
RUNNING HEAD: OVERVIEW AND ASSESSMENT OF MOBILE SECURITY

Overview and Assessment of Mobile Security

By

Jim Palazzolo

Eastern Michigan University



Abstract

With the introduction of the Java (www.oracle.com/us/technologies/java) application development language and other languages that allow for network application development, an individual or an organization has the ability to connect anywhere on the globe with a mobile device. Mobile devices have become common among individuals and organizations. Smart phones and Personal Data Assistants now have the ability to interface with multiple networks and take advantage of cloud computing. The robust features allowed through these devices also come with inherent risks. As new devices are created, new vulnerabilities arise to be exploited. This essay gives an overview of mobile devices, new security standards, and applications that help to mitigate the risks involved with mobile computing.

Overview and Assessment of Mobile Security

As computers move from Local Area Network based systems to wireless network systems, the use of mobile computing has been on the rise. In response to this growth, cellular devices that were originally designed to handle only voice data streams now have the ability to handle complex network protocols. One example is smart phones developed with the Android operating system (www.android.com). This system is capable of internet browsing, application downloads, uploads of information, email, and network protocol manipulation. Many of these devices are capable of running Java, a language that is widely used in many internet applications. All of the devices have some form of keyboard integrated with the device, allowing the user text input. The reality is that the laptop computer is slowly being replaced by smaller cellular devices or more robust Personal Data Assistants (PDAs). This transition reduces the cost for the consumer to enter into this powerful technology, as well as increasing the overall number of devices in use.

Some mobile device manufacturers have also offered the source code to the device for public use. This has generated a second industry for the development of applications that can be directly downloaded to the mobile device. Private and commercial users now have the ability through third party application development to tailor their mobile device to their needs. However, not all mobile devices have the ability to customize their application base. As a result, the devices that do not have application customization are slowly being phased out of the market in exchange for those that do.



Mobile Computing and Security

Due to the widespread dissemination of this technology to the common user, the attack surface for malicious behavior grows exponentially. It is common knowledge within the information technology security community that more attacks will target an architecture with a larger number of systems at its base than one with a smaller number of systems at its base. Therefore, with this common body of knowledge, it is the researcher’s opinion that mobile devices will become a viable attack surface for malicious behavior. In 2006 writer Joseph C. Panettieri stated:

“More than 100 viruses now target smart phones running mobile operating systems from Microsoft Corp. (www.mircrosoft.com), PalmSource Inc. (www.palmsource.com), and Research in Motion Ltd. (www.rim.com), to name a few. Imagine if those viruses could infiltrate a WiFi Connection and crawl from students’ smart phones onto your school’s servers, desktops, and notebooks, contaminating your district’s most critical data” (Panettieri, 2006).

It is the researcher’s opinion that recent innovations have made this concept a reality. By empowering individuals to develop applications with open source technology, the dissemination of such information has helped to grow the number of malicious applications targeting mobile devices.

However, writer Sandra Kay Miller states:



“This is a particular problem because wireless devices, including smart cellular phones and personal digital assistants (PDAs) with Internet access, were not originally designed with security as a top priority.” (Miller, 2001).

It is the researcher’s opinion that the above statement reinforces the idea that those who wish to do harm will look for areas with lower risk of being caught. Typically such areas are those with little to no security to defend against malicious behavior.

Although the risks to security in mobile devices are increasing, other innovations have led to the use of mobile devices as security tools. The National Institute of Standards and Technology has recently recognized the use of Intrusion Detection Systems as software agents on mobile devices (Jansen, Mell, Karygiannis, & Marks, 1999). There are several IDS agents of various performance levels being developed. The following is a list of agents from the NIST document and their primary functions.

• Hummingbird:

o Developed by the University of Idaho, project [FRIN98] (Jansen, Mell, Karygiannis, & Marks, 1999).

o “The Hummingbird system is a distributed system for managing misuse data. While the system uses some agent technology, the agents are not autonomous, nor are they mobile. Only the data collection is distributed and control remains centralized. Emphasis is placed on sharing security relevant data among sites having different security domains” (Jansen, Mell, Karygiannis, & Marks, 1999).

• Autonomous Agents for Intrusion Detection (AAFID)



o Developed by Purdue University [BALA98] (Jansen, Mell, Karygiannis, & Marks, 1999).

o “AAFID employs a hierarchy of agents. At the root of the hierarchy are monitors, which provide global command and control and perform analysis of information flowing from lower level nodes. At the leaves are agents that collect event information.” (Jansen, Mell, Karygiannis, & Marks, 1999).

Both the Hummingbird and AAFID systems have the ability to detect anomalies within a network. As more mobile devices are attached to networks via VPN, satellite, and the internet, there are growing demands to monitor this traffic for malicious behavior. These applications can also be distributed to mobile devices as a client application connecting them to the host application. Through this connectivity, entities have the ability to monitor their mobile traffic.

Recent developments in mobile security have also led to the creation of guidelines distributed by the National Institute of Standards and Technology. Special Publication 800-124 addresses security issues revolving around mobile devices and provides a rough outline on how to develop a security framework for such devices (Jansen & Scarfone, 2008). However, Special Publication 800-124 does not elaborate on any specific software agent or device platform.

Conclusion

The use of mobile computing is on a steady incline as mobile devices become more powerful and robust. The attraction of mobile computing and cost reduction make these devices an obvious choice for both individuals and organizations. However, like any new development, there are inherent risks involved. In the case of mobile computing, it can be seen that the initial developments did not include security as a top priority. Therefore exploits of known vulnerabilities began to rise to public attention. However, the developers of mobile devices are not entirely at fault for the number of malicious attacks targeting their devices. The ability for individuals to connect to the internet has left a large portion of the fault on the consumer as well. Despite common public knowledge of social engineering and warnings about the safe use of social networks, individuals as well as organizations still participate in behavior that exposes them to increased amounts of risk. However, misuse and lack of security development in initial products will not stop the flow of mobile devices into the public and private sectors of the economy. Conversely, the dilemma of security regarding mobile devices allows for the natural creation of an industry centered on mobile devices. It is the writer’s opinion that the initial lack of security has created both positive and negative effects on the consumer. It is also the writer’s opinion that both of these effects have created increased awareness of the proper handling of mobile devices, as well as industry revenues in the creation of security tools that help mitigate the risks of mobile devices.



References

Panettieri, J. (2006). Don't be out'smarted: the new breed of smart mobile phones will soon pose the biggest danger to your data security. Software companies are gearing up to nullify the threat. (Data security). T H E Journal (Technological Horizons in Education), 33(7), 18.

Miller, K. (2001). Facing the challenge of wireless security. The IEEE Computer Society, 34(7), 16-18, doi:10.1109/2.933495.

Jansen, W., Mell, P., Karygiannis, T., & Marks, D. National Institute of Standards and Technology. (1999). Applying mobile agents to intrusion detection and response (NIST Interim Report (IR) - 6416). Washington, DC: National Institute of Standards and Technology.

Jansen, W., & Scarfone, K. National Institute of Standards and Technology, U.S. Department of Commerce. (2008). Guidelines on cell phone and PDA security (Special Publication 800-124). Gaithersburg, MD: National Institute of Standards and Technology.

Jansen, W., & Karygiannis, T. U.S. Department of Commerce, National Institute of Standards and Technology. (n.d.). Mobile agent security (Special Publication 800-19). Gaithersburg, MD: National Institute of Standards and Technology.
