1.0 Introduction

The purpose of this document is to expose a business problem from a technological viewpoint. The subject of the business problem I have selected is smartphone security. This subject will be analysed and critically evaluated, then expanded upon further to reflect the range of possible solutions and raise awareness of the risk and need of smartphone security.

1.1 Aims and objectives


  • Create an authoritative document with recommendations to raise awareness and inform businesses for the need of greater mobile security within the business environment.
  • Use insight to establish a research gap.

Main objectives

  • Assess smart mobile devices currently used.
  • Analyse security advantages and disadvantages of smart mobile devices.
  • Establish what risks smart mobile devices are exposed to.
  • Evaluate impact of risk exposed by unsecure mobile devices to businesses.
  • Examine mobile security currently available.
  • Investigate responsibility
  • Evaluate current business policies and procedures for mobile devices and how these can be enforced.
  • Construct smartphone security guide with recommendations for businesses.

1.2 Problem statement

The problem is information and financial loss due to information theft or inaccessibility from malicious software, and the detrimental impact this has upon the business.

A recent report from Gartner (reference report) indicates that sales of smartphones have grown exponentially and businesses are reaping the benefits gained from smartphones, however their use also creates security risks and opportunities for cybercriminals.

There are many types of information that can be stored on smartphones for example, personally identifiable information in the form of identity credentials, email, SMS and MMS messages, GPS coordinates, passwords, company documents and connectivity access information to company servers as just some of the examples.

Information security has gained significant value within the business domain over the past decade however this value remains subjective (why subjective? And value pertaining to what?). Users have been made aware of the risks posed by malicious software whilst using their personal computer on the internet, now assistive technology like smart mobile devices are becoming increasingly more powerful, functional and ubiquitous.

Where personal computers have at least some security software in place as standard, smartphones commonly have no security software installed as a standard and are susceptible to (Malware, Viruses, trojans,etc-examples please ;)) the exact same threats as to personal computers.

Businesses, professionals and personal users now have a greater awareness for the need of personal computer security. This has been provided by media coverage, enterprise training or through personal experience. When using a personal computer or laptop for example, it is common to find a firewall and antivirus software installed showing that internet safety has now become a social normalcy.

“…Smartphones are more powerful than supercomputers were a few years ago, and we are putting them in the hands of people who've never had anything like it before." - Google CEO Eric Schmidt

As Schmidt states smartphones are pervasive devices, workers typically need training on these devices as they are multifunctional and unless people are aware of the threats these devices pose the consequences can be detrimental on the business.

Today's organisations rely heavily upon information technology in order to allow their business to function (Khosrowpour, 2001). This is fundamentally due to how intricate information technology systems are embedded into organisations.

Smartphones provide businesses with many new opportunities (sweeping statement-what opportunities and is this your opinion/referencing?) however these opportunities provided by smartphones exist not just for business and personal users as the opportunity extends to cybercriminals too.

Malware is one of the most common sources of security failures within businesses currently (sweeping statement-most common according to who?), they have the same capabilities as personal computers and are used within business environments in the same manner, however they are typically unsecure and rely solely upon the standard out-of-the-box security features with no antivirus or firewall present.

There are many different mobile operating systems for smart mobile devices requiring different security applications. The operating systems and the risks associated will be carefully analysed.

The intentions of this paper are to investigate what impacts smart mobile devices can have on businesses, why these problems affect the organisation, and how they are overcome.

Finally, insight will be gathered and recommendations made so that businesses can use to foresee and prevent future unnecessary costs and risk.

2.0 Literature review

The focus of the subject proposed for this project is a very real-world business and information technology problem. Smartphone security is a recognisable potential problem for both individuals and businesses as most smartphone users including businesses and educational establishments do not have any specific policies in place to safeguard from smartphone security related issues.

Because smartphone security is still in its infancy, it will be a challenge to source accurate and relevant information from authoritative sources such as ‘Emerald' without resorting to web based research. However, the more this project advances smartphone security in the media is becoming omnipresent.

For the project a survey will be proposed in order to gain knowledge for understanding how aware users are for the need of smartphone security. This survey will target as many participants as possible in order to gather appropriate primary evidence. Interviews will be conducted with professionals in the field of smartphones and security such as police personnel, security advisors and mobile phone shop staff to ascertain levels of security training, public security literature and knowledge.

Authoritative information sources will be used to gain technical information directly from manufactures, websites and retail outlets such as Apple, Android, Research In Motion, Nokia and Microsoft for documentation on smartphones and smartphone platforms. Only technical information will be used from these sources as it is in manufacturer's interests to sell their products

Analysis of the survey will be done using statistical analysis tools including IBM's ‘SPSS', ‘SPSS Text Analysis' software and more modern statistical analysis web-based techniques such as MarketSight. MarketSight is a hosted research data reporting environment accessible by the internet and only available through the internet browser Microsoft explorer whereas SPSS is software directly installed onto a computer.

‘Malware: the new legal risk' the paper written by Verine Etsebeth in 2007 has invaluable source material for this project. Acquired from Emerald Insight, it is very suitable to this project as it highlights the threat of malware and risks posed to businesses. It is well written and authoritative however Emerald specified it was unique as no such document has been published previously.

The majority of sources used by Etsebeth are from Harley, D; Slade, R and Gattiker, U. Etsebeth references Viruses Revealed (McGraw-Hill, New York, NY 2001) This source is recognised and trusted within the industry as a whole and is considered to be authoritative and well-documented on its own merit. This paper focuses on the legal and professional implications of malware on companies in South Africa Etsebeth's home town.

This paper is very suitable for this project as it is a very well written and authoritative document, the majority of sources used by Etsebeth are from Harley, D., Slade, R. and Gattiker, U. (2001) Viruses Revealed, McGraw-Hill, New York, NY. The source used by Etsebeth ‘Viruses Revealed' as a well-documented authoritative document published by McGraw-Hill, a recognized trusted source. Etsebeth is a senior lecturer in the Faculty of law specialising in the areas of law and information security.

Although Etsebeth's paper ‘Malware: the new legal risk' is highly suitable in terms of qualitative information, it lacks suitable geographic law for the scope of my project. I will use the information provided by Etsebeth for Malware, as this information is not geographically bound, and analyse the legal implications after comparing them to UK law.

Etsebth highlights that companies are reluctant to report cybercrimes as it has negative implications on the company's reputation this correlates to my hypothesis.

‘Understanding the spreading patterns of mobile phone viruses' by Pu Wang, Marta Gonzalez, Cesar Hidalgo and Albert-laszlo Barabasi is a technical journal based on mobile phone virus modelling and the understanding of spreading patterns.

The journal was published in 2009 and investigates various mobile platforms relating to my assignment however the document is a highly technical report based on the mathematics of virus spreading patterns, I find this report to be highly enlightening however due to the technical awareness of the target reader of my assignment I believe this report to be too technical and out of scope.

Authoritative information directly from manufactures websites and retail outlets will be used including Apple, Android, Research In Motion, Nokia and Microsoft for documentation on smartphones and smartphone platforms as this will allow me to access accurate and current reliable information directly.

Secondary information sources will be avoided where possible such as blogs and review websites for direct smartphone technical information as these types of resources may facilitate in providing inaccurate facts.

Local mobile phone retail outlets such as Orange, Vodaphone, Phones4u, The Carphone Warehouse, O2 and T-Mobile will provide me with valuable information on device security awareness. I will enquire on staff security training and in-house company security literature currently available to public and business consumers as this will affect the average smartphone users security awareness.

After investigation smartphone security I established that some research in this area had been done already by Goode Intelligence a UK company based in London.

‘Goode Intelligence' is a company that provide strategic research and analysis that specialises in information security. Founded in 2007, Goode Intelligence has provided clients globally with statistical information from evidence accumulated from surveys in the field of information security. Goode Intelligence is viewed as an authoritative market leader of information security consumer information.

2.3 How this project fits in with the literature review

I had chosen the subject then chosen the literature review method, thus tailoring the literature review to fit the requirements of the project.

The Survey will allow me access information on how smartphone users actually use their device, how important they view the information stored on the device and users perception of the need for security

3.0 Research methods

3.1 Hypothesis

‘Businesses are not aware that they are at risk of information and financial loss or theft due to malware infections on smartphone devices.'

Information Technology consultants have recognised the gap in security for mobile devices, however it was soon realised that the physical security of the device was not the real issue, as the need for smartphone security awareness within businesses was a far greater concern. Experience establishes that the best form of security is the awareness for the need of security and why by the individuals who use the technology.

Smartphone malware is not seen as of great importance to IT professionals, business managers or general consumers. A majority of smartphone users use their devices for both business and personal use and a large share of smartphone users will be using their personal smartphone for work related activities.

The assumption is based that most individuals would know what information they deemed as confidential, more specifically, what information would they not like others to access to include such things as calendar, contacts, photos, emails and files.

IT professionals should be the most aware group of smartphone malware risk, as their experience and technological awareness should allow them to be more technologically security aware.

Antivirus used on personal computers is well known to hinder system performance and conflict with some applications and other software, The hypothesis is that antivirus products will consume more system resources then current smartphones can afford to offer and require more power from the device ultimately reducing the battery life and impacting negatively on overall system performance, rendering the device unusable by the average user.

The perception of products such as the iPhone are viewed as secure out-of-the-box along with Blackberry smartphones as they are mostly touted by mobile phone shop staff as business orientated secure devices.

3.2 Methodology

The project will be implemented using a triangulated, positivistic methodological approach. The particular technique chosen this will provide a balanced view of the subject area. It will incorporate both quantitative and qualitative primary research methods as reffered to by Bryman as multi-strategy research (Bryman, 2006). The scope of this project will mostly be Quantitative based research as indicted in Fig 1 below.

Bryman advises that quantitative data can be gathered by way of a survey and qualitative research collected from journals and interviews.

The Initial research will be conducted using primary research in the form of a cross-sectional survey questionnaire with closed questioning, interviews with professionals in the field of smartphone related security such as police personnel, security advisors and mobile phone shop staff will also be conducted to gain knowledge of their awareness of smartphone security and what advice they provide.

The survey will be available to respondents in paper form where needed however the survey respondents targeted will mostly be from the internet so it is required that the survey be electronically hosted. The web-based survey distribution method selected is ‘Survey Monkey'.

The main motivations for selecting ‘Survey Monkey' are reputation, administration features, ease of access and user layout familiarity. The survey will be designed to be concise and simple to maximise the amount of respondents in order to gain quality information.

The target survey population will represent business managers, IT professionals as well as individuals who use their smartphone for personal use to establish users who admit to using their smartphone for both business and personal as opposed to personal use only. This is suggested by Baxter as an important step in defining who should be included and excluded from participating in the survey (Baxter, L. & Babbie, E, 2004).

The users have been targeted as the project will establish not only the perception of smartphone security but also what smartphone policies and procedures are currently in place and how aware users are of these.

Research indicates that an ideal resource for the proposed target users is through a popular internet based technological social news website named ‘Reddit'. ‘Reddit' has a daily turnover of over 850.000 unique users (Alexa, 2010). According to Alexa the average ‘Redditor's' are male between the age of 18 to 44, are well educated and browses ‘Reddit' either from work or home, suggesting that the majority of ‘Redditors' are working professionals in the technology field.This suggest that the average ‘Reddit' user is technologically aware (Alexa, 2010), suggesting that ‘Reddit' would suit the proposed target survey participant.

The proposed project will be delivered using an analytical in-depth research structure. This project structure has been selected as it will primarily be research based on the current business problem as previously stated.

The intentions are to analyse the problem, understand how aware people are of the issue and propose possible solutions,

One method of analysis proposed is the conceptual method, as described by Beaney as a way of breaking down or analysing concepts into their constituent parts in order to gain knowledge (Beaney 2003). I have interpreted this to mean the compartmentalisation and analysis of data.

Critical and creative thinking skills such as Edward.De Bono six thinking hats will be used to examine the problem domain. A review will be given on how the systems work and compare them to how they should work. I will then analyse the solution domain by examining which options are available to improve the system security along with optimal recommendation and the benefits this would provide.

‘SPSS' is a well-established statistical analysis application first released in 1968. Randomised questions, Marketsight. Survey design

4.0 Results

4.1 Presentation and description of results

Who took part?

The survey was conducted to establish the awareness of information security and the need for smartphone security. Users were openly invited from technological backgrounds to partake in the survey and assured of anonymity.

A total of 758 people responded to the online survey from a possible 854,998 potential participants (Fig. 2). The survey itself was open for one month during February and March 2011.

The results indicated in Figure 2 that a majority share of survey participants, with 82 per cent being male and 18 per cent female confirms my survey target gender. When asked, both genders averaged at age 26 (Fig. 3) as denoted in Figure 3, again confirming my target survey demographic groups.

When asked 53 per cent of respondents reported they had used their smartphone solely for personal use, opposed to 45 per cent of partakers that reported they used their smartphone for both business and personal use, with 2 per cent reporting to use a smartphone solely for business use only as shown in Fig. 4 combining a total of 47 per cent.

25 per cent of respondents had only been using smartphones for the past six months, 17 per cent were aware they had been using them for at least a year and a majority percentage of 59 per cent had been using smartphones for more than one year seen in Figure 5.

Only 12 per cent of respondents opted to use the ‘pay as you go' payment facilities as opposed to the greater majority of 88 per cent that have contracts shown in Figure 6 below.

87 per cent of participants reported that they did not use any form of smartphone security software such as antivirus as opposed to 13 per cent that did as highlighted in Figure 7.


In answer to the question “What type of smartphone do you currently use?” 34 per cent of respondents said they used an Apple IPhone, 58 per cent reported to use Android smartphones, 13 per cent used Blackberries and 6 per cent of respondents had Symbian smartphones (Fig. 8).

87 per cent of respondents had used calendar functions, 94 per cent of respondents used email, 86 per cent of used games, 87 per cent of respondents used GPS features, 74 per cent of respondents used instant messaging, 52 per cent of respondents used internet banking facilities, 66 per cent of respondents used multimedia messaging service (MMS), 94 per cent of respondents used the short messaging service (SMS) feature and 78 per cent (Fig. 9) of respondents admitted to using social networking sites on their smartphone.

93 per cent of survey partakers used 3G for mobile data communication, 59 per cent of respondents used ‘Bluetooth' technology, only 4 per cent of had used infrared line of sight technology, however 75 per cent of respondents admitted to connecting via universal serial bus (USB) and 94 per cent of participators had used wireless for mobile data communication shown in Figure 10. Total of 757 participators answered this question and 1 partaker chose to skip the question.

From a total of 758 respondents, 63 per cent (476) valued the physical smartphone above the 37 per cent (282) whom valued the information more.

Figure 12 shows 62 per cent of survey participants reported that they did not pay attention to licence agreements and permissions when installing applications on their smartphones 34 per cent reported they did read the licence agreements and permissions. 4 per cent of respondents believed that this question was not applicable to them for their smartphone use.

The awareness for the need of personal computer security is apparent as 81 per cent of responders were aware for the need of security software for personal computers as opposed to the 19 per cent who were not aware. 94 per cent participants have connected their smartphone to a personal computer (PC), 6 per cent stated they had not ever connected to a PC. All 758 respondents answered this question.

Figure (XXX) shows that survey respondents considered smartphone security as ‘beneficial but not essential' as the majority answer with 64 per cent , 21 per cent (159) didn't not consider there to be a need currently for smartphone security software as opposed to 15 per cent (114) whom considered smartphone security software as absolutely essential.

95 per cent of respondents were aware of ‘Adware', 27 per cent had known about ‘Badware', 25 per cent of respondents were aware of ‘Crimeware', 69 per cent had previous knowledge of ‘Rootkits', ‘Trojans' 95 per cent,, ‘Spyware' 95 per cent, ‘and ‘Worm' 90 per cent were the most commonly aware terms of malware from the malicious software list, the majority being ‘Virus' with 97 per cent of respondents being aware of this type of malware. 731 respondents answered this question.

96 per cent of respondents stated that they owned the smartphone, only 4 per cent of respondents had employer owned smartphones. All partakers responded to this question.

Out of the 758 respondents, 15 per cent were aware of policies within their place of business, with the majority of respondents 41 per cent unaware of any workplace policies or procedures particularly orientated toward smartphones. 44 per cent responded that the question was not applicable to them. All participants answered this question.

It is interesting to find that only 15 per cent stated they were aware of specific workplace policies and procedures specifically for mobile phones and 40 per cent were aware there were no mobile phone policies and procedures. A majority of 92 per cent (699) had not been advised of any security methods to protect them or their information from fraud, theft or malicious software. 8 per cent (59) respondents agreed they had received adequate security advice.

4.2 Discussion and interpretation of survey results

Analysing the results of the survey shows the majority of smartphone users to be Android users peaking in the 20 to 24 age bracket, this would indicate that an IT professionals choice of smartphone is Android as indicated in Figure 3 below.

Smartphone survey contributors within the 20 to 24 age group were then further examined to indicate what purpose is intended when using the devices, examining the results shows clearly that a majority of survey respondents reported they viewed their smartphone use as personal use, however disturbingly over half the users in the same age group admitted to using their smartphone for both personal use and business use as shown in Figure 4.

Female respondents preferred the features provided by iPhones however also as opposed to male smartphone users who clearly preferred the Android platform over all others as seen in Figure (XXX).

Examining users perception for the need of smartphone security against those users whom did or did not have antivirus shows that the awareness for the need of security correlates to users whom did indeed have smartphone security measures in place with nearly half of users who responded ‘Absolutely essential' to the question ‘How necessary do you see the need for smartphone security software' as shown in Figure (XXX).

However the overall amount of smartphone users with antivirus or other security is disturbingly low given the malware threats currently available.

The results also show us that a large majority of IT professionals do view smartphone security as beneficial however not essential. Android users are the most security aware demographic as demonstrated in Figure (XXX) above. This indicates that users are not aware of the threats posed by malware and view the need for smartphone system performance greater than the need for security.

Business users have been defined as respondents who confirmed they used their smartphone for business only and users who reported they used their smartphone devices for both business and personal use.

Smartphones have many features of value to employees as shown in Figure (XXX) Below, Email, Calendar, GPS and SMS features were shown to be the most used features all of which are viewed to aid employee productivity. However features such as games and social networking which negatively affect employee productivity were also shown to be frequently used, suggesting that smartphones can have negative effects on employee productivity. Figure (XXX) also shows us that over half of business users reported to use internet banking facilities from their smartphones.

After finding out what smartphone features business users were most interested in I studied how aware business users were of security permissions and licence agreements prompts when installing new applications on their smartphones.

The pie chart below is a representation of business user survey respondent's awareness of how essential smartphone application installation security prompts are in regards to new application installations.

Figure (XXX) shows us that 60 per cent of all business users admitted that they did not pay attention to licence agreements and permission prompts when installing new applications.

The distinction between smartphones and personal computers is becoming increasingly marginal. Personal computers for example do not have built in billing systems and unless connected to the internet are static devices accessible via a local area network or through direct contact. Smartphones have an integral billing system are completely mobile and have multiple connectivity methods.

When business user survey partakers were asked if they used any security applications such as antivirus, an overwhelming majority responded that they did not use any security products. This confirms part of my hypothesis that business users do not perceive smartphone security as a real threat.

Discovering that the majority of business users used internet banking facilities for either personal banking or business banking and 9 out of 10 business smartphones had no security products installed it was elementary to understand if business users were aware of smartphone malware threats.

The line graph in Figure (XXX) indicates that over 90 per cent of business users are aware of malware threats such as Adware, Spyware, Trojans, Virus's and Worms however business users were all least aware of malware threats such as Crimeware as indicated in Figure (XXX)

Survey respondents who reported they used their smartphone for personal use only were excluded from the following analysis.7 out of 10 business users confirmed they were not aware of any specific smartphone security policies at work (Figure (XXX)

The awareness of security for iPhone smartphones is low as user's perception of Apple and Mac OS is that it is impervious to malware infection. Research shows that iPhone users have the least amount of antivirus installed on devices. As discussed earlier, users are completely reliant on Apple to vet all applications for malicious code, whereas Android and Symbian applications are open source so users may inspect the contents for malware.

secure smartphone model, least security aware group

Android users are the most security aware demographic group as the typical android user is conscious that malicious software exists and the android community are able to vet applications themselves. Android users were also the highest security aware group with the highest percentage of antivirus products per smartphone.

Virtual environments, least secure smartphone perception

Blackberry smartphones were the most secure devices in regards to email, network connectivity however it was found that application signatures can be purchased by anyone for a small fee thus rendering the security of the device minimal.

Very secure aspects, not as secure overall

Symbian smartphones are found to be the most current common target for malware developers.

Low security

Windows phone 7 is the newest platform on the smartphone market and only time will tell how secure the device is.

Awareness and concern

5.0 Smartphones

Private and confidential data from lost or stolen mobile devices such as laptops, USB pen drives and computer storage drives has gained negative exposure within the media recently however one of the largest growing threats to corporate information comes from unsecure smartphones.

To understand this statement it is important to appreciate the history of the smartphone to recognise why smartphones pose such a threat in today's business environment.

A mobile phone is a portable electronic device used to make and receive telephone calls. The mobile phone was first revealed by Dr Martin Cooper from the company Motorola in 1973, it was not until ten years after Dr Cooper's demonstration that Motorola released its flagship mobile phone the ‘DynaTAC', this was the world's first commercially viable mobile phone (Motorola, 2009).

Originally these devices were commercially targeted at businesses and upper class individuals as the cost of the device was very high and the actual usage was severely restricted, due to the technology limitations at this time of battery weight (Motorola, 2009) and because the battery duration was limited to last a maximum of 30 minutes thus making the device impractical and available only to businesses and professional consumers.

‘According to Moore's Law, the number of transistors on a chip roughly doubles every two years.' (Intel, 2005)

As Moore stated over thirty five years ago, due to the advancement of processors, battery technologies and overall reduced power consumption, mobile phones have become lighter, smaller, more powerful and longer lasting (Intel, 2005). Due to these fundamental technological advancements mobile phones have been able to incorporate additional existing technologies such as camera units, sensors, speakers and often take advantage of JAVA based applications and features, thus coining the term ‘Feature phone'. Feature phones are more advanced technologically than mobile phones however now

Smartphones currently reside in the top tier of mobile communication technology.

The term ‘smartphone' is ambiguous and many experts fail to agree on a suitable definition. Most smartphone features are not exclusive to a particular category, this project does not intend to make that definition, however for the scope of this project I have listed combined definitions and compared current smartphone features as listed in Figure 3 below.

Gartner, a world leading authority in information technology research define smartphones as ‘A large-screen, voice-centric handheld device designed to offer complete phone functions while simultaneously functioning as a personal digital assistant' (Gartner, 2010).

Feature phones can have several of the characteristics as listed below in figure 3, however smartphones have the capability of providing all the capabilities. As a result, any mobile device meeting all conditions of each function in figure 3 can be considered a smartphone under this definition.

Table 1 - Smartphone characteristics



Phone size

Device is compact and easily transported.

Operating System

Operating system that allows third party applications.


Device offers multiple connectivity methods


Keyboard or touchscreen keyboard functionality.

Storage expansion

Device has expandable memory storage capability.

Office functions

Applications such as email and word processing.


Device includes organiser and calendar functions.


Synchronisation of information peripheral devices.

Phone Features

Voice, text and multimedia message functionality


Acceloratormeter, light, sound and movement sensors.

Under the definition of smartphones or Smart Mobile Device (SMD) the following mobile platforms were included:

  • Apple iOS
  • Blackberry
  • Google Android
  • Symbian
  • Windows Mobile

The smartphones as seen in Figure 4 are an example of just some of the current smartphone models available. Apple iPhone 4, HTC Desire, BlackBerry Torch and Nokia N8 are some of the models available.

Smartphones are being incorporated by many businesses as important communications, collaboration and customer relationship management (CRM) tools as predicted by Gartner (Gartner, 2010). The benefits smartphones provide businesses are abundant, smartphones allow employees to:

  • Stay organised using personal organisers, automatic reminders and electronic diaries
  • Access to business applications from anywhere
  • Internet browsing

Smartphones are capable of additional storage using storage expansion cards such as secure digital storage cards as illustrated in figure (XXX). Current microSD technology is available at a maximum of 64 GB capacity however near future SDXC technologies are expected to surpass 2 terabytes.

As previously stated there are many smartphone platforms available, each platform and brand bringing different benefits and functionality. These platforms or operating systems create opportunities for both businesses and personal users. For businesses this increased functionality provides the facility for added employee productivity.

Due to the vast range of smartphone platform benefits

Table 2 - Smartphone demographics

Entertainment focused

Information focused

Communication focused

Voice calls

SMS/MMS messaging

Video calling







Music and video

External storage

5.1 Smartphone users

The three set Venn diagram in Figure (XXX) highlights three user categories entertainment, information and communication users. These users are consumer types both professional consumers and personal consumers.

The term prosumer outlines the professional consumer type defined by Cisco as ‘Someone who makes little distinction between his or her home and work lives. The prosumer engages in activities belonging to either sphere', regardless of time or location‘(Cisco, 2008).

Research shows that professional smartphone users often use their personal smartphone for business use. Indicated in Figure (XXX) a prosumer is an advanced consumer who combines communication and information smartphone use.

Figure (XXX) illustrates the overlapping segments which specify the mixture of user types for smartphones. I have indicated which smartphone user types are suitable due to the features available and target demographic group.

Apple products are orientated towards general consumers with products such as the iPad, iPod and iPhone. The main features of these products include communication and entertainment use as shown in Figure (XXX) below. The iPhone is situated between ‘Communication users' and Entertainment users' to reflect this user group.









The Ideal smartphone model for a prosumer, indicated as 4 in Figure (XXX) is the BlackBerry arguably the original smartphone, these models possess all the features required by a business professional and combine communication and information features as indicated in Table (XXX).

Smartphone Model

Operating System

iPhone 4

iOS 4.0

Nokia N8

Symbian Series 60 3rd Edition

HTC Desire

Android 2.2 Froyo

BlackBerry Torch

BlackBerry OS 6.0

5.1 Apple

The Apple iPhone was first released in June 2007 and was revolutionary being one of the earliest commercially available smartphones (Apple, 2011). The operating system iOS is Apple's in-house developed platform tailored specifically for the iPhone based upon a modified version of Mac OSX.

The iPhones target demographic are professionals, students, corporate users, entrepreneurs and medical users, the iPhone has been designed to meet the consumer needs of these users this has been achieved by the providing the facilities for consumers to store large amounts of information, communicate and allow access to entertainment on the go from a user friendly touchscreen interface.

Screen size

3.5 Inches

Screen resolution

320 by 480

Input method

Multi-touch screen


1GHz Apple A4



Operating system

iOS 4


4GB or 8GB + up to 32GB external


Quad-band (850, 900, 1800, 1900MHz)

Wireless data

Wi-Fi (802.11b/g) +Edge + Bluetooth 2.0


5.0 Megapixels


Up to 5 hours talk / video / browsing

Up to 16 hours audio playback


137 grams

Over 300,000 applications have been developed for the iPhone, these applications are one of Apple's key marketing features, all applications are vetted internally by apple before they are available for users to download.

The iPhone's primary functions are making telephone calls, email functionality, web browsing and media player. Secondary features include SMS and MMS messaging, camera, video and GPS.

Popular, perceived security (apple store, scans for malware?)

possible in the past to "jailbreak" an iDevice just byvisiting a website from the device, it's quite obvious that malicious code could be sent instead. Also, several apps have slipped through Apple's fingers that haveadded functionsthat aren't allowed in Apple's guidelines.

5.2 Android

Android is an open source Linux based platform that includes middleware and key applications. The Linux kernel provides services such as security, memory management, network stack and process management (Android, 2010).

The ‘Android Market' has approximately 150,000 applications available to users for download. Anyone can make applications for android this poses a high risk for individuals who download without.

Screen size

3.7 Inches

Screen resolution

480 by 800 AMOLED

Input method

Multi-touch screen


1GHz Qualcomm Snapdragon



Operating system



512MB ROM + up to 64GB external


Quad-band (850, 900, 1800, 1900MHz)

Wireless data

Wi-Fi (802.11b/g) +Edge + Bluetooth 2.0


2.0 Megapixels


Up to 5 hours talk / video / browsing

Up to 16 hours audio playback


1.8 Ounces

Android utilises the ‘Dalvik virtual machine' this virtual machine was designed specifically for Android and encapsulates applications within a low-memory virtual environment.

One of Androids most appealing features is that the operating system is open source, Open-source software is software that is available that permits users to study, change and improve, permissions normally only available to copyright holders.

This has and can be abused by malicious software developers as the ability to study and modify application source code means malicious software developers can develop and manipulate existing applications to incorporate their malicious code. However this ability to read source code means the Android community can check for malicious code, warn other Android users and remove the code.

.3 BlackBerry

BlackBerry has dominated the business smartphone market created by the Canadian developer Research in Motion (RIM) in 1999 (RIM, 2010). RIM provides proprietary operating systems for its Blackberry devices.

Blackberry's target consumer group are professionals, notably business managers who require an all-in-one device for email, phone, web services and personal organiser.

Screen size

3.2 Inches

Screen resolution

360 by 480 TFT

Input method

Multi-touch screen

QWERTY keyboard

Optical track-pad


1GHz Qualcomm Snapdragon



Operating system

BlackBerry OS 6.0


512MB ROM + up to 64GB external


Quad-band (850, 900, 1800, 1900MHz)

Wireless data

Wi-Fi (802.11b/g) +Edge + Bluetooth 2.0


5.0 Megapixels


Up to 5 hours talk / video / browsing

Up to 16 hours audio playback


1.8 Ounces

Current Blackberry models are

Read more:http://www.businessinsider.com/chart-of-the-day-smartphone-apps-2011-3#ixzz1KlfTSWLE

Security architecture built upon military specification, perceived most secure as email encryption (tunnelled) through Canada

Security Advantages

  • Encrypted Wi-Fi and email facilities as standard
  • Blackberry PIN

Security Disadvantages

  • Banned in several countries due to privacy concerns

5.4 Symbian

Symbian is an open source platform owned by a conglomeration of companies such as Samsung, Motorola, Sony Errikson, Sanyo, LG, Siemens, BenQ, Lenovo, Panasonic, Sendo, Arima, and Nokia as shown in Figure 5. Finnish giant Nokia owns the majority share of Symbian, Nokia is a software producing company based in London, UK.

Screen size

3.7 Inches

Screen resolution

480 by 800 AMOLED

Input method

Multi-touch screen


1GHz Qualcomm Snapdragon



Operating system



512MB ROM + up to 64GB external


Quad-band (850, 900, 1800, 1900MHz)

Wireless data

Wi-Fi (802.11b/g) +Edge + Bluetooth 2.0


2.0 Megapixels


Up to 5 hours talk / video / browsing

Up to 16 hours audio playback


1.8 Ounces

open sourcing the software opens up the availability of the Source Code to programmers, who can then develop, modify and distribute as they see fit meaning a richer and hopefully what becomes a considerably improved OS very quickly thanks to developer input.


Source: Nokia

Symbian is based upon three security concepts, capabilities, installation file signing and data caging. These three capabilities provide Symbian with its core security as the capabilities limit access to sensitive application programming interface (API) functions, installation file signing is required as without it is not possible to install any applications and data caging limits access to sensitive areas of the operating platform.

5.5 Windows mobile

Windows mobile is a mobile operating system based on Windows CE developed by Microsoft. Windows CE was developed for use with mobile devices such as mobile phones, tablet computers, PDA's and pocket PC's.

Windows mobile is founded on three security principles similar to that of Symbian security, these security principles are security roles, security policies and application signing. Security roles and policies define what rights users and groups have on the device and application signing requires that a valid application signature is required to install applications and other software.

Windows mobile is currently being phased out to be replaced by Windows Phone 7, Microsoft's based upon a cut-down version of the popular Windows operating system Windows 7. The Windows 7 Phone is currently the newest smartphone platform released.

‘In the computing world, nearly all the major virus epidemics over the past few years have been caused by vulnerabilities in Windows.' (Kaspersky, 2007)

Newest player, least perceived secure device

6.0 Smartphone role within business environment

As demonstrated in section 5 of the report there are strong business and economic values for mass consumerisation of smartphones within businesses.

Every business, be it private or public, a small to medium enterprise or a multinational, profit driven or non-profit driven, has to process data, or facts, about its operations (Chung, 1987). Businesses do this to supply management with current, accurate and reliable data. The management decisions are based on such information for market statistics, operating costs, inventory, procurement and other factors. This data can be gathered and transferred from electronic devices such as personal computers, laptops, PDA's and smartphones.

Smartphones have the ability to access the same company data as a personal computer however smartphones are more versatile as they are not static devices, smartphones are mobile devices like laptops and tablet computers and should be treated as such.

In many businesses, employees are mobile, working from home or visiting clients. For the mobile workforce smartphones are now an essential requirement for their roles as they can easily access required company information, take photos and audio notes, access email, use GPS, communicate and collaborate with colleagues and clients from anywhere.

7.0 Malware

Malware is a concatenation of malicious and software, which clearly indicates that malware is software with malicious intentions. Smart phones have access to both telephony and the Internet allowing criminals the opportunity to steal information and ….

The pervasive nature of smart phones and a large, unsophisticated user base also make smart phones particularly attractive to attackers. Important personal and financial information can likely be compromised by mobile malware because phone usage revolves largely around day-to-day user activities. For example, smart phones are increasingly being used for text messaging, email, storing personal data, including financial data, pictures and videos. (XXX) http://www.cs.rutgers.edu/~iftode/hotmobile10.pdf

Computer virology is a vast subject area as there are many variants of malicious software, this study aims to identify the main categories of smartphone malware.

Malware Type




Software that disregards a user's choice of how their device will be used.



Software that behaves in an undesirable manner. Adware, Spyware for example.



Is legitimate software that has the functionality to be used for malicious purposes.



A rootkit is software used by malicious attackers after a device's security has been compromised, allowing an attacker remote privileged access to the device.



Software that is designed to trick users into purchasing potentially dangerous software.



Software that appears to be legitimate however has malicious intent.



Software that self-replicates and attaches itself to existing programs, it can be destructive by deleting or corrupting device information.



Similar to a virus, is self-replicating and destructive, however spreads using network protocols.


Malware typically uses many of the same mediums as malware for static personal computers, however on smartphones they have more opportunities to spread via interfaces and services unique to smart phones such as Bluetooth, text messaging and multimedia messaging services.

Etsebeth, (2007) defines malware as “any software program designed to move from computer to computer and network to network to intentionally modify computer systems without the consent of the owner or operator”

Malware is continuously evolving, malicious software writers are exploiting new and creative methods in which security professionals are finding increasingly difficult to mitigate the risks posed.

An example of evolving malware is sensory malware, sensory malware can use combinations of malicious software. One particular sensory malware uses a Trojan which can sense its environment using a sound miner to detect the context of its audible surroundings to extract small amounts of high value data (XXX).

Yet despite the rapid market growth of smartphones and awareness of computer related malicious software the devices have received an inexplicably small amount of security emphasis.

The infection vectors and infection payload are terms used by security professionals, are a descriptive of what methods and techniques have been used to distribute malicious software.

Malware is typically installed on devices with the tacit approval of users, such methods are described as social engineering.

7.? Cybercriminals

There is a wide range of offences that can be committed through communication technology (Home office, 2010) such as fraud, data security and intellectual property theft.

Any individual can create software malware, even with low programming skills as the initial outlay costs in creating malware are very low and the potential rewards can be very profitable. Financially-based crime is being undertaken by serious organised criminals and their motivations are mostly for financial gain.

7.1 Badware

Badware is software that fundamentally disregards a user's choice about how his or her computer or network connection will be used (XXXXstbworg, 2011). This has been interpreted to mean that particular software acts deceptively, taking control away from the user and engages in objectionable behaviour without the user's awareness or consent.

Often there is little distinction between bad software and deliberately malicious software as some badware is not malicious in its design however can prevent users from retaining control of their activities.

Badware can be installed onto a user's smartphone from an application or from visiting infected or intentionally malicious websites through drive-by downloads or social engineering attacks.

Hoax smartphone applications such as ‘Badware Protector' which is a rogue anti-spyware application which uses scare tactics into manipulating users into installing the application by displaying a false webpage showing a system security scan with false infections. This tactic is very effective with inexperienced users.


7.2 Crimeware

Crimeware is covertly installed malicious software intentionally designed to steal financial related information or collecting high value company information for financial profit to the distributor of the software. Crimeware has been known to perform identity theft, with the goal of stealing financial related information such as bank details, usernames, passwords and other financial sensitive information.

Crimeware can be a combination of malware such as Trojans, keyloggers

7.3 Grayware

Grayware is a classification of malware where an application behaves in an undesirable manner often reporting or tracking a user's activities to the developer, these applications are usually installed and run without the permission of the user.

Grayware is an umbrella term for software often known as Adware or Spyware and can be used as medium for social engineering attacks on users.

Table 3 - Grayware risk categories

Grayware Type




Developed to deliver advertisements.



Used to make or send messages to premium rate numbers.



Are used to change a user's handset settings, however generally does not result in direct damage.



P2P is a legitimate protocol and can be used for business purposes however often used to illegally swap files with intellectual property rights and often a source of other malware.



Intended to track and analyse user's activity.


Key Logger

Designed to capture user's keystrokes and can record passwords, financial related information, email, chat and more.



Manipulate web browser or DNS settings to change a user's home page and manipulate a user's browsing habits.



Intended to add additional programs and features to existing applications with the intention to record information, this information is sent back to external sources.



Used to allow malicious software to be downloaded and installed without the users knowledge.


The term grayware is used because the intentions of the applications are not necessarily malevolent, an example of this can be seen in website tracking using cookies, these tracking cookies can be used for malicious purposes however the concept was to track a user's behaviour and direct customised sales content to the users, resulting in more sales for the developer.

Grayware applications can come from a number of sources, such as downloading shareware and freeware applications, email hyperlinks and attachments, pop-up advertising and spoofed websites (Fortinet, XXX).

Adware can be embedded into legitimate freeware applications so that developers may still profit from the developed application, often developers are not even aware of the adware included into their application as frequently this process is done by the advertisers directly in order to gain revenue.

7.4 Riskware

Riskware is software that that when installed presents a risk for the device, some riskware is classified as trusted by most anti-malware companies because the applications intention is designed for legitimately, however can be exploited for malicious purposes.

Table (XXX) below shows that FTP, IRC, network management and remote administration tools have legitimate functions and highlights the degree of risks posed when exploited by cybercriminals.

Table 4 - Riskware risk categories

Riskware Type



File Transfer Protocol (FTP)

FTP can be installed and used by Trojans to upload and download files.


Internet Relay Chat (IRC)

IRC networks can be used as ‘Botnets', and can be installed by Trojans which connect to particular IRC networks once the device is infected.


Network Management

Designed to alter network security settings and disrupt network activities.


Remote Admin Tools

Allow remote users complete access to a device, this can be used to control the device or monitor activities.


Almost all users who have their own website have used FTP applications to upload and download website related files, these FTP applications when used in their intended manner are very effective and are available to smartphone users, however malicious software such as Trojans can use these applications as a medium to upload and download malicious files to infect both the host and target devices.

Internet relay chat programs have been used for real-time group text messaging, conferencing and file sharing. Users communicate by way of channels, these channels can be used by cybercriminals to create botnets with the intention of sending spam messages, information theft and denial of service attacks against remote targets.

Botnets have been a major concern for businesses as company computers can easily be used to proliferate denial of service attacks, for example American authorities arrested a 23 year old for controlling the ‘Mega-D' botnet which comprised of over 500,000 infected devices, this botnet was capable of sending approximately 10000000000 emails daily (Stone, 2008).

7.6 Rootkits

The term ‘rootkit' represents a collection of tools used by attackers to gain access to the root of a remote system enabling the attacker to conceal their presence and remain in complete control of the system.

Smartphones and their platforms as defined in table (XXX) are all just as susceptible to malware such as rootkits due to the operating system vulnerabilities and have the potential to exploit smartphone services and compromise security.

Because a rootkit has the capability to modify legitimate smartphone operating system code, it can be very difficult for antivirus software to detect the types of rootkit as presented in Figure (XXX).

Rootkit type




Loaded to device memory and can be removed by rebooting the device.



Execute without use intervention i.e. system start-up and are generally stored locally in registry or system files.



Are stored in the core of the operating system.


Kernel Rootkits are placed within the kernel space of a smartphone operating system as shown in Figure (XXX) below. The kernel space is the top layer of the operating system giving the malware access to all system functions this means the malware can easily hide itself from reactive security programs such as antivirus as well as give the remote attacker complete access to the smartphone.

iPad and smartphone rootkits demo'd by boffins http://www.theregister.co.uk/2010/02/23/smartphone_rootkits_demoed/

7.6 Scareware

Scareware is software designed to deceive a user using social engineering to cause a perception that there is already a problem with their device for example a smartphone user connected to the internet may receive a browser pop-up from an infected website stating that malware such as a virus already exists on their device, tricking the user into purchasing a product to remove the fake threat.

As indicated in Figure (XXX), computer security experts McAfee traced scareware reports from 2008 through to 2010 and found that over 600,000 unique scareware products were discovered in 2009, the decline in their discoveries is concerning as McAfee themselves report that malware producers are concentrating their efforts on mobile devices such as smartphones.

This graph confirms that scareware is declining, however the risk of scareware to businesses is much lower than higher risk malware such as crimeware, Trojan's and viruses.

7.7 Trojan

A Trojan or Trojan horse is malicious software that compromises the security of a device by posing as legitimate software hiding its true intentions from the user. The name Trojan is appropriately derived from Greek mythology as the Greek army used a wooden horse to infiltrate the city ‘Troy' just as modern Trojan malware.

Trojan's are unlike other malware such as viruses and worms as Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet (Cisco, 2010).

Trojans are programs that appear to be beneficial software applications on the surface, but conceal malicious code. Trojans, once inside a system can be used to install other malware such as viruses and rootkits.

Trojan Type



Remote access (RAT)

Backdoor Trojans are the most common and dangerous, allowing remote access and control of a device.



Often referred to as security software disablers, are designed to disable firewalls and antivirus software.



Designed to remit critical data to remote users such as passwords, financial data and other private information.


Denial of Service Attack

Intentionally developed to be controlled by a remote user or system for scheduled attacks on specific targets.



Intended to transform a device into a proxy server to provide cybercriminals with legal anonymity.




Give example

In July 2006,

A Trojan named ‘Geinimi' was discovered in by Lookout, a mobile security company in

Android smartphones hit the news headlines in August 2010 as Kaspersky discovered the Trojan ‘SMS.AndroidOS.FakePlayer.a'. This Trojan was the first reported Android malware to send SMS messages to premium rate numbers. This Trojan posed as a media player and deceived users into granting the application permission to access the devices resources. (BBC, 2010) http://www.bbc.co.uk/news/technology-10928070

7.8 Virus

Viruses are malicious programs with malevolent intent. A Virus can spread from one device to another over USB and Wireless networks such as Bluetooth, Wireless local area network (WLAN) or can be transported manually from removable media such as external storage cards.

Viruses, like their biological equivalents, are self-replicating programs that can steal confidential information, block system resources, destroy information or damaging other programs. (Mcaffe)

A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. Symantec defines a virus as software:

* It must execute itself. It often places its own code in the path of execution of another program.

* It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike. (Symantec, 2005)


Virus Type



File infector

Can infect other program legitimate files or applications on a device.


Boot sector

Infect the boot sector or master boot record system areas of a device, residing thereafter in the devices memory.




Is a combination of both the file infector virus and boot sector virus. These are particularly difficult to remove as both need to be removed simultaneously or re-infection will occur.



Exploit common program vulnerabilities such as Microsoft word, Excel, PowerPoint and Access data files. These viruses are most common.


Cabir, was one of the first recognised mobile virus, released in 2004 by a virus writing group 29A as a proof of concept. The virus infected mobile devices on Symbian OS platform. The virus itself was quite harmless as its objective was just to self-replicate, it displayed a message on the targets handset and attempted to spread using Bluetooth.

In November 2010 Securelist detected the iPhone virus ‘ike', this virus collected user information and allowed remote control of the device, however it did not stop there, the virus targeted iPhone banking users of Dutch bank ING Direct. When iPhone users who had been infected with the ike virus attempted to use ING Direct web services they were redirected to a phishing site identical to ING Direct where the information was collected for malicious purposes. (Securelist, 2010)


8.0 Define risk to business or individual

The commercial sector is dependent on the internet and electronic information

Some businesses do consider smartphones a risk, however this risk is only perceived if they have a business orientated applications installed. Other businesses consider the loss of calendar and contact credentials a security risk. These risks can cause lost productivity, data loss, and potential liability under data-protection laws. Businesses need to protect the data on their employees' mobile devices (Microsoft, 2010).

Consider the possible consequences if a business manager's e-mail, calendar or sensitive business documents, were acquired by a competitor.

In order to define risks posed to businesses and individual smartphone users it is important to establish the categories of risk. Etsebeth defines the following categories of cyber risks faced by today's businesses shown in Figure 8 to be:

  • Unauthorised access
  • Inappropriate use
  • Information theft
  • Social engineering
  • Mobile working and wireless security

Unauthorised access can occur because many mobile devices provide a variety of network connectivity options such as WLAN, USB, Bluetooth and 3rd generation mobile telecommunications methods enabling wide-area wireless voice communication and internet access.

These connectivity routes could potentially be used to attack business computer systems. Criminals who gain unauthorised access to a smartphone may be able to impersonate a legitimate user and gain access to the corporate network.

Inappropriate use could be an employee justly in possession of a smartphone however exceeding their authority and accessing information not meant for them.

Information theftis the loss or duplication of information. Etsebeth describes information theft as a user or malicious insider who a hostile intruder or malicious insider who purloins information, makes duplicates, corrupts or destroys information on the network or business system

Social engineering can be achieved through a psychological influence or the manipulation of a person into revealing information or performing actions that result in access to unauthorised systems or information.

Mobile working and wireless security are a high risk as smartphones being physically valuable, compact in design and information rich can easily be lost or become a target of theft. Smartphones frequently contain valuable information and are often a user's primary repository of personal information because they are mobile and convenient.

As shown in the above taxonomy malware presents a very real threat to businesses and their resources. The damage potential of malware to businesses caused by these risks can be categorised as:

  • Direct damage
  • Indirect damage
  • Psychological damage

Direct damages may result in the loss or theft of sensitive personal information such as passwords, credit card information, confidential files, system instability, corruption or loss of information such as important system files, modification of files, theft of confidential and financial related information or denial of service attacks (DoS attack) (Etsebeth, 2007).

Indirect damages are damages not directly caused these damages may be inherent damages from direct damage or result from psychological damage. Etsebeth argues that all malware damage results in indirect damage due to theft of system resources by malware software.

The effects of indirect damage can have a higher detrimental effect on businesses due to loss of, customers, suppliers, reputation, tangible assets all resulting in a loss of competitive advantage.

Psychological damagescan be suffered as a result of malware infection, in the form of damage to the stakeholders of the company as the security perception of stakeholders toward the ‘victim' company, negatively effecting both trust and reputation, as Etsebth highlights that companies are reluctant to report cybercrimes as it has negative implications on the company's reputation.

9.0 Security solutions

Security updates?

A chain is only as strong as its weakest link. It's a well worn cliché,


10.0 Conclusions

While smartphone malware is still in its infancy, the mounting evidence that cybercriminals are exploiting the smartphones complete lack of security software.

One of the most prominent factors in the evolution of smartphone malware is the lack of antivirus software research has shown this is due to

Employees least protected, as a result greatest risk

By investing in an awareness program focusing on computational security awareness can reduce loss and risk posed by malware.

acquired by Microsoft?

Spyware - GPS (Eeeek)

Antivirus is reactive, it can only dectect what it knows about.

SDXC Will Replace SDHC, Offer Up to 2 Terabytes of Data Storage

* Moores Law


10.1 Summary

The awareness of security for iPhone smartphones is low as user's perception of Apple and Mac OS is that it is impervious to malware infection. Research shows that iPhone users have the least amount of antivirus installed on devices. As discussed earlier, users are reliant on Apple to vet all applications for malicious code

We believe that this trend, combined with the increasing complexity of operating systems on modern smart phones, will push attackers to employing rootkits to achieve their malicious goals. Currently, there is no available technique to detect rootkits on smart phones.

secure smartphone model, least security aware group

Android users are the most security aware demographic group as the typical android user is conscious that malicious software exists and the android community are able to vet applications themselves. Android users were also the highest security aware group with the highest percentage of antivirus products per smartphone.

Virtual environments, least secure smartphone

Blackberry smartphones were the most secure devices in regards to email, network connectivity however it was found that application signatures can be purchased by anyone for a small fee thus rendering the security of the device minimal.

Symbian smartphones are found to be the most current common target for malware developers.

Windows phone 7 is the newest platform on the smartphone market and only time will tell how secure the device is.

10.2 Future work