1. technology and computing
2. consumer electronics
3. telephones
4. mobile phones

Volume 5, Issue 3, March 2015
ISSN: 2277 128X
International Journal of Advanced Research in
Computer Science and Software Engineering
Research Paper
Available online at: www.ijarcsse.com
Special Issue: E-Technologies in Anthropology
Conference Held at Bon Secours College for Women, India
Cyber Crime and Security Issues in Smartphone Technology
N. Elamuhil, K. Durga
2nd Year MCA. Anjalai Ammal - Mahalingam Engineering College,
Kovilvenni, Thiruvarur DT., India
Abstract: Smart phones are becoming a vehicle to provide an efficient and convenient way to access, find and share
information; however, the availability of this information has caused an increase in cyber attacks. Unlike Personal
Computers, they are in one location but smart phone by their very nature move from location to location.
Traditional security software found in personal computers (PCs), such as firewalls, antivirus, and encryption, is not
currently available in smart phones. The number and sophistication of attacks on mobile phones is increasing, and
countermeasures are slow to catch up. Currently, cyber threats range from Trojans and viruses to botnets and toolkits.
Presently, 96% of smart phones do not have pre-installed security software. This research study aims to explore
security risks associated with the use of Android smart phones and the sensitive information. This proposed research
work is focused to identify issues regarding smart phone access, control and security as well as to discover a
programming model to overcome these issues using java and XML platform for remotely track and control the
resources of smart phone and its access.
Keywords: XML, VPN, PKI
I.
INTRODUCTION
The Mobile platforms and technologies are changing rapidly as on today. With the addition of new and
advanced user platforms such as the world's most popular smart phone platforms are now under the verge of being
subdued by the emerging platform namely Google Android. Google Android is one of the most popular mobile
Operating Systems for Smart phones on the market. Fifty percent population of United Kingdom owns a smart phones
Millions peoples of United Kingdom have internet connectivity on their smart phones and access to data services on the
move. These latest mobile platforms such as iPhone, Blackberry and Windows mobiles become one of the top selling
smart phones/tablets. But due to high risk threats to the Google android frameworks, security assessment is required.
Smartphones are becoming very popular almost like desktop and laptops but due to their special characteristics, these
devices provide various security risks which are required to be addressed.
Mobile applications have rapidly grown and made the users to store more data on their mobile devices and
connect their devices to internet more often. Increase in use of the internet creates more security challenges such as
malware threats and viruses similar to desktop environment but since the mobile device operating system is not that
much developed it is more difficult to mitigate the risks. There are a number of technologies that can be implemented on
mobile devices to provide some level of security such as encryption, VPN, firewall and anti-malware scanners. Clearly
malware and viruses are not the only threat to mobile devices. Mobile devices are frequently lost or stolen, they will be
misused by employees and management is not willing to establish the required policy to ensure the security of mobile
devices is enforced. All of these factors are making mobile devices more vulnerable than other types of platforms such as
desktops and laptops.
II.
RELATED WORKS
The threats in the mobile device environment are not only limited to personal users, but it also includes
corporate environments. It was just a few years ago that only business executives were using Smartphones. However,
currently mobile devices are used everywhere in different types of businesses such as sales, management, service and
almost any employee who works outside of the office. Remote connectivity is used for the very same work that portable
laptops were handling in the field previously, such as managing the inventory, sales, client records, voice communication
and email. The only difference is that while laptops are using the same familiar operating systems as a corporate office
workstation, mobile devices are running on unfamiliar operating systems which are still evolving rapidly and whose
security is not appropriately improved. The differences in mobile devices and operating systems that are running on
them with different service providers create a difficult and challenging situation to develop a security baseline in
comparing to Windows/Unix desktop environment where the security has been matured. It has been revealed by a group
of security specialists that if unprotected data such as intellectual property (67%), customer data (40%) and employee
details (26%) which are being carried out in mobile devices get misplaced, it would have dangerous consequences for
the organization. At this time, such a data is being carried on mobile devices by few persons like executive managers but
© 2015, IJARCSSE All Rights Reserved
Page | 152
Elamuhil et al., International Journal of Advanced Research in Computer Science and Software Engineering 5 (3),
March- 2015, pp. 152-157
surely when connectivity and integrity of these devices with corporate networks increases, more data is going to be at
risk due to lack of security on mobile devices. Client-side software vulnerabilities are considered as the most dangerous
types of software vulnerabilities.
Since OS vulnerabilities are mostly covered by security experts, hackers are now concentrating on exploiting the
existing vulnerabilities in applications and software such as Adobe Acrobat, Flash and MS Office. As more applications
are installed on mobile devices, it is
very likely that they will be the target of these kinds of attacks as well [5]. So far, mobile platforms have not been the
target of hackers quite much. At first, hackers were motivated out of curiosity but now the motivations have been
expanded to financial gain. This has led to the theft of a large number of credit card numbers and banking credentials and
creation of botnets all over the world. At the time, hackers have not yet felt the need for exploiting mobile devices but
when they do, features such as speed of data transfer and permanent connectivity makes mobile devices the perfect
devices to be used for sending spam and launching denial of service attacks or as botnets. The more sensitive data is
stored on the phone, the more they attract cyber criminals‟ attention and the more vulnerable they become [6]. In a
recent study [7], it has been identified that less than 2% of companies have encountered a “serious incident” from mobile
devices. However less than half of the same responders mentioned mobile wireless security is important and has the
highest priorities. Mobile threats have been classified into three categories.
a) Physical
b) Mobile network connectivity
c) Malware.
III.
SECURE BOOT
The software installed in a smartphone should not be modified after shipment because doing so could nullify
some of the protection measures implemented during manufacture. Even if the phone is protected by anti-virus software
against malware and by LSM against illicit accesss, tampering with its software can weaken the security function of these
protection technologies.
Secure boot uses digital signature technology to detect software tampering, and it prevents the execution of
software that has been tampered with. A digital signature-created through a combination of a public-key cryptosystem
and hash technology – is used for confirming that data exchanged between the data creator and the data user has not been
illicitly modified.
In the secure boot process, a digital signature of the software(i.e., a “program image”) is created and written into
the smartphone. A function verifies the signature of the program executed on boot-up (i.e., the boot-loader). That is, the
boot-loader reads the boot-strap program image and verifies the digital signature, thereby ensuring the integrity of the
program.
The android os has a linux kernel, and smart phones running android are generally designed in such a manner
that multiple boot-loaders are executer sequentially after the power is switched on before the android system is started
up(figure 1). The image of the primary boot-loader is stored as a non-rewritable program in read-only memory (ROM).
It verifies the image of the secondary boot-loader by verifying the digital signature that has been created and stored in
advance. The secondary boot-loader verifies the image of the linux kernel in the same way.
Power on
Primary
boot -loader
Primary
Boot-loader
Start-up
Secondary
boot loader
Linux
kernel
Memory initialization
Application CPU
Secondary boot-loader
initialization
loading and signature
Linux kernel loading and
verification
signature verification
Secondary boot loader
Linux kernel start-up
Start up
Android
system
Android system start-up
Figure 1 Sequential execution of multiple boot-loaders
3.1 Procedure for creating digital signature
The creator of the digital signature generates a private key and a public key in advance. A hash value, called a
“message digest”, is calculated from the target program image by using a hash function. The creator then encrypts the
message digest by using the private key. The encrypted message digest is used as the digital signature. Subsequently,
the program image and digital signature are written into the internal memory of the smartphone(figure 2).
© 2015, IJARCSSE All Rights Reserved
Page | 153
Elamuhil et al., International Journal of Advanced Research in Computer Science and Software Engineering 5 (3),
March- 2015, pp. 152-157
Program
image
Hash value calculation
Encryption
Message digest
Figure 2
Private
Signature creation process key
kety
signature
Internal
memory
Public
key
In addition, the public key must be stored in advance into a memory region that cannot be rewritten. This is
because the reliability of the digital signature verification would be compromised if the public key itself were rewritten.
An example of the memory arrangement in a smartphone is shown in figure 3.
INTERNAL MEMORY
ROM
FLASH MEMORY
Primary
boot-loader
image
Secondary
boot-loader
image
Linux
kernel
image
Android
system
image
User data
ROM
signature
Public key
signature
Figure 3: Example memory arrangement in Smartphone.
3.2 Procedure for verifying digital signature
When the smartphone is switched on, the primary boot-loader(stored in Rom) is executed. It reads the image of
the secondary boot-loader(stored in flash memory) and acquires the digital signature and public key. It calculates the
hash value of the secondary boot-loader image and compares that value with the message digest in the digital signature
(which is decrypted using the public key). If the values match, the image read from the flash memory is judged to not
have been rewritten, and control is switched to the secondary boot-loader. If they do not match, the image is judged to
have been rewritten, and the start-up process is terminated. The linux kernel is verified in the same manner.
3.3 Operation rules for creating digital signature
If the private key is leaked, digital signature data could be created by a person with malicious intent. To reduce
the risk of leakage, an operation rule for creating signatures should be strictly enforced. For example, the signature
creators should be required to work in a secure location, one that is physically separated from the developers, when they
create signatures.
IV.
PROPOSED SOLUTION
When it comes to mobile networks, the current design of network security known as platform centric security
would not be suitable anymore because it only focuses on the platform and the applications. Mobile data networks
© 2015, IJARCSSE All Rights Reserved
Page | 154
Elamuhil et al., International Journal of Advanced Research in Computer Science and Software Engineering 5 (3),
March- 2015, pp. 152-157
require access to business data anytime and from everywhere and this would create new sets of threats since it
compromises the security of a physically secured network in an organization. Data-centric security has been described in
order to protect the data rather than protecting the devices. The concept of Data-centric security is to place several layers
of security controls on a system. This approach allows a system to use multiple and different sets of methods in order to
defend against any attack. Figure 1 illustrates the Data-centric security where the data should be protected by placing
different layers of security.
Each level of security protects and restricts access to data in different ways. Data-centric security is mostly used
in the defense industry and governmental organizations. These types of organizations use security classification and
security clearance to provide access rights and security measures. For example, a file classified as „SECRET‟ is stored in
secure encrypted networks which in not connected to the open internet. Any type of information has its own level of
importance and in case they get misplaced, they would produce different sets of troubles. To understand the concept of
data-centric security, it is better to think about the consequences if confidentiality, integrity or availability of a particular
file, service or any other data in the organization are compromised. This way, it is possible to provide security measures
to protect any data with any level of importance.
Let‟s have a look at an example to understand the Data-centric security more precisely. In a Platform/network centric
security model, users might be able to use a VPN with a single-factor authenticated such as a password and access the
entire corporate network in order to run applications and modify databases etc. In this example, the layers of security in
the data-centric module are defined as follows: a user logs in to the network through a VPN and this allows him to access
personal data and sales data which are classified as „Level1- Protected‟. If the user tries to access a „Level 2 –
Confidential‟ data, then he would require to use a second factor of authentication such as one time PIN from a physical
token to authenticate himself. The second authentication allows the file to be decrypted using a public key (PKI) and
marks the file as non-locality savable on the device. In case the user requests to access a document that is marked as
„Level 3 – Corporate Secret‟, the system will deny the request once it realizes that the user is using a mobile device.
Layers of Data-centric module are shown in figure 2.
Figure 2. Data-centric Platform
© 2015, IJARCSSE All Rights Reserved
Page | 155
Elamuhil et al., International Journal of Advanced Research in Computer Science and Software Engineering 5 (3),
March- 2015, pp. 152-157
This example applies meta-data classification of data to all the files and application, but this must be extended to
the lowest practical level. In a database that stores customer information, it is possible that all the fields have
classification tag; it is even possible to tag fragments of a file as sensitive it would be handled differently from the rest of
the file. Like any other security control, a balance is required between the requirements of security practices and
usability. At least the users need to come up with a permission group for example „Finance‟ and a group for sensitive
data for example „Level 2 – Confidential‟. All these steps can be easier with the implementation of a proper user
interface which reduces the user interaction. However in order for the system to be successful some level of user
participation is necessary to declare the requirements for protecting a data. It is important that these steps be carried out
precisely, however meta-tagging the data will enable the system to identify the security measurements required to protect
the data automatically. On the other hand, the software is able to scan the file and define a classification level based on
the content of the file. This method may have some problems, but it may be useful in some data environments. Normally,
when a data enters a database, it would be classified based on the field in question without any user interaction.
An organization may perform a threat-risk assessment and implement a security policy based on that. If the
assessment is considered risky, then the data that is generated on the mobile device can be considered. Mobile devices
might not have the ability to create documents with long pages of texts, but they have other abilities such as taking
photos or recording voice and video. It is also important to consider the data stored in the contacts, call register and
calendar of mobile devices critical and prepare appropriate approaches for securing them. When deploying mobile
networks, data-centricity is a useful model to be considered. If right configuration and policies are in place, data-centric
security can effectively and efficiently handle the data-at-rest issue of important information on the mobile devices that
are lost by securely deleting (self-destruct) them after they are inactive for a short time or prevent the downloading of the
information in the first place. This matter can be addressed by solutions provided by other technologies but they each
have their own challenges as well.
An example of these technologies can be the availability of mobile broadband connections that makes cloud
computing possible. By employing a thin-client model it is possible in real time to push the screen image of the data to a
Smartphone instead of the actual data. In this way, it is possible to simplify the playing field by employing remote
desktop or VNC connection to the core network such as a single tunnel to the network, a single application to secure on
the handset and the volatility of the data once the connection is terminated. An important matter that needs to be
addressed is that during inevitable mobile blind spot how security should be implemented by an organization. Most of the
time even when the mobile device is out of wireless service areas, work still requires to be carried out. In such situations,
consideration and policies should be conducted carefully to ensure only the data that is required for the work to be carried
out is stored on the device locally based on parameters that are confidentially predetermined.
To ensure high confidence of data-breach prevention, encryption and deletion measures are required to be
employed in case a security incident or device loss happens. However still much research is required to be carried out on
these new technologies, it is clear that the focus should be toward securing the data and less focus should be given to
trying to build impenetrable perimeter defenses.
V. CONCLUSION
Due to Smartphones highly connected and powerful portable communication skills, their usage is increasing
rapidly and soon they are going to replace portable and desktop computers for many tasks. In order to establish corporate
policy for security, businesses should understand the range of vulnerabilities that a Smartphone is open to. By their very
nature, they are more prone to information theft, password compromises, hacks and theft in general. Organizations have a
lot of time to come up with policies and implement technical procedural measures to ensure security of desktops. But the
rapid shift to the mobile model requires threat-risk assessments, incident handling planning and preparation and user and
administrator training. Mobile devices generate several new threats due to their highly connected natures and unique
portability features which demands appropriate attention. Most of the organizations do not want to spend money and
time on securing the treats that have not yet caused any damaged but for sure there are several vulnerabilities on
traditional workstations and servers that need to be addressed properly. Mobile-targeted malware can steal the corporate
data or cause denial of service and compromise the availability of the resources. It is very important to consider policies
for mobile systems and cover mobile devices in the incident response process because one thing is for sure and that is
incidents would certainly happen someday and you better be ready for them. Integrating data-centric platform security
with anti malware software can be considered as future work to enhance the security of mobile devices even more. In this
way, data stored in databases can be classified and changes made to data by mobile device users can be monitored as well
to ensure unauthorized modification does not occur.
REFERENCES
[1]
1 Farhood Norouzizadeh Dezfouli, 2 Ali Dehghantanha, 3 Ramlan Mahmod, 4 Nor Fazlida Binti Mohd Sani, 5
Solahuddin bin Shamsuddin “A Data-centric Model for Smartphone Security”.
[2]
Yasuhiko abe , Hitoshi ikeda, Masafumi Emura, “Security Technology for Smartphones”.
[3]
Prof. P.L. Ramteke, Dr. D.N. Choudhary, “Smart Phone Access, Control & Security : A survey”.
[4]
B. Hancock, “Hacker Target: Mobile Phones,” Journal of Computers & Security, vol 19, issue 6, pp.494-495,
2000.
[5]
Y. Hao, L. Haiyun, Y. Fan, L. Songwu, Z. Lixia, “Security in mobile ad hoc networks: challenges and
solutions,” IEEE Journal of Wireless Communications, vol 11, issue 1, pp.38-47, 2004.
© 2015, IJARCSSE All Rights Reserved
Page | 156
Elamuhil et al., International Journal of Advanced Research in Computer Science and Software Engineering 5 (3),
March- 2015, pp. 152-157
[6]
The Top Cyber Security Risks, 2009. Available online at www.sans.org/top-cybersecurityrisks [Accessed April
18, 2011].
[7]
A. Dehghantanha, N.I. Udzir, R. Mahmod, “Toward Data Centric Mobile security”, Information Assurance and
Security (IAS) Conference, 2011.
[8]
E. Couture, “Mobile Security: Current threats and emerging protective measures”, SANS Institute, 2010.
[9]
S. Furnell, “Handheld hazards: The rise of malware on mobile devices,” Journal of Computers & Security, vol
2005, issue 5, pp.4-8, 2005.
[10]
Charlie Collins, and Matthias Kaeppler,‖Android in Practice ―, Manning Publications; 1st edition, 2009
© 2015, IJARCSSE All Rights Reserved
Page | 157