Sample Essay Paper on Mobile Application Security

Abstract

Mobile phones have emerged and are here to stay, and individuals need to know how to protect their privacy when using a mobile device. Most individuals treat security on their computers as an expected norm, yet they overlook the security of their mobile phones. Hackers are taking advantage of this lack of security awareness, and as a result, many individuals have become victims of identity theft. It takes many hours to undo the damage done to one’s reputation, on top of any monetary loss or expenses. At times complete recovery is nearly impossible. It is therefore paramount to emphasize the importance of mobile phone security coupled with a strong password to safeguard vital and sensitive data. Discussions herein outline the importance of security and security issues associated with mobile security applicatio

Mobile Application Security

Introduction

Mobile phones, especially those that serve as mobile PCs, enable one to store confidential information, contacts and photos, access the Internet and email, and download games and applications. It is therefore crucial to protect a phone for various security reasons, just as one would secure a mobile computer (Dagon & Martin, 2004).

Mobile security has become essential in mobile computing. Enterprise and private data can now be stored on smart phones. Billions of consumers and companies use smart phones not only as a communication tool but also as a means of organizing and planning both work and personal life. The technology behind smart phones has brought profound changes within companies through the emergence of new information systems, although it is also a source of new risks for companies (Dagon & Martin, 2004). Smart phones collect a wide range of sensitive data, access to which should be controlled to safeguard both the privacy of the user and the intellectual property of the enterprise.

Additionally, application development has spawned unprecedented growth in mobility, with over a million applications available across various platforms such as Microsoft’s Windows, Google’s Android and Apple’s iOS. Retailers benefit from these mobile applications and platforms in all aspects of their businesses. Mobility brings reduced costs, doubled workforce productivity, closer engagement with clients, closer collaboration among colleagues, client satisfaction and greater efficiency in operations.

Because of this, retailers across the globe have developed programs to connect socially, offer commercials, deliver vouchers and generate sales. Neiman Marcus and Starbucks are some of the retailers that have expanded client-facing applications to engage clients in unprecedented ways, thereby increasing brand loyalty and revenue (Mulliner, 2006). However, these applications are exposed to devastating information breaches, which might later destroy brand stature, compromise customer trust and affect profits.

Antivirus protection is currently a prerequisite for personal computers. Since smart phones can contain vital confidential and business information, it is essential to secure a smart phone with antivirus software (Mulliner, 2006). This is especially so because malicious software is not the only threat to a smart phone: the compact size of a mobile device also makes it easy to misplace. Therefore, mobile antivirus apps such as Kaspersky Internet Security come in handy to protect smart phones from virtual attackers and prying eyes.

Additionally, the 2X MDM application is very important in mobile tracking. It helps locate a lost mobile device and monitor the route taken after its theft. Using Q4 2011, users can lock their mobile devices by simply controlling the PIN. Users can further remotely wipe the data from their tablets and Android smart phones through the online 2X MDM dashboard (Mickens & Brian, 2005). Through this, users can rest assured that sensitive data is not exposed to potential hackers, which prevents identity theft. Moreover, this security enables users to view a full list of the apps installed on connected devices and to remove apps which could otherwise compromise security.

With remote deployment of apps, one can be confident that rogue apps, which may result in malware, are not downloaded. Unfortunately, most users take things seriously only when it is nearly or already too late. Regarding mobile safety, users are advised not to delay. The security of tablets and smart phones should be emphasized to avoid needless pain and embarrassment (Mickens & Brian, 2005). By simply signing in to a 2X MDM account, a user secures a mobile device from any malicious attack.

Mobile Application Security Issues

Numerous security issues are associated with mobile devices. Mobile devices and PCs are the preferred targets of attacks. Such attacks exploit weaknesses in smart phones that arise from their means of communication, such as the Multimedia Messaging Service (MMS), the Short Message Service (SMS), Bluetooth, Wi-Fi, web browsers and the Global System for Mobile Communications (GSM). There are similar attacks that exploit software vulnerabilities in both the operating system and the web browser, normally in conjunction with malicious software that relies on the limited knowledge of average users (Becher, 2000).

Studies indicate that threats to mobile devices, including mobile-based viruses and company data leakage, have been on the rise since last year. Spyware and malware are easily targeting mobile devices, leaving companies as sitting ducks for attacks (Becher, 2000). Generally, in matters of security, mobile phones are the primary targets of most attackers. Security issues that affect all mobile platforms include:

Most Mobile Devices Lack Enabled Passwords

In most cases, mobile devices lack passwords to control access to stored data and authenticate users on the devices. Most devices have the technical capability to lock the screen and authenticate the user with a password, a pattern or a personal identification number (PIN). Other mobile devices also include a biometric reader to authenticate fingerprints (Hogben & Dekker, 2010). Nevertheless, anecdotal data indicates that users seldom use these features.

Occasionally, when users do set PINs and passwords on their mobile phones, they opt for PINs and passwords that can easily be guessed or bypassed. For instance, most users opt for common digits such as 0000 or 1234, which increases the security risk. In the absence of a PIN or password, there is a risk that data on lost or stolen phones might be accessed by unauthorized users, who might view private data and misuse the mobile device (Hogben & Dekker, 2010).

Failure to use two-factor authentication when handling personal transactions on mobile devices

Recent research indicates that users generally rely on static passwords in preference to two-factor authentication when conducting sensitive online transactions on their mobile phones. Static password authentication has security drawbacks: the password can be eavesdropped, guessed, stolen, written down or forgotten. Two-factor authentication offers a higher level of security than traditional passwords, which is crucial for sensitive transactions (Guo & Wang, 2004).

Generally, two-factor authentication is a system in which customers are required to authenticate using at least two different factors, such as something known to the user or something possessed by the user. Mobile gadgets can be used as the second factor in some two-step validation schemes (Guo & Wang, 2004). A mobile phone can generate pass codes, or the codes can be transmitted to the phone via a short message. Without two-factor authentication, there is an immense risk that unauthorized users can access personal data and misuse the mobile phone.

Wireless Transmissions Are Rarely Encrypted

Information such as e-mail sent from mobile gadgets is usually not encrypted in transit. Moreover, most applications fail to encrypt the data they transmit and receive over a network. Such data can then be intercepted with ease. For instance, if a program sends information across an unencrypted Wi-Fi connection using HTTP (instead of HTTPS), it becomes very easy to intercept that information (Halbronn & Sigwald, 2010). Additionally, if a wireless transmission is unencrypted, information will easily be intercepted.

Mobile phones might contain malware

Mobile phone users may load software applications that contain malware. Users normally download malware unknowingly, since it is often camouflaged as a security patch, a game, a utility or some other useful program. It is challenging to distinguish between malware and a legitimate application. For instance, an application can be repackaged with malware, and a client can inadvertently download it onto their mobile device. This makes it easy to intercept such information. A wireless transmission that is not encrypted can easily be intercepted by eavesdroppers, who may obtain sensitive information without the user’s permission (Dixon & Mishra, 2010).

Most mobile phones lack security software

Most mobile phones do not have security software installed to protect against malware-based attacks, malicious programs and spyware. On top of this, consumers seldom install security software, in part because mobile phones do not come with such software preloaded (Gendrullis, 2008). As much as such software may slow down the phone’s operation and reduce battery life on some phones, the lack of it increases the risk of an attacker effectively distributing malware such as spyware, viruses, spam and Trojans to lure users into revealing their passwords or other personal information.

Operating systems may be outdated

Security patches or fixes for mobile operating systems are rarely installed on mobile phones in a prompt way. It takes weeks or months before a security update reaches the user’s device. The patching process may involve many parties, and can get complicated depending on the nature of the vulnerability. For instance, Google creates updates to the Android OS to address security vulnerabilities, but device manufacturers need to produce a device-specific update to fix the vulnerability (Halbronn & Sigwald, 2010). This process can consume time, especially if proprietary modifications to the device’s software are required. After the manufacturer has produced an update, it is up to every carrier to test it and transmit it to users’ devices.

Unfortunately, carriers can be slow to provide updates, since they need time to test whether the updates conflict with the installed software or other elements of the mobile device. Additionally, mobile phones that are older than two years may fail to receive security updates, since producers may cease supporting such phones (Halbronn & Sigwald, 2010). Most manufacturers cease supporting smart phones between twelve and eighteen months after their release. Such devices are exposed to increased risks, should manufacturers fail to develop patches for newly identified vulnerabilities.

Mobile device software may be outdated

Security patches for third-party applications are rarely developed and released on time. Moreover, third-party mobile programs such as web browsers often fail to inform users of the availability of appropriate updates (Hogben & Dekker, 2010). Mobile browsers are rarely updated, unlike traditional web browsers. The use of outdated software widens the risk that a malicious attacker might exploit vulnerabilities associated with such devices.

Internet connections are not restricted on mobile devices

Most mobile devices lack firewalls to limit internet connections. When a mobile device is connected to a wide area network, communication ports are used to connect it to the internet and to other devices. A malicious hacker can then easily access the mobile phone through an unsecured port. The key functions of a firewall are to secure these ports and to enable users to select which connections are allowed on their mobile device (Hogben & Dekker, 2010). The absence of a firewall exposes mobile devices to intrusion through unsecured communication ports, thereby enabling an intruder to misuse the device and access sensitive information.

Mobile devices may carry unauthorized modifications

Rooting or jailbreaking is the procedure of modifying a mobile device to remove its limitations so that users can add more features. Rooting interferes with the management of mobile security, and can easily lead to security weaknesses. Rooting enables users to add unauthorized software applications and functions to their devices. As much as some users may root their phones specifically to install security measures such as firewalls, other users may simply be searching for a cheaper or quicker method of installing desirable applications, which may not have much meaning (Bilton, 2010).

In the latter scenarios, users are exposed to security risks since they are bypassing the application vetting procedure designed by manufacturers, and therefore have limited protection against the inadvertent installation of malware. In addition to this, rooted devices may not receive notifications of security updates from their manufacturers, and as a result might need additional effort from users to keep their software up to date.

Unsecured Wi-Fi

Moreover, research such as that conducted by the GAO documents that an unsecured Wi-Fi network can allow a malicious attacker to access confidential information on a mobile device (Mickens & Brian, 2005). Such a situation results in data and identity theft. A man-in-the-middle attack is one example of such an attack on Wi-Fi networks. In this attack, the hacker sits in the middle of the communication stream to steal information.

Consequently, it is normally challenging to trace a device terminal, since every time the terminal connects to a network, a new short-term identity (TMSI) is allocated to that terminal. The TMSI can be used to identify the terminal should it connect to the same network again (Mickens & Brian, 2005). The TMSI is normally delivered to the mobile terminal in the form of encrypted messages; but should the GSM encryption algorithm be altered, the attacker can intercept all unencrypted information sent by the user’s mobile device.

Poorly secured communication channels

A communication channel such as Bluetooth works when the device is allowed to be seen by other Bluetooth-enabled devices so that a connection can be made. Leaving such a communication channel open in discovery mode enables a hacker to install malware or secretly activate a camera to eavesdrop on the user’s information (Mickens & Brian, 2005). Public Wi-Fi hotspots that are not secured encourage a malicious attacker to target the device and retrieve personal information.

Attacks derived from MMS and SMS management flaws

Some mobile device models handle binary short messages poorly. For instance, some mobile devices have been used to send MMS messages with attachments to other phones. These attachments are normally infected with a virus. Upon delivery of the MMS, the user can opt to view the attachment. If the user opens the attachment, the mobile device is infected and the MMS virus spreads to the entire phone book (Bilton, 2010).

An example of this attack is the Commwarrior virus, which uses the phone book and the Multimedia Messaging Service to send an infected file to multiple recipients (Bilton, 2010). The user installs the software received through MMS, and the virus then starts to deliver messages to recipients taken from the phone book.

Conclusion and recommendation

As can be observed from the above, mobile devices are exposed to various threats. IT managers are working hand in hand to address mobile security threats, which have become increasingly imminent. Until the entire security issue is brought under control, it is paramount for companies and individuals to protect their data from spyware, malware and any other dangerous hacking attempts. Companies should draft rules and a disaster recovery plan for employees, to give the company more control and appropriate solutions in the event of a security breach. Users, on the other hand, should take measures to ensure that their personal information is safe from attackers.

Several measures can be taken to minimize mobile application issues. Firstly, users should enable authentication on their devices. Mobile devices can be configured to require a PIN or password before granting access. Passwords should further be concealed to avoid unauthorized access. Secondly, users should verify the authenticity of applications prior to downloading them. Procedures can be implemented to check the digital signatures of downloaded applications to confirm that they have not been tampered with.

For sensitive transactions, consumers should use two-factor authentication. For remote access, a mobile device can itself serve as the second factor in two-factor authentication. A mobile device has the capacity to generate pass codes, or such codes can be delivered to the phone through a short message. Therefore, when carrying out important transactions such as financial transactions or mobile banking, it is paramount to always use two-factor authentication.
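The two-factor flow recommended here and described in the earlier section on two-factor authentication can be sketched as follows. This is an added example, not part of the original essay: it assumes the phone generates codes with TOTP (RFC 6238), a method the essay does not name, and the Account class, its login method, the password and the salt are hypothetical names and constructed values (the secret is the RFC's published test key).

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (the RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """Pass code the phone would display at Unix time `at`."""
    return hotp(secret, int(at) // STEP, digits)


class Account:
    """Hypothetical server-side record: password verifier plus shared secret."""

    def __init__(self, password: str, totp_secret: bytes, salt: bytes):
        self.salt = salt
        self.pw_hash = self._stretch(password)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step already accepted

    def _stretch(self, password: str) -> bytes:
        # Store a salted, slow hash of the password, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, at: float, window: int = 1) -> str:
        # Factor 1: something the user knows.
        if not hmac.compare_digest(self._stretch(password), self.pw_hash):
            return "denied: password"
        # Factor 2: something the user has (the phone holding the secret).
        now = int(at) // STEP
        for counter in range(now - window, now + window + 1):
            if counter <= self.last_counter:
                continue  # step already used: an observed code cannot be replayed
            expected = hotp(self.totp_secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter
                return "ok"
        return "denied: code"


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 6238 test key
    account = Account("correct horse", secret, b"constructed-salt")
    shown_on_phone = totp(secret, 59)
    print(account.login("correct horse", shown_on_phone, 59))   # first use
    print(account.login("correct horse", shown_on_phone, 59))   # replayed code
```

A stolen password alone fails the second check, and a code captured in transit is rejected once its time step has been used or has passed the one-step drift window.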

Thirdly, users should install antimalware software. Antimalware software should be configured to protect against infected secure digital cards, malicious programs, spyware, malware-based attacks and viruses. These programs can further shield against unwanted e-mail attachments, short messages and spam. Moreover, users should install security updates. Software updates can be delivered automatically from the carrier or manufacturer directly to a user’s mobile device. Appropriate procedures should be in place to ensure prompt delivery of these updates.

Also, lost or stolen devices ought to be remotely disabled. Remote disabling either erases the content entirely or locks the device. Fortunately, locked phones can be unlocked if they are recovered by their owner. Additionally, users should encrypt the information stored on the memory card or the phone itself. Encrypting files ensures that sensitive information stored on memory cards and mobile devices is protected. Most devices use commercially available encryption or built-in encryption capabilities. A policy should be established to ensure mobile security. Such security policies should stipulate the principles, rules and practices that establish how a company treats mobile devices, whether for organizational or personal use.

As a result, mobile phones ought to be configured and controlled. Configuration management protects mobile devices against the introduction of improper modifications before, during and after deployment. Finally, risk assessments can be performed. Analyzing risks is helpful in identifying threats and vulnerabilities, estimating the possible harm from successful attacks on mobile phones and establishing the possible attacks.

On-Going Research and the Future of Mobile Security

The discussion above examines the various security issues related to mobile security, and cites problems with passwords, the handling of personal transactions on mobile devices, lack of encryption for wireless transmissions, malware attacks, the lack of security software, outdated operating systems, internet connections, unsecured Wi-Fi, unauthorized modification of mobile devices, deficient security for communication channels, and SMS and MMS flaws as some of the factors associated with mobile security. Despite efforts to find answers to these problems, success in this respect remains elusive. For example, just in 2013, in an InformationWeek survey on Mobile Security, McAfee reported 50,926 instances of malware. Moreover, 78 percent of the participating organizations reported lost or stolen devices as their biggest mobile security concern (Finneran, 2013).

Research on the answers to these security issues has exhibited a shift from mobile device security to data security. The examples above show much effort on mobile device security. Recent research, however, has focused on data security rather than security for mobile devices. Indeed, data security, as opposed to mobile device security, has become an even more important factor in the age of cloud computing.

Protecting Mobile Systems

As already noted above, research on mobile security is increasingly focusing on data rather than the mobile device. In this regard, this paper examines the focus on data, and BYOD and cloud technology.

  1. Focus on Data
  2. Data-Centric Security

For a long time, the construct of network security has been based on a platform-centric security, focused on what Nohl (2010) calls, ‘walled gardens’ of security within the mobile system enterprise. However, this has still been found wanting. If the definition and design of mobile data networks is anything to go by, the premise is of accessing data anytime and from anywhere. Unfortunately, this means that the normal bounds of security within geographically fixed and physically secured networks are broken (Northcutt, 2009).

The concept of data-centric security was first developed by Bilger et al (2007), who discussed it in their paper, Elevating the Discussion on Security Management: The Data Centric Paradigm. The key aspect of this concept is that it focuses on protecting the data, and less on protecting the device. The concept was not exactly original when Bilger et al (2007) discussed it in the said paper. For years, it had been used in the defense industry and similar governmental organizations, which have long used it to design tiered protective measures, with security classification and clearance limiting access rights. In these organizations, in practice, files that are marked ‘SECRET’ are filed or saved in approved locked containers, or at other isolated points on secure encrypted networks that are not connected to the open internet. This system is based on the premise that different pieces of information call for different levels of security because they are critical for different reasons. For instance, the implications of a breach of personally identifiable client information are not the same as the implications of a compromise of trade secrets or corporate financial records. The main paradigm shift in data-centric security, therefore, is that security measures are thought of in terms of a breach of the confidentiality, integrity and availability of every specific file, service, or other piece of data held by the organization. Only then can security measures be put in place to protect the different levels of data (that is, in terms of their importance and, consequently, the implications of a breach of any such data).

For example, in a platform or network centric system, a user may easily access the entire corporate network through a single-factor-authenticated VPN solution configured on his/her device, such as a password. Once the user is logged in, he/she can retrieve, run and push back data and applications to the corporate environment. In other words, in platform or network centric systems, layers of security are defined in such a way that, as in the example above, a user accesses his/her corporate network through the same VPN. This includes access to personal data as well as sales data (often classified as ‘Level 1- Protected’). Further, if the user should choose to access a file in ‘Level 2- Classified’, he/she would have to authenticate the access using a second factor (such as the password and another one-time PIN from, say, his/her physical token). The extra authentication activates the decryption of the file through a Public Key Infrastructure (PKI) service, which then flags the file as non-locally savable on the user’s device. Further still, if the system ‘discovers’ that the user is using a mobile device, it might then altogether deny the user access to whatever higher level they are trying to access. This is a big problem. This example discusses the application of data classification meta-data to each file or application. However, according to Bilger et al (2006), such a system should only be used at the lowest practical level.

Data-centric security, on the other hand, takes a new direction in providing protection. Bilger et al (2006) outline the key questions that guide the classification of data in the preparation of a data-centric security strategy: where the data originated from; the owner of the data; the person who controls the data; the person or thing that holds the data; and the type of data it is.

The next step is to outline the controls applicable to individual pieces of data: the person who may use the data, on what device(s), and for what purposes; whether the data can be shared, and under what conditions; where the data can be kept and for what duration; whether there is a need to safeguard the data when it is at rest, and when it should be backed up; how the data should be disclosed, and what subset can be disclosed and what cannot; the protection to implement; and whether the data needs to be watermarked or distorted, among others.

Ultimately, a multi-level data centric model ensures the least amount of user hassle for the majority of common data, and increasingly stringent access requirements as the data becomes more sensitive. However, even as it is important to ensure maximum security, it is also important to consider usability. The limits of a platform-centric system, for example, affect employees’ ability to work from anywhere and at any time, as is the desire of many, if not yet all, organizations in the 21st Century. In other words, as with all security controls, there is a need to find a balance between maximum security and usability. According to Talmor (2010), depending on the technological implementation of data-centric security, the user may at times have to answer some or all of the questions listed above whenever he/she is saving new data. In other cases, the minimum requirement would be that they select a permission group (such as Finance) and a level of sensitivity (such as ‘Level 1- Protected’).
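The multi-level model described above can be expressed as a small access-decision function in which the tag on the data, not the network the user is on, drives the outcome. This is an added example, not taken from the essay or from Bilger et al: the two level names and the Finance group come from the text, while the Tag, Request and Rule types, the device and action names, and every value in the POLICY table are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    PROTECTED = 1    # the essay's 'Level 1- Protected'
    CLASSIFIED = 2   # the essay's 'Level 2- Classified'


@dataclass(frozen=True)
class Tag:
    """Classification metadata that travels with a file or record."""
    owner: str
    group: str       # permission group, e.g. "Finance"
    level: Level


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    factors: int     # distinct authentication factors presented this session
    device: str      # "managed_pc" or "mobile"
    action: str      # "read" or "save_local"


@dataclass(frozen=True)
class Rule:
    min_factors: int
    mobile_save: bool          # may a mobile device keep a local copy?
    mobile_obligations: tuple  # conditions attached to access from a mobile


# Assumed policy values: friction rises with sensitivity, and mobile access
# is constrained rather than refused outright.
POLICY = {
    Level.PUBLIC:     Rule(1, True, ()),
    Level.PROTECTED:  Rule(1, True, ("wipe_after_inactivity",)),
    Level.CLASSIFIED: Rule(2, False, ("view_only", "audit_log")),
}


def decide(tag: Tag, req: Request):
    """Return (allowed, reason, obligations) for one request on one tagged item."""
    if req.device not in ("managed_pc", "mobile") or req.action not in ("read", "save_local"):
        return (False, "unknown device or action", ())   # fail closed
    rule = POLICY[tag.level]
    if tag.level > Level.PUBLIC and req.user != tag.owner and tag.group not in req.groups:
        return (False, "not in permission group", ())
    if req.factors < rule.min_factors:
        return (False, "step-up authentication required", ())
    if req.device == "mobile":
        if req.action == "save_local" and not rule.mobile_save:
            return (False, "local copy not permitted on mobile", ())
        return (True, "ok", rule.mobile_obligations)
    return (True, "ok", ())


if __name__ == "__main__":
    forecast = Tag(owner="carol", group="Finance", level=Level.CLASSIFIED)
    bob = Request("bob", frozenset({"Finance"}), factors=1, device="mobile", action="read")
    print(decide(forecast, bob))   # password alone is not enough for Level 2
```

With these assumed values, common data stays low-friction while a Level 2 file can still be viewed from a phone after step-up authentication, but never stored on it.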

With a properly implemented user interface, a successful system is one that includes the participation of the user in defining the requirements for the protection of a given document or piece of data. Once data is meta-tagged, however, the system can recognize the requirements for security and automatically apply the appropriate protective measures. Alternatively or in combination, software can scan file contents and assign a classification based on content recognition. Unfortunately, this approach may have its own flaws. Still, the approach may work well in certain environments. “It is only natural that any data being entered into database assumes the classification and reliability of the field in question, and should require little or no user interaction” (Bilger et al, 2006, p.11).

That said, security policy, at any degree, may be implemented based on the threat-risk assessment that organizations conduct. If considered overly risky, organizations should consider data generated on mobile devices. Although mobile devices may not generate long pages of extra documents, for example, some can record voice and video or take photos, even complete with geo-tagged data on location. Even seemingly minor elements (such as contacts, the phone call register and calendar items of key executives) may need to be considered when preparing security measures.

  1. Prevention of Data Loss

Apart from unauthorized access to sensitive data by individuals who should not access it, there is also the problem of data loss within the organization (without the data necessarily being stolen by an unauthorized person). This has prompted research into Data Loss Prevention (DLP), another technology that is said to have shown promise in addressing some of the security issues associated with mobile platforms. Vendors have referred to this technology by several terms, including Information Leak Prevention (ILP), Information Leak Detection and Prevention (ILDP), Information Protection and Control (IPC), Content Monitoring and Filtering (CMF) and Extrusion Prevention System (EPS). Regardless, the essence of DLP is the active monitoring and protection of information at rest and in transit on a network (Bilger et al, 2007).

DLP is related to data-centric security. In fact, Nohl (2010) says, the two complement each other in many ways. For example, the file or field level tagging of data with classification and permission markings makes it possible for DLP software to easily recognize data and control its flow as it transits through the network. For example, while in a data-centric security system ‘Level 2’ data might flow freely anywhere within the geographically local wired corporate network, it is possible to prevent such data from transiting out through email servers, VPN gateways, web browsers and other common channels for data exfiltration. Many DLP vendors do recognize the stigma that many employees face in the possibility that they may be disciplined for even honest mistakes. In this regard, DLP adds self-remediating features. For example, when a user initiates an action, he/she might receive a pop-up that allows him/her to authenticate the action or cancel it. In other words, DLP also educates the user. This reduces involuntary, accidental data breaches by users and reinforces policy.

DLP, according to Talmore (2010), also allows organizations to maintain a positive inventory of every copy of protected data and manage the lifecycle of the information as it is created, transmitted, and even securely deleted. DLP can also permit a host-based client to inspect data as it is entered into local applications. Moreover, DLP can help search for certain types of data in network traffic or host inputs, including by recognizing the format of a financial record or credit card number.
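The two DLP mechanisms described above, flow control driven by classification tags and recognition of credit card numbers in outbound content, can be combined in one egress check. This is an added example, not a vendor's implementation: the channel names, the three verdicts (allow, prompt, block) and the rule that a content match on untagged data triggers the confirm-or-cancel prompt are assumptions, and the sample message is constructed (4111 1111 1111 1111 is a widely used test card number).

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

INTERNAL = {"corp_lan"}                            # local wired corporate network
EXTERNAL = {"email", "vpn_gateway", "web_upload"}  # egress points named in the text


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Return masked card numbers found in text (last four digits kept)."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def evaluate(channel: str, text: str, level: int = 0):
    """Return (verdict, findings) for data of a given classification level."""
    if channel in INTERNAL:
        return ("allow", [])                 # tagged data moves freely inside
    if channel not in EXTERNAL:
        return ("block", ["unknown channel"])   # fail closed
    if level >= 2:
        return ("block", ["tagged Level 2"])    # the tag alone decides
    cards = find_cards(text)
    if cards:
        return ("prompt", cards)             # user must confirm or cancel
    return ("allow", [])


if __name__ == "__main__":
    # Constructed sample message: an order number plus a test card number.
    msg = "Order 1234 5678 9012 3456 shipped; card 4111-1111-1111-1111 charged."
    print(evaluate("email", msg))            # order number is ignored, card is flagged
    print(evaluate("corp_lan", msg, level=2))
    print(evaluate("email", "Q3 forecast attached", level=2))
```

The findings carry only masked numbers, so the DLP log does not become a second copy of the data it protects.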

Further research has looked into the other technologies that may permit creative solutions to this mobile security issue. For example, these researches have focused on how the availability of mobile broadband connections makes off-device (cloud) computing possible. Other researches have also focused on how organizations should implement security during inevitable mobile bloodspots, such as wireless service areas, among others (Bilger, 2007).

However, this is not the end of it. There is still more research into emerging technologies. Even then, a clear trend emerges, with more focus on securing data rather than building impenetrable perimeter defenses.

  1. Further Research into the Future: BOYD, Cloud Technology and Security

But research on data-focused security is not all there is to it. The expanded use of mobile devices today, particularly in management, has prompted further research on new ways to focus on data-related security.

For instance, the advent of mobile devices by which employees can access corporate data wherever they are and at any time has seen the emergence of the Bring Your Own Device (BYOD) trend, encompassing other similar initiatives, such as Bring Your Own Technology (BYOT), Bring Your Own PC (BYOPC) and Bring Your Own Phone (BYOP). All these are part of the ‘consumerization of IT’ trends that have seen a considerable evolution of workplaces, especially in relation to the empowerment of workforces. According to a Webroot survey published in July 2014 (cited in Weise, 2014), 61 percent of companies have their employees using their personal smart phones and tablets for work. However, BYOD has been found to pose a number of security risks to organizations already implementing the policy. In relation to this, companies are concerned about the security of their vital data (Odendahl, 2014; Weise, 2014). Evans (2013) concedes that this concern is justifiable, especially considering that employees might have little or no control over their personal devices, or the risk of an employee losing his/her device or having it compromised (such as by hackers and viruses).

A PC Magazine article (cited in Drew, 2014) outlined some of the ways in which BYOD can put organizational data at risk, including the increased risk of loss or theft of mobile devices and the failure of employees to follow password guidelines to secure their devices, among others. Most importantly, the risks associated with BYOD have been attributed to cloud computing. In agreement, the InformationWeek survey found that 36 percent of the respondents were worried about employees “forwarding information to cloud-based storage devices” (Finneran, 2013, p.1). According to Drew (2014), information is increasingly being stored in cloud storage networks. A new survey by Elastica (a security firm) reports that cloud storage use is very high at the moment, with every employee storing an average of over 2,000 documents in the cloud and ‘broadly sharing’ an average of 185 documents with others (such as coworkers) through the cloud. The report also showed the security risk associated with this trend, finding that 20 percent of the documents broadly shared contained some form of sensitive information, and that 13 percent of the stored and shared documents had no limitations and controls whatsoever. Further, according to Hannula (2014), what adds to this risk is the fact that many organizations may be overlooking some of the BYOD-related security risks for the sake of higher productivity and profits.

In response to the BYOD policy in many organizations, there has been research focused on how to handle the risks associated with this new trend. The research has focused on developing an even more secure Android mobile operating system (OS).

As an example of the projects aimed at addressing these new security challenges, ZDNET reported on a new and more secure framework (called the Android Security Modules, ASM) for the Android OS, created through a joint effort by two universities. It is said to have been created to enable developers to easily utilize cutting-edge security tools. The framework would establish security modules within the OS, which would contact the security module when deciding whether or not to run an operation, thereby allowing developers to make significant changes to OS security without having to change device firmware. These security modules can then make data anonymous before it is sent to a third party, manage dual personas, filter out malicious code and perform as yet unanticipated security tasks (Drew, 2014). This new framework is seen as part of the answer to the security problems associated with smart phones and the BYOD policy in many organizations.

According to Drew (2014), it is doubtful that the ASM will ever come to be used in devices. However, this research provides hope for businesses that the research toward improving security in relation to cloud technology is headed in the right direction.

How This New Research Will Improve Mobile Security

It is important for research on mobile security to set realistic goals and objectives. The term ‘realistic’ here implies attainability of security recommendations. As it were, focusing on data security is more realistic than focusing on mobile device security. Mobile devices are subject to human error, which is ever common. Indeed, it can be hard for people to follow all the recommendations on mobile device security to the letter. On the other hand, data security is easily attainable, as it may not be subject to human error in the way that mobile device security measures may be.

But most importantly, the ultimate purpose of mobile security (whether data- or device-centered) is to protect information (that is, data). Data-centered security goes to the heart of the problem right away, unlike device-centered security, which beats about the bush, avoiding the main issue.

In the end, and especially in an age when cloud computing is becoming even more prominent, data-centered security is the best answer for individual and organizational mobile security concerns. Besides, cloud technology is the future, and mobile devices are not that relevant in the search for the security of data that is in the cloud.

Conclusion and Recommendation(s)

For organizations, the policy of BYOD (aimed at improving productivity and profits) has made the mobile security problem even bigger. Moreover, the emergence of cloud technology increases that risk for many organizations. Cloud technology poses a problem for both individuals and organizations. To address this, involved parties must acknowledge the risk that private data face in the context of cloud technology. While mobile devices remain essential to security, they are largely irrelevant where the protection of data in the cloud is concerned. Organizations and individuals must focus primarily on data. Besides, with data synchronization in smartphones, the problem is not so much about the loss of data as it is about access to data by unauthorized persons. Although data loss is key (considering that there does not have to be a human factor involved), data-focused security should focus more on preventing this unauthorized ac

References

Becher, M. (2000). Security of Smartphones at the Dawn of their Ubiquitousness. Mannheim University.

Bilger, M., et al. (2006). Data-Centric Security: Enabling Business Objectives to Drive Security. IBM.

Bilger, M., et al. (2007). Elevating the Discussion on Security Management – the Data Centric Paradigm. 2nd IEEE/IFIP International Workshop on Business-driven IT Management. In Conjunction with IEEE/IFIP Integrated Management.

Bilton, N. (2010). “Hackers With Enigmatic Motives Vex Companies”. The New York Times. p. 5.

Dagon, D. & Martin, T. (2004). “Mobile Phones as Computing Devices: The Viruses are Coming!” Pervasive Computing 3 (4): 11.

Dixon, B. & Mishra, S. (2010). Malware Detection in Smartphones. International Conference on Dependable Systems and Network Workshops.

Drew, S. (2014). Android Security and BYOD: Moving in the Right Direction. Midsize Insider, Aug. 27. Retrieved 17 November 2014, http://midsizeinsider.com/en-us/article/android-security-and-byod-moving-in-the#.VGR5qrF9laQ

Evans, D. (2013). What is BYOD and Why Is It Important? TechRadar, Aug. 23. Retrieved 17 September 2014, http://www.techradar.com/news/computing/what-is-byod-and-why-is-it-important–1175088

Finneran, M. (2013). Research: 2013 State of Mobile Security. InformationWeek, June 02. Retrieved 17 November 2014, http://reports.informationweek.com/abstract/18/10935/Mobility-Wireless/Research:-2013-State-Of-Mobile-Security.html

Gendrullis, T. (2008). “A real-world attack breaking A5/1 within hours”. Proceedings of CHES ’08. Springer. pp. 266–282.

Guo, C. & Wang, H. (2004). “Smart-phone Attacks and Defenses”. ACM SIGCOMM HotNets. Association for Computing Machinery, Inc.

Hogben, G. & Dekker, M. (2010). “Smartphones: Information Security Risks, Opportunities and Recommendations”. ENISA.

Halbronn, C. & Sigwald, J. (2010). Vulnerabilities and iPhone Security Model.

Hannula, J. (2014). Enterprise Mobile Security Meets User Productivity. Midsize Insider, Oct. 09. Retrieved 16 November 2014, http://midsizeinsider.com/en-us/article/enterprise-mobile-security-meets-user-pr#.VGSmAbF9laQ

Mickens, J. & Brian, D. (2005). “Modelling epidemic spreading in mobile environments”. WiSe ’05 Proceedings of the 4th ACM workshop on Wireless security. Association for Computing Machinery, Inc. pp. 77–86.

Mulliner, C. (2006). Security of Smart Phones (M.Sc. thesis). University of California, Santa Barbara.

Nohl, K. (2010). Attacking Phone Privacy. Black Hat 2010 Conference.

Northcutt, S. (2009). 2009 Security Predictions. Retrieved 16 November 2014, http://www.sans.edu/resources/securitylab/2009_predictions.php

Odendahl, M. (2014). ‘Bring Your Own Device’ Creates Privacy Issues for Employees, IBJ, Aug. 20. Retrieved 16 September 2014, http://www.ibj.com/bring-your-own-device-creates-privacy-issues-for-employees/PARAMS/article/49128

Talmore, E. (2010). Data-Centric Security. Retrieved 15 November 2014, https://www.infosecisland.com/blogview/4249-Data-centric-security.html

Weise, E. (2014). Bring Your Own Dilemmas: Dealing with BYOD and Security, USA Today, Aug. 26. Retrieved 16 September 2014, http://www.usatoday.com/story/tech/2014/08/26/byod-bring-your-own-device/14393635/