Copyright:
Attribution Non-Commercial (BY-NC)
Challenges in Smartphones

Yong Wang, Kevin Streff and Sonell Raman
Dakota State University

Digital Object Identifier 10.1109/MC.2012.288 0018-9162/$26.00 2012 IEEE. This article has been accepted for publication in Computer but has not yet been fully edited. Some content may change prior to final publication.

Abstract: A smartphone carries a substantial amount of sensitive data and thus is very attractive to hackers, making it an easy target. For these reasons, ensuring smartphone security is extremely important. While there are many similarities between smartphone security and regular security, distinct differences exist between the two. The unique characteristics of smartphones make securing them very challenging. In this paper, we summarize smartphone threats and attacks, reveal the unique characteristics of smartphones, evaluate their impact on smartphone security, and explore the countermeasures to overcome these challenges. Many enterprises have started to look into security issues in smartphones. However, these solutions must correspond with the unique characteristics of smartphones. New business models are highly desired to solve security issues in smartphones.

Index Terms: Smartphone, security, threats, attacks.

I. INTRODUCTION

Smartphones overtook PCs in the global market in Q4 2010 [1]. They surpassed feature phones in shipments in Western Europe in Q2 2011 [2]. According to Nielsen's survey in May 2011, smartphone purchases outsold feature phones in the U.S. in the same time frame as Western Europe [3]. Compared to 5.9 billion worldwide mobile phone subscribers, smartphone usage (835 million) still has significant upside [4]. IDC predicts smartphone shipments will approach one billion in 2015 [5].

Many functions have been integrated into smartphones, far surpassing the original functions of a traditional phone. Compared to feature phones, a smartphone usually includes the following elements:

- Pre-installed with a modern mobile operating system, such as iOS, Android, or Windows Mobile.
- Support for a carrier's networks (2G/3G/4G), WiFi connectivity, and Bluetooth. These networks work independently and serve different purposes for voice and data services.
- Access to the Internet. A smartphone provides Internet accessibility through either a carrier's network or a local WiFi hotspot.
- Capable of running third-party applications. These applications can be downloaded from application stores through the Internet.
- Support for MMS messages. A smartphone supports Multimedia Message Service (MMS). A smartphone user can interact with another mobile phone subscriber through these messaging systems.
- Embedded sensors. Smartphone sensors usually include GPS, gyroscopic sensors, and accelerometer sensors.
- Equipped with camera(s) and microphone. A smartphone is often equipped with a high-resolution camera, a microphone, and a speaker.

Among all the characteristics, Internet accessibility is the most important feature of smartphones. Internet accessibility is usually provided through a carrier network via a data plan. Feature phones usually do not have data plans or have limited Internet access.

As smartphones become more popular for personal and business use, their use raises many security concerns [6], [7], [8], [9]. The central data management of a smartphone is very attractive to hackers and makes smartphones easy targets. Viruses emerged in smartphones as early as 2004. Since then, many incidents have been reported of spam, viruses, spyware, and other malicious software. As smartphones continue their rapid growth in the next few years, it is critical to assure smartphone subscribers that these services are reliable, secure and can be trusted.

However, due to the unique characteristics of smartphones, security is very challenging. In this paper, we summarize smartphone threats and attacks, reveal the unique characteristics of smartphones, evaluate their impacts on smartphone security, and explore the countermeasures to overcome these challenges. Practical ways to secure smartphones are also discussed in the paper. To the best of our knowledge, this is the first paper focusing on the uniqueness of smartphones and their impacts on smartphone security.

II. SMARTPHONE THREATS AND ATTACKS

Mobile phone viruses emerged as early as 2004. Since then, significant amounts of malware have been reported in smartphones. In the last seven months of 2011, malware targeting the Android platform rose 3,325 percent [10].

A. Smartphone Threat Model

Figure 1 shows a threat model in a smartphone. The model consists of four parts: a malicious user, malware, a smartphone, and premium accounts/malicious websites.

1) A malicious user publishes malware through application stores or websites.
2) Malware carries threats and attacks while it waits to be downloaded to a smartphone.
3) A smartphone is the target of malware. It carries large amounts of sensitive data, which is very attractive to malicious users.
4) Premium accounts/malicious websites are an escape destination of malware. After infiltrating smartphones, malware aims to control smartphone resources, collect data, or redirect smartphones to a premium account or a malicious website.

Fig. 1. Smartphone Threat Model

A smartphone is divided into three layers in this model: Application layer, Communication layer, and Resource layer.

1) Application (App) layer includes all the applications in a smartphone, such as social networking software, email, text messaging, synchronization software, etc. Malware is usually disguised as a normal application and attracts smartphone subscribers to download it.
2) Communication (COMM) layer includes communication channels to a smartphone. Smartphone communication channels include carrier networks, WiFi connectivity, Bluetooth network, Micro USB port, and MicroSD slot. Malware might spread through any of these communication channels.
3) Resource (RSC) layer includes the flash memory, camera, microphone, and sensors within a smartphone. Since smartphone resources contain sensitive data, malware aims to control these resources and manipulate data from them.

An attack on a smartphone forms a loop from malicious users, through malware, the smartphone (App layer, COMM layer, RSC layer), and premium accounts/malicious websites, back to malicious users. Figure 1 shows such an attack. Malware was downloaded to a smartphone through social networking software via a carrier's network. It hijacked the smartphone's resources and sent MMS messages to a premium account.

B. Services affected

Depending on the malware, smartphone subscribers may endure anything from low-impact issues, such as performance degradation, spam messages and slow operation, to higher-impact problems, such as being unable to receive and make phone calls, financial loss and so on. Figure 2 shows a general malware impact severity to smartphone subscribers.
The impact on a specific smartphone subscriber may be completely different from that on other smartphone subscribers.

Fig. 2. Smartphone Malware Impact Severity (scale from low to high; labels in the figure: spam message, financial loss, invasion of privacy, cannot load apps, ID theft, running slow, battery draining fast, block calls, data leakage)

C. Resources in jeopardy

Certain resources contain sensitive data and are very attractive to hackers. Once malware finds a way into the smartphone, it will try to gain privileges in order to access and control these resources.

- Flash memory: Flash memory can be reprogrammed. With some simple setup, it does not take long to reprogram the flash memory. Malware can be programmed into the flash memory, and it cannot be removed until the user reprograms the flash memory again.
- MicroSD memory card: Smartphones may also support MicroSD memory cards. With a data cable or a card reader, a malicious user can easily disclose the content of the memory card.
- Sensors such as GPS, gyroscopic sensor, accelerometers: GPS reports the location of a smartphone subscriber, and smartphone owners may not want to disclose their location information.
- Camera and microphone: Cameras and microphones can be turned on and off without users' notice. If malware has full control of the smartphone, the smartphone can be transformed into a tapping device.
- WiFi and Bluetooth: A user does not need to physically connect a smartphone to a computer to transfer data. Data can be transferred through WiFi or Bluetooth networks. Data leakage may happen without notice.
- Battery: A smartphone depends on its battery for power. Battery exhaustion attacks can dissipate battery power faster than normal and disable the functions of a smartphone.

D. Malware

Smartphone malware falls into three main categories: viruses, trojans, and spyware. Trojans and spyware are the dominant malware in smartphones [10].

Viruses emerged in mobile phones as early as 2004. They are typically disguised as a game, a security patch, or other desirable applications and are then downloaded to a smartphone. Viruses can spread not only through Internet downloads or memory cards, but also through Bluetooth. Two Bluetooth viruses have been reported in smartphones: Bluejacking and Bluesnarfing. Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-enabled devices (limited range, usually around 33 feet). Bluesnarfing accesses unauthorized information in a smartphone through a Bluetooth connection.

Trojans are another type of malware in smartphones. Most trojans in smartphones are related to activities such as recording calls and instant messages, locating via GPS, and forwarding call logs and other vital data. SMS trojans are one of the largest categories of mobile malware. An SMS trojan runs in the background of an application and sends SMS messages to a premium-rate account owned by an attacker. HippoSMS is one example of malware in this category. It increases users' phone bills by sending SMS messages to premium-rate mobile numbers and also blocks messages from service providers alerting users to the additional charges.

Spyware collects information about users without their knowledge. Spyware has given rise to many concerns about invasion of users' privacy. According to Juniper's 2011 malware report [10], spyware was the dominant type of malware affecting Android phones. It accounted for 63 percent of the samples identified in 2011. A concern about Carrier IQ was recently raised. A Carrier IQ application is usually pre-installed in a smartphone device, and it collects usage data to help carriers make network and service improvements.
Mobile operators, device manufacturers, and application vendors may need this usage information to deliver high quality products and services; however, smartphone subscribers have to be assured what data is being collected and how that data is processed and stored. Smartphone subscribers' privacy needs to be preserved when data is transmitted, processed, and stored.

E. Threats and attacks

Smartphones are under numerous threats and attacks. These threats and attacks are summarized below.

1) Sniffing: There are various ways to sniff or tap a smartphone. In 2010, Karsten showed that GSM's encryption function for call and SMS privacy, A5/1, could be broken in seconds [11]. All GSM subscribers are at risk of sniffing attacks. Further, as eavesdropping software continues to become available and installed in smartphones, smartphone subscribers with 3G or 4G networks are at risk too.

2) Spam: Spam can be carried through emails or MMS messages. Spam messages may include URLs which direct users to phishing or pharming websites. MMS spam can also be used for starting denial of service attacks. The number of U.S. spam text messages rose 45 percent last year to 4.5 billion messages, according to Richi Jennings, an industry analyst.

3) Spoofing: An attacker may spoof the Caller ID and pretend to be a trusted party. Researchers also demonstrated how to spoof MMS messages so that they appeared to come from 611, the number the carriers use to send out alerts or update notifications [12]. Further, base stations could be spoofed too.

4) Phishing: A phishing attack is a way to steal personal information, such as user name, password, credit card account, etc., by masquerading as a trusted party. Many phishing attacks have been recognized in social networking, emails, and MMS messages. For example, many mobile applications include social sharing and payment buttons.
A malicious application can similarly include a "Share on Facebook" button and redirect the users to a spoofed target application. The target application can then request the users' secret credentials and steal the data.

5) Pharming: In pharming attacks, attackers can redirect web traffic in a smartphone to a malicious or bogus website. By collecting the subscriber's smartphone information, specific attacks may follow after pharming attacks. For example, when a user browses a web site in a smartphone, the HTTP header usually includes the smartphone's operating system, browser information, and version number. With this information, an attacker may learn the security leaks of the smartphone and is then able to start specific attacks on the smartphone.

6) Vishing: Vishing is a short term for voice and phishing. It is an attack in which malicious users try to gain access to private and financial information from a smartphone user. By spoofing the Caller ID, the attacker may appear to be a trusted party and trick smartphone users into releasing their personal credentials.

7) Data leakage: Data leakage is the unauthorized transmission of personal information or corporate data. It includes both intentional and unintentional data leakage. Malicious software may steal a person's information, such as contact list, location information, and bank information, and send this data to a remote website. A smartphone owner may be at risk of identity theft due to data leakage from the phone. Business owners or classified users, such as government and military users, have even more concerns about data leakage. ZitMo, a mobile version of Zeus, has been found in Symbian, BlackBerry and Android and could be used to steal one-time passwords sent by banks to authenticate mobile transactions.

8) Vulnerabilities of Webkit engine: A vulnerability in smartphone web browsers is another common attack scenario.
The Webkit engine used by almost all mobile platforms has a certain vulnerability which allows attackers to crash user applications and execute malicious code. In a recent vulnerability revealed by CrowdStrike, the attackers could use the Webkit vulnerability to install a remote access tool to eavesdrop on smartphone conversations and monitor the user locations. The vulnerability has been found in BlackBerry, iOS and Android.

9) Denial of Service (DoS) attacks: Smartphone users also suffer from various DoS attacks.

- Jamming attacks: Smartphones are based on radio communication technology and they are vulnerable to jamming attacks. The communication between smartphones and base stations could be disrupted using jamming devices.
- Flooding attacks: Flooding attacks can be carried out using either text messages or incoming calls. A smartphone could be disabled if it received hundreds of text messages or incoming calls.
- Exhaustion attacks: A battery exhaustion attack is another DoS attack on a smartphone, which causes more battery discharge than is typically necessary.
- Blocking attacks: Blocking features in a smartphone can also be used to start DoS attacks. If a malicious user keeps calling a smartphone user using a blocked phone number, the smartphone subscriber cannot do anything else.

Many attacks could be turned on in a stealth mode. Users may not observe and realize these attacks for days and months. A malicious user can always plant malware in a smartphone first and use it when in need. Table I summarizes these threats and attacks.

TABLE I
SMARTPHONE SECURITY: THREATS AND ATTACKS

| Threats and Attacks | Description |
|---|---|
| Sniffing | Tapping or eavesdropping, e.g., GSM A5/1 cracked |
| Spam | Email spam and MMS message spam, e.g., unsolicited MMS |
| Spoofing | Spoof Caller ID or MMS Sender ID, e.g., spoofed MMS messages from 611 |
| Phishing | Steal personal information using a spoofed target mobile application |
| Pharming | Redirect web traffic to a malicious website and followed by more specific attacks |
| Vishing | Voice phishing by utilizing VoIP technique |
| Data leakage | Unauthorized transmission of data, e.g., mobile virus ZitMo |
| Vulnerabilities of Webkit engine | Vulnerability allowing attackers to crash user applications and execute code, e.g., the Webkit vulnerability revealed by CrowdStrike |
| DoS: Jamming | Jamming radio channel |
| DoS: Flooding | MMS message flooding attacks and incoming phone call flooding attacks |
| DoS: Exhausting | Battery exhaustion attack |
| DoS: Blocking | Use smartphone blocking functions to disable smartphone |

III. SECURITY CHALLENGES AND IMPACTS

Many techniques used to secure desktop and laptop computers can be used for smartphone security, such as anti-virus software and anti-malware software. However, smartphones also have some unique characteristics which make smartphone security extremely challenging. This section reveals these unique characteristics of smartphones, evaluates their impacts on smartphone security, and discusses some countermeasures to overcome the challenges.

A. Smartphones are a consumer product

A smartphone is not perceived as an accessory that people expect to keep for great lengths of time. People view them as devices that are going to get scratched and damaged and will need to be replaced in a limited time span.

Smartphones are consumer products. Different groups of people have different preferences. The wide range of smartphone subscribers also indicates the wide variety of smartphone usage. Smartphones can be used for communication, information, social networking, gaming, entertainment, business enterprise, etc. People have different perspectives on smartphones and thus their needs for smartphone security are also different.
Since a smartphone is a consumer product and it has a wide range of users, there is no single security tool which can be applied to all groups of subscribers. A smartphone business user typically has more concerns about smartphone security than a smartphone gamer and thus is willing to spend more money to ensure smartphone security. Smartphone security tools should meet these needs of smartphone subscribers. It is also desirable for a smartphone security tool to be flexible and configurable to meet different groups' various needs.

B. Smartphones are platform-oriented

A smartphone is pre-installed with a mobile operating system. Unlike desktop operating systems, which are dominated by Microsoft Windows, the majority of the smartphone mobile operating system market is shared by Android, iOS, BlackBerry OS, Symbian, and Windows Mobile [5] (Figure 3).

Fig. 3. Desktop OS and Smartphone OS

Each mobile operating system provides different applications, features, and interfaces. This is great for consumers selecting personalized devices. However, it also means more effort for hardware vendors and smartphone application developers to support these mobile operating systems. Further, for each mobile operating system, multiple versions of the operating system may exist, especially for the Android OS.

The differences between these operating systems dictate that security software for smartphones must also be platform-oriented. Operating systems have different security breaches, and security software must address each of these breaches specifically. Since multiple versions of mobile operating systems exist, it is also important for mobile security software developers to be aware of the version issue and proceed with caution.
Security software must be customized for each mobile platform to deal with multiple operating system issues and multiple version issues.

C. Smartphones are a multiple entrance open system

A smartphone is a multiple entrance open system. Each entrance might be a potential back door for malware. As shown in Figure 1, malware might be disguised as any one of the smartphone applications, and each communication channel might be a potential spread path for malware.

Each attack on a smartphone forms a loop, as discussed in Section II-A. Due to the multiple entrances of the smartphone, in practice, there are many combinations that form an attack loop. To secure a smartphone, the attack loop must be broken. Many approaches can be used to break the loop. For example, a loop cannot be formed if malware is detected, prevented, and removed from smartphones. Alternatively, resource control could also be used to break the attack loop, since the purpose of the malware is eventually to gain access to smartphone resources or manipulate smartphone data.

D. Smartphones are easy targets because of their central data management

Smartphones have been widely used for social networking, web surfing, calendaring, and contact management. Many applications in smartphones cache users' secret credentials and store this information within each smartphone. People also use smartphones for banking, business, and various other purposes. The sensitive data in smartphones may include, but is not limited to:

- Personal information such as home address, phone number, pictures, contact lists, etc.
- Correspondence information such as emails, text messages, MMS messages, call logs
- Credit card information, secret credentials such as user names and passwords
- Files on flash memory or memory card
- Geographic location
- Corporate data

Smartphones carry sensitive data and all of it is located within storage units in smartphones.
Disclosing this data may result in data leakage, financial loss, or invasion of the privacy of smartphone owners.

To protect data in smartphones, encryption techniques could be used. Migrating data from smartphones to the cloud might also be an option to secure data and reduce the risk of data theft in smartphones.

E. Smartphones are resource-constrained devices and are easy to physically tamper

A smartphone is a resource-constrained device. It is powered by a battery and has limited battery life. It needs to be recharged after the battery is drained. Further, a smartphone has limited computational power and memory, and thus cannot be used for extensive computational applications.

Since a smartphone is a resource-constrained device, any security solutions for smartphones need to consider their computational complexity and battery consumption. The enhancement of security in smartphones cannot sacrifice their battery life.

It is also easy to physically tamper with a smartphone. Among all threats and attacks in smartphones, theft and loss are two main concerns. According to a report by Lookout, there were 9 million lost smartphones in the US in 2011, which equals one phone every 3.5 seconds [13]. The results of losing control of a smartphone, even if it is just temporary, such as lending your phone to another person, might be catastrophic. With some simple setup, it is easy to reprogram firmware and flash memory in a smartphone, physically clone the memory card, or install spyware in a smartphone.

Some simple techniques may help to protect against smartphone theft and loss. For example, add a password or enable auto-lock in smartphones. Anti-theft technology, such as remotely wiping sensitive data when a smartphone leaves a secure zone, is also available through third-party applications [14].

F. Smartphones are at high risks with embedded sensors inside

A smartphone is often embedded with many sensors inside. These sensors greatly enrich the functions of a smartphone.
However, the smartphone is also at high risk due to these sensors. For example, researchers found a way to use accelerometers to decipher computer keystrokes. With a 58,000-word dictionary, it can achieve 80% accuracy [15]. As more sensors are planned for installation in smartphones, new threats and attacks might be explored and discovered using these sensors.

Many smartphones provide settings to allow applications to use GPS data and turn cameras on and off. However, this is not enough to protect smartphone owners against the abuse of smartphone sensor data. For example:

- Smartphone applications may abuse their right to use the data and disclose the data to a third party.
- Malware may be disguised as a normal application and request access to GPS data. Smartphone owners may authorize its request.
- Malware may jailbreak a smartphone and gain control of the smartphone sensors.

To reduce the risk of abuse of the embedded sensors in smartphones, real-time resource monitoring is desirable. Further, it is also helpful for smartphones to have certain intelligence to detect and block illegal access to the embedded sensors by utilizing real-time monitoring.

G. Smartphone jeopardizes business operations

Smartphones are now extensively used for both personal and professional use. As companies adopt smartphones for their business, Bring Your Own Devices (BYODs) have recently raised many security concerns for business administrators and IT professionals [16]. BYODs have the benefit of allowing employees to easily access corporate applications and resources. However, it is also difficult to audit and enforce security policy in a personal device.
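Added example (not from the original paper): a minimal sketch of the real-time resource monitoring proposed in Section III-F, replaying a constructed trace of access attempts against per-app grants and blocking the abuse patterns the paper describes. The event fields, rule set, app names, phone numbers and the "900" premium-rate prefix are assumptions made for illustration.

```python
"""Real-time monitor for RSC-layer access attempts (added illustration)."""
from collections import defaultdict, deque
from dataclasses import dataclass

CAPTURE = {"camera", "microphone"}   # resources that can turn a phone into a tap
MESSAGING = {"sms", "mms"}


@dataclass(frozen=True)
class Access:
    ts: int                       # seconds since the start of the trace
    app: str
    resource: str                 # "gps", "camera", "microphone", "sms", ...
    foreground: bool              # app is visible to the user right now
    user_initiated: bool = False  # a user action triggered this request
    dest: str = ""                # recipient number for sms/mms


class ResourceMonitor:
    """Constant-time checks per event, so monitoring stays cheap on battery."""

    def __init__(self, grants, premium_prefixes, gps_limit=3, window=60):
        self.grants = grants                # app -> resources the owner granted
        self.premium = tuple(premium_prefixes)
        self.gps_limit = gps_limit          # background fixes allowed per window
        self.window = window                # window length in seconds
        self._gps = defaultdict(deque)      # app -> recent background fix times

    def check(self, ev):
        """Return (allowed, reasons) for one access attempt."""
        reasons = []
        # Rule 1: block requests for resources the owner never granted.
        if ev.resource not in self.grants.get(ev.app, set()):
            reasons.append("resource not granted to app")
        # Rule 2: camera/microphone use while the app is not visible.
        if ev.resource in CAPTURE and not ev.foreground:
            reasons.append("background capture")
        # Rule 3: SMS-trojan pattern, a premium-rate message nobody asked for.
        if (ev.resource in MESSAGING and not ev.user_initiated
                and ev.dest.startswith(self.premium)):
            reasons.append("unattended message to premium-rate number")
        # Rule 4: a granted app polling location from the background.
        if ev.resource == "gps" and not ev.foreground:
            recent = self._gps[ev.app]
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] >= self.window:
                recent.popleft()            # drop fixes outside the window
            if len(recent) > self.gps_limit:
                reasons.append("background location polling")
        return (not reasons, reasons)


def audit(monitor, trace):
    """Replay a trace; return blocked attempts as (ts, app, resource, reasons)."""
    blocked = []
    for ev in trace:
        allowed, reasons = monitor.check(ev)
        if not allowed:
            blocked.append((ev.ts, ev.app, ev.resource, reasons))
    return blocked


# Constructed sample data: hypothetical apps, grants and fictional numbers.
GRANTS = {
    "maps": {"gps"},
    "flashlight": {"camera"},
    "game": {"gps", "sms"},
    "messenger": {"sms", "mms", "camera", "microphone"},
}
PREMIUM_PREFIXES = ["900"]
TRACE = [
    Access(0, "maps", "gps", True),
    Access(5, "messenger", "sms", True, True, "6055550123"),
    Access(10, "flashlight", "microphone", False),
    Access(20, "game", "sms", False, False, "9005550100"),
    Access(30, "game", "gps", False),
    Access(40, "game", "gps", False),
    Access(50, "game", "gps", False),
    Access(60, "game", "gps", False),
    Access(70, "messenger", "camera", False),
]

if __name__ == "__main__":
    for ts, app, resource, reasons in audit(
            ResourceMonitor(GRANTS, PREMIUM_PREFIXES), TRACE):
        print(f"t={ts:>3}s BLOCK {app}:{resource} ({'; '.join(reasons)})")
```

Rules 3 and 4 block requests that the permission grant alone would allow, which is the case the paper raises when an owner authorizes a disguised application.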
Challenges faced by enterprises with smartphone security include unwillingness to back up, restricting to company-issued phones, and lack of encryption on critical data. Further, although many companies have security policies for smartphones that are used for business, many employees lack awareness of these policies and it is also hard for companies to enforce and audit these policies [9].

It is inevitable that a smartphone includes both personal data and business data. However, there is a lack of separation between personal data and business data in smartphones. One approach is to isolate personal data and business data and enforce a higher security level on corporate data. Moreover, security policy enforcement in smartphones is also desirable for enterprise administrators and IT professionals.

H. There is lack of security awareness among smartphone subscribers and enterprise administrators

With Android reaching 10 billion downloads, about 400,000 applications were available for download at the Android Market as of Jan 2012; however, only a few applications provide security features to Android smartphone users. Unlike on desktop and laptop computers, anti-virus software and anti-spyware are still not popular among smartphone subscribers.

The lack of security awareness is reflected in a reluctance to update firmware and apply security patches. Using packet sniffer software, it is easy for a malicious user to detect a smartphone's operating system and browser information. An attacker can then use known security leaks in a browser or an operating system to start specific attacks. Further, many enterprises allow employees to use smartphones for business. However, many employees do not know the company's security policies or are not aware of the existence of such security policies.

Education of smartphone subscribers is helpful in promoting smartphone security awareness.
Smartphone security policy should also be enforced, and regular auditing of smartphones can be conducted to ensure the security of smartphones.

Table II summarizes these challenges, their impacts, and possible countermeasures for smartphone security.

IV. DESIRED SECURITY FEATURES

A smartphone carries sensitive information, and because of this information, greater security is desired for smartphones. Confidentiality, integrity, and authentication are three of the most desired security services.

1) Confidentiality: Most smartphones provide synchronization between smartphones and computers. In other words, it is possible for another user to access the smartphone file system. Thus, sensitive information should not be stored in a smartphone in plaintext. Encryption techniques should be used.

2) Integrity: Integrity includes two aspects: data integrity and system integrity. For applications in application stores, software integration should be verified to avoid malicious modifications. Further, smartphones should also provide mechanisms to protect system integrity. Unauthorized data access requests from an application should be blocked too.

3) Authentication: Authentication is another desired service in smartphones. As discussed, Caller ID and MMS message Sender ID could be spoofed. A smartphone authentication service will be able to protect smartphone users against those attacks. As femtocells are used to improve both coverage and capacity, authentication becomes important to validate the identity of a carrier.

Smartphone security is challenging due to the unique characteristics of smartphones. There are a couple of security features which are highly desired in smartphones.

A. A smartphone needs the ability to separate sensitive data from nonsensitive data

A smartphone needs to separate sensitive data from nonsensitive data and grant users the flexibility to designate data as sensitive. Allowing this capability of separation in smartphones brings many benefits.
Sensitive data might be an easy target for hackers. However, it is also advantageous to have a clear target to protect instead of spending extra computational power and battery to protect the entire flash or memory card. It is easy to use security techniques, such as encryption and steganography, to protect sensitive data. Isolation of sensitive data is good for business too. Smartphone users can designate corporate data as sensitive data and enforce a higher security level on corporate data.

B. Sensitive data should be encrypted in smartphones

Sensitive data cannot be stored in smartphones in plaintext. Encryption techniques must be used. Memory cards should be encrypted as well. Without the proper decryption key, the contents of the memory card should not be disclosed. Migrating data from smartphones to the cloud is another option to protect sensitive data. Cloud-based intrusion detection techniques could also be used to detect misbehavior and protect sensitive data [17]. However, this option comes at the cost of adding a cloud service and more data usage to smartphone service plans.

C. The enhancement of smartphone security cannot sacrifice battery life

Smartphone security is highly desired. However, any enhancement of smartphone security cannot sacrifice battery life. Smartphones are resource-constrained devices. Public-key cryptography, such as RSA, usually requires more computational power and should be used with caution.

D. Further exploration is necessary regarding smartphone security for business

Many enterprises allow smartphones to be used for business. Employees can either use company-assigned smartphones or use their own devices. In either case, enterprises should provide tools to secure these smartphones. The communication of these smartphones needs to be audited too. Smartphone security for business needs to be further explored.

Digital Object Indentifier 10.1109/MC.2012.288 0018-9162/$26.00 2012 IEEE This article has been accepted for publication in Computer but has not yet been fully edited. Some content may change prior to final publication.

TABLE II
SMARTPHONE SECURITY CHALLENGES, IMPACTS, AND COUNTERMEASURES

| Challenges | Impacts and Countermeasures |
| --- | --- |
| Smartphones are a consumer product | Different groups have different perspectives and security needs. Smartphone security tools should be flexible and configurable. |
| Smartphones are platform-oriented | Multiple operating systems, e.g., Android and iOS, exist. Security software must be customized for each operating system and each version. |
| Smartphones are a multiple entrance open system | Each entrance (Bluetooth or Internet) might be a potential back door for malware. Need to break the attack loop, e.g., malware detection, prevention, and removal. |
| Smartphones are easy targets because of their central data management | A smartphone carries sensitive data, personal and banking information, in a central place. Encryption techniques and migrate data to cloud. |
| Smartphones are resource-constrained devices and are easy to physically tamper | Security solutions must consider computational complexity and battery consumption. Add password or enable auto-lock, anti-theft technology. |
| Smartphones are at high risks with embedded sensors inside | Smartphone sensitive data might be stolen and abused. Resource monitoring and intelligence to block illegal sensor access. |
| Smartphone jeopardizes business operations | It is difficult to audit and enforce security policy in a personal device. Isolate and enforce security policy at a higher security level on corporate data. |
| There is lack of security awareness among smartphone subscribers | Reluctant to update firmware and apply security patches. Education, smartphone security policy enforcement, and audit. |

E. New business models are desired to achieve smartphone security

Many enterprises have started to look into security issues in smartphones [9], [10]. However, solutions must be designed in consideration of the unique characteristics of smartphones. It is currently left to smartphone subscribers to install and ensure the security of smartphone applications. However, security should not be the sole responsibility of smartphone owners. It requires collaboration among mobile users, service providers, and industry partners. New business models for smartphone security are highly desired.

F. Easy ways to help secure smartphones

Smartphone security is challenging and complicated. However, there are also some easy ways to help secure smartphones.

1) Increase security awareness: A smartphone is the same as your desktop or laptop computer. It can be hacked, infected, or phished. Smartphone subscribers should be aware of smartphone threats and attacks when installing software [18] or granting software the privilege to access flash storage or smartphone sensors.

2) Apply password and auto-lock after a period of time: Most smartphones support password and auto-lock functions; enable these features to protect your smartphone.

3) Do not store data you cannot afford to lose in smartphones: It is easy for a smartphone to be lost or stolen.

4) Back up smartphone data regularly: Sync your smartphone with a computer on a regular basis. Always keep a backup of your smartphone data.

5) Turn off Bluetooth: Viruses can spread through Bluetooth in your smartphone. Turn off Bluetooth when you are not using it.

6) Do not use unsecured WiFi hotspots to connect to the Internet: Packet sniffer software like Wireshark may disclose useful information from smartphone data traffic.

7) Use a smartphone security tool: Secure your phone using a reliable and trusted smartphone security tool.
8) Install anti-theft technology: Check with your smartphone or service provider to find out whether they provide anti-theft technology, such as remotely erasing data or resetting the smartphone to its default state.

There are some subtle signs which may indicate that a smartphone is under attack. For example, the cell phone battery is warm even when the phone has not been used; the cell phone lights up at unexpected times, including occasions when the phone is not in use; there are unexpected beeps or clicks during phone conversations; and so on. When these happen, be alert and have a security professional check your smartphone.

V. CONCLUSION

Securing smartphones is a challenging task due to their unique characteristics. These unique characteristics include: smartphones are consumer products, they are resource-constrained devices, they have embedded sensors inside, etc. This uniqueness has many impacts on smartphone security, and it must be considered when a security solution is proposed. There are certain security features which are highly desired in smartphones, for example, the ability to separate sensitive data from nonsensitive data, encrypt sensitive data, preserve a smartphone's battery, and so on.

A smartphone has functions far beyond making or receiving a call. A smartphone is a mobile platform, and it is capable of running many applications like a desktop or a laptop computer. A smartphone is certainly a phone. However, it can also be a wallet, a credit card, or a mobile bank. Be aware of the threats to your smartphone and treat the device like a real credit card or wallet. As more functions and services emerge in smartphones, smartphone security becomes critical. A new business model is highly desired to solve the complex and numerous smartphone security issues.

REFERENCES

[1] IDC, "Mobile phone market grows 17.9% in fourth quarter," Jan 2011.
[2] IDC, "Smartphones outstrip feature phones for first time in western europe as android sees strong growth in 2011," Jun 2011.
[3] Nielsen, "In US, smartphones now majority of new cellphone purchases," Jun 2011.
[4] ITU, "Key global telecom indicators for the world telecommunication service sector," Nov 2011.
[5] IDC, "Worldwide smartphone market expected to grow 55% in 2011 and approach shipments of one billion in 2015," Jun 2011.
[6] N. Leavitt, "Mobile security: Finally a serious problem?" Computer, vol. 44, no. 6, pp. 11–14, June 2011.
[7] W. Jeon, J. Kim, Y. Lee, and D. Won, "A practical analysis of smartphone security," in Proceedings of the 2011 international conference on Human interface and the management of information - Volume Part I, ser. HI'11. Berlin, Heidelberg: Springer-Verlag, 2011, pp. 311–320.
[8] N. Husted, H. Saïdi, and A. Gehani, "Smartphone security limitations: conflicting traditions," in Proceedings of the 2011 Workshop on Governance of Technology, Information, and Policies, ser. GTIP '11. New York, NY, USA: ACM, 2011, pp. 5–12.
[9] "Mobility and security: Dazzling opportunities, profound challenges," McAfee, Tech. Rep., May 2011.
[10] "2011 mobile threats report," Juniper Networks, Tech. Rep., February 2012.
[11] K. Nohl, "Attacking phone privacy," in BlackHat 2010 Lecture Notes, July 2010.
[12] Z. Lackey and L. Miras, "Attacking SMS," in BlackHat 2009, July 2009.
[13] Lookout, "Lookout projects lost and stolen phones could cost u.s. consumers over $30 billion in 2012," Mar 2012.
[14] "Virginia Tech cybersecurity breakthrough keeps sensitive data confined in physical space, engineering team says," BLACKSBURG, Va., October 2011.
[15] P. Marquardt, A. Verma, H. Carter, and P. Traynor, "(sp)iphone: decoding vibrations from nearby keyboards using mobile phone accelerometers," in Proceedings of the 18th ACM conference on Computer and communications security, ser. CCS '11. New York, NY, USA: ACM, 2011, pp. 551–562.
[16] J. Burt, "BYOD trend pressures corporate networks," eWeek, vol. 28, no. 14, pp. 30–31, Sep 2011.
[17] A. Houmansadr, S. Zonouz, and R. Berthier, "A cloud-based intrusion detection and response system for mobile phones," in Dependable Systems and Networks Workshops (DSN-W), 2011 IEEE/IFIP 41st International Conference on, June 2011, pp. 31–32.
[18] D. Barrera and P. Van Oorschot, "Secure software installation on smartphones," IEEE Security and Privacy, vol. 9, no. 3, pp. 42–48, May 2011.

Yong Wang is an Assistant Professor in the National Center for the Protection of the Financial Infrastructure at Dakota State University. His research interests include wireless networks, optical networks, smartphones, and related security and privacy issues. He is a member of IEEE and IEEE ComSoc. Contact him at yong.wang@dsu.edu.

Kevin Streff is the Director of the National Center for the Protection of the Financial Infrastructure. He has over 15 years of significant I.T. and information security experience and has extensive experience in the financial services/banking industry. He is also the founder of Secure Banking Solutions, a security consulting firm focused on improving security in community banks across the country. Contact him at kevin.streff@dsu.edu.

Sonell Raman is a second-year graduate student at Dakota State University majoring in Database Management. He received his Bachelor's degree in Computer Science and Engineering at JNTU from Hyderabad, India. His research interest as a Graduate Assistant at DSU includes Smartphone Security with respect to mobile applications.
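Sections IV-A through IV-C ask for sensitive data to be separated from nonsensitive data, encrypted, and protected without heavy computation. The class below is an added example, not code from the paper: a hypothetical `SensitiveStore` that encrypts only the records flagged sensitive, using symmetric AES-GCM from the standard Java crypto API instead of public-key operations, and it assumes a real app would hold the key in a platform keystore.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

// Added example: only records flagged sensitive are encrypted; the rest stay plaintext.
public class SensitiveStore {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecretKey key;   // assumption: a real app keeps this in a platform keystore
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, byte[]> store = new HashMap<>();
    private final Set<String> sensitive = new HashSet<>();
    public SensitiveStore(SecretKey key) { this.key = key; }

    private Cipher gcm(int mode, String name, byte[] buf) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(TAG_BITS, buf, 0, IV_LEN)); // IV = first 12 bytes
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8)); // bind ciphertext to its record name
        return c;
    }
    public void put(String name, String value, boolean isSensitive) throws Exception {
        byte[] data = value.getBytes(StandardCharsets.UTF_8);
        if (isSensitive) {
            byte[] iv = new byte[IV_LEN];
            rng.nextBytes(iv);     // fresh random IV per record; never reuse one with the same key
            byte[] ct = gcm(Cipher.ENCRYPT_MODE, name, iv).doFinal(data);
            data = Arrays.copyOf(iv, IV_LEN + ct.length);   // stored form: IV || ciphertext || tag
            System.arraycopy(ct, 0, data, IV_LEN, ct.length);
        }
        if (isSensitive) sensitive.add(name); else sensitive.remove(name);
        store.put(name, data);
    }
    public String get(String name) throws Exception {
        byte[] data = store.get(name);
        if (data == null) return null;
        if (!sensitive.contains(name)) return new String(data, StandardCharsets.UTF_8);
        // doFinal throws AEADBadTagException if the record was altered or the key is wrong.
        byte[] pt = gcm(Cipher.DECRYPT_MODE, name, data).doFinal(data, IV_LEN, data.length - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SensitiveStore s = new SensitiveStore(kg.generateKey());
        s.put("ringtone", "chime.mp3", false);               // constructed sample records
        s.put("bank_note", "constructed-sample-value", true);
        System.out.println(s.get("ringtone") + " / " + s.get("bank_note"));
    }
}
```

Because GCM is authenticated, a sensitive record that has been tampered with fails to decrypt instead of returning altered plaintext, which also covers the data-integrity requirement in Section IV.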