to prevent against any of the security threats

from occurring or to reduce the level of damage if they do occur. At the same

time, the business must weigh the cost of the particular loss into account

in order to gauge the amount of money to spend on reducing the risk of a

particular threat.

Coupled with this evaluation is the availability of various security packages and

mechanisms for mobile devices that may or may not reduce the risk of various

security threats. Only a comprehensive evaluation of all of the security threats

to mobile devices and the realising of the cost implications of each security

threat occurring can a business implement the correct level of security for their

needs.

6 Acknowledgements

All trademarks and copyrights are the property of their respective owners. The

financial assistance of the National Research Foundation (NRF) towards this

research is hereby acknowledged. Opinion expressed and conclusions arrived

at, are those of the authors and are not necessarily to be attributed to the

National Research Foundation.

16
References

APWG, 2005. Anti-Phishing Working Group. [Cited 22 September 2005].

Available online at http://www.antiphishing.org/.

Bricklin, D., 2005. VisiCalc: Information from its creators, Dan Bricklin and

Bob Frankston. [Cited 21 September 2005]. Available online at http://www.

bricklin.com/visicalc.htm.

Covey, C., Redman, M., Tkacik, T., 2005. An advanced trusted platform for

mobile phone devices. Information Security Technical Report 10 (2), 96–104.

Dow Jones Newswires, 2005. Mobile phone maker nokia moves away from talk

to tv,music. [Cited 22 September 2005]. Available online at http://www.

cellular-news.com/story/14050.php.

Halpert, B., 2004. Mobile device security. In: InfoSecCD ’04: Proceedings of

the 1st annual conference on Information security curriculum development.

ACM Press, New York, NY, USA, pp. 99–101.

Hart, J., Hannan, M., 2004. The future of mobile technology and mobile wire-

less computing. Campus-Wide Information Systems 25 (5), 201–204.

Hayes, F., 2005. Paris hilton & you. [Cited 20 September 2005]. Available

online at http://www.computerworld.com/securitytopics/security/story/0,

10801,100032,00.html.

ISO, 2004. Iso13335-1 information technology – security techniques – man-

agement of information and communications technology security – part 1:

Concepts and models for information and communications technology secu-

rity management.

Johnston, C., 2005. Professional BlackBerry. Wrox Press.

Koop, A., Mosges, R., October 2002. The use of handheld computers in clini-

cal trials. Controlled Clinical Trials 23, 469–480.

17
 URL http://www.sciencedirect.com/science/article/B6T5R-470G763-1/2/

ef213e97079bcb8eb121b859f80d70cc

Laurie, A., Laurie, B., 2003. Serious flaws in bluetooth security lead to dis-

closure of personal data. [Cited 22 September 2005]. Available online at

http://www.thebunker.net/security/bluetooth.htm.

Microsoft, 2005. Windows Mobile 5.0 Messaging & Security Feature Pack.

[Cited 05 September 2005]. Available online at http://www.microsoft.com/

windowsmobile/business/5/default.mspx.

OMA, 2005. Overview of OMA Release Program. [Cited 09 September 2005].

Available online at http://www.openmobilealliance.org/release program/

index.html.

Parker, D., 1995. A new framework for information security to avoid informa-

tion anarchy. In: Proceedings of IFIP TC11 Eleventh International Confer-

ence on Information Security. Cape Town, South Africa, pp. 155–164.

Perry, M., O’Hara, K., Sellen, A., Brown, B., Harper, R., 2001. Dealing with

mobility: Understanding access anytime, anywhere. ACM Transactions on

Computer-Human Interaction 8 (4), 323–347.

Sarker, S., Wells, J. D., 2003. Understanding mobile handheld device use and

adoption. Commun. ACM 46 (12), 35–40.

Sun Microsystems, 2005. Java 2 Platform, Micro Edition (J2ME). [Cited 21

September 2005]. Available online at http://java.sun.com/j2me.

Wikipedia, 2005. Personal digital assistant. [Cited 09 September 2005]. Avail-

able online at http://en.wikipedia.org/wiki/Personal Digital Assistant.

18