Abstract
People increasingly rely on mobile devices (smartphones and tablets) in their daily lives. Besides their private use, mobile devices are also used for work, so companies are motivated to integrate them into their business processes, and they expect mobility and flexibility from their employees. However, despite advances in mobile technology, security remains the primary concern slowing the adoption of mobile applications within Small and Medium Enterprises (SMEs). Companies first need to know the potential threats in the mobile environment, and then the requirements and measures that mitigate the resulting risks. Existing security tools such as frameworks, guidelines and threat catalogues typically target IT professionals, not business users, who mostly lack the technical knowledge needed to navigate them. This chapter presents a mobile security framework that primarily supports SMEs in adopting mobile applications. Potential threats are collected in a risk catalogue, which forms a central component of the framework and helps business users extend their awareness of possible mobile security risks. The framework also guides business users by mapping security requirements to threats and to mitigating measures when adopting mobile enterprise applications.
© 2017 Springer International Publishing AG
Cite this paper
Hasan, B., Marx Gómez, J. (2017). Security Framework for Adopting Mobile Applications in Small and Medium Enterprises. In: Obaidat, M. (eds) E-Business and Telecommunications. ICETE 2016. Communications in Computer and Information Science, vol 764. Springer, Cham. https://doi.org/10.1007/978-3-319-67876-4_4
DOI: https://doi.org/10.1007/978-3-319-67876-4_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67875-7
Online ISBN: 978-3-319-67876-4
eBook Packages: Computer Science (R0)