2010:008

MASTER'S THESIS

Enhancing the Hierarchical Framework Model of Mobile Security

Artjom Vassiljev

Luleå University of Technology


C/D Master thesis
Computer and Systems Sciences
Department of Business Administration and Social Sciences
Division of Information Systems Sciences
2010:008 - ISSN: 1402-1781 - ISRN: LTU-C/DUPP--10/008--SE

Enhancing the hierarchical framework model of mobile security
Artjom Vassiljev
June 2010

Abstract
The purpose of this study was to enhance the Hierarchical Framework Model of Mobile
Security proposed by the researchers from the University of Oulu in order to make
it more technology oriented and include information about attacks and corresponding
protection.
A qualitative study was done that consisted of content analysis and three structured
e-mail interviews with three security professionals. The aim of content analysis was to
identify threat and safeguard domains that can be used to enhance the framework. It
was done by reviewing the current research, technical whitepapers and market offers in
the area of mobile security. During the interviews, respondents were asked to review the
proposed enhancements.
The new framework has the same layer hierarchy, however each layer was modified to
contain three additional sub-layers: threat domains, safeguard domains, and technical
controls. Things that were considered not having any direct security implications on
mobile phones (like multimedia copyright protection) were removed. The focus was on
technical solutions leaving the higher-level mechanisms for future research.
After reviewing the new framework, all interviewees agreed that the new solution is improved over the original. It is easy to use, and can be applied during the risk assessment
process. Several drawbacks were identified in the new version, some of which, however,
were fixed after the review. This goes along with the conclusions that the author draws about
the framework development process. This process should include the following phases:
learning about the problem, analyzing solutions, identifying the abstraction levels, designing, iterating.

Licence
This work is licensed under the Creative Commons Attribution-Noncommercial-Share
Alike 2.5 Sweden License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-sa/2.5/se/ or send a letter to Creative Commons,
171 Second Street, Suite 300, San Francisco, California, 94105, USA.

Acknowledgements
Kudos go to Matus Korman, Ago Poolakese, Michailas Ornovskis, Dimitrios Stergiou,
John Lindstrom, Mats Nordlund, Patrik Frost, Martin Risvold, Sarfraz Iqbal, Dan Harnesk, and Hugo Quinsbert for their help with this thesis.

Contents

1 Introduction
1.1 Mobile computing devices
1.2 The need for protection
1.3 Aim of this study
1.4 Research question
1.5 Scope and delimitation of the study
1.6 Disposition of the document

2 Methodology
2.1 Research type
2.2 Research method
2.2.1 Quantitative research
2.2.2 Qualitative research
2.3 Research strategy
2.4 Data collection
2.5 Analysis
2.6 Validity and reliability

3 Framework theory
3.1 What a framework is
3.2 The need for a framework

4 Background of the study
4.1 A hierarchical framework model of mobile security
4.1.1 Property theory layer
4.1.2 Limited targets layer
4.1.3 Classified applications layer
4.2 Limitations of the framework
4.3 Enhancement process

5 Theory
5.1 NIST guidelines for cell phone and PDA security
5.1.1 Threats
5.2 Safeguards
5.2.1 Organization-oriented methods
5.2.2 Discussion

6 Literature review
6.1 Technical controls
6.1.1 Malware protection
6.1.2 Spam
6.1.3 User authentication
6.1.4 Communication interception and eavesdropping
6.1.5 Applications
6.1.6 Virtualization
6.2 Security policies

7 Data analysis
7.1 Interview with AS Stallion
7.1.1 Mobile threats and awareness
7.1.2 Review of enhancements

7.1.3 Analysis
7.2 Interview with Entraction AB
7.2.1 Mobile threats and awareness
7.2.2 Review of enhancements
7.2.3 Analysis
7.3 Interview with Tieto AB
7.3.1 Mobile threats and awareness
7.3.2 Review of enhancements
7.3.3 Analysis
7.4 Cross-case analysis
7.5 After-review modifications

8 The improved mobile security framework model
8.1 Framework

9 Validity and reliability of the study

10 Conclusion
10.1 Results
10.2 Conclusions
10.3 Future research

Appendix A: Interview with Stallion representative
Appendix B: Interview with Entraction representative
Appendix C: Interview with Tieto representative
Appendix D: Document sent to interviewees

List of Figures

3.1 Elements relevant to any piece of research
4.1 Mobile security framework
6.1 NICA authentication methods
6.2 VMware Mobile Virtualization Platform
8.1 Property layer from OULU framework
8.2 Enhanced property layer
8.3 Limited targets layer from OULU framework
8.4 Enhanced system layer
8.5 Application layer from OULU framework
8.6 Application layer
OULU framework model
Property layer
System layer
Application layer

List of Tables

4.1 Framework enhancement
6.1 Authentication methods and corresponding attributes
6.2 Escalation of NICA alert level
6.3 Biometric techniques for mobile devices

Abbreviations

1G, 2G, 3G, 4G (First, second, third and fourth generation mobile phone systems)
NMT (Nordic Mobile Telephony)
DMS (Data and Messaging Service)
SMS (Short Message Service)
GSM (Global System for Mobile communications)
TDMA (Time Division Multiple Access)
iDEN (Integrated Digital Enhanced Network)
CDMA (Code Division Multiple Access)
GPRS (General Packet Radio Service)
EDGE (Enhanced Data rate for GSM Evolution)
IMT-2000 (International Mobile Telecommunications-2000)
UMTS (Universal Mobile Telecommunications System)
DECT (Digital Enhanced Cordless Telecommunications)
WiMAX (Worldwide Interoperability for Microwave Access)
SSD (Shared Secret Data)
3GPP (3rd Generation Partnership Project)
DoS (Denial of Service)
Mbps (Megabits per second)
3-D (Three dimensional)
PC (Personal Computer)
PIN (Personal Identification Number)
GHz (Gigahertz)
IPv6 (Internet Protocol version 6)
MCD (Mobile computing device)
WiFi (Wireless Fidelity)
OS (Operating System)

NIST (National Institute of Standards and Technology)
PDA (Personal Digital Assistant)
LCD (Liquid Crystal Display)
VoIP (Voice over IP)
GPS (Global Positioning System)
JTAG (Joint Action Test Group)
IMEI (International Mobile Equipment Identity)
VPN (Virtual Private Network)
IPT (IP Telephony)
KDA (Keystroke dynamics-based authentication)
NICA (Non-Intrusive Continuous Authentication)
NFC (Near Field Communication)
IDS (Intrusion Detection System)
SIM (Subscriber Identity Module)
SSH (Secure shell)
FTP (File Transfer Protocol)
WWW (World Wide Web)

Life has become more complex in the overwhelming sea of information. And life, when
organized into species, relies upon genes to be its memory system. So, man is an individual
only because of his intangible memory... and memory cannot be defined, but it defines
mankind. The advent of computers, and the subsequent accumulation of incalculable data
has given rise to a new system of memory and thought parallel to your own. Humanity
has underestimated the consequences of computerization.
Puppet Master, Ghost In The Shell

Chapter 1
Introduction
Showing someone your mobile phone will hardly bring an expression of surprise to anyone's
face. Nowadays almost every person has at least one mobile phone, and some
even have several, for personal use and for business/work purposes. It is estimated
by eMarketer [eMarketer.com, 2010] that today almost 45% of the world's population
uses mobile phones, and that by 2014 this number will grow to 53%. A United Nations report
indicates [Division, 2008] that by 2015 there will be about 7.3 billion people on Earth,
which, if translated into numbers, gives us almost 3.7 billion mobile users.

1.1 Mobile computing devices

The history of mobile phones (also named cell phones after the cellular network they
work in) starts as early as 1947, when two Bell Labs engineers proposed hexagonal cells
for mobile phones in vehicles [Ring and Young, 1947]. These were early ideas which later
transformed into the first fully automatic mobile phone system, developed by Ericsson in
1956. One cannot call the telephone clients used there mobile in the meaning we understand
now: those telephones weighed 40 kg back then. One year later a Soviet engineer created
a portable mobile phone which had a range of 20-30 km, a battery life of 20-30 hours, and a
total weight of 3 kg, which was later reduced to 500 g. Fast-forward to the 21st century,
and pocket-sized mobile phones are as common as TVs, cars, or the Internet in every family.
Nowadays we have reached the size limit of the telephone, and the race has begun for the
processing power and memory capabilities of devices. Just like personal computers,
mobile phones are incorporating more powerful processors, 3-D graphics accelerators,
bigger screen sizes, and higher memory amounts. Today's telephone can do everything a
desktop PC could do 5 years ago, from web browsing, to document processing,
to games. And these are not just card games but various 3-D shooters
and strategy games. What we have now is not just a mobile phone, but a mobile computing
device (MCD¹): a computer in the pocket with telephone functionality.
Technology now starts to blur the border between the real world and the virtual one. 3G
networks made it possible to be constantly connected to the Internet. Combined with the
geographical location of a customer and data received from telephone sensors (camera,
audio), this brings a new experience to the user in the form of augmented reality. Users
connect their real life with the virtual.

1.2 The need for protection

With an ever-increasing number of services used on mobile phones, there is a strong need
to save more data. The telephone is now hardly ever used only as an address book. In
addition to this it also has a calendar or a professional organizer, an e-mail client which can
synchronize with the server, document processing software, mobile-commerce software,
and many other programs that help the user live his everyday life. In 2005, research
conducted by Martin Allen [Allen, 2005] concluded that over 80% of new and critical
data is stored on the phone. These devices may therefore tell a lot about their owner. And
not only tell, but also be used, and thus abused, to pose as the original owner.
Back in 2001, research conducted by the Home Office revealed that in England and Wales alone
there were about 700 000 reported crimes that included theft of a device
[Harrington and Mayhew, 2001]. In the article "Mobile phone theft is far worse than
we thought" [Leyden, 2002] John Leyden cites research by the Continental Group firm
stating that 1.3 million Britons had their phone stolen during 2001. Moreover, 600 000
devices were accidentally dropped into the toilet or other facility, 400 000 into drinks,
and 200 000 were accidentally put into the washing machine. It continues by stating that 1.6
million cellphones were lost. In total, 2.9 million handsets could potentially be
abused by exploiting the information stored on the device. In 2002 F-Secure corporation
estimated [F-Secure, 2002] that 10 mobile devices are lost or stolen in the world every
minute. The survey [Clarke and Furnell, 2005] showed that 34% of users do not use PIN
protection on their phones. Moreover, a study by Karatzouni [Karatzouni et al., 2007] revealed
that besides not using any protection on their phone, a lot of users believe they
have no valuable information that needs protection on their devices.

¹ For easier reading throughout this thesis the term MCD is interchangeable with the terms mobile
phone, cell phone, and handheld device.

Although theft of a personal telephone may have unpleasant consequences, if a corporate
phone with sensitive data gets lost and the information leaks, the results may be far worse. In
2005 Nokia estimated [nok, 2005] that among 650 million corporate e-mail accounts only
10 million were mobilised, but this number was growing fast. In 2003 a Morgan Stanley bank
employee, after leaving the company, sold his supposedly dead mobile phone on eBay
for $15.50 [Zetter, 2003]. Later on the lucky bidder discovered hundreds of confidential
e-mails and a database with more than 1 000 names, job titles, phone numbers, and addresses
of company partners and employees.
A lot of company executives are aware of the problems that come with mobile phone usage;
however, as the survey showed [Ernest-Jones, 2006], while four out of five companies have
thought about the risks that mobile devices pose, only a small part of them have really started
to investigate this problem. This clearly indicates the need for better awareness and
protection of MCDs.

1.3 Aim of this study

There are multiple comprehensive security frameworks for computers and networks, like
COBIT, PCI DSS and ITIL to name a few, and various standards for data protection, like
BS 10012:2009, and network security, like ISO/IEC 27033. There are numerous tutorials
and guides from big vendors like Microsoft (Security guides for Windows family), Cisco
(Cisco security policy builder) and governmental organizations like NIST (SP800-123) on
how to create policies and harden servers, desktop PCs and laptops. There is a lot
of antivirus and malware removal software (F-Secure, Norton, Kaspersky). Most users
are aware of computer threats, computer administrators know how to write policies in
order to protect the computers, and management allocates resources for security. But
we have had personal computers and the Internet for over two decades. The problem with
telephones is that nobody considered them a potential threat due to the very nature
of telephones: just to make calls. Only in recent years has science advanced
to the point where we have a personal computer in the pocket with telephone functions
as a bonus [Clarke and Furnell, 2005].

While searching for guides and standards to use with mobile phones, only one security
framework was found targeted specifically at mobile phones, whose intended audience
is security researchers [Howie et al., 2001]. It is divided into three layers, and gives a
hierarchical view on security problems of mobile phones. Most of the research based
on the above-mentioned framework concentrates only on a specific threat from one of
these layers [Wah, 2002, Pandelidis, 2002, Jin et al., 2007]. Additionally, a NIST guideline
[Jansen and Scarfone, 2008] was found that gives practical hints on protection of
handheld devices including mobile phones. However, it does not allow one to perceive
security as a whole, which in my personal opinion can leave many security problems
unnoticed, e.g. during policy creation. How can these two documents (the mobile
security framework from Oulu and the NIST guidelines) be combined to provide both the
power of a framework and the simplicity of a step-by-step guideline? To find this out, I
look at the works of other authors like Zachman [Zachman, 1987] and others to get an
understanding of what a framework is and why it is needed.
The aim of the study is to explore existing threats to mobile computing devices and
effective ways of protecting against them. Equipped with this knowledge, I intend to enhance
the Hierarchical framework model for mobile security [Howie et al., 2001] in order for
it to be easier to use and to cover the topic in more detail. I want it to become useful not
only for the research community, but also for security professionals who could apply it during
their work.

1.4 Research question

1. How can the Hierarchical² framework model for mobile security be enhanced to
provide a deeper view on security problems and their countermeasures?

1.5 Scope and delimitation of the study

This study covers enhancements to the mobile security framework by merging it with the
NIST guide and other technical safeguards identified during the literature review. This
work concentrates on technical protection mechanisms (without referring to any particular
technology), while higher-level controls (policy, awareness, management) are left
for future research. Additionally, this research does not directly cover any protocol that
a mobile phone or application may use (e.g. VoIP, M-commerce, etc.); however, indirectly the
proposed protection mechanisms can be used to secure a device against attacks exploiting
weaknesses in these protocols. Although the study is conducted in Luleå, Sweden, interviews
are held with professionals from other cities and countries, so structured interviews
are conducted via e-mail.

² Classified according to various criteria into successive levels of layers. Source: Princeton WordNet

1.6 Disposition of the document

Chapter 2 describes the methodology that this study follows for conducting research.
Chapter 3 introduces the concept of a framework. What is it? Why is it needed?
What are its goals?
Chapter 4 gives the description and analysis of the original framework model from
OULU university, and later the enhancement process is shown.
Chapter 5: the review of literature and existing research in the area of mobile security.
Similar research is grouped into domains, which are later used for the enhancement.
Chapter 6: literature review.
Chapter 7: the analysis of interviews is done with the purpose of evaluating the improvements made over the original framework.
Chapter 8: the new enhanced framework is introduced in this chapter.
Chapter 9: discussion about the validity and reliability of the study and its results.
Chapter 10: discussion of the results, conclusion, and future research is done here.
Appendix A: interview with Michailas Ornovskis from AS Stallion
Appendix B: interview with Dimitrios Stergiou from Entraction AB
Appendix C: interview with Patrik Frost from Tieto Corporation
Appendix D: document sent to interviewees
Appendix E: After-review modifications of the framework

Chapter 2
Methodology
This chapter describes methodologies used in the thesis. It begins with the purpose of
this research, the approach being used, continues with the research strategy, data analysis
methods, and concludes with the validity and reliability of theories used and proposed.

2.1 Research type

According to Williams [Williams, 1993], who refers to Sekaran [Sekaran, 2009], there is
a general agreement that research is a systematic and methodical process of inquiry and
investigation that increases knowledge and/or solves a particular problem. Williams continues
that research, as opposed to the process, is essentially a review and synthesis of
existing knowledge, investigation of existing problems and proposal of solutions to them,
exploration and analysis of more general issues, construction and creation of new systems
and procedures, explanation of phenomena and generation of new knowledge. Different
types of research exist, which following Kotler [Kotler et al., 2008] are exploratory,
descriptive, and explanatory research.
Kotler [Kotler et al., 2008] defines exploratory research as research that gathers initial
information in order to help better define problems and suggest hypotheses. It is conducted
because a problem has not yet been clearly defined and no or too little knowledge is
available on the given topic. The goal is to accumulate as much information about the
problem as possible, and to gain familiarity and insights in order to further develop hypotheses
and clearly state problems. The result of such research is not always sufficient to make a
decision on its own, but can otherwise provide significant insight into a given situation.
This fits my study design well, as I try to explore the ways of enhancing the mobile
security framework model and offer it as a solution, which can be further tested with a
quantitative study.

2.2 Research method

In social sciences two main research methods can be applied: Qualitative and Quantitative
research.

2.2.1 Quantitative research

Quantitative researchers seek explanations and predictions that will generalize to
other persons and places. Careful sampling strategies and experimental designs
are aspects of quantitative methods aimed at producing generalizable results. In
quantitative research, the researcher's role is to observe and measure, and care is
taken to keep the researchers from contaminating the data through personal involvement
with the research subjects. Researchers' objectivity is of utmost concern
[Glesne and Peshkin, 1992].

Quantitative research includes extensive definitions early in the research proposal as it
operates more within the deductive model methodology of fixed research objectives.
Researchers try to define all the terms in the beginning of their study and use accepted
definitions from the literature review [Creswell, 2003]. It requires the reduction of
phenomena to numbers so that the researcher can conduct statistical analysis. While it may
use verbal data in the beginning, it is later transformed into numerical data and the
quantitative analysis is made [Smith, 2008].

2.2.2 Qualitative research

In his book [Thomas, 2003] Robert Murray Thomas refers to Denzin and Lincoln's definition
of qualitative research [Denzin and Lincoln, 2005], stating that it is multimethod
in focus, involving an interpretive, naturalistic approach to its subject matter. It means
that researchers study things in their natural environment, trying to make sense of, or
interpret, phenomena in terms of the meanings people bring to them. This type of research
involves the studied use and collection of a variety of empirical materials (case study,
personal experience, introspective, life story, interview, observational, historical,
interactional, and visual texts) that describe routine and problematic moments and meanings
in people's lives.
Maxwell [Maxwell, 2005] describes the qualitative research model as consisting of the
following components:
1. Goals. What is the purpose of the study? Why does it need to be conducted? What
issues will it clarify, and what practices will it influence?
2. Conceptual framework. What is going on with the issues, people, and settings the research
plans to study? What theories, beliefs, and prior research findings will guide
the research? What literature, preliminary problem study, and personal experience
will be drawn on in order to understand the people or issues being studied?
3. Research questions. What problems will this study solve? What phenomena will
it explain that were previously unknown or not understood? What questions will
the research answer, and how are these questions related to each other?
4. Methods. What will be done in order to conduct the study? What approaches and
techniques will be applied to gather and process the data?
5. Validity. Why should the results of the research be trusted? How might they be
wrong? How can the collected data support or challenge the ideas proposed by the
study?
Compared to quantitative research, qualitative research differs mainly in the analysis: it is
textual, and not numerical. The concern is with interpreting what a piece of text means rather
than finding its numerical properties. The qualitative approach is generally about the
exploration, description and interpretation of one's experience [Smith, 2008].
I start my research with the analysis of the existing framework, identifying problematic
places and things that need improvement, using derivative research. I then go on to
explore current threats and safeguards, grouping them together in order to enhance
the framework. Interviews are conducted with security specialists in order to analyze the
improvements of the new framework, and finally conclusions are drawn on the work done. This
work is about exploring. The nature of the data is textual, and the analysis done is the
interpretation of this text. The natural choice is to use qualitative research.

2.3 Research strategy

Among the different qualitative research designs [Leedy and Ormrod, 2009], like ethnographical,
phenomenological, grounded theory, and others, content analysis and case study best fit
this research.
Leavy et al. [Hesse-Biber and Leavy, 2006] describe qualitative content analysis as
follows:
In qualitative content analysis a researcher begins with a topical area which he or
she starts to query from his or her embodied standpoint and epistemological position.
Quickly into the process, the topic is also examined in the relation to the research
question. The researcher does not begin with preconceived codes but rather generates
code categories directly from the data. These codes can range from very literal to
abstract. As code categories emerge from the data the researcher doubles back to
reexamine data applying the new code categories.

Weber [Weber, 1996] indicates the central idea of content analysis as classifying many
words of the text into much fewer content categories. He continues saying that
Each category may consist of one, several, or many words. Words, phrases or other
units of text classified in the same category are presumed to have similar meanings.

In order to find out how to identify various threats to mobile computing devices, corresponding countermeasures and ways of applying them, and then group everything into
domains, content analysis will be applied to already existing research, different scientific
papers and surveys in this area. This literature will be reviewed and analyzed by relevance
to the study as a whole, and to a particular problem, or group of problems (e.g.
papers regarding only virus attacks on mobile phones).
Going back to the research question, this study aims at enhancing the existing framework,
which has a target audience. A case study will help to reach this audience in order
to find out whether the proposed changes really improve the original work. A case study
is defined as an in-depth study of a particular situation rather than a sweeping statistical
survey. It is a method used to narrow down a very broad field of research into one
easily researchable topic [Shuttleworth, 2008]. Although it will not answer the research
question completely, it will give hints and indications, and allow further elaboration and
the creation of hypotheses on a given subject. It excels at bringing the researcher to an
understanding of a complex issue or object, and can extend experience or add strength
to what is already known through previous research [Soy, 1997]. Case studies highlight
contextual analysis of a limited number of events or conditions and their relationships.

2.4 Data collection

The starting point of the study is a literature review that helps to find similar research
and work based on the original framework, analyze varying points of view on the topic,
and find theories to build this work on. This helps me to identify the main weak and strong
parts of the framework by looking at other research that is based on it. This is used to
guide the further search for information that is necessary to modify and enhance the
framework.
A case study is also used as another source of data in addition to literature. The need
for a case study comes when one needs to understand complex social phenomena. Case
study inquiry relies on multiple sources of evidence, with data needing to converge in
a triangulating fashion, and as another result benefits from the prior development of
theoretical propositions to guide data collection and analysis [Yin, 2003]. Case studies
investigate phenomena in their natural context, and can provide a researcher with deeper
understanding.
As the framework enhancement is targeted at security professionals (security technicians,
engineers, officers and other personnel with similar tasks), I use a case study to find out
how well these improvements fit their needs. My aim in using a case
study is to investigate the problem in real life, not just theoretically. This means
that professionals can reflect on their knowledge and experience, project the proposed
solution onto their work, and hypothesize about the improvements made. Such feedback
from this group will help to draw conclusions in the end.
A case study can be done using a variety of evidence: documents, artifacts, interviews, and
observations [Yin, 2003]. Interviews can be focused, semi-structured, problem-centered,
expert, and ethnographic [Flick, 2006]. Structured e-mail interviews are used with respondents due to their distant location (all interviewees are located outside Luleå, Sweden).
While a personal semi-structured interview could bring additional valuable insights
about the area researched, structured interviews are sufficient to provide the necessary
feedback about the proposed enhancements.

Interviews were done with three professionals who all work within the information security
field. The choice of these people was dictated by the enhancement process, which targets this
group. Interviews consist of two parts. The first part investigates the interviewee's awareness
of mobile phone security, what frameworks one applies at work to
conduct risk analysis, and how the data is protected; this will help to find out how useful this
framework is, and what the important parts are (for example, just policy, user awareness,
technology) that people use. The second part of the interview is aimed at reviewing the
proposed enhancements. The questions will help the interviewee to assess the proposed solution,
and later to draw conclusions about the new framework.

2.5 Analysis

Creswell [Creswell, 2003] says that according to Merriam [Merriam, 1991] and Marshall
[Marshall and Rossman, 2006], the processes of data collection and data analysis must be
simultaneous in qualitative research. Throughout the data analysis process, researchers
index and put collected data into as many categories as possible. Themes and patterns
are identified from participants, which the researcher later attempts to explain and understand [Creswell, 2003]. During analysis, data is organized both categorically and
chronologically, indexed, and repeatedly reviewed.
Only data relevant to the research problem is collected, which helps to reduce the amount
of information to be processed. To achieve that, a NIST guideline is used that has a list of
threats and safeguards, which can guide further and deeper research on a topic. Collected
data is then organized into domains for easier understanding and pattern identification.
A new framework is then built from the analysis of the existing data. After
interviews are conducted, a within-interview analysis is done to identify the core points.
A cross-case analysis follows in order to group the results. Based on this analysis, the
research question is answered and conclusions are drawn.

2.6 Validity and reliability

As my subjective interpretation of the problem can influence the results of the study, it
needs to be valid. Validity is defined as the truth or accuracy of the representations and
generalizations made by the researcher; how true the claims made in the study are or how
accurate the interpretations are, according to Moisander and Valtonen [Moisander and Valtonen, 2006].
Yin [Yin, 2003] defines four conditions related to design quality:
- Construct validity: establishing correct operational measures for the concepts being
  studied.
- Internal validity: establishing a causal relationship, whereby certain conditions are
  shown to lead to other conditions, as distinguished from spurious relationships. It is
  used only for explanatory or causal studies, and not for descriptive or exploratory ones.
- External validity: establishing the domain to which a study's findings can be generalized.
- Reliability: demonstrating that the operations of a study, such as the data collection procedures, can be repeated with the same results.
In order to improve the validity of my results, multiple sources of evidence are used. The
work is based on already existing research on the topic, and several interviews are also
held with experienced professionals who validate the results of the study. I also establish
a chain of evidence by explaining my assumptions and providing the foundation for them.
The objective of reliability is to ensure that if the study is conducted using the same
methodology and the same case study described by the investigator, the results and conclusions will be the same. The goal is to reduce the amount of errors and biases. It can
be achieved by documenting all the procedures and making as many steps as operational
as possible, as if someone were watching over the shoulder. All conducted interviews and
materials sent to interviewees before the actual interview are documented.

Chapter 3
Framework theory
How to enhance the framework? Where to start and how to proceed? And what, essentially, is a framework? This chapter introduces the theoretical framework that is used for the
enhancement process.
For the framework to be enhanced, one needs to know what a framework is, how to
develop it, and what are its goals. Having the knowledge about these things will help to
proceed further with improvements.

3.1 What a framework is

There are many definitions of what a framework is, and each refers to a certain domain
it operates in. For example, in programming, as described by Johnson [Johnson, 1997],
a framework is a reuse technique. Ideally, this technology should provide components
that could easily be connected in order to make new systems. John Zachman defines a
framework as a generic classification scheme for design artifacts, that is, descriptive
representations of any complex object [Zachman, 1997]. The idea behind such a classification scheme is to be able to concentrate on selected properties of an object without losing
the holistic perspective. Compared with the Zachman Framework for Enterprise Architecture [Zachman, 1987], a framework in Johnson's sense can be a single instance
of Zachman's framework: the level of abstraction is lower if we describe the enterprise.
However, both definitions share the same goal: to represent the underlying structural
members that support the realization [Martin and Robertson, 1999].
To achieve the balance between the holistic, contextual view, and the pragmatic, implementation view, a framework needs to have the characteristics of any good classification
scheme [Zachman, 1997], or in other words, it should allow for abstractions intended
to:
- simplify for understanding and communication
- focus on independent variables for analytical purposes
- maintain a disciplined awareness of contextual relationships that are significant to
  preserve the integrity of the object
There is not much difference whether the object is physical (e.g. a mobile phone) or
conceptual (e.g. a department); the challenges are still the same [Zachman, 1997].

3.2 The need for a framework

Zachman [Zachman, 1987] attributed the need for his framework to the increased
level of complexity and the scope of design of information systems: it was needed in order to control
the components of the system, their interfaces and integration. The need to view a system
as a whole, and thus to be able to improve decision-making, was also the driving factor for
Gorry and Morton during the development of their framework [Gorry and Morton, 1971].
This enabled them to see, and more importantly to understand, the flow and evolution
of processes and to identify potential problems and benefits of using the technology in supporting management. Going lower to a technical level, Munindar Singh faced similar
problems during his research on multiagent systems [Singh, 1994]: he needed a way to
analyze, specify, design, or implement multiagent systems.

Figure 3.1: Elements relevant to any piece of research

A framework is not an answer to every problem; instead it is a tool for thinking
[Zachman, 1997]. Martin et al. [Martin and Robertson, 1999] add that frameworks are
models of some underlying reality constrained by our points of view; as such, models are
merely a tool employed to objectively understand that reality. To support this idea, I refer
to Checkland and Holwell's figure describing elements of research [Checkland and Holwell, ].
It is shown in Figure 3.1. By using a framework and choosing a relevant methodology one
can learn more about the area of concern.

Chapter 4
Background of the study
This chapter introduces the mobile security framework model from the University of Oulu. Its weak parts are discussed and the plan for the enhancement process is described.

4.1 A hierarchical framework model of mobile security

A group of researchers from the University of Oulu proposed a framework for the systematic research of mobile security [Sun et al., 2001]. It is a hierarchical model in which
mobile security is divided into three layers: property theory, limited targets, and classified applications. Figure 4.1 illustrates the framework and interconnection of its parts
including topic domains.

4.1.1 Property theory layer

The authors indicate five main points to research on this layer: security objectives,
attacks, security mechanisms, security management, and security evaluation. Security
objectives aim at formulating and determining what kinds of security goals are going to
be achieved and to what extent. Attack research aims at analyzing and distinguishing
possible threats and offensive methods from all possible threats. Security mechanisms
try to find effective techniques to fulfill security objectives. In security management,
policies and rules are created, including user training and awareness, relevant to the
administration and maintenance of devices. Security evaluation includes identification
of critical components and vulnerabilities, inspection of performance, and evaluation of
privacy and robustness.

Figure 4.1: Mobile security framework

4.1.2 Limited targets layer

This layer specifies three main targets: mobile networks, mobile computing,
and multimedia.
- Mobile networks. The focus is on the underlying infrastructure that cell phones
  use, like networks and supporting protocols. Topics of research include the security
  of 2G, 3G, and the upcoming 4G networks together with protocols like Mobile IP,
  the use of IPSEC in communication protocols, encryption, authentication, routing,
  and other problems.
- Mobile computing. Two targets are under consideration here: the problem of host
  protection (the physical protection of the device itself and attacks that can come from
  it, like differential power analysis, side-channel attacks, and others), and software
  agent protection (the operating system).
- Mobile multimedia. Protection of multimedia content distributed using mobile devices.

4.1.3 Classified applications layer

Some applications that cannot be successfully implemented without the proper support
of secure mobile networks and a secure computing and media processing environment are put into
the top layer. These applications include, but are not limited to, messaging (SMS, MMS,
e-mail), telephone service (VoIP, IPT, video conferencing), and business applications (mobile
e-commerce).

4.2 Limitations of the framework

The framework model described above proposes a systematic way to conduct an investigation
of mobile phone security based on the hierarchy proposed by its authors. The article gives
a brief explanation of how these layers are interconnected and which topic domains
belong to which layer. Although it is relatively old (9 years old at the time of writing this
paper), it is not bound to technology, which, as the authors say themselves, demonstrates
that the framework can explicitly serve as an effective guide to systematic research of
mobile security. It may be effective (although the authors do not mention any reviews), but
there is always room for improvement, and it can be enhanced.
Most of the studies based on this framework concentrate on a single research domain,
e.g. Multimedia Digital Video Watermarking [Wah, 2002] or Security issues in mobile computing [Pullela, 2002]. When it comes to identifying threats, this framework
alone is not enough. In their study about security implications in mobile commerce over
hotspot networks [Fourati et al., 2004], Fourati et al. use other sources in addition to the
mobile security framework in order to identify security vulnerabilities of
mobile phones. Jin et al. [Jin et al., 2007] also refer to multiple sources to get a more
holistic picture of security threats.
The framework can never be complete and cover absolutely everything, but it can be
improved by introducing more layers and targets in order to make it deeper. For example,
the Mobile computing domain is comprised of Agent, OS, and Terminal objects,
whereas OS can contain authentication methods, which are composed of several types
of authentication mechanisms. Without knowing these details it may be unclear, for example, on
what levels protection operates.
A framework should be easy to use and it should reduce the time spent on solving problems
[Taligent, 1997] (although Taligent refers to frameworks for programming, I feel that this
property can be applied here). In order to achieve the simplicity of a framework, it should
be clear, easy to use and easy to learn. At the moment, this is certainly a drawback in using
the original framework model, as the functions of layers, targets, and their connections are
difficult to follow and understand. The pictures do not help to make this task easier. To make
it more understandable, the hierarchy of the new framework should be clear, connections
between targets and layers must be easy to follow, and the new proposed solution should
be simple to use and apply during projects.
Additionally, Zachman [Zachman, 1997] in his article mentions the neutrality of the framework, which he explains as being independent of tools and methodologies. Although
frameworks are different in nature, the property of being neutral also suits a technical
framework: it should not be bound to any particular technology, which will make it
more flexible and easy to apply in various situations. While the original framework is
already neutral, it is important to note that the new version will keep its neutrality.

4.3 Enhancement process

Table 4.1 shows the mobile security framework described using the Zachman framework.
According to the framework authors [Sun et al., 2001], the purpose of their research is
to provide guidance for conducting systematic research, so their target audience is researchers. This can be mapped to the first level, the Scope (highlighted with yellow).
Looking back at the scope and delimitation of my study, the targets for improvement
can be placed on the table: these are the Scope (yellow), and additionally the System
model and Technology model layers (highlighted with green).
The aim of describing it using the Zachman framework is to indicate what will be enhanced
and not to describe precisely how the enterprise would operate on each level. That is the
reason why Table 4.1 does not describe things thoroughly in regard to the enterprise
model, but rather briefly, so that it can be visually seen what will be done.

| Framework | 1. What | 2. How | 3. Where | 4. Who | 5. When | 6. Why |
| 1. Scope | Solutions to problems | Provide guidance | Mobile world | Researchers | Research project | Challenge, fame |
| 2. Business model | Security safeguards | Security technology | Research domain | Phone and security vendors | Market needs | Money |
| 3. System model | Enterprise policies | Phone procedures | Within the enterprise | CIO/CISO | Policy creation | Resistance to threats |
| 4. Technology model | Suitable device according to usage | Encryption, authentication | Available functions | Security engineer, manager | Risk analysis results | Avoid security breaches |
| 5. Detailed representation | Phone specs (OS, model) | IPhone, Blackberry auth. server | HTC, Blackberry | Technician | Technology availability | Work with new technology |
| 6. Real system | Mobile phone | Calls, internet browsing | Phone device | Company employees | Phone usage policy | Doing business |

Table 4.1: Framework enhancement

Chapter 5
Theory
This chapter describes the theoretical framework that is used to further guide the research.
A NIST guideline is used for this purpose.

5.1 NIST guidelines for cell phone and PDA security

In October 2008 the National Institute of Standards and Technology released Special Publication 800-124, Guidelines on Cell Phone and PDA Security: Recommendations of the National Institute of Standards and Technology [Jansen and Scarfone, 2008].
This document describes mobile devices like cell phones and PDAs in use today and gives
recommendations on the security treatment of such technology. Threats, technology risks
and available safeguards are detailed in the report.

5.1.1 Threats

Many of the threats to MCD are those found for personal computers. Essentially, the threat
list for cell phones is a superset of the profile for desktop computers. Additional threats
are related to the size and portability of the devices, and to their available wireless interfaces
and associated services.
- Loss, Theft, or Disposal. Due to their small size, mobile phones can easily be lost,
  misplaced or stolen. Without proper security measures applied to the device, it
  may become straightforward to gain access to sensitive information that resides on
  the phone or is accessible from it. Manually resetting a device to factory defaults
  before selling or donating it does not necessarily physically delete the data; the
  space may merely be marked as unused, as on desktop computers, where hard
  drive sectors with deleted data are marked by the filesystem as unused but the data is
  still retained there until overwritten. Besides the compromise of information that
  may happen during a theft, a cell phone with active service can be used to place
  international calls, impersonate the user, and be used for service authorization.
- Unauthorized access. A lack of, or weaknesses in, the authentication process may help
  attackers gain access to sensitive information. Clarke et al. showed in a survey
  [Clarke and Furnell, 2005] that many phone users either use very simple PINs or
  passwords, or do not use them at all. For example, before trying other ways, forensic
  investigators try default PINs like 1234 or 0000 assigned by operators. Some devices
  may have backdoor access, like a reserve or master password, which allows full phone
  access. Software and hardware forensic tools exist on the market that make it
  easier to bypass built-in security mechanisms and recover the contents of a telephone.
  Many manufacturers follow the JTAG standard to make it easier to diagnose problems with
  the processor, memory, and other semiconductor chips. Various equipment can be used
  to communicate with a JTAG-compliant component in order to image the contents of
  a locked device. The acquired memory image may contain a lot of sensitive information
  like account passwords, contacts, and other data.
- Malware. There are numerous ways to infect a phone with malware: internet downloads, when a user downloads an infected file directly from the Internet; messaging
  services like SMS [Mulliner and Miller, 2009] and MMS; or an instant messaging program like Skype or MSN. Bluetooth or a memory card is also a popular way to spread
  infection and to become infected. Although malware spreads easily and fast, users usually
  have to run the installer themselves in order for the malware to infect the device.
  This is achieved by different means, most often using various social engineering
  techniques. Malware attacks have been divided into the following categories:
  - Spoofing: Malware provides false information to the user in order for him to
    perform the needed action
  - Data interception: Malware is able to intercept or access data
  - Data theft: Malware is able to collect and send data to the attacker
  - Backdoor: Malware allows the attacker to gain access to the device at will
  - Service abuse: Resident malware can perform actions that will force the user to
    pay higher fees
  - Availability: Malware impacts the integrity and/or availability of the device
    itself or the data stored in it
  - Network access: Resident malware can use the device to perform unauthorized
    network activities (e.g. as part of a botnet)
  - Wormable: Malware can use technology to propagate itself to other devices
- Spam. SMS, MMS, voice messages, e-mail, and instant messages are channels for
  spreading spam. Spam messages may just advertise some goods, or convince users
  to call or send a message to chargeable service numbers, persuade the user to reveal
  account passwords or other information, or to download and install malware.
- Electronic eavesdropping. Most people know that when discussing sensitive
  information on the phone it is important to go to a place where nobody can hear
  you speaking; however, there exist numerous ways to eavesdrop on the conversation. The most direct and obvious way is to install spyware on a device to forward conversations or other information to another phone or server. Researchers have also
  found weaknesses in the CDMA and GSM protocol families which enable them to monitor systems and eavesdrop on conversations [Ryu and Jang, 2006, Barkan et al., 2003].
  There are also known cases in which cell phone switches were modified with malicious
  intent [Prevalakis and Spinellis, 2007]. If a device uses the Internet to communicate,
  a rogue access point may be used to perform a man-in-the-middle attack and hijack
  communications.
- Electronic tracking. For a long time there has existed a way to track users of mobile
  phones by means of triangulation using the cell stations that the mobile phone is connected
  to. Recent advancements in technology like GPS, Google Latitude, and others make
  it easier to find the owner of a device. These services may be used by employees to
  find their way or by an employer to track its workers, or may be abused by attackers to
  spy on people. There have been cases when this service was abused [Pamplin, 2005].
- Cloning. By reprogramming several unique identifiers built into a mobile phone
  into another device, a clone is created that can act as the original. Monitoring
  radio wave transmissions of analog mobile phones made it possible to easily obtain
  the Mobile Identification and Electronic Serial Numbers that are used to create clones.
  While analog telephones are not in wide use today, SIM card cloning can achieve
  similar results, and can be performed by people with basic computer knowledge.
- Server-resident data. Service providers have a lot of services to help their clients
  with various things, like phone and data backup, online address books, enabling
  and disabling services, e-mail exchange, social networking, and many others. Even
  without a modern smart-phone one can make use of these services. However, a lot of
  data is stored on external services to which the employer or telephone users have no direct
  access. Vulnerabilities in the provider infrastructure or its services, or misuse of official
  duties by rogue employees, can lead to data exposure.

5.2 Safeguards

One of the main problems that mobile devices pose to an organization is distinguishing between employee-owned and company-issued equipment. Allowing employee-owned mobile
communication devices may seem like a cost-effective solution for a company; however, it
is only an illusion. The ability to manage and control such devices is hard to achieve,
especially when trying to apply security policies and corporate software. The security
mechanisms briefly described below will reduce the associated risks if applied.
User-oriented methods
Without user participation it is nearly impossible to maintain a high level of security of
devices. Employees should follow procedures and take precautions when using company
devices.
- Physical control. Today a mobile phone can be compared with a credit card: a lot
  of problems will occur if it is lost. While the cost of stolen hardware may be
  minimal to the organization, the problems that may arise from blocked accounts or
  leaked data are far worse. Even lending a device can have security implications
  like misuse, data manipulation, impersonation, and malware installation. The security
  settings of the device can also be weakened to allow further access.
- User authentication. User authentication mechanisms like a PIN and password are
  the first barrier toward deterring unauthorized access to a cell phone. Reading and
  understanding the device documentation may be an essential step, as there may exist
  master passwords or other backdoors to remove the phone protection mechanisms or
  restore forgotten passwords. Company policy for the length and complexity of passwords
  in use must be followed. The use of the same password on handheld devices and
  computer accounts should also be forbidden. Some devices also include a timeout after
  several unsuccessful login attempts, which locks the telephone for a certain period of
  time. The following modes of authentication are the most popular:
  - Proof by knowledge: passwords and PINs.
  - Proof by possession: tokens, such as smart cards.
  - Proof by property: retina scan, fingerprints, voice recognition.
- Data backup. Smartphones can now hold a considerable amount of data, which is
  only limited by the size of the memory card. Using the device as the only repository for
  important information may be dangerous in case of a disaster. In order to preserve
  valuable data it must be regularly backed up to other storage media, for example
  to a central backup device, or synchronized with a desktop computer.
- Reduce data exposure. Keeping passwords, data records, account information, and
  other sensitive information on a high-risk device like a cellular phone should be
  avoided unless it is really needed. In that case all the data should be stored encrypted. Some memory cards also have hardware password protection, which
  can reduce the risk of data exposure. Where available, encryption in communication
  protocols should be used in order to protect data in transit. At the
  end of the device life cycle, data on the phone should be erased by overwriting it several
  times.
- Shun questionable actions. Most mobile malware needs user interaction in order
  to install itself. Content received by SMS, MMS, via an e-mail attachment or over an
  unknown Bluetooth connection may all contain malicious software. Users should
  be aware of security threats and ways of mitigating them.
- Wireless interfaces. An easy way to protect against malware is to simply turn off
  wireless interfaces like Bluetooth, infrared, and Wi-Fi until they are needed.
  The majority of virus programs for mobile phones spread using the Bluetooth channel. Although the Bluetooth protocol has no public vulnerabilities, problems may arise
  from improper vendor implementation.

- Deactivate compromised devices. In order to prevent further spread of viruses and
  worms, it is advised, as with a personal computer, to isolate the device from others until
  the source of the problem is removed. In case the device is lost or stolen, disabling
  service, locking it, or completely erasing the phone data are all useful actions
  that need to be applied. Some corporate-class devices have the ability to wipe data
  upon receiving a special message. A phone can also be disabled from using any cellular
  service by registering its IMEI code in a special provider database.
- Minimize functionality. Telephone vendors provide numerous functions that may
  be helpful; however, an increased number of features and capabilities often opens the door
  to insecurities. Reducing them achieves the opposite effect. The same process of
  hardening [1] computer systems can be applied to mobile devices.
- Security software. Because they face threats similar to those of computer systems, handheld devices
  need antivirus software to protect them from malware and viruses, firewalls, intrusion detection/prevention systems, antispam solutions, device content and memory
  card encryption and wiping software, user authentication alternatives, including
  biometric and token-based mechanisms, and virtual private network software. In
  the corporate environment a centralized approach to security is often needed. The
  following device functions are common examples of what is essential:
  - Device registration
  - Installation of client software, policy rules, and control settings
  - Controls over password length and composition, number of entry attempts
  - Remote password reset
  - Remote erasure or locking of device
  - Controls to restrict application downloads, access, and use
  - Controls over wireless interfaces
  - Controls to restrict camera, microphone, and removable media usage
  - Controls over device content and removable media use
  - Controls over VPN, firewall, antivirus, intrusion detection, and antispam components
  - Remote update of client software, policy rules, and control settings
  - Remote diagnostics and auditing
  - Reporting of device compliance status
  - Denial of services to non-compliant or unregistered devices

[1] Eliminating as many security risks as possible. Source: The Tech Terms Computer Dictionary
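
Several of the centralized functions listed above (device registration, controls over password length and entry attempts, controls over wireless interfaces, compliance reporting, and denial of service to non-compliant or unregistered devices) can be illustrated with a small policy evaluator. This is an added example, not code from the thesis or from NIST SP 800-124; the policy thresholds, field names and device reports are constructed assumptions.

```python
import json

# Constructed baseline. The thresholds are assumptions for this example,
# not values taken from NIST SP 800-124.
POLICY = {
    "min_password_length": 6,
    "max_entry_attempts": 10,
    "storage_encrypted": True,
    "remote_wipe_enabled": True,
    "wireless_allowed": {"wifi"},  # interfaces that may be left switched on
}

# Constructed registry of enrolled device IDs (the "device registration" function).
REGISTERED = {"dev-001", "dev-002", "dev-003"}

# Constructed status reports, as a management agent on each handset might submit them.
SAMPLE_REPORTS = """
[
 {"id": "dev-001", "min_password_length": 8, "max_entry_attempts": 5,
  "storage_encrypted": true, "remote_wipe_enabled": true, "wireless_on": ["wifi"]},
 {"id": "dev-002", "min_password_length": 4, "max_entry_attempts": 5,
  "storage_encrypted": true, "remote_wipe_enabled": true,
  "wireless_on": ["wifi", "bluetooth"]},
 {"id": "dev-003", "min_password_length": 8,
  "storage_encrypted": true, "remote_wipe_enabled": false, "wireless_on": []},
 {"id": "dev-999", "min_password_length": 8, "max_entry_attempts": 5,
  "storage_encrypted": true, "remote_wipe_enabled": true, "wireless_on": []}
]
"""


def _int_or_none(value):
    """Accept real integers only; JSON true/false must not pass as 1/0."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    return None


def evaluate(report, policy=POLICY, registered=REGISTERED):
    """Return a list of findings; an empty list means the device is compliant.

    Every check fails closed: a setting the device did not report is treated
    the same way as a setting that violates the policy.
    """
    findings = []

    dev_id = report.get("id")
    if not isinstance(dev_id, str) or dev_id not in registered:
        findings.append("unregistered device")

    length = _int_or_none(report.get("min_password_length"))
    if length is None or length < policy["min_password_length"]:
        findings.append("password length below policy or not reported")

    attempts = _int_or_none(report.get("max_entry_attempts"))
    if attempts is None or not 1 <= attempts <= policy["max_entry_attempts"]:
        findings.append("entry-attempt limit above policy or not reported")

    for key in ("storage_encrypted", "remote_wipe_enabled"):
        if policy[key] and report.get(key) is not True:
            findings.append(f"{key} is off or not reported")

    enabled = report.get("wireless_on")
    if not isinstance(enabled, list):
        findings.append("wireless interface state not reported")
    else:
        extra = sorted({str(i) for i in enabled} - policy["wireless_allowed"])
        if extra:
            findings.append(
                "wireless interfaces enabled against policy: " + ", ".join(extra))
    return findings


def compliance_report(raw_json=SAMPLE_REPORTS):
    """Map device id -> compliance status, findings and access decision."""
    result = {}
    for report in json.loads(raw_json):
        findings = evaluate(report)
        result[str(report.get("id"))] = {
            "compliant": not findings,
            "findings": findings,
            # Denial of services to non-compliant or unregistered devices.
            "access": "allow" if not findings else "deny",
        }
    return result


if __name__ == "__main__":
    for dev_id, status in compliance_report().items():
        print(dev_id, status["access"],
              "; ".join(status["findings"]) or "compliant")
```
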

5.2.1 Organization-oriented methods

As an extended component of an organization's infrastructure, cell phones need proper
protection. Companies should expand their control over such devices.
- Mobile device usage policy. Organizations should have a security policy in place
  to control the usage of mobile devices and prevent security threats and misuse.
  The security policy defines rules, principles, and practices of how the company treats
  such devices, whether they are issued by the employer or employees can use their
  own. The policy should cover the whole life cycle of the device and reflect the organization's
  point of view about safeguards, the impact of device loss or compromise, and threats
  to the environment.
- Deployment and operational plans. Existing plans can be extended, or new ones created,
  to address issues related to mobile phones. They should describe methods for
  protecting data, authenticating users, responding if a device is stolen or its data
  compromised, and accessing company networks and other resources. These plans should
  also consider any required business applications that will be installed on devices
  and the related risks and safeguards that come from their usage.
- Risk assessment and management. Security is an ongoing process. Risk assessment helps to identify vulnerabilities, threats and potential attacks, identify their
  likelihood of success, and estimate the potential damage in case they are successful.
- Security awareness. User awareness of organizational policy, device usage and
  the threats to security that mobile phones can introduce is one of the key points in
  eliminating incidents. Employees should be trained to have up-to-date knowledge of
  new technology and related problems, and of policy updates.
- Configuration control and management. Configuration control ensures that no
  unauthorized modifications are introduced to the system before, during, and after its
  deployment. It leads to consistency with the organization's security policy. While
  preparing standardized software configurations the following items should be considered: available patches and upgrades to the operating system that affect security,
  unnecessary services and applications that can be eliminated or disabled, necessary
  applications that require installation and proper configuration, user authentication
  and access controls available on the device, other security-related control settings
  available on the device, and certification and accreditation of handheld devices.

5.2.2 Discussion

The NIST 800-124 guideline is a generic technical document that helps organizations
protect mobile phones and other handheld devices. On the other hand, it is just a list
of threats and safeguards without any connection between them. Flø et al. [Flø and Jøsang, 2009] use
this guideline to pick a list of threats and appropriate safeguards. While this may be enough
in the context of their research, it may limit the coverage in a more general
sense. Just listing possible attacks without grouping them or assigning them to higher-level
domains leaves one without knowledge of other similar attacks and where they may come
from.
While NIST 800-124 and the Oulu framework differ in scope, they are
complementary in nature: both target the security of mobile phones, but they
do it from different perspectives. Table 4.1 shows that the
original framework operates on level one, while NIST is on a lower level, close to technology.
Merging them takes the best parts of both in order to produce a new and
enhanced version. This process resembles life and evolution. Life maintains
itself through diversity: constant changes are made by combining chromosomes in
order to get more suitable progeny that can adapt faster to a new environment.
One could speculate for endless hours about whether the produced framework took only the best
parts, and even if it did, whether the combination of these parts made it better or not.
To avoid this, it needs to be tested in real life or reviewed. This is where the case study
comes in.


Chapter 6
Literature review
This chapter builds further on the theory described before. Previous scientific research is
discussed along with market products that are meant to protect cell phones.
Having limited myself to the technical side of the problem, I looked at research that
applies technology to solving problems. Threats may change with time, and so do the
methods of protection against them. While the mobile security framework from the University of Oulu does
not describe any threats and safeguards, and NIST gives a raw list without any connection between them,
this chapter groups them into domains and describes them in more detail.
The result of such grouping will be a deeper view of the security problems related to mobile
phones compared to the initial solutions. This will help to simplify the understanding of
the problem domain even more, as described by [Zachman, 1997]. Moreover, it will show
the relationship between objects, which is lacking in NIST and exists in the Oulu framework only
on a higher level.

6.1 Technical controls

The threats and safeguards described before give a general idea of what can potentially
happen to the device and the information it contains, and how to avoid these problems.
With this information, a further review of research, technical whitepapers and market
products is done. Although scientific research in mobile security and
market products differ considerably, finding out about all possible problems and solutions helps to
group them together and gain a wider overview.
This section has a structured review of the findings. Safeguards are grouped either by the
function they perform (e.g. providing user authentication) or by the threat they protect against
(e.g. viruses/malware). This makes later review and further analysis easier.

6.1.1 Malware protection

Although mobile malware is evolving more slowly [Gostev and Maslenikov, 2009] than was
expected [Kirk, 2009, Coursen, 2007], most of the threats and techniques are created
by security researchers themselves and are later exploited by criminals [Higgins, 2010,
Greenberg, 2009]. Due to this, mobile malware is not yet so widely used; however, most
security vendors offer protection suites that include firewalls, antivirus, and anti-spyware
programs.
Antivirus
Contrary to what it may seem at first, the main problem with virus and malware scanners
lies not in the computation resources (McAfee claims to have less than 200 millisecond
impact on user operations [Furnell, 2006]), but rather in the requirement for the user to
keep the software up to date. While this works without problems on desktop computers,
receiving updates via GPRS or 3G has the potential to hit users with shorter battery life
and bandwidth costs.
Firewall
There is ongoing research on packet filtering firewalls for mobile devices. The approach
proposed by Langendoerfer et al. [Langendoerfer et al., 2007] relies on the application
level gateway updating the firewall rules according to its knowledge of malicious activity
in the network. Additionally, there are several application-layer firewalls on the
market that allow or block certain programs from connecting to the Internet based on
the policy.
Intrusion detection
There are two models of intrusion detection for mobile platforms: host-based and
network-based. In the network-based approach external monitoring is performed, where
the focus is on detecting fraudulent call behavior [Samfat and Molva, 1997] and device
movement patterns [Sun et al., 2004]. These types of intrusion detection systems (IDS)
are usually employed by the data carrier operator on the network level, while a host-based
solution can be used on the cell phone. Halonen et al. [Miettinen et al., 2006] propose a
framework for creating a host-based intrusion detection system for mobile devices. They
argue that network-based IDS alone are not sufficient to offer a good level of protection
and should be combined with a host-based solution.

6.1.2 Spam

There has been little research and few products that protect against spam, due to the low
threat compared to desktop systems. The only channels for spam distribution on mobile
devices are SMS and MMS services. Won Yoon et al. [Yoon et al., 2009] propose a hybrid
spam filtering framework that uses a combination of content-based filtering and challenge
response. Messages classified as spam are marked appropriately or deleted instantly, while
messages that fall into the uncertain region are further classified by sending a CAPTCHA¹ to
the sender. A legitimate user is more likely to answer correctly, whilst a spam bot will most
likely fail.

¹ A CAPTCHA is a program used to verify that a human, rather than a computer, is entering data.
Source: The Tech Terms Computer Dictionary

6.1.3 User authentication

Fong et al. [Fong and Seng, 2009] describe three methods for user authentication, which
can be used alone or combined together for better security. These are something the user
knows (a secret, e.g. a PIN or password), something the user has (a token, e.g. RFID or a
smart card), and something the user is (a biometric, e.g. handwriting or keystroke
dynamics, iris/retina pattern, fingerprint, etc.). Table 6.1 summarizes the corresponding
authenticators and their attributes.

| Authenticator | Knowledge-based | Object-based | ID-based |
|---|---|---|---|
| Commonly referred to as | Password, Secret | Token | Biometric |
| Support authentication by | Secrecy or obscurity | Possession | Uniqueness and personalization |
| Security defense | Closely kept | Closely held | Forge-resistant |
| Traditional method | Combination lock | Metal key | Driver's licence |
| Digital method | Computer password | Key-less car entry | Fingerprint |
| Security drawback | Less secret with each usage | Insecure if lost | Difficult to replace |

Table 6.1: Authentication methods and corresponding attributes

Something user knows
- PIN: The personal identification code is the traditional protection mechanism of the SIM
  card. Many users do not use it at all, do not change the default, or use easy-to-guess
  codes [Clarke and Furnell, 2005]. Although it may not offer strong protection, and
  is meant only to protect the SIM card, not the phone, it introduces one more layer
  of security.
- Phone password: Most modern cell phones can password-protect the
  device using alphanumeric phrases. A study of 32 million passwords indicated that
  users tend to choose very easy-to-guess passwords like "123456" or "password"
  [Center, 2010].
- Unlock pattern: Recently the Android operating system introduced a new authentication
  mechanism that requires the user to draw a pattern on the screen with a finger in
  order to unlock the device. There has been no research on whether this method is
  better than using a password; however, if the telephone screen is not protected with
  a special cover, the finger may leave traces and the unlock pattern can be guessed.
According to O'Gorman [O'Gorman, 2003], the possible attack vectors against systems that are
password-protected are the following:
- Client attack: guessing or brute-forcing the password
- Host attack: accessing the file containing the password
- Eavesdropping: shoulder surfing the password
- Repudiation: claiming that the token was misplaced
- Virus attack: stealing the password using a virus
- DoS: disabling the system by supplying an incorrect password multiple times
The same attacks can also be applied to systems protected by tokens.
Something user has

The token approach relies on the user having something connected physically or via a radio
channel to the mobile device. The SIM card is an example of a token that is used to authorize
the client with the mobile carrier. The main problem lies in users always leaving tokens
connected to the cell phone for convenience. This breaks the whole security.
Recently telephones that make use of NFC technology appeared on the market. Although
this technology is at the moment used for e-tickets, e-parking, and other types of
micropayments, as highlighted in Lindstrom's research [Lindstrom, 2007], near-field
communication can be used to provide authorization by proximity. This idea can be taken
further to offer authorization of users on mobile phones, where an RFID card is kept in the
pocket not far from the device and offers continuous authentication of the user.
Something user is
- Facial recognition: According to Clarke et al. [Clarke and Furnell, 2005], user preference
  for this technology is medium, with high-accuracy results. Already in 2005 the
  Japanese corporation Omron released technology to perform face recognition
  tasks on mobile phones with 99% accuracy [Nakamura, 2005]. With today's mobile platforms
  that are open to developers, like iPhone, Android, Symbian, and Maemo, the
  choice of technology may be bigger.
- Voice verification: Among the biometric techniques in the survey, respondents rated voice
  recognition as very user-friendly, with high accuracy and a low
  integration price [Clarke and Furnell, 2005]. The technology to achieve that
  already existed in early 2000 [Technologies, 2000]. In 2002 at the Cannes GSM
  Congress, Domain Dynamics introduced a smart card-based voice authentication
  system [George, 2002], which requires no additional hardware as the system runs
  on a tamper-proof SIM card. Voice authentication replaces PIN entry, and it requires
  the user to speak a phrase or word while the phone is switched on. Additionally, Das et
  al. [Das et al., 2008] extend the concept of voice authentication to mobile services
  like e-banking and others.
- Keystroke analysis: There has been quite a lot of research in the area of keystroke
  analysis and user authentication based on it [Clarke et al., 2003, Clarke and Furnell, 2007,
  seob Hwang et al., 2009]. While password-based authentication is the most commonly
  used, it becomes vulnerable when the password is stolen. Keystroke dynamics-based
  authentication (KDA) transforms keystroke patterns into timing vectors in
  order to authenticate the subscriber. Clarke et al. [Clarke and Furnell, 2007] concluded
  that two-factor authentication (when KDA is combined with a PIN/password) improves
  the overall reliability of authentication. Both the research of Hwang et al.
  [seob Hwang et al., 2009] and Kang et al. [Kang and Cho, 2009] proved that it is
  possible to achieve low error-rate results using these methods.
- Fingerprint recognition: A small number of handset manufacturers like NTT DoCoMo,
  CECT, and Willcom have introduced built-in fingerprint sensors in order
  to provide better security mechanisms. However, although this authentication
  method increases the level of security, the technique remains intrusive for users
  [Clarke and Furnell, 2005].
- Iris scan: Iris scan is considered to be a technique with high accuracy and
  medium acceptance from users [Clarke and Furnell, 2005]. Although the technology
  already exists, there has been a lack of research in the context of mobile phones. The
  Spanish startup Mobbeel (http://www.mobbeel.com) offers the product BioWallet,
  which is an application for secure information storage. It is able to authenticate
  users by means of handwriting recognition or iris scan.
- Handwriting recognition: Although the handwriting authentication technique has
  existed for a long time, it has not been viewed as an authentication method
  for cellular phones. Solutions like Mobbeel's BioWallet, mentioned in the previous
  item, make use of the handwriting/signature authentication method.
- Hand geometry: While users prefer other methods of authentication, hand geometry
  scan offers high-precision results. Rokita et al. [Rokita et al., 2008] achieved
  high-precision results of 99.82% with a cell phone camera, which indicates that such a
  method can be used, although there are no commercial products that use this
  technology.
- Ear shape recognition: There is not much research in the area of using ear shape
  recognition as a means of authentication on mobile phones, only as a means of
  normal authentication by Iwano et al. [Iwano et al., 2003]. Nevertheless, given the
  appropriate hardware, it would make the authentication process during phone calls
  invisible to the user, as with voice recognition.
- Service utilisation: There are commercial systems that detect user substitution
  according to behavioral patterns, e.g. in banks, to detect if a user, instead of paying
  his regular bills, transfers all his money to another country, or in mobile carriers, to
  detect abnormal behavior like numerous calls to foreign countries if the client never
  did that before. Despite the existence and usage of such systems in big infrastructures,
  they are not used in the mobile context due to the very limited resources. Research
  by Mazhelis and Puuronen outlines the structure of such a system in the mobile context
  [Mazhelis and Puuronen, 2007].
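The keystroke analysis item above describes turning keystroke patterns into timing vectors and combining KDA with a PIN. The following sketch is an added example, not code from the thesis or the cited papers: it builds a timing vector of dwell and flight times from PIN entry, compares it with an enrolled template, and accepts only if both the PIN and the typing rhythm match. The distance measure, the threshold, the PIN and all timings are assumptions constructed for illustration.

```python
import hashlib
import hmac
import statistics

MIN_DEV_MS = 5.0   # floor on per-feature deviation so tiny variances do not dominate (assumed)
THRESHOLD = 2.0    # mean scaled deviation above which the rhythm is rejected (assumed)


def hash_pin(pin, salt):
    """Salted, slow hash so that the stored verifier is not the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_events(keys, dwells, flights):
    """Build (key, press_ms, release_ms) events from dwell and flight times."""
    events, t = [], 0
    for i, key in enumerate(keys):
        release = t + dwells[i]
        events.append((key, t, release))
        if i < len(flights):
            t = release + flights[i]
    return events


def timing_vector(events):
    """Interleave dwell (hold) times and flight (release to next press) times."""
    vec = []
    for i, (_, press, release) in enumerate(events):
        vec.append(release - press)
        if i + 1 < len(events):
            vec.append(events[i + 1][1] - release)   # negative when keys overlap
    return vec


def enroll(vectors):
    """Template: per-feature mean and floored standard deviation."""
    if len(vectors) < 2 or len({len(v) for v in vectors}) != 1:
        raise ValueError("need at least two enrolment vectors of equal length")
    columns = list(zip(*vectors))
    means = [statistics.mean(c) for c in columns]
    devs = [max(statistics.stdev(c), MIN_DEV_MS) for c in columns]
    return means, devs


def rhythm_distance(template, vec):
    """Mean absolute deviation from the template, scaled per feature."""
    means, devs = template
    if len(vec) != len(means):
        return float("inf")          # different number of keystrokes: no match
    return sum(abs(v - m) / d for v, m, d in zip(vec, means, devs)) / len(vec)


def authenticate(events, pin_hash, salt, template, threshold=THRESHOLD):
    """Two factors: what was typed (PIN) and how it was typed (rhythm)."""
    typed = "".join(key for key, _, _ in events)
    pin_ok = hmac.compare_digest(hash_pin(typed, salt), pin_hash)
    dist = rhythm_distance(template, timing_vector(events))
    rhythm_ok = dist <= threshold
    return {"pin_ok": pin_ok, "rhythm_ok": rhythm_ok,
            "accepted": pin_ok and rhythm_ok, "distance": dist}


# Constructed sample data: four enrolment entries of the PIN "4821" by the owner.
SALT = b"constructed-salt"
PIN_HASH = hash_pin("4821", SALT)
ENROLMENT = [
    make_events("4821", [95, 88, 102, 90], [140, 210, 130]),
    make_events("4821", [100, 85, 98, 94], [150, 200, 125]),
    make_events("4821", [90, 92, 105, 87], [135, 220, 138]),
    make_events("4821", [97, 86, 100, 92], [145, 205, 128]),
]
TEMPLATE = enroll([timing_vector(e) for e in ENROLMENT])

OWNER = make_events("4821", [93, 90, 100, 91], [148, 212, 127])
THIEF = make_events("4821", [140, 150, 135, 160], [320, 280, 350])   # knows the PIN
WRONG_PIN = make_events("4812", [93, 90, 100, 91], [148, 212, 127])

if __name__ == "__main__":
    for name, attempt in (("owner", OWNER), ("thief", THIEF), ("wrong PIN", WRONG_PIN)):
        print(name, authenticate(attempt, PIN_HASH, SALT, TEMPLATE))
```

The thief's attempt shows the case the text describes: a stolen PIN alone is rejected because the timing vector is far from the enrolled template.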
Many of these methods can be combined to provide continuous user authentication.
Clarke et al. [Clarke et al., 2008] propose the Non-Intrusive Continuous Authentication
(NICA) architecture, which meets the following objectives:
- Increase security beyond secret-knowledge techniques
- Provide transparent/non-intrusive authentication
- Authenticate the user continuously/periodically throughout the day in order to maintain
  confidence in the identity of the user
- Link the provision of security with service utilisation
NICA uses six biometric methods to provide continuous authentication on handheld devices.
These methods utilise existing technology that is already available on mobile
phones. Only one of these methods, fingerprint scan, is intrusive to users. Figure 6.1 shows
how device capabilities can be used to enhance the authentication process.
While the user performs his normal tasks on the mobile phone, NICA captures biometric samples
and buffers them to ensure that the most recent data is available to enable both scheduled
and on-demand authentication judgements. In order to continuously ensure that the user
is legitimate, NICA schedules periodic authentication judgements during active sessions.
The result is used to set the alert level, which increases if the authentication is deemed to have
failed (as illustrated in Table 6.2).
Apart from scheduled authentication attempts, when the user attempts to start a service
for which an associated security requirement has been specified, NICA will perform an
on-demand judgement. There is a required level of authentication confidence, which is
assigned to each service. The user cannot use the service unless sufficient confidence in
his identity has been achieved. Each service can be configured for various confidence
levels.

Figure 6.1: NICA authentication methods

| Alert level | NICA authentication action |
|---|---|
| | Perform transparent authentication using most recent data in input cache |
| | Perform transparent authentication using remaining data in input cache |
| | Perform transparent authentication using next available input |
| | Issue an intrusive authentication request using a high-confidence method |
| | Issue a further intrusive authentication request using a high-confidence method |
| | Successive authentication failure invokes system lock |

Table 6.2: Escalation of NICA alert level
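The escalation of Table 6.2 and the per-service confidence requirement can be followed in a small simulation. This is an added example, not code from the thesis or from the NICA authors: it numbers the six actions of Table 6.2 as alert levels 1 to 6, maps the accuracy classes of Table 6.3 to a numeric confidence, and resets the alert level after a successful judgement, all of which are assumptions, as are the service names and the sample verdicts.

```python
from collections import deque

# Accuracy classes of Table 6.3 as numbers (the numeric scale is an assumption).
LOW, MEDIUM, HIGH, VERY_HIGH = 1, 2, 3, 4
ACCURACY = {"voice": LOW, "keystroke": MEDIUM, "handwriting": MEDIUM,
            "face": HIGH, "ear": HIGH, "service_utilisation": HIGH,
            "fingerprint": VERY_HIGH, "hand_geometry": VERY_HIGH, "iris": VERY_HIGH}
LOCK_LEVEL = 6   # Table 6.2 lists six escalating actions; numbering them 1..6 is assumed
SERVICES = {"phone_call": LOW, "email": MEDIUM, "banking": VERY_HIGH}   # constructed

class Nica:
    def __init__(self, required_confidence, cache_size=8):
        self.required = dict(required_confidence)   # service -> minimum confidence
        self.cache = deque(maxlen=cache_size)       # input cache of (method, matched)
        self.alert_level, self.confidence, self.locked = 1, 0, False

    def capture(self, method, matched):
        """Buffer a transparently captured sample with the matcher's verdict."""
        if method not in ACCURACY:
            raise ValueError(f"unknown method: {method}")
        if not self.locked:
            self.cache.append((method, bool(matched)))

    def _passed(self, method):
        self.alert_level, self.confidence = 1, ACCURACY[method]

    def _failed(self):
        self.confidence = 0
        self.alert_level += 1
        self.locked = self.alert_level >= LOCK_LEVEL

    def judge(self, intrusive=None):
        """One scheduled judgement; returns the action taken at the current level.
        `intrusive` is the user's reply (method, matched) to an intrusive request."""
        if self.locked:
            return "system locked"
        if self.alert_level <= 3:                      # transparent stages
            if self.alert_level == 3 and not self.cache:
                return "waiting for next input"
            if self.alert_level == 2:                  # remaining data in the cache
                samples = list(self.cache)
                self.cache.clear()
            else:                                      # most recent / next available input
                samples = [self.cache.pop()] if self.cache else []
            good = [m for m, ok in samples if ok]
            if samples and 2 * len(good) > len(samples):   # majority rule (assumed)
                self._passed(max(good, key=ACCURACY.get))
                return "transparent: pass"
            self._failed()
            return "transparent: fail"
        if intrusive is None:                          # levels 4 and 5
            return "intrusive request issued"
        method, ok = intrusive
        if ok and ACCURACY.get(method, 0) >= HIGH:     # high-confidence method only
            self._passed(method)
            return "intrusive: pass"
        self._failed()
        return "system locked" if self.locked else "intrusive: fail"

    def request_service(self, name, intrusive=None):
        """On-demand judgement: grant only at the confidence the service requires."""
        need = self.required[name]
        if not self.locked and self.confidence < need:
            usable = [s for s in self.cache if ACCURACY[s[0]] >= need]
            sample = usable[-1] if usable else intrusive
            if usable:
                self.cache.remove(sample)              # a sample is judged only once
            if sample is not None:
                if sample[1] and ACCURACY.get(sample[0], 0) >= need:
                    self._passed(sample[0])
                else:
                    self._failed()
        return not self.locked and self.confidence >= need

def owner_session():
    nica = Nica(SERVICES)
    nica.capture("keystroke", True)
    log = [nica.judge(),                               # keystroke match gives MEDIUM
           nica.request_service("email"),
           nica.request_service("banking"),            # transparent data is too weak
           nica.request_service("banking", ("fingerprint", True))]
    return log, nica.alert_level

def thief_session():
    nica = Nica(SERVICES)
    for method in ("keystroke", "voice", "face"):
        nica.capture(method, False)
    log = [nica.judge(), nica.judge(), nica.judge()]   # levels 1 and 2 fail, 3 waits
    nica.capture("keystroke", False)
    log += [nica.judge(), nica.judge(),                # level 3 fails, level 4 asks
            nica.judge(("fingerprint", False)),        # level 4 fails
            nica.judge(("fingerprint", False)),        # level 5 fails, system locks
            nica.request_service("phone_call")]
    return log

if __name__ == "__main__":
    print(owner_session())
    print(thief_session())
```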
Table 6.3 shows confidence levels and intrusiveness for each biometric method, taken
from the user survey [Clarke and Furnell, 2005].

| Method | Accuracy | Intrusive to users? |
|---|---|---|
| Ear shape recognition | High | |
| Facial recognition | High | |
| Fingerprint scan | Very high | |
| Hand geometry | Very high | |
| Handwriting | Medium | |
| Iris scan | Very high | |
| Keystroke analysis | Medium | |
| Voice verification | Low | |
| Service utilisation | High | |

Table 6.3: Biometric techniques for mobile devices

6.1.4 Communication interception and eavesdropping

There are around 3 billion users of GSM, and the number is growing even though the
GSM protocol has been proven to be insecure [Nohl and Krißler, 2009, Maximov et al., 2005].
Although UMTS was built with some security in mind, it also has its drawbacks. In order
to avoid call interception, end-to-end encryption must be in place to ensure that data
has not been tampered with or sniffed. The market offers many security solutions that encrypt
both SMS and conversations, such as Ericsson's SIMSEC or PhoneCrypt. Researchers have
also found numerous solutions to this problem, for example a new protocol, smssec,
for short message exchange [Lo et al., 2008].

6.1.5 Applications

There is no way to control precisely whether an application does what it says it will,
unless the source code is available or the application has been reverse-engineered. For some
telephone platforms there is a so-called marketplace where people share their phone
applications for free or sell them. How strict the review process is depends on the
marketplace policy. Applications can be published there without any review, or the
marketplace employees can check whether the program does what it states. While
installing a new program, some mobile phones show only the APIs it will utilize, but
not for what purpose. Enterprise-level devices have the ability to set permissions for
a variety of system calls, like changing device settings, communicating with other devices,
reading e-mail data, and others.
Another idea, offered by researchers at the University of Trento, Italy [Bielova et al., 2009],
is to use security-by-contract (SxC), similar to programming-by-contract. In SxC, the
digital signature not only certifies the origin of the code but also binds the code together
with a contract. The contract describes the features that the application has and the relevant
interactions with the host platform. This contract is then matched against the telephone policy, and
an application whose hidden functions are not listed in its contract will simply fail to start.
The problem here, however, is that the authors assume a global policy for the phone, but the
requirements may differ from one application to another.
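The admission check that security-by-contract implies can be sketched as follows. This is an added example, not the implementation of Bielova et al.: the contract is simplified to a set of declared API uses with limits, an HMAC stands in for the vendor's digital signature, the list of APIs the code uses is assumed to come from a hypothetical static extractor, and the per-application policy override goes beyond the cited scheme to illustrate the limitation noted above. All names, keys and policies are constructed.

```python
import hashlib
import hmac
import json

INF = float("inf")
VENDOR_KEY = b"constructed-vendor-key"            # constructed; stands in for a signing key
GLOBAL_POLICY = {                                 # constructed phone-wide policy
    "net.connect": {"hosts": ["api.example.com"]},
    "sms.send": {"max_per_session": 5},
}
APP_OVERRIDES = {"maps": {"location.read": {}}}   # per-application refinement (extension)


def bundle_signature(key, code, contract):
    """HMAC stand-in for a signature that covers the code AND its contract."""
    canonical = json.dumps(contract, sort_keys=True, separators=(",", ":")).encode()
    message = hashlib.sha256(code).digest() + canonical
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def make_app(code, contract, used_apis):
    """Bundle as shipped: code, contract, APIs found in the code, signature."""
    return {"code": code, "contract": contract, "used_apis": used_apis,
            "signature": bundle_signature(VENDOR_KEY, code, contract)}


def effective_policy(app_id):
    """Global policy, optionally widened or narrowed for one application."""
    policy = dict(GLOBAL_POLICY)
    policy.update(APP_OVERRIDES.get(app_id, {}))
    return policy


def contract_violations(contract, policy):
    """Every claim in the contract must fit inside what the policy allows."""
    problems = []
    for api, claim in sorted(contract.items()):
        rule = policy.get(api)
        if rule is None:
            problems.append(f"{api}: not allowed by policy")
            continue
        # An undeclared rate counts as unbounded and exceeds any finite limit.
        if claim.get("max_per_session", INF) > rule.get("max_per_session", INF):
            problems.append(f"{api}: declared rate exceeds policy limit")
        allowed_hosts = rule.get("hosts")
        if allowed_hosts is not None:
            hosts = claim.get("hosts")
            if hosts is None or not set(hosts) <= set(allowed_hosts):
                problems.append(f"{api}: declared hosts outside policy allowlist")
    return problems


def admit(app, policy, key=VENDOR_KEY):
    """Return (allowed, reasons); the application starts only if allowed."""
    expected = bundle_signature(key, app["code"], app["contract"])
    if not hmac.compare_digest(expected, app["signature"]):
        return False, ["signature does not bind this code to this contract"]
    hidden = sorted(set(app["used_apis"]) - set(app["contract"]))
    reasons = [f"{api}: used by the code but missing from the contract" for api in hidden]
    reasons += contract_violations(app["contract"], policy)
    return not reasons, reasons


# Constructed application bundles.
WEATHER = make_app(b"weather-v1", {"net.connect": {"hosts": ["api.example.com"]}},
                   ["net.connect"])
FLASHLIGHT = make_app(b"flashlight-v1", {}, ["contacts.read", "net.connect"])
BULK_SMS = make_app(b"sms-v1", {"sms.send": {"max_per_session": 50}}, ["sms.send"])
MAPS = make_app(b"maps-v1", {"location.read": {}}, ["location.read"])
# Contract edited after signing: the signature no longer covers it.
TAMPERED = dict(WEATHER, contract={"net.connect": {"hosts": ["api.example.com"]},
                                   "sms.send": {"max_per_session": 1}})

if __name__ == "__main__":
    for name, app in (("weather", WEATHER), ("flashlight", FLASHLIGHT),
                      ("bulk_sms", BULK_SMS), ("maps", MAPS), ("tampered", TAMPERED)):
        print(name, "global:", admit(app, GLOBAL_POLICY),
              "per-app:", admit(app, effective_policy(name)))
```

The maps bundle is rejected under the global policy and admitted under its per-application policy, which is the case a single phone-wide policy cannot express.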

6.1.6 Virtualization

There has been a lot of interest in recent years in mobile virtualization platforms. With a
powerful device, two or more operating systems can run simultaneously, separating the work
environment from the home one. This makes it easier for a company to manage devices, keep
up security, back up data (virtual machines) or migrate to other hardware. Figure 6.2
shows how a product from VMware works.

Figure 6.2: VMware Mobile Virtualization Platform

6.2 Security policies

It is impossible to protect against everything with technology alone. Technology
acts only as a second line of defence, as a supplement to people. Users should know about
the potential threats, and policies should help in closing this gap. Although the study
is aimed at enhancing only the technological part, it is necessary to become briefly familiar
with how policies can improve the protection of mobile phones.
Security policies for MCD do not differ from those created for other mobile devices like
laptops and PDAs. Security frameworks like PCI, ISO 27001, and COBIT do not specifically
cover mobile phones; however, they can be adopted for cell phone usage. Friedman
and Hoffman [Friedman and Hoffman, 2008] highlight the following points that the policy
should cover:
- Usernames, passwords, and authentication methods
- The use of data encryption
- The use of VPNs
- Security application installed on each mobile device
- Types of mobile computing devices, storage devices, and software applications that
  are authorized, and those that are forbidden
- Under what circumstances new software applications can be downloaded
- What type of information or files can be stored on mobile devices
- What type of information or files can be transmitted to other people inside and
  outside of the company
Additionally, the security policy should cover what types of mobile phones are allowed to be used
for corporate data and calls, and whether they are company-issued or employee-owned. It is easier
to control configuration and maintain a relatively high level of security if all devices are of
the same type and company-issued. This could also have an impact on the software that can
be installed on devices, as different vendors support different operating systems, and it
can become a problem to protect a multitude of various phones. For example, Windows
smartphones support Windows Mobile MSFP (Messaging and Security Feature Pack),
which can be used to centrally control security parameters of the device and update other
settings.
Terry Ernest-Jones discusses whether a centralized approach is good or bad for the
management of mobile devices [Ernest-Jones, 2006]. Strict policies and the use of company devices
may limit workers' productivity, but raise the security level. The opposite will decrease
security, but will enable employees to work more freely and choose technology they feel
comfortable with. However, in order to protect itself, the company must be able to monitor
who connects to what network and whom devices belong to. It is also vital that software
lifecycle management becomes part of the work routine.
Cellcrypt's mobile phone policy [Cellcrypt, 2010] highlights topics like phone management,
describing how to use a mobile phone in various environments and how to avoid being
infected by malware. It continues by specifying risks related to call security threats
like interception, hijacking, and eavesdropping, and ways to avoid leaking sensitive
information during a call. One must ensure that he and the person he is speaking to are in a secure
environment where the conversation cannot be overheard or lip-read. Emphasis is placed on
calling practice, that is, how to reduce the risk of call interception. This includes:
- Never assume the conversation is secure, especially if it is an international call
- Referencing key parts of the conversation in such a way that an eavesdropper would obtain
  an incomplete set of information (e.g. instead of telling the real customer name, he can be
  referred to as the customer that visited last week)
- For conversations that cover confidential data, call encryption is mandatory
- Routine calls can be as sensitive as important ones
- Care should be taken to ensure that all participants of the conversation are in a secure
  environment
- If a secure environment is not available, confidential information should never be
  disclosed; instead, the call should be postponed
Finally, the usage of the security policy should be enforced in the company, and any employee
not following it should be punished.


Chapter 7
Data analysis
Reviews of the proposed framework model were done by representatives from 3 companies
in order to find out whether the proposed enhancement is good or not, whether it is
applicable in real life, and whether it can be used by companies. Analysis of these reviews is given
in this chapter. Interview transcriptions are enclosed in the document appendix, as is the
document with the framework that was sent to the interviewees.

7.1 Interview with AS Stallion

7.1.1 Mobile threats and awareness

According to Michailas [Vassiljev and Ornovskis, 2010], the data on his mobile phone is
not critical to the business and does not have any value to a thief or competitor except
the cost of the hardware. His mobile phone is used both for personal and
corporate purposes. Thus, it is considered an attack vector to gain access to other
networks, and is protected using two-factor authentication. No other safeguards for mobile
phones are used, and no policies covering the use of such devices are in place; however, as
Michailas says, none of the workers use their mobile phones to access corporate resources,
and the company's network perimeter is well protected. During the threat identification and
protection planning processes, he relies on his experience as well as different guidelines and
standards. The effective way to identify threats to cell phones is to follow the guidelines
of mobile security vendors and to observe the market. While technical controls are
helpful, they alone are not enough: different policies should be in use, and mobile devices should
also be controlled from a unified management application. If needed, all applications
and network traffic can also be controlled.

7.1.2 Review of enhancements

Michailas does not see any structural differences in the model architecture except the
excluded multimedia layer, but states that things are explained in detail. Answering the
question of what can be improved even more, he says that the framework model should
consider having mobile device management, from where a remote wipe of the phone can be
done. The classification of attacks should be better, as now it seems more like a random
list; instead, it has to cover all the threats. Denial of service attacks are not too critical
for mobile phones, and cannot be mitigated only by software security updates. He
goes on to say that the greatest risks for these devices come from data leakage, which can
be remediated using DLP (Data Loss Prevention) and encryption, and from viruses. SPAM
does not pose a threat to cell phones as it is now handled in the cloud¹. Besides,
applications like Facebook can be easily controlled by proxy or application layer firewall
policies that allow only business applications to be used.
The interviewee does not know of any other frameworks targeted at mobile phone security.
He thinks that it will be useful to apply it at work; however, the threats layer should be
improved. The hierarchy is also reasonable as long as the whole framework does not
depend on any technology.

¹ Cloud computing refers to applications and services offered over the Internet. These services are
offered from data centers all over the world, which collectively are referred to as the cloud. Source: The
Tech Terms Computer Dictionary

7.1.3 Analysis

From the interview it is clear that mobile phones are considered an attack vector and
need to be protected; however, there are no special tools or policies used for that purpose.
Michailas mentioned data leakage as one of the main risks; however, the device he uses
is not protected against such leaks, and even contact details can be considered valuable
information (as in the case with [Zetter, 2003]). The company follows various guidelines,
standards, and common sense in order to identify threats for these devices; however,
there are no solutions on the market targeted specifically at mobile phones that would
fulfill the requirements.
The new framework describes things in more detail and is applicable as a helping solution
at work; however, it needs several modifications. According to Michailas, the identified
drawbacks are the following:
- Better attack classification. Currently the proposed solution just describes threat
  domains without going into details about all possible threats, leaving this to the
  user.
- Introduce the mobile device management control: centralized device management
  from which a data wipe can be done. The need for such a solution was also established
  by big market companies [Ernest-Jones, 2006].
- Denial of service attacks cannot be mitigated only by software updates. While this is
  true for the PC platform, most of the DoS attacks nowadays target specific applications
  on mobile phones (e.g. [Mulliner and Barisani, 2009, Mulliner and Miller, 2009], to
  name a few), and in rare cases the underlying infrastructure (e.g. [Enck et al., 2005]).
  During the literature review, no solutions other than software updates were found that
  could protect against DoS exploits for applications; this, however,
  may change in the future.
- SPAM is not considered a threat, probably due to a misunderstanding of how it can
  get to the device: not by e-mail, but via SMS/MMS. This happened because the
  framework does not indicate the origins of SPAM, which can be considered a drawback.
  The problems of SMS SPAM are described in [Yoon et al., 2009].

7.2 Interview with Entraction AB

7.2.1 Mobile threats and awareness

The mobile phone of Dimitrios [Vassiljev and Stergiou, 2010] contains a lot of
private information that is of high value to competitors; it can be used not only to get
some insider information, but also to get access to the internal network. Therefore the device
is considered an attack vector, and thus is protected: all the information is encrypted.
Although the company provides a SIM card and a telephone of choice for its employees,
most of them use a single device both for personal and corporate needs, which opens the
potential for attacks [Ernest-Jones, 2006]. During threat identification, resources like
ISO27001, NIST, and Octave are used along with common sense. The company also uses
reports and guidelines from other security vendors and companies (Gartner, Forrester),
most of which are specific to personal computers. However, since the necessary technology
is not yet available for cell phones, some risks are just accepted. Dimitrios thinks that
service providers will not be able to protect devices from possible threats, so safeguards
should be implemented on the client side.

7.2.2 Review of enhancements

Although Dimitrios has no experience in the mobile security field specifically, he feels that
the new framework model is improved over the original: it looks operational, functional,
and easily implementable. He could not name any other framework, and thus could not
compare it with others. He mentions, however, that this model will be used during
their next risk assessment. The overview of threats is sufficient, and the hierarchy is also
reasonable. An attack tree would be a helpful addition to the framework, as would anything
else that can make it more accessible to non-security people.

7.2.3 Analysis

The company considers mobile phones a security threat, and has certain protection
implemented. However, due to the lack of available technology on the market, some
risks are just accepted. There are no special toolkits or frameworks targeted specifically
at mobile phones, and the company is considering using this solution during the next risk
assessment, as it is seen as suitable and sufficient.

7.3 Interview with Tieto AB

7.3.1 Mobile threats and awareness

Patrik is aware of the security problems that mobile phones have [Vassiljev and Frost, 2010],
and the mobile phone is considered an attack vector in the company. Cell phones can be compared
with portable computers, having the same problems and solutions (e.g. data encryption).
An easy and effective way to identify threats is to conduct a risk analysis, which will include
mobile devices. To the question of whether other service providers, like the cell phone operator,
Facebook, and others, should be considered while protecting the device, he replied that it
depends on the particular project.

7.3.2 Review of enhancements

Although Patrik was short with his answers, he said that the layer hierarchy seems reasonable,
and that the framework might be useful to apply during the risk analysis process at
work. He mentioned that during such analyses it is important to work according to the
plan and have it documented; the framework can help with that.

7.3.3 Analysis

Due to the restrictive policy it was not possible to get all the answers; however, the
company considers mobile phones a potential threat and takes action to protect them.
From a brief analysis, the improved version seems applicable at work.

7.4 Cross-case analysis

Here the data across all cases is analyzed in order to identify similarities and differences in
the respondents' opinions on the security of mobile devices and on the enhancements made to
the framework model. This analysis seeks to group opinions together in order to draw
conclusions later.

The mobile security topic is clear among the respondents: everyone is aware of the
problems that these devices pose. Methods of protection vary among companies, from
not keeping any confidential information on the device, to various authentication
mechanisms, to encrypting information. Due to the lack of special technology on the market,
some risks are just accepted. Even though some employees are offered company devices,
one mobile phone is used for both purposes, corporate and personal. During the risk
analysis process various frameworks and guidelines are used, including the ISO 27000
family, NIST, and Octave, but none that specifically targets mobile phones. Personal
knowledge and experience are also used. Although guidelines and whitepapers from mobile
security vendors are used, there are no useful resources targeted specifically at mobile
phones. Technical controls are not enough to protect mobile devices, and the protection
should be device-centric, as content and service providers (phone operator and content
providers) are not able to protect devices from possible threats.

All three respondents found the proposed solution useful to apply during their risk assessment processes. As only one respondent identified several weak points in the framework,
there is no need for cross-case analysis of this part. However, as these changes are to be
added to the framework, they are briefly discussed further in this chapter.

7.5 After-review modifications

Framework development is an iterative process (as [Johnson, 1997] and [Taligent, 1997]
also mention). One can see that many frameworks are refined over time. For example,
the Zachman framework has been developed continuously from the initial version
[Zachman, 1987] to the latest [Zachman, 2010]. After analyzing the interviews, I implemented
several changes that Michailas [Vassiljev and Ornovskis, 2010] mentioned during our talk.
These are:

- Introduce a mobile device management control, which acts as centralized device
  management to perform functions like pushing software policies, data wipe, and device
  tracking. This is done on all three layers.
- Better attack classification: Michailas pointed out that the framework needs better
  attack classification. The original goal was to have only attack domains, which can
  describe the nature of the attack, as the attack itself can change over time. This
  comment was probably caused by the phishing attacks bubble, which described
  four types of phishing attacks. The decision is to remove this bubble to avoid
  confusion. Additionally, the origin of SPAM is clearly indicated.

The new proposed framework can be found in the next chapter.

Chapter 8: The improved mobile security framework model

An overview of the resulting framework is given in this chapter along with all the enhancements.

8.1 Framework

The resulting framework has the same structure and hierarchy of layers as its predecessor.
However, each layer was enhanced with additional groups and details for deeper
problem coverage. Each of the layers is made of three sub-layers: threat domain (highlighted
in red), safeguard domain (highlighted in white), and controls
(highlighted in blue). Some threat domains appear in multiple layers, which
means that the attack vector may exploit the same target using different paths, or one
threat may be protected against using multiple approaches.

Property layer

The property layer is illustrated in Figure 8.2 (for easier comparison, Figure 8.1 shows the
property layer of the OULU framework). Although I have limited myself to technology
and considered the management level very briefly (policy creation and management), it is
impossible to completely avoid this layer: people should also know how to deal with
threats, not only technology.


Figure 8.1: Property layer from OULU framework

The authors of the original framework model used this layer to guide the research of basic
issues of security like security objectives (goals to be achieved), attacks (possible threats),
mechanisms (safeguards), management (laws and policies), and evaluation (evaluation of
performance, privacy, etc.). They later describe three main objectives of security:
confidentiality, integrity and availability. I used the same objectives and applied them to the
information that mobile phones store. The targets "attacks" and "mechanisms" are used in
all three layers (combined into groups/domains).

While most of the targets in the property layer are aimed at high-level security research,
only the management target is directly used in this study to provide control mechanisms for
device protection. Things like conversation eavesdropping (when someone nearby listens to
a person speaking), server-resident data (3rd party services like Facebook, e-mail servers,
or the service provider), data loss and others cannot be directly controlled. Policies should
describe how this is to be handled, and users must be aware of these procedures.
Threats like data loss and corporate data on a personal phone can partly be controlled by
using virtualization; however, it will not solve all the problems unless the policy
covers specific procedures. The same goes for data wipe on the device. The reason security
awareness was put as a safeguard only for the phishing and phone/SIM cloning threats is that
policy cannot control them directly: users must know about these threats and how to deal
with them, and policy should just describe the way to inform them about these problems.
However, ideally security awareness should cover all threats on every layer.


Figure 8.2: Enhanced property layer


System layer

Figure 8.4 shows the system layer (Figure 8.3 shows the same layer from the OULU
framework). Many of the threats here can and should be covered by security policy; however,
the proper use of technical controls can prevent most of the threats without the user's
knowledge.

Figure 8.3: Limited targets layer from OULU framework

The authors put mobile multimedia in the "Limited targets" layer, describing it as valuable
not only to subscribers, but also to composers and providers. The illegal use of multimedia
and abuse of rights can be considered a threat more to the rights holders. Although
it poses risks to the company in the form of fines, from my point of view it does not pose any
security threat to the privacy of the device owner or to the device itself, thus it is left
out of the framework. The remaining two targets (mobile computing and mobile networking)
are combined to form the System layer.

Most of the threats in the Infrastructure target cannot be controlled by the phone user
at all, as the client has no access to telephone switches and other equipment. Nevertheless,
these threat domains are needed in order to keep users aware of them, so that they try to avoid
transmitting sensitive information when possible. Several of the threats may take place
both in the operator network and in the phone device itself. For example, eavesdropping
can happen on the phone by installing a special program (e.g. a virus) or by getting access
to the cell operator facilities (e.g. spying on the PBX station or re-routing traffic); that
is why a single threat domain can be connected both to OS and Infrastructure.

Many problems may occur due to unauthorized access to the device. The first
layer of protection is user awareness (not lending your phone to unknown people, not
leaving it unattended, etc.), but the phone may still, for example, get stolen. There are many
security controls that help to prevent or minimize the problem of unauthorized access:
user authorization, data encryption, and others. These should be combined to
offer the best results.

As many telephone devices can now provide services like SSH, FTP, WWW, and many
others, they should also be protected from the threats that could exploit this vector.


Figure 8.4: Enhanced system layer


Application layer

The application layer in Figure 8.6 highlights problems that may arise at the application
level (Figure 8.5 shows the application layer from the OULU framework). The authors name
it the "Application layer" and give examples like VoIP, IP telephony, and others, which can
be viewed as at least 3 separate parts: application client (the program that is installed on the
telephone), server (software installed in a service provider's infrastructure) and protocol
(the protocol that is used for communication between server and client). Server and protocol
targets are indirectly dealt with in the System layer, while only the client part is left here.
This helps to keep the hierarchy simple and the framework easy to use without overloading
it. Many problems could and probably will be eliminated by security controls at the
OS level as the technology advances and telephones become ordinary computers with the same
functions.

Figure 8.5: Application layer from OULU framework

The level of SPAM on the mobile platform is not high due to its cost: prices for SMS/MMS
are much higher compared to e-mail, and e-mail SPAM can be filtered before it reaches
the device. But there are solutions to protect against SMS/MMS SPAM if it becomes
a problem. Software exploits and denial of service attacks against applications can be
eliminated using software updates. Unfortunately, the technology is not yet advanced enough to
fight them at a lower level; however, these threats have not been widespread so far. There
are multiple solutions to fight telephone malware, starting with antivirus software
and continuing with application policies in the operating system.


Figure 8.6: Application layer
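
The layer, threat domain and control relations described in this chapter can be walked mechanically during a risk assessment. The following Python code is an added example, not part of the thesis: it encodes only the relations named in the chapter's prose (the figures contain more), and the control name "spam filtering", the status labels and the sample set of deployed controls are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Entry(NamedTuple):
    layer: str            # "property", "system" or "application"
    threat: str           # threat domain
    controls: frozenset   # safeguards/controls the prose names for it


def entry(layer, threat, *controls):
    return Entry(layer, threat, frozenset(controls))


# Constructed from the chapter's prose only; Figures 8.2, 8.4 and 8.6 hold more.
FRAMEWORK = [
    entry("property", "phishing", "security awareness"),
    entry("property", "phone/SIM cloning", "security awareness"),
    entry("property", "data loss", "policy", "virtualization"),
    entry("property", "corporate data on personal phone", "policy", "virtualization"),
    entry("property", "eavesdropping", "policy"),            # conversation eavesdropping
    entry("system", "eavesdropping", "security awareness"),  # OS and infrastructure
    entry("system", "unauthorized access",
          "security awareness", "user authorization", "data encryption"),
    entry("application", "SPAM", "spam filtering"),           # control name assumed
    entry("application", "software exploits", "software updates"),
    entry("application", "denial of service", "software updates"),
    entry("application", "malware", "antivirus", "application policies"),
]

# Constructed sample: controls one hypothetical organisation has in place.
DEPLOYED = {"policy", "data encryption", "software updates"}


def assess(deployed):
    """Return (layer, threat, status, missing controls) for every entry.

    covered  - every named control is deployed
    partial  - some are deployed; the rest are listed as missing
    accepted - none are deployed, so the risk is carried as-is
    """
    deployed = set(deployed)
    rows = []
    for e in FRAMEWORK:
        missing = sorted(e.controls - deployed)
        if len(missing) == len(e.controls):
            status = "accepted"
        elif missing:
            status = "partial"
        else:
            status = "covered"
        rows.append((e.layer, e.threat, status, missing))
    return rows


def cross_layer_threats():
    """Threat domains present in more than one layer, with the layers and the
    union of controls that reach them by different paths."""
    layers, controls = defaultdict(set), defaultdict(set)
    for e in FRAMEWORK:
        layers[e.threat].add(e.layer)
        controls[e.threat] |= e.controls
    return {t: (sorted(layers[t]), sorted(controls[t]))
            for t in layers if len(layers[t]) > 1}


def next_controls(deployed):
    """Rank undeployed controls by how many accepted risks each would reduce."""
    gain = Counter()
    for _layer, _threat, status, missing in assess(deployed):
        if status == "accepted":
            gain.update(missing)
    return sorted(gain.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for layer, threat, status, missing in assess(DEPLOYED):
        print(f"{layer:<12}{threat:<34}{status:<9}{', '.join(missing)}")
    print("cross-layer:", cross_layer_threats())
    print("deploy next:", next_controls(DEPLOYED))
```

With the sample input, security awareness ranks first because it is the only named safeguard for three threat domains that would otherwise be accepted, which matches the chapter's remark that awareness should ideally cover all threats on every layer.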


Chapter 9: Validity and reliability of the study

Validity and reliability issues related to the study are discussed here.
Several questions may arise regarding the validity and reliability of the study and
the proposed enhancements. For example, was the theory relevant, was it sufficient for this
study, were the respondents for the case study appropriate, and others. To address them,
I will try to critically analyze my work.

I started with the analysis of the original Hierarchical framework model of mobile
security. Using my personal experience and research that was based on this work, problematic
places were identified. While my experience may be insufficient to objectively judge the
framework, I do not see this as a point of failure, as I consider myself a user of the
framework, and user feedback is always helpful for improvement.

The NIST mobile security guideline, and no other, was chosen to further guide me in the
search for threats and countermeasures. This could limit the study to a single point of view
of the author, and affect the end result. This certainly happened; however, during the
literature review every threat and safeguard was carefully analyzed using multiple sources.

There is always an issue of "never enough", which means that I could have missed some vital
research or theory that my work could benefit from. This risk cannot be eliminated, and
just has to be accepted: it is impossible to find every single piece of research, analyze it
and use it for the study. For the same reason there is no perfection in the world. But one can do
one's best to come close to being perfect.

A single case study with three respondents was used in order to verify the proposed
enhancements. This was done by way of interviews. Were three interviews sufficient?
Were the respondents skilled enough to review the framework? One of the respondents did
not have experience within the mobile security field. Could this influence the results?
It has its influence on the validity. How far can these results be trusted?
Mobile security experts who work directly within the field would raise the validity of the
data. Due to time limits it was impossible to have mobile security experts review
the work; however, as the enhancement was targeted at a wider audience which included
both researchers and security professionals, the chosen respondents may be sufficient to draw
certain conclusions and hypotheses.


Chapter 10: Conclusion

This chapter is the finale of the manuscript, but not of the research. It concludes the results of
this study: what has been achieved, and what will be done in the future. It is the chapter
that answers the research question.

10.1 Results

The aim of this study was to explore existing threats to mobile computing devices and
effective ways of protecting against them, and to use this knowledge to enhance the framework
model for mobile security. This led me to the research question:

How can the Hierarchical framework model of mobile security be enhanced to
provide deeper view on security problems and their countermeasures?

In order to find the answer, I started with defining what a framework is, what its
purpose is, and why it is needed. This helped me to see the end goal of the enhancement:
to be a tool that helps to see a more holistic picture of the area being studied, to help
better understand it, analyze it, find problems and, what is more important, solutions. I
went on to analyze the original framework in order to identify what
needs to be improved. Research based on the original work was reviewed to find out
how it used the framework, and then the Zachman Framework [Zachman, 1987] was used
to indicate where the improvements are to be made. The study was limited to the
technical part of the framework, leaving the managerial part for the future.

I used NIST [Jansen and Scarfone, 2008] to guide me in the search for attacks and
safeguards for mobile phones. Existing research, technical whitepapers and market offers
were analyzed, and the findings were grouped into domains and organized into layers in
the new framework, which, however, inherited the main layer hierarchy.

To enhance the framework, each layer was reorganized: only the management target was left
on the property layer, and attacks with objectives are used in all three layers; mobile
media was removed from the limited targets layer, as it did not pose any threat to the device
or its owner; instead of application protocols, the application layer focuses on the mobile
applications themselves. Three additional sub-layers were introduced for each part of
the framework: threat domains, safeguard domains, and technical controls. These sub-layers
are themselves organized into a hierarchy and connected to each other in order to
clearly show what can be done and how. Doing so helped me to optimize and improve the
framework to make it useful also for security managers and engineers. This was further
tested by three interviews with two security engineers and one security manager.

The first part of the interview was intended to find out about the awareness of the
respondents: what problems they face with mobile phones, how they protect them, and
what tools they use during risk analysis. It was meant to help me find out about
new approaches, tools, and other similar frameworks. However, the respondents did not know of
any similar research, guideline, or framework for mobile phones, and their awareness
was within the boundaries described by Clarke and Furnell in [Clarke and Furnell, 2005] and
Alan Goode [Goode, 2010]. This makes me believe in the usefulness of the research and
its contribution not only based on my personal analysis, but also based on the comments
from the respondents.

The second part of the interview clearly indicated that the framework can be used by
security professionals during their work. Interviewees stated that the framework provides
a deeper view on security, and problems are explained in detail; it looks operational,
functional, and easily implementable. These comments correlate with the
goals and properties of a framework described in Chapter 3: it is a tool to understand
reality, and it simplifies the process of learning and describing the area of concern
[Zachman, 1987, Johnson, 1997]. From this I can conclude that the new version is improved
over the original. There are, however, several drawbacks found by the respondents,
which are discussed later in this chapter.

10.2 Conclusions

Although mobile phones have existed for over two decades, the security of this topic is
still a new area: only several security frameworks that target mobile phones could be
found, and the respondents did not know of any more. They also highlighted the absence of
mobile phone policy and the usage of personal devices for corporate needs, which leads
me to the conclusion that include the question of mobile security in their policies and risk
assessments. Similar problems have been described in [Furnell, 2006, Ernest-Jones, 2006,
Jansen and Scarfone, 2008], and this study came to the same conclusions.

In order to address this need, a mobile security framework was enhanced to make it
useful for various communities of interest. Having done this and received reviews from
professionals, I come to the conclusion that the proposed solution serves its goals and
contributes to the community.

From the research I have done, I can also draw several conclusions about the process of
developing a framework, which I consider to be very similar to the enhancement process:

- Learn about the problem: before offering any solution, the problem should be analyzed
  in order to understand what could be the best possible solution.
- Analyze solutions: in the case of this research, I analyzed the existing framework
  and derivative works to find out how they work, what they offer, what they
  lack, and how they can be made better.
- Identify the abstraction level: how close the abstraction is to the real world; the
  closer it is, the harder it gets to apply it to various problems.
- Design: using the data gathered in the previous steps, create the new design.
- Iterate: it is hard to cover the whole problem domain the first time, and
  with time solutions may also change.

Following this plan can help to make the development process easier and
smoother. The analysis of other frameworks in Chapter 3 goes along with what was
said during the interviews about the properties of a framework. For it to be usable (good),
a framework should be:

- Flexible: it should be applicable in different contexts.
- Simple: it should be easy to use, connections should be easy to trace, and interaction
  with a framework should be clear.
- Complete: it should cover things needed by the users to solve the particular problem.

While a framework can never be complete, too easy to use, or applicable in every
situation, these properties can be mixed, just like security safeguards in the enterprise, in
order to achieve the best balance.

10.3 Future research

This study was limited to the exploration of technical controls, leaving out the
thorough analysis of managerial controls. Additionally, the original OULU framework
mentioned the evaluation of security mechanisms. These two topics could make a separate
study.

The interviews done during the study concluded that the framework is operational and
can be applied at work, for example during the risk analysis process. However, it will
also be necessary to actually use it to do a risk analysis and evaluate how well
it behaves, and what can be improved further.

During the literature review I found only a few documents related to the creation of policies
for mobile phones, and it seemed that this area is not well researched. A new study could
analyze how suitable this new framework is for creating a policy for mobile
phone usage and protection, what the difficulties are, and how it correlates with policies
for computers.


Bibliography
[nok, 2005] (2005). Nokia expands business portfolio with mobile e-mail. http://mea.nokia.com/about-nokia-en/press-releases/show-press-release?newsid=-936. Accessed 23 February 2010.
[Allen, 2005] Allen, M. (2005). A day in the life of mobile data. http://www.bcs.org/server.php?show=ConWebDoc.2774. Accessed 23 February 2010.
[Barkan et al., 2003] Barkan, E., Biham, E., and Keller, N. (2003). Instant ciphertext-only cryptanalysis of gsm encrypted communication. In Proceedings of Crypto 2003, volume 2729, pages 600-616.
[Bielova et al., 2009] Bielova, N., Dragoni, N., Massacci, F., Naliuka, K., and Siahaan, I. (2009). Matching in security-by-contract for mobile code. In proceedings for the 1st workshop on Formal Languages and Analysis of Contract-Oriented Software, volume 78, pages 340-358.
[Cellcrypt, 2010] Cellcrypt (2010). Mobile phone information security policy. http://www.cellcrypt.com/documents/Mobile%20Phone%20Voice%20Security%20Policy%20Template.doc. Accessed 24 March 2010.
[Center, 2010] Center, T. I. A. D. (2010). Consumer password worst practices. http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf. Accessed 21 March 2010.
[Checkland and Holwell, ] Checkland, P. and Holwell, S. Information, Systems, Information Systems: Making Sense of the Field. Wiley.


[Clarke and Furnell, 2005] Clarke, N. and Furnell, S. (2005). Authentication of users on mobile telephones - a survey of attitudes and practices. Computers and Security, 24:519-527.
[Clarke et al., 2008] Clarke, N., Furnell, S., and Karatzouni, S. (2008). Beyond the pin: enhancing user authentication for mobile devices. Computer fraud and Security, 2008(8):12-17.
[Clarke and Furnell, 2007] Clarke, N. L. and Furnell, S. (2007). Advanced user authentication for mobile devices. Computers and Security, 26(2):410-417.
[Clarke et al., 2003] Clarke, N. L., Furnell, S., and Reynolds, P. L. (2003). Using keystroke analysis as a mechanism for subscriber authentication on mobile handsets. In Proceedings of the IFIP SEC 2003 Conference, pages 97-108.
[Coursen, 2007] Coursen, S. (2007). The future of mobile malware. Network Security, 2007(8):7-11.
[Creswell, 2003] Creswell, J. W. (2003). Research design: qualitative, quantitative, and mixed method approaches, pages 203-204. SAGE, second edition.
[Das et al., 2008] Das, A., Manyam, O. K., Tapaswi, M., and Taranalli, V. (2008). Multilingual spoken-password based user authentication in emerging economies using cellular phone networks. In proceedings of IEEE workshop on spoken language technology, pages 5-8.
[Denzin and Lincoln, 2005] Denzin, N. K. and Lincoln, Y. S. (2005). The SAGE handbook of qualitative research. SAGE, third edition.
[Division, 2008] Division, U. N. P. (2008). World population prospects: The 2008 revision population database. Technical report.
[eMarketer.com, 2010] eMarketer.com (2010). How big will mobile get? http://www.emarketer.com/Article.aspx?R=1006855. Accessed 22 February 2010.
[Enck et al., 2005] Enck, W., Traynor, P., McDaniel, P., and Porta, T. L. (2005). Exploiting open functionality in sms-capable cellular networks. In ACM Conference on Computers and Communications Security.
[Ernest-Jones, 2006] Ernest-Jones, T. (2006). Pinning down a security policy for mobile data. Network Security, pages 8-12.

[F-Secure, 2002] F-Secure (2002). Content security at hand. Technical report.
[Flick, 2006] Flick, U. (2006). An introduction to qualitative research, pages 149-160. SAGE, third edition.
[Flø and Jøsang, 2009] Flø, A. R. and Jøsang, A. (2009). Consequences of botnets spreading to mobile devices. In 14th Nordic Conference on Secure IT Systems, pages 37-43.
[Fong and Seng, 2009] Fong, L. L. and Seng, W. C. (2009). User authentication on mobile phones - what is the best approach. In proceedings of the 3rd international conference on informatics and technology.
[Fourati et al., 2004] Fourati, A., Kamoun, H. K. B. A. F., and Benzekri, A. (2004). Security issues of m-commerce over hotspot networks. In IEEE Wireless Communications and Networking Conference, volume 2, pages 837-838.
[Friedman and Hoffman, 2008] Friedman, J. and Hoffman, D. V. (2008). Protecting data on mobile devices: A taxonomy of security threats to mobile computing and review of applicable defences. Information Knowledge Systems Management, (7):159-180.
[Furnell, 2006] Furnell, S. (2006). Securing mobile devices: technology and attitude. Network Security, 2006(8):9-13.
[George, 2002] George, M. (2002). Guarding the mobile handset against phone-jackers. Card Technology Today, 14(5):10.
[Glesne and Peshkin, 1992] Glesne, C. and Peshkin, A. (1992). Becoming qualitative researchers: an introduction, page 6. Longman.
[Goode, 2010] Goode, A. (2010). Managing mobile security: How are we doing? Network Security, 2010(2):12-15.
[Gorry and Morton, 1971] Gorry, A. and Morton, M. (1971). A framework for management information systems.
[Gostev and Maslenikov, 2009] Gostev, A. and Maslenikov, D. (2009). Mobile malware evolution: An overview. http://www.viruslist.com/en/analysis?pubid=204792080. Accessed 24 February 2010.
[Greenberg, 2009] Greenberg, A. (2009). How to hijack every iphone in the world. http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html. Accessed 23 March 2010.
[Harrington and Mayhew, 2001] Harrington, V. and Mayhew, P. (2001). Mobile phone theft. Technical report.
[Hesse-Biber and Leavy, 2006] Hesse-Biber, S. N. and Leavy, P. (2006). The practice of qualitative research, page 289. SAGE.
[Higgins, 2010] Higgins, K. J. (2010). Smartphone weather app builds a mobile botnet. http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=223200001. Accessed 23 March 2010.
[Howie et al., 2001] Howie, D., Sun, J.-Z., Koivisto, A., and Sauvola, J. (2001). A hierarchical framework model of mobile security. In Personal, Indoor and Mobile Radio Communications, 2001 12th IEEE International Symposium on, Volume 1, pages 251-256.
[Iwano et al., 2003] Iwano, K., Hirose, T., Kamibayashi, E., and Furui, S. (2003). Audiovisual person authentication using speech and ear images. In proceedings of workshop on multimodal user authentication, pages 85-90.
[Jansen and Scarfone, 2008] Jansen, W. and Scarfone, K. (2008). Guidelines on cell phone and pda security. Technical report, National Institute of Standards and Technology, U.S. Department of Commerce.
[Jin et al., 2007] Jin, Y., Zhang, J., and Zheng, X. (2007). Specification and runtime enforcement of security policies. In IFIP International Conference on Network and Parallel Computing, pages 244-249.
[Johnson, 1997] Johnson, R. E. (1997). Components, frameworks, patterns. In the 1997 symposium on software reusability, pages 10-17. ACM.
[Kang and Cho, 2009] Kang, P. and Cho, S. (2009). A hybrid novelty score and its use in keystroke dynamics-based user authentication. Pattern recognition, 42:3115-3127.
[Karatzouni et al., 2007] Karatzouni, S., Furnell, S., Clarke, N., and RA, B. (2007). Perceptions of user authentication on mobile devices. Proceedings of the ISOneWorld Conference, Las Vegas, USA.


[Kirk, 2009] Kirk, J. (2009). Analysts see alarming development in mobile malware. http://www.computerworld.com/s/article/9135577/Analysts_see_alarming_development_in_mobile_malware. Accessed 24 February 2010.
[Kotler et al., 2008] Kotler, P., Armstrong, G., Wong, V., and Saunders, J. (2008). Principles of marketing, pages 332-333. Pearson Education, fifth edition.
[Langendoerfer et al., 2007] Langendoerfer, P., Piotrowski, K., Peter, S., and Lehmann, M. (2007). Crosslayer firewall interaction as a means to provide effective and efficient protection at mobile devices. Computer Communications, 30(7):1487-1497.
[Leedy and Ormrod, 2009] Leedy, P. and Ormrod, J. E. (2009). Practical research: planning and design. Pearson Educational International, ninth edition.
[Leyden, 2002] Leyden, J. (2002). Mobile phone theft is far worse than we thought. http://www.theregister.co.uk/2002/02/20/mobile_phone_theft_is_far/. Accessed 24 February 2010.
[Lindstrom, 2007] Lindstrom, J. (2007). Security challenges for wearable computing. In proceedings of the 4th international forum on applied wearable computing.
[Lo et al., 2008] Lo, J. L.-C., Bishop, J., and Eloff, J. (2008). Smssec: An end-to-end protocol for secure sms. Computers and Security, 27(5):154-167.
[Marshall and Rossman, 2006] Marshall, C. and Rossman, G. B. (2006). Designing qualitative research. SAGE.
[Martin and Robertson, 1999] Martin, R. and Robertson, E. (1999). Formalization of multi-level zachman frameworks. Technical report. Accessed 21 May 2010.
[Maximov et al., 2005] Maximov, A., Johansson, T., and Babbage, S. (2005). An improved correlation attack on a5/1. Lecture Notes in Computer Science, pages 1-18.
[Maxwell, 2005] Maxwell, J. A. (2005). Qualitative research design: an interactive approach, pages 3-4. SAGE, second edition.
[Mazhelis and Puuronen, 2007] Mazhelis, O. and Puuronen, S. (2007). A framework for behavior-based detection of user substitution in a mobile context. Computers and Security, 26:154-176.


[Merriam, 1991] Merriam, S. B. (1991). Case study research in education: a qualitative approach. Jossey-Bass.
[Miettinen et al., 2006] Miettinen, M., Halonen, P., and Hatonen, K. (2006). Host-based intrusion detection for advanced mobile device. In 20th International Conference on Advanced Information Networking and Applications, volume 2, pages 72-76.
[Moisander and Valtonen, 2006] Moisander, J. and Valtonen, A. (2006). Qualitative marketing research: a cultural approach, pages 24-25. SAGE.
[Mulliner and Barisani, 2009] Mulliner, C. and Barisani, A. (2009). Android malformed sms and dalvik api dos vulnerabilities. http://www.ocert.org/advisories/ocert-2009-014.html. Accessed May 31 2010.
[Mulliner and Miller, 2009] Mulliner, C. and Miller, C. (2009). Fuzzing the phone in your phone. http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf. Accessed 15 March 2010.
[Nakamura, 2005] Nakamura, T. (2005). Mobile phone gets face lift. Biometric Technology Today, pages 4-5.
[Nohl and Krißler, 2009] Nohl, K. and Krißler, S. (2009). Subverting the security base of gsm. In Hacking at Random.
[O'Gorman, 2003] O'Gorman, L. (2003). Comparing passwords, tokens and biometrics for user authentication. In proceedings of the IEEE, volume 91, pages 2019-2040.
[Pamplin, 2005] Pamplin, J. (2005). How to track any uk gsm mobile phone. 2600, 22(4).
[Pandelidis, 2002] Pandelidis, A. (2002). Defining the security required for wap based mobile ticket sales. Technical report.
[Prevalakis and Spinellis, 2007] Prevalakis, V. and Spinellis, D. (2007). The athens affair. http://spectrum.ieee.org/telecom/security/the-athens-affair. Accessed 15 March 2010.
[Pullela, 2002] Pullela, S. (2002). Security issues in mobile computing. Technical report.
[Ring and Young, 1947] Ring, D. and Young, W. (1947). Mobile telephony wide area coverage. Bell Laboratories Technical Memorandum.

[Rokita et al., 2008] Rokita, J., Krzyzak, A., and Suen, C. (2008). Cell phones personal authentication systems using multimodal biometrics, pages 1013-1022. Springer
Berlin/Heidelberg.
[Ryu and Jang, 2006] Ryu, D. H. and Jang, S. J. (2006). A security weakness of the
cdma cellular service. International journal of Computer Science and Network Security,
6(5):218-227.
[Samfat and Molva, 1997] Samfat, D. and Molva, R. (1997). An intrusion detection architecture for mobile networks. IEEE journal on selected areas in communications,
15(7):1373-1380.
[Sekaran, 2009] Sekaran, U. (2009). Research methods for business: a skill building approach. Wiley India Pvt. Ltd., fourth edition.
[seob Hwang et al., 2009] seob Hwang, S., Cho, S., and Park, S. (2009). Keystroke
dynamics-based authentication for mobile devices. Computers and Security, 28:85-93.
[Shuttleworth, 2008] Shuttleworth, M. (2008). Case study research design: how to conduct a case study. http://www.experiment-resources.com/case-study-research-design.html. Accessed 6 March 2010.
[Singh, 1994] Singh, M. (1994). Multiagent systems. A theoretical framework for intentions, know-how, and communications. Springer-Verlag.
[Smith, 2008] Smith, J. A. (2008). Qualitative psychology: a practical guide to research
methods. SAGE, second edition.
[Soy, 1997] Soy, S. K. (1997). The case study as a research method. http://www.ischool.utexas.edu/~ssoy/usesusers/l391d1b.htm. Accessed 6 March 2010.
[Sun et al., 2004] Sun, B., Yu, F., Wu, K., and Leung, V. C. M. (2004). Mobility-based
anomaly detection in cellular mobile networks. In proceedings of the 3rd ACM Workshop on Wireless security, pages 61-69.
[Sun et al., 2001] Sun, J.-Z., Howie, D., Koivisto, A., and Sauvola, J. (2001). A hierarchical framework model of mobile security. In 12th IEEE International Symposium on
personal, indoor and mobile communications, volume 1, pages 251-256.

[Taligent, 1997] Taligent (1997). Building object-oriented frameworks, part 2. Taligent whitepaper.
[Technologies, 2000] Technologies, K. (2000). Hands-free phone protected with voice
verification. Btt, page 5.
[Thomas, 2003] Thomas, R. M. (2003). Blending qualitative and quantitative research
methods in theses and dissertations, pages 1-3. Corwin Press.
[Vassiljev and Frost, 2010] Vassiljev, A. and Frost, P. (2010). Personal communication,
Appendix C.
[Vassiljev and Ornovskis, 2010] Vassiljev, A. and Ornovskis, M. (2010). Personal communication, Appendix A.
[Vassiljev and Stergiou, 2010] Vassiljev, A. and Stergiou, D. (2010). Personal communication, Appendix B.
[Wah, 2002] Wah, C. P. (2002). Multimedia security digital video watermarking. Technical report.
[Weber, 1996] Weber, R. P. (1996). Basic content analysis, page 12. SAGE, 6 edition.
[Williams, 1993] Williams, E. (1993). Research and paradigms. http://www.umdnj.edu/idsweb/idst6000/williams_research+paradigms.htm. Accessed 25 February 2010.
[Yin, 2003] Yin, R. K. (2003). Case study research: design and methods, pages 10-15.
Sage Publications, third edition.
[Yoon et al., 2009] Yoon, J. W., Kim, H., and Huh, J. H. (2009). Hybrid spam filtering
for mobile communication. Computers and Security, 29(4):446-459.
[Zachman, 1987] Zachman, J. (1987). A framework for information systems architecture.
IBM systems journal, 26(3).
[Zachman, 1997] Zachman, J. (1997). Concepts of the framework for enterprise architecture. background, description and utility. http://apps.adcom.uci.edu/EnterpriseArch/Zachman/zachman3_files/zachman3.htm. Accessed 21 May 2010.
[Zachman, 2010] Zachman, J. (2010). The zachman framework: the official concise definition. http://www.zachmaninternational.com/index.php/the-zachman-framework.
[Zetter, 2003] Zetter, K. (2003). Blackberry reveals bank's secrets. http://www.bcs.org/server.php?show=ConWebDoc.2774. Accessed 23 February 2010.

Appendix A: Interview with Stallion representative
Interview was conducted via e-mail with Michailas Ornovskis, security solutions specialist at AS Stallion.
AS Stallion is a leading Estonian data security company established in 1994. Stallion provides data security consulting, support and system integration services, as
well represents the best of breed security vendors as a value added reseller. We
have customers from nearly every sector, including government, banking and finance, telecommunication, retail, manufacturing and many more.
Security consulting services we provide include: IT security assessment, ISO 17799
consulting, security policy development, system penetration testing, disaster recovery planning, and much more.

Interview
Q: What do you think, how valuable is your mobile phone with all the information it
contains to a usual thief, to your competitor?
A: Not valuable at all, I don't have any critical data or built-in authorized access to
the corporate network. Only attack which cannot be performed is the social engineering
identity theft.
Q: Did (do) you consider a mobile phone as an attack vector to get access to your corporate resources?
A: Yes, it indeed is the attack vector or an entry point, thus strong two factor authentication mechanisms and other security policies should be applied.
Q: Do you have any protection already implemented in the company (authentication
mechanisms, data encryption, security awareness of mobile threats, etc)?
A: We don't have any security policies regarding mobile device access applied. However,
no one uses its mobile phone to gain access into the corporate network. Network perimeter and also internal network is protected with different security devices and techniques
e.g. firewalls with IPS, Antivirus etc.
Q: Do you (your employees) use the same device both for personal and corporate needs?
A: In some way, yes. However the computers are well protected.
Q: In the process of threat identification, what do you follow? An existing framework or
guideline, your experience and common sense?
A: We follow experience and different guidelines to identify the threat.
Q: While planning the protection of your device, do you follow any guideline or framework?
A: We follow different guidelines and security standards.
Q: What do you think is an effective and easy way to identify the threats to cell phones
your organization faces?
A: Observe the market, identify vendors which deal with mobile protection and follow
their guidelines.
Q: If we look at the problem from another angle, do you think it is enough to protect
information only by implementing technical controls in the device itself? Do you think
mobile operator should be considered also? What about third-party service providers
that offer their services for mobile phones (i.e. Facebook, Spotify, Flickr)?
A: The technical measures are not enough - different policies should be used. Mobile
devices should be also controlled from the unified management application, depending on
organizational needs all applications and traffic can be controlled.

Q: In your opinion, was the proposed framework improved over the original one?
A: I really did not find structural differences (only the excluded multimedia layer). However, it is explained in detail.
Q: What do you think can be done better, improved even more?
A: You should consider having mobile device management in your framework, device wipe
etc is done directly from there. Also the attacks should be classified in better way - for
me it seems to be just a random list of them, instead they have to cover all the threats.
DoS attack cannot be handled only with the security updates - also it is not so critical
for the mobile phones - more to the perimeter network devices (routers, firewalls). The
most risk comes from the data leakage (can be remediated using DLP and device encryption solutions) and viruses. SPAM also nowadays is handled in the cloud - different
antispam devices deal with it before it reaches the phone. Applications like facebook etc
can be easily controlled with proxy or an application layer firewall with security policies
allowing only business applications to be used.
Q: If you know of any other frameworks/guidelines targeted at mobile phone security,
what is missing in the proposed one compared to other alternatives? What is good about
it?
A: I don't know any other frameworks.
Q: Will it be useful for you to apply it at work?
A: Yes, it would be.
Q: How useful do you think this framework will be in evaluating the security of mobile
phones in company?
A: It would be useful but it needs some work on the threats side.
Q: Do you think this hierarchy is reasonable?
A: I think it is really fine as long it does not depend on certain technology.
Q: Is the overview of threat domains and corresponding safeguards enough? Is the connection between them appropriate?
A: Already wrote about it.
Q: If there was an attack tree as an addition, would it be useful for easier threat and
countermeasure identification?
A: It is really pointless to write out all the attack measures because in this case the
list would have to be updated periodically. I think that only the attack vectors such as
trojans, dialers etc without writing their names will be appropriate. The mobile device
itself nowadays is the computer so we can apply some security standards from the PC
and PC networking world.

Appendix B: Interview with Entraction representative
Interview was conducted via e-mail with Dimitrios Stergiou, chief information security
officer at Entraction AB.
Entraction Holding AB works to create profitable growth and long-term value enhancements for its shareholders by continuously evaluate attractive business opportunities in the fast-growing digital gaming industry. Prospective investments
of interest to the Entraction Group are companies operating as suppliers within
the digital gaming industry and which have a core product with strong growth
and profitability potential. Entraction Holding is not a financial investor, but is
only interested in companies offering significant synergies with the current supplier
operations. Entraction can contribute knowledge, management and access to the
considerable opportunities for cross-selling and advantages of scale that exist within
the Group.

Interview
Q: What do you think, how valuable is your mobile phone with all the information it
contains to a usual thief, to your competitor?
A: I estimate the value of the data contained in my mobile phone as very high. Not only
I carry business related emails on my phone, but I also have access to non-published
corporate resources (via bookmarks), access to corporate network (via VPN) and access
to personal sensitive files (via online storage media). Therefore, availability, confidentiality and integrity is crucial when it comes to data contained on my mobile phone.
Q: Did (do) you consider a mobile phone as an attack vector to get access to your corporate resources?
A: Mobile phones, especially the past few years with the introduction of smartphones
tend to be quite a plague for a corporation. More and more employees request mobile
access (mainly email) and at the same time take no precaution to protect corporate data.
Mobile phones, in my opinion are a valid attack vector and the threat will continue to
grow as more and more functions are introduced in the mobile phones world.
Q: Do you have any protection already implemented in the company (authentication
mechanisms, data encryption, security awareness of mobile threats, etc)?
A: Encryption has been implemented, to protect data storage on the mobile phones. Unfortunately, since the mobile phone is not a powerful processing unit, no additional
measures have been implemented (endpoint protection, firewalls, etc).
Q: Do you (your employees) use the same device both for personal and corporate needs?
A: Yes, the company provides the SIM card and a choice for the device, but the vast majority of the employees use the same SIM/phone for both personal and business reasons.
Q: In the process of threat identification, what do you follow? An existing framework or
guideline, your experience and common sense?
A: We use a combination of methods and guidelines, ranging from Octave and NIST to
ISO 27001 and common sense. We try to keep up with vendor reports, as well as 3rd
party reports (Gartner, Forrester) and utilize the best from each world.
Q: While planning the protection of your device, do you follow any guideline or framework?
A: We use vendor guidelines, guidelines from respectable groups (e.g.: SANS, CIS) and
common sense.
Q: What do you think is an effective and easy way to identify the threats to cell phones
your organization faces?
A: Currently we apply the same methodology to mobile phones, as we do for personal
computers / laptops, since we consider the mobile phone to be a smaller computer.
Unfortunately though, since technology does not provide the same solutions for both
platforms, occasionally we just have to accept the risk and deploy solutions which are
not up to higher security standards.
Q: If we look at the problem from another angle, do you think it is enough to protect
information only by implementing technical controls in the device itself? Do you think
mobile operator should be considered also? What about third-party service providers
that offer their services for mobile phones (i.e. Facebook, Spotify, Flickr)?
A: I believe that we cannot expect anything from the operators. The purpose of the
application operators (Facebook, etc) is to make money, while the purpose of the mobile
operators is to make money while providing the infrastructure. As we have seen in the
previous years, in the PC world, ISPs did very little to make Internet a safer place. Although they have invested in antivirus, network protection, etc, 90% of the problems we
had 10 years ago, we still have now. As the mobile operators leave the old telephone
world and come closer to the IP world, I believe that they won't be able to solve problems
that ISPs were not able to solve for so many years.

Q: In your opinion, was the proposed framework improved over the original one?
A: Since I have not worked in this field, I cannot directly compare the two frameworks.
I can definitely see though that the proposed framework is more detailed and broader,
which leads me to believe that it presents an improvement over the original proposal.
Q: What do you think can be done better, improved even more?
A: After reviewing the model, I cannot find any deficiencies or make any suggestions for
improvement. The model seems to be complete, covers all aspects of information security
for the mobile world, and seems operational, functional and easily implementable.
Q: If you know of any other frameworks/guidelines targeted at mobile phone security,
what is missing in the proposed one compared to other alternatives? What is good about
it?
A: I am not aware of any other model that addresses information security for the mobile
world, and therefore I am unable to comment or suggest improvements.
Q: Will it be useful for you to apply it at work?
A: We will definitely consider the model described above when we deal with information
security in the mobile world. I have to mention though that it will not be a priority since
mobile phones are not the company's core business and therefore they are covered under
the generic risk assessment process.
Q: How useful do you think this framework will be in evaluating the security of mobile
phones in company?
A: The framework mentioned above will definitely be used during our next risk assessment, at least some parts of it.
Q: Do you think this hierarchy is reasonable?
A: Yes, the hierarchy is reasonable and complete. It covers all threats and scenarios that
can attack information security in the mobile world.
Q: Is the overview of threat domains and corresponding safeguards enough? Is the connection between them appropriate?
A: Yes, the threat domains provide sufficient coverage and the connections are easily
traced and make sense.
Q: If there was an attack tree and threat list as an additional module, would it be useful
for easier threat and safeguard identification?
A: I believe that the model is sufficient the way it is, but any addition that would make
it more accessible to non-security people would be an asset.

Appendix C: Interview with Tieto representative
Interview was conducted via e-mail with Patrik Frost, security specialist at Tieto AB.
Tieto is an IT service company providing IT, R&D and consulting services. With
approximately 17 000 experts, we are among the leading IT service companies in
Northern Europe and the global leader in selected segments.

Interview
Q: What do you think, how valuable is your mobile phone with all the information it
contains to a usual thief, to your competitor?
A: More and more information is stored in mobile devices, it is a growing problem. Just
like portable computers there must be a solution to stolen mobile phones, i.e. encrypted
data.
Q: Did (do) you consider a mobile phone as an attack vector to get access to your corporate resources?
A: Yes
Q: Do you have any protection already implemented in the company (authentication
mechanisms, data encryption, security awareness of mobile threats, etc)?
A:
Q: Do you (your employees) use the same device both for personal and corporate needs?
A:
Q: In the process of threat identification, what do you follow? An existing framework or
guideline, your experience and common sense?
A:
Q: While planning the protection of your device, do you follow any guideline or framework?
A:
Q: What do you think is an effective and easy way to identify the threats to cell phones
your organization faces?
A: The normal way, with Risk Assessment of all the corporation's valuable assets.
Q: If we look at the problem from another angle, do you think it is enough to protect
information only by implementing technical controls in the device itself? Do you think
mobile operator should be considered also? What about third-party service providers
that offer their services for mobile phones (i.e. Facebook, Spotify, Flickr)?
A: Here I think it will be up to the business case for the different providers.

Q: In your opinion, was the proposed framework improved over the original one?
A: It is not possible due to the time spent studying the frameworks to be sure.
Q: What do you think can be done better, improved even more?
A: I would like to see more of a connection between the old framework, and the new.
Why three layers? What is the same between the frameworks and what is new, what is
moved between layers.
Q: If you know of any other frameworks/guidelines targeted at mobile phone security,
what is missing in the proposed one compared to other alternatives? What is good about
it?
A:
Q: Will it be useful for you to apply it at work?
A: Yes, it might be.
Q: How useful do you think this framework will be in evaluating the security of mobile
phones in company?
A: It is important to work from a plan, and have it documented. The framework can
help with that.
Q: Do you think this hierarchy is reasonable?
A: Yes. But that is from limited time study.
Q: Is the overview of threat domains and corresponding safeguards enough? Is the connection between them appropriate?
A: Too little time to comment.
Q: If there was an attack tree and threat list as an additional module, would it be useful
for easier threat and safeguard identification?
A: Too little time to comment.

Appendix D: Document sent to interviewees
Introduction
This study aims to offer a deeper and easier way of conducting research in the area of
mobile phone security, and to help find security threats and corresponding countermeasures quickly and easily by enhancing the existing framework.
Disposition of this paper
First, the framework model that my research is based on is briefly described,
including my personal comments on its structure and drawbacks. A new and improved
framework is then proposed, which is the result of an analysis of the weak parts. Finally, there
are interview questions that will help me to analyze the work I have done.
A hierarchical framework model of mobile security
A group of researchers from the University of Oulu proposed a framework for the systematic research of mobile security. It is a hierarchical model in which mobile security is
divided into three layers: property theory, limited targets, and classified applications.
Property layer
The authors indicate five main points to research on this layer, which are security objectives,
attacks, security mechanisms, security management, and security evaluation. Security
objectives aim at formulating and determining what kinds of security goals are going to
be achieved and to what extent. Attack research aims at analyzing and distinguishing
possible threats and offensive methods from all possible threats. Security mechanisms
try to find effective techniques to fulfill security objectives. In security management,
policies and rules are created, including user training and awareness, relevant to the
administration and maintenance of devices. Security evaluation includes identification
of critical components and vulnerabilities, inspection of performance, and evaluation of
privacy and robustness.

Figure 1: OULU framework model

While most of the targets in the property layer are aimed at high-level security research,
only the management target is used directly in this study, to provide control mechanisms
for device protection. The other targets are used indirectly on all three layers, as they help to
provide a deeper view. For example, attack and safeguard classes are introduced that help to
understand what problems may occur on each corresponding layer. Evaluation is left
out for future research, as the goal now is to concentrate more on protection.

Limited targets layer
This layer specifies three main targets, which are mobile networks, mobile computing,
and finally multimedia.
- Mobile networks. The focus is on the underlying infrastructure that cell phones
  use, like networks and supporting protocols. Topics of research include the security
  of 2G, 3G, and the upcoming 4G networks together with protocols like Mobile IP,
  the use of IPSEC in communication protocols, encryption, authentication, routing,
  and other problems.
- Mobile computing. Two targets are under consideration here: the problem of host
  protection (the physical protection of the device itself and attacks that can come from
  it, like differential power analysis, side-channel attacks, and others), and software
  agent protection (the operating system).
- Mobile multimedia. Protection of multimedia content distributed using mobile
  devices.
The authors place mobile multimedia in the Limited targets layer, describing it as valuable
not only to subscribers, but also to composers and providers. The illegal use of multimedia and abuse of rights can be considered a threat more to the rights holders. Although
it poses risks to the company in the form of fines, in my view it does not pose any
security threat to the privacy of the device owner or to the device itself, so it is left
out of the framework. The remaining two targets (mobile computing and mobile networking)
are combined to form the System layer.
Application layer
Some applications that cannot be successfully implemented without the proper support
of secure mobile networks and of the computing and media processing environment are put into
the top layer. These applications include, but are not limited to, messaging (SMS, MMS,
e-mail), telephone service (VoIP, IPT, video conferencing), and business applications (mobile
e-commerce).
The authors name it the Application layer and give examples like VoIP, IP telephony, and
others, which can be viewed as at least 3 separate parts: application client (program that
is installed in the telephone), server (software installed in a service provider infrastructure)
and protocol (protocol that is used for communication between server and client). Server
and protocol targets are dealt with in the System layer, while only the client part is left in this
layer. This helps to keep the hierarchy simple and the framework easy to use.
Limitations of this framework model
The framework described above proposes a systematic way to investigate
mobile phone security based on a strict hierarchy. The article gives a brief explanation
of how these layers are interconnected and which topic domains belong to which layer.
Although it is relatively old (9 years old at the time of writing this paper), it is not bound
to technology, which, as the authors say themselves, demonstrates that the framework can
explicitly serve as an effective guide to systematic research of mobile security. However,
each layer may contain multiple sub-layers that can guide the researcher to investigate an even
narrower area. For example, the Mobile computing domain is comprised of Agent,
OS, and Terminal objects, whereas OS can contain authentication methods,
which are composed of several types of authentication mechanisms. Without knowing
these details it may be unclear, for example, at which levels protection operates. Most of the
studies based on this framework concentrate on a single research domain or target, for example
Multimedia Digital Video Watermarking or Security issues in mobile computing.
When it comes to identifying threats, this framework alone is not enough. In their study
about security implications in mobile commerce over hotspot networks, Fourati et al.,
apart from the mobile security framework, additionally use other sources in order to
identify security vulnerabilities to mobile phones. Jin et al. also refer to multiple sources
to get a more holistic picture of security threats.
New enhanced framework
The resulting framework has the same hierarchy as its predecessor. However, each layer
was enhanced with additional groups and details for deeper problem coverage. Each
of the layers is made of three sub-layers: threat domain (highlighted with red color),
safeguard domain (highlighted with white color), and controls (highlighted with blue
color). Some threat domains appear in multiple layers, which means that the attack
vector may exploit the same target using different paths, or one threat may be protected
using multiple mechanisms.

Property layer
Most of the things on this layer cannot be dealt with by technology directly, or at all. Policy
and internal security standards should describe how to deal with these threats.
System layer
Although threats and safeguards here should be covered by policy, and can be dealt
with by training users, most of the security problems can also be addressed by technical
controls.
Application layer
Application layer highlights problems that may arise on the application level. Malware
and rogue applications, exploits against applications, Denial of Service attacks against
applications, and SPAM are the main targets on this layer.
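One way to use the three sub-layers during a risk assessment, as an added example that is not part of the thesis: each row links a threat domain to a safeguard domain and its technical controls, and the check reports threats with nothing mapped or nothing deployed, plus threat domains that recur on several layers. The layer names and the Application-layer threat domains come from the text above; the safeguard names, controls, deployed set and all function names are constructed assumptions, since the contents of the figures are not reproduced here.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Layer hierarchy of the enhanced framework, bottom to top, as named in the text.
LAYERS = ("Property", "System", "Application")

# Worst to best; when one threat has several safeguards, the best status wins.
RANK = {"no safeguard": 0, "not deployed": 1, "policy-only": 2, "covered": 3}


@dataclass(frozen=True)
class Entry:
    """One row: threat domain -> safeguard domain -> technical controls."""
    layer: str
    threat: str
    safeguard: Optional[str] = None  # None: no safeguard domain identified
    controls: tuple = ()             # empty: handled by policy, not technology


def entry_status(entry, deployed):
    """Status of a single row given the controls the organisation has deployed."""
    if entry.safeguard is None:
        return "no safeguard"
    if not entry.controls:
        return "policy-only"
    return "covered" if set(entry.controls) & set(deployed) else "not deployed"


def assess(entries, deployed):
    """Map (layer, threat) to its best status across all of its safeguards."""
    result = {}
    for e in entries:
        if e.layer not in LAYERS:
            raise ValueError(f"unknown layer: {e.layer!r}")
        key = (e.layer, e.threat)
        status = entry_status(e, deployed)
        if key not in result or RANK[status] > RANK[result[key]]:
            result[key] = status
    return result


def open_items(entries, deployed):
    """Threats that need action: nothing mapped, or no mapped control deployed."""
    statuses = assess(entries, deployed)
    return sorted(k for k, s in statuses.items() if RANK[s] < RANK["policy-only"])


def cross_layer_threats(entries):
    """Threat domains present on more than one layer, layers in hierarchy order."""
    seen = defaultdict(set)
    for e in entries:
        seen[e.threat].add(e.layer)
    return {t: [l for l in LAYERS if l in ls] for t, ls in seen.items() if len(ls) > 1}


# Constructed sample rows (assumptions, not the contents of Figures 2-4).
SAMPLE = [
    Entry("Property", "Device loss or theft", "Security policy"),
    Entry("System", "Device loss or theft", "Device management", ("Remote wipe",)),
    Entry("System", "Data leakage", "Data loss prevention", ("DLP",)),
    Entry("System", "Data leakage", "Storage protection", ("Device encryption",)),
    Entry("Application", "Malware and rogue applications", "Endpoint protection",
          ("Antivirus",)),
    Entry("Application", "Exploits against applications", "Patch management",
          ("Security updates",)),
    Entry("Application", "Denial of Service against applications", "Patch management",
          ("Security updates",)),
    Entry("Application", "SPAM"),
]
# Constructed: an organisation that has only rolled out encryption and updates.
DEPLOYED = {"Device encryption", "Security updates"}

if __name__ == "__main__":
    for (layer, threat), status in sorted(assess(SAMPLE, DEPLOYED).items()):
        print(f"{layer:<12} {threat:<42} {status}")
    print("open items:", open_items(SAMPLE, DEPLOYED))
    print("cross-layer:", cross_layer_threats(SAMPLE))
```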

Figure 2: Property layer

Figure 3: System layer

Figure 4: Application layer

General questions
- What do you think, how valuable is your mobile phone with all the information it
  contains to a usual thief, to your competitor?
- Did (do) you consider a mobile phone as an attack vector to get access to your
  corporate resources?
- Do you have any protection already implemented in the company (authentication
  mechanisms, data encryption, security awareness of mobile threats, etc)?
- Do you (your employees) use the same device both for personal and corporate needs?
- In the process of threat identification, what do you follow? An existing framework
  or guideline, your experience and common sense?
- While planning the protection of your device, do you follow any guideline or framework?
- What do you think is an effective and easy way to identify the threats to cell phones
  your organization faces?
- If we look at the problem from another angle, do you think it is enough to protect
  information only by implementing technical controls in the device itself? Do you
  think mobile operator should be considered also? What about third-party service
  providers that offer their services for mobile phones (i.e. Facebook, Spotify, Flickr)?
Framework evaluation questions
- In your opinion, was the proposed framework improved over the original one?
- What do you think can be done better, improved even more?
- If you know of any other frameworks/guidelines targeted at mobile phone security,
  what is missing in the proposed one compared to other alternatives? What is good
  about it?
- Will it be useful for you to apply it at work?
- How useful do you think this framework will be in evaluating the security of mobile
  phones in company?
- Do you think this hierarchy is reasonable?
- Is the overview of threat domains and corresponding safeguards enough? Is the
  connection between them appropriate?
- If there was an attack tree and threat list as an additional module, would it be
  useful for easier threat and safeguard identification?
