The Smartphone Security Awareness Information Technology Essay
Over the past decade mobile phones have become pervasive and have evolved significantly from feature phones to smartphones to fit the increasing needs of the competitive market and to meet consumers’ wants and needs. The purpose of this research paper is to provide insight and raise security awareness into the risks posed by unsecured smart mobile devices.
Smartphones are ubiquitous devices and are comparable to the personal computer in terms of computational power, choice of operating systems, software with the same extended features and the ability to support third-party software.
Smartphones have enabled businesses and their workforce the freedom to collaborate and access organizational data 24 hours a day, 365 days a year.
What has been done to protect individuals and businesses from the ever increasing threat of mobile orientated attacks?
Pervasive computing (also called ubiquitous computing)
Endpoint security – antivirus/malware
enterprise information infrastructure
mobile information security perspective
security awareness training
technical topics are outside the scope of this research
The purpose of this document is to expose a business problem from a technological viewpoint. The subject of the business problem I have selected is on smartphone security awareness. This subject will be analysed and critically evaluated, then expanded upon further to reflect the range of possible solutions and create a comprehensive guide for the benefit of the reader.
The motivation for this project was mostly due to my vocational role as an IT consultant. During the course of my employment over the past decade within the IT industry, I have noticed a substantial gap within businesses for the need of greater smartphone security and awareness.
It was obvious to me that the evolution and improved capabilities of cellular devices established a greater risk for organisations.
This thesis is the result of work I have personally carried out in various roles throughout my technological career between October 2004 and December 2010.
1.2 Aims and objectives
The following are my aims and objectives for this project
Create an authoritative document with recommendations to raise awareness and inform businesses for the need of greater mobile security within the business environment.
Use insight to establish a research gap.
Assess smart mobile devices currently used.
Analyse security advantages and disadvantages of smart mobile devices.
Establish what risks smart mobile devices are exposed to.
Evaluate impact of risk exposed by unsecure mobile devices to businesses.
Examine mobile security currently available.
Evaluate current business policies and procedures for mobile devices and how these are enforced.
Construct smartphone security guide with recommendations for businesses.
1.3 Problem Statement
The problem is information and financial loss due to information theft or inaccessibility from malicious software (malware), and the detrimental impact this has upon the business.
There are many types of information that can be stored on smartphones, for example personally identifiable information in the form of contact details (phone, address), email, GPS coordinates…
Information security has gained significant value within the business domain over the past decade; however, this value remains subjective. Users have been made aware of the risks posed by malicious software whilst using their personal computer on the internet; now assistive technology like smart mobile devices is becoming increasingly powerful, functional and ubiquitous.
Where personal computers have at least some security software in place as standard, smartphones commonly have no security software installed and are susceptible to the same threats as personal computers.
Businesses, professionals and personal users now have a greater awareness for the need of personal computer security. This has been provided by media coverage, enterprise training or through personal experience. When using a personal computer or laptop for example, it is common to find a firewall and antivirus software installed showing that internet safety has now become a social normalcy.
Data loss or inaccessibility due to a virus, data theft due to
Smartphones are high specification mobile personal computers, and are subject to the same risks personal computers are open to.
“There are four to five billion mobile phones and we are approaching a billion smart phones. But remember that these devices are more powerful than supercomputers were a few years ago, and we are putting them in the hands of people who’ve never had anything like it before.” – Google CEO Eric Schmidt
Businesses need IT to function and to compete in today’s economic climate; IT adds value.
IT’s purpose is to save time; time is money.
Today’s organisations rely heavily upon information technology in order to allow their business to function (Khosrowpour, 2001). This is fundamentally due to how intricate information technology systems are embedded into organisations. Enterprise architecture (EA) is a communication tool between IT and business (Zachman, 2004).
EA is multifaceted (Wagter et al, 2005) and for the scope of the project I will be examining how the Security Architecture (SA) facet can benefit organisations to secure the Information Technology within the business against the increasing threat that unsecured mobile devices pose.
There are many different mobile operating systems for smart mobile devices requiring different security applications. I will analyse these systems and the risks associated. My intentions are to investigate what impacts smart mobile devices can have on businesses, why these problems affect the organisation, and how they are overcome.
Finally I will gather insight and make recommendations that businesses can use to foresee and prevent future unnecessary costs and risk.
2 Literature review
The subject I have proposed to use for this project is a very real-world business and information technology problem.
Because smartphone security is still in its infancy, it is currently quite a challenge to source accurate and relevant information from authoritative sources such as ‘Emerald’ without resorting to web based research. However, the more this project advances, the more smartphone security is becoming omnipresent in the media.
The first documented computer virus was designed over 25 years ago by two brothers named ‘name 1’ and ‘name 2’ in Pakistan; the virus was called the ‘brain’ virus…
Timeline – evolution of the mobile telephone (Malware)
Mobile History / Uses
2.2 Current status/Development of theories
Information is all that needs to be secured. Malware is changing, smartphones are changing and businesses are changing.
How far up the technological ladder are mobiles/feature phones/smartphones
2.3 How this project fits in with the literature review
I had chosen the subject then chosen the literature review method, thus tailoring the literature review to fit the requirements of the project.
3 Research methods
3.1 Introduction: hypothesis
Throughout my employment, I recognised a gap and need for smartphone security within
One of the methods of analysis I will use is the conceptual method; this has been described by Beaney as a way of breaking down or analysing concepts into their constituent parts in order to gain knowledge.
‘Conceptual analysis consists primarily in breaking down or analysing concepts into their constituent parts in order to gain knowledge or a better understanding of a particular philosophical issue in which the concept is involved’ (Beaney 2003). I have interpreted this to mean the compartmentalisation and analysis of data.
The proposed project will be delivered using an analytical in-depth research structure. I have chosen this project structure as it will primarily be research based on the current business problem as previously stated. I intend to analyse this problem, propose possible solutions, test and implement a well-documented solution with recommendations.
Critical and creative thinking skills such as Edward de Bono’s six thinking hats will be used to examine the problem domain. A review will be given on how the systems work and compare them to how they should work. I will then analyse the solution domain by examining which options are available to improve the system security along with an optimal recommendation and the benefits it would provide.
Figure – research method
For my project I will implement a triangulated, positivistic methodological approach. I have chosen this particular technique as it will provide me a balanced view of the subject area. I will incorporate both quantitative and qualitative primary research methods as recommended by Bryman (BRYMAN, 2006). However, for the scope of this project I will be mostly using quantitative based research as indicated in Fig 1 below.
Bryman advises that quantitative data can be gathered by way of a survey and qualitative research collected from journals and interviews.
Initially I will undertake primary research in the form of a survey questionnaire, and furthermore I will interview professionals in the field of smartphones and security such as police personnel, security advisors and mobile phone shop staff.
The survey will be available to respondents in paper form and electronically hosted so any user with internet access may access it. I will design the survey to be concise and simple to maximise the amount of respondents and gain quality information.
My target survey participants are business managers, IT professionals and general smartphone users. I have chosen to target these particular users as I am trying to ascertain not only the perception of smartphone security but also what policies and procedures are put in place and how aware users are of these. I have proposed to target these users by using a popular internet based technological social news website named ‘Reddit’.
‘Reddit’ has a daily turnover of over 850.000 unique users (Alexa, 2010). According to Alexa the average ‘Redditor’ is male, between the age of 18 to 44, does not have children, is well educated and browses ‘Reddit’ either from work or home, suggesting that the majority of ‘Redditors’ are working professionals and due to being a technological social news website the average user is technologically aware (Alexa, 2010). This confirms my premise and establishes that ‘Reddit’ would suit my proposed target survey participant.
There are many options available for online survey software, each option has its benefits and weaknesses, I have carefully analysed these options personally and have chosen to utilise the cloud based option ‘Survey Monkey’ to host my survey. The default limitations of ‘Survey Monkey’ are
the survey itself has been designed to be logical with closed questioning and
Qualitative data has been sourced from reliable and authoritative resources. I have chosen journals from Emerald
Primary research methods used
Interviewing mobile phone shop staff, police, business owners
I will critically analyse the results of my survey by comparing the answers given to a risk register.
4.1 Presentation and description of results
Who took part?
A survey was conducted to establish the awareness for the need of smartphone security. Users were openly invited from technological backgrounds to partake in the survey and assured of anonymity. A total of 758 people responded to the online survey from a possible 854,998 potential participants. The survey itself was open for one month during February and March 2011.
The results indicated a majority share of male responders, with 82% of survey responders being male as opposed to the 18% that were female, both averaging 26 years of age; this confirms part of my original hypothesis as an average smartphone user.
When asked, 53% of respondents reported that they had used their smartphone solely for personal use as opposed to the 45% of partakers that reported they used their smartphone for both business and personal use, with just 2% reporting to use a smartphone solely for business use only as shown in Fig 2 combining a total of 47%.
Figure – Smartphone use
25% of respondents had only been using smartphones for the past six months, 17% were aware they had been using them for at least a year and a majority percentage of 59% had been using smartphones for more than one year.
Only 12% of respondents opted to use the ‘pay as you go’ payment facilities as opposed to the greater majority of 88% that have contracts.
34% of respondents used an Apple iPhone, 58% reported to use Android smartphones, 13% used Blackberries and 6% (46) of respondents had Nokia smartphones.
87% of respondents had used calendar functions, 94% of respondents used email, 86% of respondents used games, 87% of respondents used GPS features, 74% of respondents used instant messaging, 52% of respondents used internet banking facilities, 66% of respondents used multimedia messaging service (MMS), 94% of respondents used the short messaging service (SMS) feature and 78% of respondents admitted to using social networking sites on their smartphone. A total of 756 participants responded and 2 participators chose not to answer the question.
From a total of 758 respondents, 63% (476) valued the physical smartphone above the 37% (282) whom valued the information more.
93% of survey partakers used 3G for mobile data communication, 59% of respondents used ‘Bluetooth’ technology, only 4% had used infrared line of sight technology, 75% of respondents admitted to connecting via universal serial bus (USB) and 94% of participators had used wireless for mobile data communication. A total of 757 participators answered this question and 1 partaker chose to skip the question.
Survey respondents considered smartphone security as ‘beneficial but not essential’ as the majority answer with 64% (485); 21% (159) did not consider there to be a need currently for smartphone security software, as opposed to 15% (114) who considered smartphone security software as absolutely essential. A total of 758 of 758 responded to this question.
Of participants stated that they do not use any smartphone security software.
87% of participants reported that they did not use any form of smartphone security software such as antivirus as opposed to 13% that did.
A majority of 92% (699) had not been advised of any security methods to protect them or their information from fraud, theft or malicious software. 8% (59) respondents agreed they had received adequate security advice. Everyone answered this.
95% (694) of respondents were aware of ‘Adware’, 27% had known about ‘Badware’, 25% (181) of respondents were aware of ‘Crimeware’ and 69% (504) had previous knowledge of ‘Rootkits’. ‘Trojans’ (95%, 696), ‘Spyware’ (95%, 697) and ‘Worm’ (90%, 656) were the most commonly known malware terms from the malicious software list, the majority being ‘Virus’ (711), with 97% of respondents being aware of this type of malware. 731 respondents answered this question.
62% of survey participants reported that they did not pay attention to licence agreements and permissions when installing applications on their smartphones; 34% reported they did read the licence agreements and permissions. 4% of respondents believed that this question was not applicable to them for their smartphone use.
81% of responders were aware for the need of security software for personal computers and 19% were not aware. All survey partakers responded to this question.
94% (713) participants have connected their smartphone to a personal computer (PC), 6% (46) stated they had not ever connected to a PC. All 758 respondents answered this question.
96% (728) respondents stated that they owned the smartphone, only 4% (30) of respondents had employer owned smartphones. All partakers responded to this question.
Out of the 758 respondents, 15% (115) were aware of policies within their place of business, with the majority of respondents 41% (309) unaware of any workplace policies or procedures particularly orientated toward smartphones. 44% (334) responded that the question was not applicable to them. All participants answered this question.
4.2 Discussion and interpretation of the results
Awareness and concern
Compare phones and age to security awareness
Bb were the most security aware group
Internet banking is true by smartphone antivirus is false and user is aware of computer antivirus need.
A mobile phone is a portable electronic device used to make and receive telephone calls. The mobile phone was first revealed by Dr Martin Cooper from the company Motorola in 1973, it was not until ten years after Dr Cooper’s demonstration that Motorola released its flagship mobile phone the ‘DynaTAC’, this was the world’s first commercially viable mobile phone (Motorola, 2009).
Originally these devices were commercially targeted at businesses and upper class individuals as the cost of the device was very high and the actual usage was severely restricted, due to the technology limitations at this time battery weight was 2kg (Motorola, 2009) and the battery duration would last a maximum of 30 minutes thus making the device impractical and available only to businesses and professional consumers.
‘According to Moore’s Law, the number of transistors on a chip roughly doubles every two years.’ (Intel, 2005)
As Moore stated over thirty five years ago, due to the advancement of processors, battery technologies and overall reduced power consumption, mobile phones have become lighter, smaller, more powerful and longer lasting. Due to these fundamental technological advancements mobile phones have been able to incorporate additional existing technologies such as camera units, sensors and speakers, and often take advantage of Java based applications and features, thus coining the term ‘Feature phone’. Feature phones are more advanced technologically than mobile phones.
The term ‘smartphone’ is ambiguous and many experts fail to agree on a suitable definition. Most smartphone features are not exclusive to a particular category, this project does not intend to make that definition, however for the scope of this project I have listed combined definitions and compared current smartphone features as listed in Figure 3 below.
Most vendors… type more…
Gartner, a world leading authority in information technology research, defines smartphones as ‘A large-screen, voice-centric handheld device designed to offer complete phone functions while simultaneously functioning as a personal digital assistant.’ (Gartner, 2010)
Feature phones can have several of the characteristics as listed below in figure 3, however smartphones have the capability of providing all the capabilities. As a result, any mobile device meeting all conditions of each function in figure 3 can be considered a smartphone under this definition.
Figure Smartphone characteristics
Device is compact and easily transported.
Operating system that allows third party applications.
Device provides multiple methods (wired and wireless) of connecting to both the internet and other devices and networks.
The device contains keyboard, or touchscreen keyboard.
The device has a large and expandable storage facility.
The device provides the ability to perform basic office tasks such as email, take notes and word processing.
The device includes a digital organiser and calendar.
The device supports synchronisation of information with fixed desktop or laptop devices, or online web services.
The mobile device executes voice, text and multimedia message functions.
Accelerometer, light, sound and movement sensors.
A model to measure the maturity of smartphone security at software…
Under this definition of smartphones or Smart Mobile Device (SMD) the following mobile platforms were included:
These mobile platforms were reported to be the top 5 mobile platforms used in 2010
Figure (?) Storage expansion cards
Smartphones currently reside in the top tier of mobile communication technology.
Third party operating system
As previously stated there are many smartphone platforms available, each platform and brand bringing different benefits and functionality. These platforms or operating systems create opportunities for both businesses and personal users. For businesses this increased functionality provides the facility for added employee productivity.
These opportunities exist not just for business and personal users as the opportunity extends to the bad guys too, I will continue to explain further in the document.
A smartphone is defined as ‘A cellular telephone with built-in applications and Internet access’ (PCMAG, 2010)
describes a ‘smartphone’ as a … and … describes it as … I have interpreted these descriptions and define smartphones as not feature phones basically.
All smartphones have generalised functionality, such as input devices (keys, touchscreen) I will go into greater detail regarding the operating features
Botha, et al (2009) point out that early generations of cell phones and PDAs had relatively little storage capability. Johnson (2009) indicates that today’s generation of devices can be quickly and easily upgraded by adding additional storage cards.
The Apple iPhone was the original smartphone (???), first released in June 2007.
Popular, perceived security (apple store, scans for malware?)
Limitations: NO support for flash
Open source, will be biggest
5.3 Blackberry (RIM)
Security architecture built upon military specification, perceived most secure as email encryption (tunnelled) through Canada
Banned in UAE
Owned by Finnish giant Nokia
open sourcing the software opens up the availability of the Source Code to programmers, who can then develop, modify and distribute as they see fit meaning a richer and hopefully what becomes a considerably improved OS very quickly thanks to developer input. http://blog.mobiles.co.uk/mobile-news/symbian-os-goes-open-source/
Most popular globally, acquired by Microsoft?
5.5 Windows mobile
Newest player, least perceived secure device
6 Smartphone role within business environment
7 Malware defined
Continuously evolving, changing creative
Define Malware (Family)
Malware, short for malicious software – http://en.wikipedia.org/wiki/Malware Grimes (2001) defines malware as “any software program designed to move from computer to computer and network to network to intentionally modify computer systems without the consent of the owner or operator”. – Etsebeth, V. (2007)
Sensory malware – Soundminer, a stealthy Trojan with innocuous permissions that can sense the context of its audible surroundings to target and extract a very small amount of HIGH-VALUE DATA.
Collecting company secrets for profit
Crimeware is malicious software that is covertly installed on computers. Most crimeware programs are in fact Trojans. There are many types of Trojans designed to do different things. For example, some are used to log every key you type (keyloggers), some capture screenshots when you are using banking websites, some download other malicious code, and others let a remote hacker access your system. What they each have in common is the ability to ‘steal’ your confidential information – such as passwords and PINs – and send it back to the criminal. Armed with this information, the cybercriminal is then able to steal your money. http://www.kaspersky.com/crimeware
iPad and smartphone rootkits demo’d by boffins http://www.theregister.co.uk/2010/02/23/smartphone_rootkits_demoed/
8 Define Risk to business or individual
8.1 Define Legal implications
Computer related crime
Dishonestly obtaining electronic communication service
‘Section 125 of the Communications Act 2003 creates an offence in relation to dishonestly obtaining use of an electronic communication service with intent to avoid payment of the charge applicable to that service. This offence reflects the continual advancement of technology, thus covering all the diverse types of services available’
Theft of information
Oxford v Moss (1979)
Unauthorised use of a computer: ‘theft of services’
Theft Act 1968, s. 13 “dishonestly uses without due authority, or dishonestly causes to be wasted or diverted, any electricity…”
• Intangible (Computer Misuse Act 1990, s.3)
– unauthorised modification: ‘to impair the operation’, ‘prevent or hinder access’ or ‘reliability’
– ‘denial of service’: The Caffrey problem
• Case law
• Whitaker (1993)
• Lindesay (2000)
– virus writers
• e.g. Pile (1995), Vallor (2003)
Examine who is responsible
Effects and results of infected device on company with each malware type
Security doesn’t exist in products and verbiage alone; it requires a process, people, policies, education, and technologies working together. – http://www.informationweek.com/news/showArticle.jhtml?articleID=6502997
9.2 COBIT 5
Scheduled for release in 2011, COBIT 5 will consolidate and integrate the COBIT 4.1, Val IT 2.0 and Risk IT frameworks and also draw significantly from the Business Model for Information Security (BMIS) and ITAF. http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
9.3 Smartphone security solutions
10.2 Future work
Mobile wallets – customers will be able to transfer funds from their bank account/paypal using their phones via text message (http://www.cs.virginia.edu/~robins/Malware_Goes_Mobile.pdf)
http://en.wikipedia.org/wiki/NirvanaPhone future smartphone
Symbian acquired by Microsoft (biggest OS for PCs), newest player to smartphone market.
As Sensor-rich smartphones become more ubiquitous, sensory malware has the potential to breach the privacy of individuals at mass scales. https://www.cs.indiana.edu/~kapadia/papers/soundminer-ndss11.pdf
PC – Personal computer
PDA – Personal digital assistant
Prosumer – Professional + consumer = advanced consumer (Cisco, 2008)