Abstract-Advances in wireless networking technology have engendered a new paradigm of computing, called mobile computing ; in which users carrying portable devices have access to a shared infrastructure independent of their physical location. This provides flexible communication between people and continuous access to networked services. Mobile computing is expected to revolutionize the way computers are used.
This paper is a survey of the ways in which mobile devices have transformed into becoming an integral part of everyday tasks, the flipside being the emergence of several noteworthy issues. The paper identifies the critical open issues in mobile security as well as discusses at some suitable strategies to address them.
Index Terms-mobile device trends, critical issues, routing strategies, malware, digital signatures
This paper discusses the trends indicating the past, present and future of mobile computing by discussing the open critical issues and providing up-to-date information about mobile security. Solutions to the listed security issues and prevention against attacks have also been discussed in detail.
Let us take a look into the history of security; the past present and the future .
Then: In the early days of computing, security breaches mainly included viruses and worms that would flash a message or advertisement on the screen without causing any serious damage to the information or systems being used. As times changed, attacks also changed. Since the turn of the century, information security breaches have gained an unprecedented potential to impact negatively on businesses' reputation, profitability, customer confidence and overall economic growth.
B. Now: The present innovations and developments are largely dependent on IT (Information Technology) infrastructure. Attackers have matured from using hacking skills to show that they can circumvent the authentication process to access files and use them in the theft of confidential information. This has resulted in information security threats like identity theft, social engineering, phishing, etc which can easily compromise authentication and authorization credentials.
C. The future: The future of information security remains clouded with numerous uncertainties. However, two things remain certain; IT infrastructures are vulnerable and motivated attackers are always ready to exploit these vulnerabilities. It is therefore critical that securing information and infrastructures should not be considered in fear of inevitable attacks, but in preparation for the uncertain future. This requires innovative ideas and insightful analysis of security issues to appropriately respond to the challenges posed by new developments. Another challenge is that as information security moves to respond to new threats in current and future environments, it must also protect against well-known threats.
The chart below describes the various avenues of security which need to be monitored and safeguarded. We also look at the trends in mobile computing which signal a need to improve the process in some of these areas.
Fig. 1. The IT security landscape simplified 
TRENDS DRIVING THE NEED FOR BETTER MOBILE SECURITY
Before discussing the trends let us look at some of the recent developments which have led to an increase in the use of wireless devices for specific activities such as accessing the internet .
Bandwidth: Bandwidth requirements continue grow over the years as the number of internet and mobile users increase rapidly and with the need for very specialized voice, data and video services.
Mobile devices: Mobile devices have been preferred over fixed line services due to their size, portability and many other convenient features like wireless internet access and other uninterrupted services.
Mobile users: Mobile users continue to increase at a steady rate. As the demand for bandwidth and the need for more complex technology grow, the security protocols have to be designed in a manner that can greatly reduce the likelihood of any possible threat.
Based on the above-mentioned developments, the current trends in the mobile computing space can be summarized as follows :
Trend 1: Increasing mobile influence
Scenario: Modern day mobile devices are embedded with heavy features and applications comparable to any personal computer, which presents users with a good alternative.
Issue: In contrast to traditional Personal Computers, the data or information in mobile devices is very difficult to secure given their size and lack of established security mechanisms.
Trend 2: Catering to the unique needs of a mobile environment
Scenario: Technologies like WIMAX provide users with data, telecommunication and other interactive services not typically available in fixed line, which has led to its rapid deployment.
Issue: Companies need to find a optimum security solution that can be applied both to personal computers as well as mobile devices and at the same time respond to the challenges of the mobile industry.
Trend 3: Monitoring access points to private systems
Scenario: A growing concern in the corporate world is regarding the use of mobile devices. As such, there exists no concrete policy or framework regarding the use of personal devices to access company data or information, and even if a policy exists, it is very difficult to implement in this particular case.
Issue: It is very important for a company to secure its data and information assets. Therefore, it needs to have adequate security measures or policies in place that clearly define the use of mobile devices regarding access to corporate information.
Trend 4: Misuse of corporate policy
Scenario: In addition to securing personal computers, organizations also need to be aware of the consequences that can result through the use of mobile devices. Usually mobile applications require different security mechanisms than personal computers and laptops, and therefore are not very easy to implement.
Issue: Lack of existing corporate policies that define the type of features that can be used in personal mobile devices by employees, so that the use of any particular application does not cause any security issues to the organization.
Trend 5: Sophistication of threats
Scenario: Due to rapid and continuous development of new technology, the vulnerability and susceptibility of mobile devices to possible sources of threats has increased.
Issue: In recent times, there have been instances of Trojan horse viruses and worms attacking text messaging services and phones running on Windows platform. Many spyware programs have also been discovered that are supposed to attack mobile devices. Unfortunately, there are very few countermeasures in place to thwart these types of attacks.
Understanding Parameters Which Determine Security
Below are some definitions and relationships between various security parameters such as risk, likelihood, consequence and severity .
A risk is the chance, in quantitative terms, of a defined hazard occurring. A consequence is the level of harm that could be caused on the resource such as human injury, damage to property, damage to the environment, or economic loss. It has a natural interpretation as the logarithm of the Risk or Expected Cost per year associated with a particular hazard. Here,
Risk = Expected Cost = Consequence Ã- Likelihood (1)
and the scores sum because multiplication becomes addition on a logarithmic scale. For example, if the likelihood were a rate of 0.1 events per year and the consequence were $108, then, on average, for nine years out of 10 the cost would be $0, while one year in ten the cost would be $108.
A risk exposure  is the probability of being exposed to an infectious agent. Below is an equation which shows us how risk exposure can be specified in terms of likelihood and severity,
Risk Exposure = Likelihood Ã- Severity (2)
where the likelihood is a measure of how probable it is that the threat/vulnerability pair will be realized and severity is a measure of the magnitude of the consequences that result from the threat/vulnerability pair being realized for that resource .
Critical Issues In The Mobile Security Space
Routing security issues: A MANET (Mobile Ad Hoc Network) routing protocol finds routes between nodes . Over these nodes, data packets are forwarded toward the final destination. In contrast to traditional network routing protocols, MANET routing protocols must be adaptable to cope with the features such as frequent changes in network topology. If the routing protocol can be subverted and messages can be altered in transit, then no amount of security on the data packets at the upper layers can mitigate threats.
Sinkhole attacks: A sinkhole attack tries to lure almost all the traffic toward the compromised node, creating a metaphorical sinkhole with the adversary at the centre . For example, the attacker could spoof or replay an advertisement for a high quality route that passes through the compromised node. If the routing protocol employs an end-to-end acknowledgment technique to verify a route's quality, a powerful laptop class attacker could then provide a very high-quality route by transmitting with enough power to reach the destination (sink node or base station) in a single hop. Since sinkhole attacks imply a great number of nodes (those on or near the high-quality route), they can enable many other attacks that need tampering with circulating traffic, such as selective forwarding.
Multiple User support with security: Traditional client operating systems support multiple users; however, their architectures grant each user a different operating environment . For example, a desktop operating system will require a separate username/password for each user logging into the machine, thus ensuring the data from one account is not readily available to the other. On a mobile device, the world is different. There is no such thing as logging into a mobile device as a separate user (not yet anyway). After entering a four-digit PIN (Personal Identification Number), the user is logged into the system. In this situation, if one application is used purely for business purposes, and the others are personal applications for the family to use, there is no distinction from one application to the next. Each application might need a different security model so the data from one does get exposed to the other; however, because there is one user profile, the device may or may not to be able to support the distinction.
Challenges in Mobile Multimedia: All mobile communication devices share the same radio frequency bandwidth, which is a limited, scarce resource. Some relief is expected from 3'd Generation (3G) mobile systems like UMTS (Universal Mobile Telecommunication Services) and enhancements of existing systems, like EDGE (Enhanced Data rates for GSM Evolution) and GPRS (General Packet Radio System) . However, there are serious doubts that 3G systems will allow attractive, reliable and cost efficient multimedia services in the future due to still existing bandwidth limitation per user and cell.
Phishing: TheÂ mobile devices are exposed to several types of attacks. Specifically, phishing attacks can easily take advantage of the limited or lack of security and defence applications therein . Furthermore, the limited power, storage, and processing capabilities render machine learning techniques inapt to classify phishing and spam emails in such devices. According to [x], phishing has become a significant threat to Internet users. Phishing attacks typically use legitimate-looking but fake emails and websites to deceive users into disclosing personal or financial information to the attacker. Users can also be tricked into downloading and installing hostile software, which searches the user's computer or monitors online activities to steal private information .
Malware: To date, security vendors have marketed mobile specific versions of antivirus software. However, as the complexity of mobile platforms and threats increase, mobile antivirus solutions will look more like their desktop variants . The functionality required to detect sophisticated malware can have significant power and resource overhead - critical resources on mobile devices.
Some Strategies To Counter These Open Issues
A multi-fence security solution: Multi-fence security solution provides the state-of-the-art security proposals for mobile networks. There are two approaches to securing a mobile network :
Proactive: Attempts to thwart security threats using various cryptographic techniques. Mainly used for securing routing messages exchanged between mobile nodes.
Reactive: Seeks to detect threats and react accordingly. Widely used to protect packet forwarding operations.
A complete security solution for mobile networks should integrate both proactive and reactive approaches, and encompass all three components:
Prevention: Deters the attacker by significantly increasing the difficulty of entering the system
Detection: Discovers ongoing attacks through identification of abnormal behavior exhibited by malicious nodes.
Reaction: Makes adjustments in routing and forwarding operations, ranging from avoiding the node in route selection to collectively excluding the node from the network.
Network Layer security: The network layer security designs for mobile networks are concerned with protecting the network functionality to deliver packets between mobile nodes through multi-hop ad hoc forwarding. They seek to ensure that the routing message exchanged between nodes is consistent with the protocol specification, and the packet forwarding behavior of each node is consistent with its routing states.
There are several cryptographic primitives for message authentication, the essential component in any security design:
HMAC (Hash-Based Message Authentication Code): Two nodes sharing a secret symmetric key can efficiently generate and verify a message authenticator using a cryptographic one-way hash function. Although the computation is very efficient and even affordable for low-end devices, the practicality of an HMAC to be verified only by the intended receiver, and the concept of 'n.(n-1)/2' number of keys that need to be maintained in a network of 'n' nodes makes it both unappealing for broadcasting message authentication and a nontrivial problem.
Digital Signature: Involves much more computation overhead in encrypting and decrypting operations since it is based on asymmetric key cryptography e.g., RSA (Rivest-Shamir-Adleman). It is less resilient against DoS (Denial of Service) attacks since an attacker might feed a victim node with a large number of bogus signatures to exhaust the victim's computation resources for verifying them. However, a digital signature can be verified by any node given that it knows the public key of the signing node which makes it scalable to large number of receivers.
One-way HMAC key chain: The computation involved is lightweight, and one authenticator can be verified by a large number of receivers. The features of one-way HMAC key chain requires clock synchronization at granularities, receivers to buffer a message to verify them when the key is revealed, the timer to be carefully gauged since the release of the key involves a second round of communication and hash chain storage which is nontrivial for long chains.
Table 1 below highlights the comparison between the signature database sizes of five sample detection engines and their threat detection capability.
Table 1: The number of threats addressed in various detection engines .
Signature Database Size
>Â 5 million sigs + behavioral
Classification of existing proposals of network-layer security:
Secure ad hoc routing: The secure ad hoc routing protocols take the proactive approach and enhance the existing ad hoc routing protocols with security extensions. However, an authenticated node may have been compromised and controlled by the attacker requiring us to further ensure proper compliance with the following routing protocols even for an authenticated node:
Source Routing: The main challenge in this technique is to ensure that each intermediate node cannot remove existing nodes from or add extra nodes to the route which is achieved by attaching a per-hop authenticator for the source routing forwarder list so that any altering can be immediately detected. This can be used only to protect discrete metrics.
Distance Vector Routing: The main challenge in this technique is that each intermediate node has to advertise the routing metric correctly. This can be used only to protect discrete metrics.
Link State Routing: Secure Link State Routing is a link state routing protocol for ad hoc networks with operations similar to Internet link state routing protocols (e.g., Open Shortest Path First, OSPF) where each node seeks to learn and update its neighborhood by Neighbor Lookup Protocol (NLP) and periodically floods Link State Update (LSU) packets to propagate link state information. NLP is responsible for maintaining mappings between MAC (Media Access Control) and IP(Internet Protocol) addresses, identifying potential discrepancies and measuring the control packet rates of and from each neighbor.
Secure packet forwarding: The secure packet forwarding ensures that each node forwards packets according to its routing table. This is achieved by the reactive approach. At the heart of the reactive solutions are a detection technique and a reaction scheme, which are described below:
Detection: Detection can be achieved either locally or by acknowledgement. Detection results at individual nodes can be integrated and refined in a distributed manner to achieve consensus among a group of nodes since there might be cases where a malicious node may abuse the security solution and intentionally accuse legitimate nodes.
Reaction: Once a malicious node is detected, certain actions are triggered to protect the network from future attacks launched by this node. Reaction schemes can be categorized as global and end-host. In the global scheme, all nodes in the network react to a malicious node as a whole. In other words, the malicious node is excluded from the network. In the end-host scheme, each node may make its own decision on how to react to a malicious node (e.g., putting this node in its own blacklist or adjusting the confidentiality weight of this node).
Link Layer Security: Link-layer security solutions protect the one-hop connectivity between two direct neighbors that are within the communication range of each other through secure MAC protocols. The standard MAC protocol for mobile networks, 802.11, is used here to illustrate the link-layer security issues.
IEEE 802.11 MAC: The vulnerability of the IEEE (Institute of Electrical and Electronics Engineers, Inc.) 802.11 MAC to DoS attacks was recently identified and a security extension proposed, which follows the reactive approach and seeks to detect and handle such MAC layer misbehaviors.
IEEE 802.11 WEP: It is well known that the IEEE 802.11 WEP (Wired Equivalent Privacy)is vulnerable to the message privacy and message integrity attacks and the probabilistic cipher key recovery attacks such as the Fluhrer-Mantin-Shamir attack. Fortunately, the recently proposed 802.11i/WPA (Wi-Fi Protected Access) has mended all obvious loopholes in WEP. Further countermeasures such as RSN (Robust Security Network)/AES (Advanced Encryption Standard)-CCMP (Counter with a Cipher Block Chaining Message Authentication Code based protocol) are also being developed to improve the strength of wireless security.
Malware detection engines: By moving the detection capabilities to a network service, we gain numerous benefits including increased detection coverage, less complex mobile software, and reduced resource consumption. This approach is not only feasible and effective for the current generation of mobile devices, but will become even more consequential and valuable in the future as the scale and sophistication of mobile threats increase. Fig 2 below shows the effect of using multiple engines in parallel to detect malware. The chart establishes that as more engines operate in parallel, there is increased detection coverage of malware.
Fig. 2. An Example of the increased detection coverage against a dataset of recent month's worth of desktop malware samples when using multiple engines in parallel 
VI. CONCLUSION AND FUTURE WORK
Mobile devices have acquired a ubiquitous nature today and the importance of mobile security in such times is most important. Analysis on the history of security and its progress towards sophistication and impact has been a prime factor to be considered in this research. This paper highlights the important issues mobile computing is facing today in terms of security and also looks at some strategies which would ensure a more robust system which can be adopted by developers in designing future mobile systems. The challenge for mobile computing designers is to find out how well the system designs can adapt themselves in the same manner in which the designs adapt to traditional computing .
The networking opportunities for MANETs are intriguing and the engineering tradeoffs are many and challenging. This paper presented a description of ongoing work and a vision for the future integration of mobile networking technology into the Internet. There is a need for standardized, secure, and interoperable routing and interface solution(s) for mobile networking support . The future holds the possibility for deploying inexpensive, IP internetworking compatible solutions to form self-organizing, wireless routing fabrics for commercial, military or general use.
G.H. Forman and J. Zahorjan, "The Challenges of Mobile Computing,"
Computer, vol. 27, no. 4, pp. 38-47, 1994.
Dlamini MT et al., Information security: The moving target, Computer Security (2009), doi:10.1016/j.cose.2008.11.007
ESecuritytogo. Security landscape. http://www.esecuritytogo.com/category.aspx?categoryid=247
D. Kotz and R. S. Gray, "Mobile agents and the future
of the internet," IEEE Trans. Automat. Contr., vol. AC-28,
pp. 1081-1090, December 1983.
M. Bancroft, Five Trends Driving the Need for Better Mobile Security, CSOOnline, 2008.
R. Jarrett and M. Westcott 2010, 'Quantitative risk', in G Bammer (ed.), Dealing with uncertainties in policing serious crime, ANU E Press, Canberra.
E. Wheeler, A Techie's Musings, http://ossie-group.org/blog/?p=79, 2009.
G. Stoneburner, A. Goguen, et al. (2001). Risk Management Guide for Information Technology Systems. Washington D.C., National Institute of Standards and Technology.
D. Djenouri, L. Khelladi, A.N. Badache, A survey of security issues in mobile ad hoc and sensor networks, Communications Surveys & Tutorials, Fourth Quarter 7 (4) (2005) 2-28.
S. Hartwig et al., Mobile Multimedia - Challenges and Opportunities, IEEE Trans. Consumer Electronics, vol. 46, no. 4, Nov. 2000, pp. 1167-78.
S. Abu-Nimeh, D. Nappa, X. Wang and S. Nair, A distributed architecture for phishing detection using Bayesian Additive Regression Trees, eCrime Researchers Summit, pp. 1-10, 2008.
M. Wu, R.C Miller and S.L Garfinkel, Do security toolbars actually prevent phishing attacks?, Proceedings of the SIGCHI conference on Human Factors in computing systems, pp. 601-610, 2006.
J. Oberheide, K. Veeraraghavan, E. Cooke, J. Flinn and F. Jahania. Virtualized in-cloud security services for mobile devices. In Proc. of MobiVirt, Breckenridge, CO, June 2008.
H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang, Security in Mobile Ad Hoc Networks: Challenges and Solutions. IEEE Wireless Communications, pp. 38- 47, 2004.
M.S. Corson, J.P. Maker, and J.H. Cerincione, "Internet-Based Mobile Ad hoc Networking," Internet Computing, pp. 63-70, July - Aug. 1999.