Executive Summary

Mobile devices such as smartphones have replaced Personal Computers (PCs) to become the primary computing devices for many users due to the rapid advance of mobile computing technology and wireless networks.
However, smartphones have limited capabilities that can be effectively mitigated through the use of cloud computing. This combination of mobile computing, cloud computing and wireless networks has given rise to a new paradigm: Mobile Cloud Computing (MCC).

Mobile Cloud Computing integrates mobile computing and cloud computing, aiming to extend mobile devices' capabilities. This brings great research and business opportunity for applications developers, mobile networks operators (MNOs), cloud service providers (CSPs) and smartphone manufacturers. Unfortunately, being at a very nascent stage, mobile cloud computing has some privacy and security issues which deter users from adopting this technology. This paper addresses the security and privacy challenges in mobile cloud computing with a special focus on enhancing the end-user's cybersecurity awareness. Our approach is as follows: we will first give a succinct overview of mobile cloud computing, then present the security and privacy requirements for mobile cloud computing, outline the security and privacy threats for each component of this technology and, finally, make suggestions to mitigate these vulnerabilities.
In addition, we will provide a cybersecurity checklist for mobile cloud users in order to enhance their cybersecurity awareness through self-assessment, as well as initiate some guidance for applications developers, MNOs and CSPs.

Keywords: mobile cloud computing, cloud computing, wireless networks, security and privacy, mobile devices, end-users.

I. Introduction

Smartphones are becoming an essential part of human life as the most effective and convenient communication tools. Users now prefer smartphones to traditional cell phones and personal computers. As per the Mobility Report of November 2015 from Ericsson, by 2021 the number of smartphone users will reach 6.4 billion. The rapid expansion of mobile computing has become a powerful trend in the development of Information Technology (IT) in general. However, the users of mobile devices face many challenges in their storage and processing capabilities. The limited resources significantly impede the improvement of quality of service. Nevertheless, these limited capabilities are mitigated by integrating mobile computing into cloud computing, and hence a new paradigm of computing called mobile cloud computing (MCC) emerges.
Mobile Cloud Computing (MCC) combines cloud computing, mobile computing and wireless networks to bring rich computational resources to mobile users. The ultimate goal of Mobile Cloud Computing is to enrich mobile users’ experience. Mobile Cloud Computing also provides business opportunities for mobile network operators as well as cloud providers.

However, mobile cloud computing suffers from several security and privacy challenges that deter mobile users from effectively adopting this new and interesting technology. This paper addresses the security and privacy challenges in mobile cloud computing with a special focus on mobile users’ cybersecurity awareness. The remainder of this paper is organized as follows: section II provides a brief overview of MCC; section III considers the security and privacy requirements in mobile cloud computing; section IV details the security and privacy threats in mobile cloud computing for mobile users, suggests some solutions to mitigate these issues and finally proposes a security and privacy checklist for mobile users; and section V concludes the paper.

II. Overview of Mobile Cloud Computing (MCC)

1. Definition

The term “mobile cloud computing” was introduced in 2009 after the concept of “cloud computing” had been launched in mid-2007. The Mobile Cloud Computing Forum defines MCC as follows: “Mobile Cloud Computing at its simplest refers to an infrastructure where both the data storage and the data processing happen outside of the mobile device. Mobile cloud applications move the computing power and data storage away from mobile phones and into the cloud, bringing applications and mobile computing to not just smartphone users but a much broader range of mobile subscribers”. To simplify, we have this expression:

MCC = mobile devices + wireless networks + cloud computing

2. Architecture

This MCC architecture shows that mobile devices are connected to the mobile networks via base stations (e.g., base transceiver station (BTS), access point, or satellite) that establish and control the connections (air interface) and functional interfaces between the networks and mobile devices. Users have access to the internet through mobile networks and then benefit from the wide range of advantages offered by the cloud (storage, processing servers, and virtualization).

III. Security and privacy requirements for MCC

The security and privacy requirements for MCC may be categorized in the following way:

· Confidentiality: In MCC, confidentiality is a fundamental requirement that refers to keeping mobile users’ data secret either in transit or at rest. Users do not want their personal data used or accessed by unauthorized parties.

· Integrity: In MCC, the data storage and processing reside on the service provider’s end. Here, integrity needs to ensure the accuracy and consistency of users’ data. In other words, integrity prevents data tampering by any unauthorized users or systems.

· Availability: For MCC, availability ensures that all services (mobile networks and cloud) remain constantly available for users. Ensuring availability includes preventing different kinds of availability attacks, which may delay, alter or interrupt the availability of services.

IV. Contributions

Security and privacy threats to mobile cloud computing

Security and privacy in MCC are intrinsically linked since security vulnerabilities in the mobile cloud computing paradigm will surely lead to a privacy breach.
Security and privacy risks in mobile cloud computing are inherited from cloud computing threats. Moreover, mobile cloud computing users are exposed to additional threats related to mobile devices and mobile networks. In this section, we will present the threats to each component of the mobile cloud computing paradigm: mobile devices, mobile networks and cloud computing.

Mobile devices

In today’s “always-stay-connected” world, smartphones are used for a wider range of activities such as banking and storing sensitive and valuable data.
This extended range of functionalities leads to new security threats.

Physical threats

Smartphones run programs and store sensitive and valuable data; thus these devices are targeted by adversaries who want to steal them in order to access sensitive data (e.g., personal messages in online social networking applications), access the contacts list and get the smartphone itself as a valuable device. Further, the loss of mobile devices may lead to data loss and breach of personal data for their users and for companies as well.
For instance, McAfee reports that “Four in 10 organizations have had mobile devices lost or stolen and half of lost/stolen devices contained business critical data”. Therefore physical threats to mobile devices should be taken very seriously.

Malware

Malicious Software (Malware) always operates in a way that is unknown to the user. By this means the malware gets illegal access to personal information and can even trigger certain actions without the user’s interaction. Because of this, the user of the mobile terminal could suffer from many risks such as information leakage.
This illegal software, not installed by the user, is used for all attacks coming from the outside that take advantage of the vulnerabilities in the smartphone’s system. The current platforms ask users to make the decision about access. For example, iOS asks users to give minimum permissions to the application at installation time, and later it asks whether an application may access other features such as location, and Android asks them to grant all the permissions at installation time. Unfortunately, such permission-granting creates some critical threats to mobile users.
The majority of these permissions are often ignored or not understood by users, and permission prompts are disruptive to the user’s experience. As a consequence, users unintentionally grant applications more permissions than necessary and become vulnerable to applications that use the permissions in malicious or questionable ways (e.g., secretly sending SMS messages or leaking location information). The major types of malware are Trojans, worms, viruses and spyware.

Mobile applications vulnerabilities

Most applications installed on the user’s mobile device are third party applications. If they are not checked and patched regularly, these applications could be vulnerable to malicious attacks such as code injections, which in turn could lead to sensitive data leakage and even cause more damage to mobile users.
Moreover, security teams for both Google and Apple have been quietly removing an undisclosed but increasing number of applications from their stores, but they haven’t revealed a list of the removed applications or offered any reason for their removal.

Others

Besides the aforementioned security issues in the mobile terminal, mobile users may be contributing to other security issues. First of all, there is the lack of security awareness and good security hygiene among mobile users. For instance, they could install unlicensed applications on their smartphones without a prior assessment of the risks these applications could pose to the valuable information stored on their devices.

Mobile networks

Mobile network-based security threats usually target the Radio Access Network (RAN), which is the interface between mobile devices and the cloud.
This interface is generally composed of the Radio Base Station (RBS) and Base Station Controller (BSC) in the case of 2G networks, or NodeB/eNodeB in the case of 3G/4G mobile networks, for example. This may also refer to traditional Wi-Fi. Major attacks in this category include Wi-Fi sniffing, Denial of Service (DoS) attacks, man-in-the-middle attacks, and Distributed Denial of Service using compromised mobile devices (botnets).

Cloud computing

Threats to the cloud can be grouped according to the impact they have on the Confidentiality, Integrity and Availability (CIA triad) of users’ data. The cloud platform is susceptible to being attacked because of its high concentration of users’ information resources. First of all, major threats to confidentiality come from insiders and external attackers. The ultimate goal of the malicious attacker is to steal valuable information or sabotage service. These attacks may come from malicious outsiders, legitimate cloud computing users, or inside staff of the cloud computing operators. Second, data integrity in the cloud is imperative because it is frequently targeted by malicious attackers. For instance, the implementation of poor access control procedures creates risks to data integrity since any individual who can manage to break into the system can tamper with the data or, even worse, delete the data.
Third, availability is really vital given how dependent users have become on cloud services. This tenet is also targeted by attackers who are seeking to interrupt the service to users. For example, Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks will destroy the platform availability and close the service of the cloud to legitimate cloud users. When users deliver all their data to the cloud service providers without selecting the expensive backup and disaster recovery service, they will have to cope with the risk of data loss. Further, the fact that cloud service providers store users’ data all over the world and that users do not know exactly where their data is located poses serious concerns regarding privacy.

Suggestions

Mobile devices

The outlined threats to mobile devices, especially smartphones, will negatively impact mobile users if they are not addressed seriously.
First of all, users need to be educated about security, not at the security expert’s level, but at least they should get the basics. They should never leave their devices unattended. However, devices can be lost, misplaced or stolen, so users should activate the lock screen and protect their phones with strong passwords, such as passwords of 10+ characters with uppercase and lowercase letters, numbers and special characters. Further, they should use biometric authentication on their devices. Second, users should install only applications available on stores like the App Store and Play Store; they should be careful about the permissions they grant to applications and grant only minimum permissions in order to ensure their security and protect their privacy; it is vital for users to do some research before installing any application on their phone. Additionally, they should always update their applications and uninstall the ones that they don’t use anymore. Third, they should install anti-malware on their phones and keep it up to date.
Beware also of phishing attacks and do not trust spam emails, links from advertisers, messages from a friend’s social account that could probably be hacked, etc., because clicking on a link will redirect you to an infected website. Thus it is very important not to click on short, suspicious links that you did not request. Attackers can use phishing techniques to steal your money and your identity, open credit card accounts in your name, and much more.
Even the strongest antivirus will not protect you from phishing and all malicious software. Users should be sure that they are connected only to secure wireless connections, which means not using free or public Wi-Fi, especially when they are accessing and/or transmitting sensitive data, because information sent via public networks can be easily accessed by attackers since it is sent in plain text.

Mobile networks

The threats to mobile networks can be mitigated by engaging mobile networks operators to enhance the security of their networks. However, as this paper mainly focuses on end-users, the suggested solutions are meant to help them prevent some of the attacks mentioned previously. Mobile users should maintain good security hygiene on their devices; this security hygiene starts by keeping their operating systems and applications up to date and by being cautious and skeptical regarding applications and links, suspicious or not, that they receive on their devices. That will prevent some attacks such as Distributed Denial of Service (DDoS) on mobile networks using compromised mobile devices to launch botnet attacks. For threats such as man-in-the-middle attacks, eavesdropping and Wi-Fi sniffing, the suggested mitigations in the literature advise the implementation of encryption on the air interface, authentication and digital signatures by the mobile networks operators in order to ensure the privacy and security of mobile users. Additionally, for Denial of Service attacks it is required that the mobile networks operators strictly apply security best practices such as patch installation, vulnerability scanning, intrusion detection and prevention systems, authentication, etc.
Finally, with the upcoming 5G (5th Generation of mobile networks), some researchers are investigating the C-RAN, and chances are that it will enhance both the end-to-end security and the quality of service (QoS) in mobile networks, thus impacting mobile cloud computing users.

Cloud Computing

Like mobile networks operators, cloud service providers (CSPs) have to implement security best practices in order to ensure the confidentiality, integrity and availability of mobile users’ data. These best practices include keeping systems patched, implementing prevention and detection techniques to mitigate DoS attacks, and implementing strong authentication mechanisms incorporating multi-factor authentication (MFA) to prevent some malicious activities from intruders. The users’ data should be encrypted at rest, in process and in transit to ensure both the integrity and the confidentiality of the data. Moreover, cloud service providers should clearly inform mobile users concerning the exact location(s) of their data as well as the mechanisms put in place to protect them. Mobile users, for their part, should always maintain good cybersecurity hygiene, i.e. install patches of firmware and applications. Regarding security-savvy end-users, there is a data integrity mechanism called the Merkle Tree, which they could use to verify the integrity of the data they stored in the cloud.

Security and privacy checklist for mobile cloud computing users

This section will provide a security and privacy checklist for mobile cloud users. Our expectation is that, based on this checklist, mobile users would push mobile networks operators, cloud service providers and also applications developers to provide a sort of minimum accepted service level based on users’ security and privacy requirements. This checklist also responds to the security and privacy requirements in mobile cloud computing: Confidentiality, Integrity, and Availability, described in section III.

We also think that this checklist would have a great impact on the way things are approached in the realm of mobile cloud computing because it will develop users’ cybersecurity awareness. Obviously, this list of questions is not exhaustive; it is based on some telecommunications engineers’ and cybersecurity experts’ experiences on the matter.

(3) Encryption of users’ data (transit/at rest)
(4) Data integrity verification mechanisms
(5) Permissions.

Otherwise, only one “No” will bring users to the “Red Light”, meaning that their security and privacy is at great risk.

Privacy and Security at great risk

V. Conclusion

Mobile Cloud computing is a very interesting technology that has changed the way users behave; they don’t need to have traditional Personal Computers (PCs) to perform multiple activities such as online banking, storing videos and photos, etc. However, privacy and security constitute a challenge for mobile users because they would like to benefit from advantages offered by mobile cloud computing while preserving the confidentiality, integrity and availability of their data.

This paper outlines the security and privacy requirements of mobile cloud computing.
It also provides a cybersecurity checklist for mobile users. This checklist is for mobile users’ self-assessment before opting for mobile cloud computing services. Additionally, this checklist will enhance mobile users’ cybersecurity awareness and foster the establishment of thresholds regarding users’ privacy and security to be met by mobile networks operators, cloud service providers and applications developers, which hopefully would make for a more privacy- and security-oriented technology.

This study could be extended to other mobile devices such as medical devices, which are really sensitive to confidentiality and integrity: when we talk about health, accuracy and consistency are crucial because a simple modification of health data can cause people’s deaths.
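
The Merkle Tree integrity check suggested for end-users under "Cloud Computing" in section IV (checklist item 4, data integrity verification) can be illustrated as follows. This Python code is an added example, not part of the original paper: the user keeps only the 32-byte root on the device and later checks a single downloaded chunk against it. The use of SHA-256, the 0x00/0x01 leaf/node prefixes, the function names and the sample chunks are all assumptions made for this example.

```python
import hashlib
import hmac

def leaf_hash(chunk: bytes) -> bytes:
    # 0x00 prefix marks a leaf, so a leaf can never be passed off as an inner node
    return hashlib.sha256(b"\x00" + chunk).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix marks an inner node
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(chunks):
    """Return every tree level, leaves first, root level last."""
    if not chunks:
        raise ValueError("need at least one chunk")
    level = [leaf_hash(c) for c in chunks]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # unpaired node is promoted, not duplicated
        level = nxt
        levels.append(level)
    return levels

def merkle_root(chunks) -> bytes:
    """The 32-byte value the user keeps on the device before uploading."""
    return build_levels(chunks)[-1][0]

def merkle_proof(chunks, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    if not 0 <= index < len(chunks):
        raise IndexError("chunk index out of range")
    proof = []
    for level in build_levels(chunks)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling at this level
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_chunk(chunk: bytes, proof, trusted_root: bytes) -> bool:
    """Recompute the root from one downloaded chunk and its proof."""
    h = leaf_hash(chunk)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return hmac.compare_digest(h, trusted_root)

if __name__ == "__main__":
    # Constructed sample data standing in for a file split into five chunks.
    chunks = [b"photo-part-%d" % i for i in range(5)]
    root = merkle_root(chunks)        # stored locally before upload
    proof = merkle_proof(chunks, 3)   # in practice supplied by the provider
    print(verify_chunk(chunks[3], proof, root))
    print(verify_chunk(b"tampered", proof, root))
```

The proof grows with the logarithm of the number of chunks, so a phone can check one chunk of a large file without downloading the rest; the check is only as trustworthy as the locally stored root.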