Secure cloud-based mobile apps: attack taxonomy, requirements, mechanisms, tests and automation

The adoption and popularization of mobile devices, such as smartphones and tablets, accentuated after the second decade of this century, has been motivated by the growing number of mobile applications, which can solve problems in different areas of contemporary societies. Conversely, the software development industry is motivated by the increasing number and quality of resources that mobile devices possess nowadays (e.g., memory, sensors, processing power or battery). While powerful mobile devices do exist, one of the main driving factors behind the increase of resources is the usage of Cloud technology, which strongly complement mobile computing. As expected, the adoption of measures to mitigate security issues has not accompanied the growth and speed of development for Cloud and Mobile software, to ensure that these are resilient to attacks by design. Aiming to contribute to decrease the gap between software and security engineering, this paper presents a deep approach to attack taxonomy, security mechanisms, and security test specification for the Cloud and Mobile ecosystem of applications. This is also the first time an encompassing and conjoined approach is provided for attack taxonomy and specification of security tests automation tools for this ecosystem.


Introduction
The intersection between Cloud computing and Mobile computing resulted in the emergence of the Cloud  ecosystem. The emergence of this ecosystem was motivated by the shortage of resources on mobile devices (smartphones and tablets), e.g., processing, low battery autonomy, storage, the ease of transport for mobile devices and the possibility to obtain additional resources to mobile devices (storage and execution of apps, data storage, processing, as well as from the need to process increasingly large amounts of data) from the Cloud.
Additionally, widespread adoption of mobile devices by end users, making them ubiquitous in their lives has been fueling the development of mobile applications. For example, the Statista website predicted that, in 2021, the number of users of mobile devices was approximately of 4.3 billion [161]. China, USA and India are the countries with the largest smartphone userbases, with an estimate of each having over 100 million users [161]. Cisco estimates that over 70% of the global population will have mobile connectivity by 2023 [30].
Cloud computing, also known simply by the Cloud [15], is based in having centralized computational resources that can be remotely accessed, while being virtually inexhaustible, capable of adapting computational power to the preferred dimension, storage and easily accessible, without user interaction. Resources are provided in the pay-per-use paradigm, an attractive business model, removing complexity and acquisition cost from the equation. Cloud resources are provided via different models, typically segregated into [12]: (i) Software-as-a-Service (SaaS), which is the use of the Cloud to execute software applications that can be accessed through a browser or web application; (ii) Platformas-a-Service (PaaS), which relates to using the Cloud as a platform for developing, building and maintain applications and services, with PaaS providers offering a predefined combination of application servers, such as LAMP (Linux, Apache, MySQL and PHP) software stacks, J2EE and Ruby; and (iii), Infrastructure-as-a-Service (IaaS), a service model related to the provisioning of hardware resources, with the user controlling a virtualized operating system (OS), storage, network, etc. Cloud resources are typically provided through three main deployment models, whose characteristics are presented in [152]. One of the key drivers for using Cloud services is cost efficiency, as individual and business users have no need to significantly invest in Information & Technology (IT) infrastructure, given the inherent elasticity and scalability characteristics, enabling the scaling of resources as needed [152]. On the other hand, mobile computing is more focused on mobile consumer technology and ensuring its convenience to users, given its ubiquity characteristic. Considering that this technology has a strong focus on connectivity (e.g., to allow communication at a distance), increasing its attack surface, it is clearly necessary to have frameworks that generate a set of security engineering principles that allow software engineers and professionals in related areas to develop systems and applications that are secure by design or construction. This approach is the only allowing cost efficiency and trust in technology in the long run, since it allows avoiding vulnerabilities from the beginning, i.e., security issues are not left to the end and also allows decreasing the development and deployment time of the applications of the ecosystem considered in this study, which are key aspects of the technology market.
For the purpose of this paper, the Cloud and Mobile ecosystem is defined as being the one incorporating all mobile applications (i.e., those that run on mobile devices) that, in some way, make use of a remote computing resource, such as processing, network or storage, through the use of wireless access technologies (e.g., access points or satellite), as well as mobile networking technologies such as Third Generation (3 G), Fourth Generation (4 G) or Fifth Generation (5 G). Additionally, these applications depend on Cloud resources to offer a significant or important part of their functionalities. Figure 1 schematizes the macro ecosystem resulting from the combination of the Cloud and Mobile ecosystems, emphasizing connection-related technologies [50]. A user accessing data stored or processed in one or several Clouds through a mobile application comprises a typical scenario in this ecosystem. Many of their characteristics are complementary, and communication between them for different purposes can occur [50]. Different communication patterns and technologies (e.g., Wi-Fi, Bluetooth, Near-Field Communication (NFC), General Packet Radio Service (GPRS), Radio-Frequency Identification (RFID), 3 G, 4 G, 5 G, Zig-Bee, etc.) can be used for communication [7], with different security measures needing to be ensured, according to each situation [156]. Finally, Mobile Device Manager (MDM), blank listed apps, untrusted apps and managed apps are other features or resources of a mobile device as described in [35].
Considering the peculiarities and different focuses of the technologies involving such a rich ecosystem, along with the fact that communications at a distance are involved, it is a huge challenge to develop systems or applications for the Cloud and mobile ecosystem, specially due to the heterogeneity and complexity of the various technologies (networks, programming languages, platforms, attack surfaces, taxonomy of attacks, Cloud, mobile devices) involved in the process of developing, deploying and using these applications, notably in terms of security and privacy [64,127,168]. This situation is aggravated by the short-time companies that have to deliver new products to the market, neglecting or leaving behind the security and privacy of the sensitive data of the systems and their end users. The immediate consequence of this neglect is the existence of a large number of vulnerabilities, resulting in security and privacy problems in mobile devices and services. Hence, the increased use of Cloudbased mobile applications has to be accompanied with the adoption of secure development paradigms, keeping security and privacy issues in mind from the beginning and not leaving them for a later stage. The main contributions of the work presented herein can be described as follows: -A exhaustive attack taxonomy for the Cloud and Mobile ecosystem is proposed and discussed, sourced from over 150 references from the specialized literature and following a systematic well consolidated approach; -The taxonomy is complemented by the inclusion of a mapping between mitigation techniques and the attacks; -A deep approach on security requirements, mechanisms and tests for the Cloud and Mobile ecosystem is also included, to provide closure to security requirements engineering in this ecosystem.
In addition to the introduction, this article is organized as follows: Sect. 2 presents the taxonomy of attacks in Cloud and Mobile ecosystem. Section 3 presents the mechanisms and countermeasures to attacks on the Cloud and Mobile ecosystem. Security tests are covered in Sect. 4. Research challenges are discussed in Sect. 5. Finally, conclusions are presented in Sect. 6.

Attack taxonomy
This section converges to an attack taxonomy for the Cloud and mobile ecosystem. To get to that output, it first briefly discusses the methodology used for this purpose; to then present a revision on works related with, or including taxonomies of attack to the sub-ecosystems under study; to finally presenting the proposed taxonomy.

Research methodology
In this subsection, the methodology of this research is presented, aiming to elaborate and present a new and more in-depth taxonomy of attacks or threats to Cloud-based mobile applications and their corresponding countermeasures. It aims to provide a common classification scheme that can be shared among security experts and mobile application developers.
The main drivers behind this work is to propose a very comprehensive taxonomy that addresses shortcomings of existing ones, while fully meeting the requirements of a classification scheme, typically defined as the properties of being Unambiguous, Useful, Approved, Understandable, Exhaustive, Deterministic, Mutually exclusive, Reproducible, Conforming to standards, and Having well-defined terms/clear criteria [62,70,103]. The first step of the method was thus to analyze the already existing taxonomies applicable to the Cloud or and mobile ecosystems.
At this stage, we resorted to the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) [120,131] methodology to identify relevant publications. In the scope of this work, PRISMA was driven by the following Research Questions (RQs) and motives: RQ1 What is a taxonomy and what are the requirements that need to be fulfilled in the specific cybersecurity domain, so as to be effective and useful tool? RQ2 What are the current limitations of existing Cloudbased mobile application security attacks classification schemes?
The RQ1 guides the research in the direction of the aforementioned objectives and reflects the main motivation of this part of work.
The formulation of RQ2 provided an underlying assurance that existing taxonomies were analyzed while taking into account known satisfactory requirements. Only those specific to the Cloud and Mobile ecosystem were included in this analysis.
PRISMA methodology also requires the definition of the Time Interval, the Keywords, the Results and the Selection Process or Inclusion/Exclusion Criteria. Each of these phases is described in detail below.

Time interval
The search took place between November 2021 and March 2022. Articles published between 2007 and 2022 obtained from the most significant digital libraries on these subjects were included, namely IEEE Xplore, ACM Digital Library, Elsevier, Taylor & Francis and Springer Link.

Keywords
This phase was aimed at selecting the most appropriate keywords in terms filtering the relevant articles for review. Synonyms, alternative spellings of the main elements of the field of taxonomies of threats or attacks in the context of Cloud-based mobile application, i.e., Cloud and Mobile ecosystem were also included to find relevant articles. For this purpose, the key words used for this research process are mirrored in Table 1. Table 2 presents the results of the first search, and this is the data used for the research process.

Results
As previously mentioned, the PRISMA methodology was used aiming at a refined, effective and efficient selection of the publications included in this study, given the fact that this is widely accepted and quite preferred in the world of scientific research. Table 3 shows the inclusion/exclusion criteria used in selection process.

Selection process
Using these criteria and based on the PRISMA methodology and its associated flow diagram, all its 164 articles were read thoroughly, from which resulted 90 publications that were included in the present review. Figure 2 illustrates the PRISMA flow diagram.

Review of existing mobile cloud-based application security attacks taxonomies
This section focuses on the analysis of five publications related to the theme under study obtained from the 90 publications included in this review, as detailed in Sect. 2.1. All of them are taxonomies described in scientific papers sourcing from research in academia.

Wu et al. taxonomy
Wu et al. [180]   ical and multi-layer) of the Open Systems Interconnection (OSI) model. This is a very interesting approach and comes as an asset for researchers and system engineers. However, the approach taken at that time does not take into account (and had no way of doing so) the technological advances that have occurred since the emergence of smartphones and tablets.

Zou et al. taxonomy
Zou et al. [193]   securing wireless networks. The classification of threats and attacks is made according to the layers of the OSI model of wireless networks and is a good source for researchers and developers of mobile applications that make use of mobile networks. However, it does not include a specific classification for Cloud-based mobile applications nor does it take into account threats to the back-end.

Bhatia and Verma taxonomy
Bhatia and Verma [21] presented their work in this area in a paper titled Data security in the mobile cloud computing paradigm: a survey, taxonomy and open research questions in 2017. Their main aim was to conduct a comprehensive state-of-the-art study on several related topics, among which are biometric and soft multifactor cipher solutions for data security and privacy assurance, as well as security issues and data security frameworks in the mobile cloud. Their study also presents a classification of Cloud and Mobile ecosystem security issues based on three categories, namely architecture, privacy and compliance. This [21] taxonomy is very useful for obtaining information for those who wish to develop secure Cloud-based mobile applications and for researchers. Furthermore, it respects the requirements of a taxonomy. However, the clas-sification still has gaps regarding some security problems, e.g., the ones that have the components of the Cloud and Mobile ecosystem, such as network, transport and communications, as the attack vector. The same happens in relation to security problems deriving from the human factor or social engineering.

Moorthy et al. taxonomy
In 2020, Moorthy et al. [122] published the results of their study in a survey titled Security and privacy attacks during data communication in Software-Defined Mobile Clouds. This study aimed at providing an in-depth analysis of possible attacks and threats to data privacy Software-Defined Mobile Clouds. Firstly, the research presents a new architecture for Cloud and mobile ecosystem. Secondly, it presents the various threats and vulnerabilities according to five categories, namely application, protocol, source, network and control-based security faced by Software-Defined Mobile Cloud in its different architectural layers. Finally, the study presents countermeasures to the threats and vulnerabilities in the Cloud and Mobile ecosystem. This research has the advantage of presenting one of the most in-depth taxonomies of attack for the Cloud and Mobile ecosystem, as well as the respective countermeasures. However, it presents a gap regarding the lack of reference to threats and vulnerabilities of mobile Web applications and other Cloud-related applications.

Almaiah et al. taxonomy
In the paper titled Classification of Cyber Security Threats in Mobile Devices and Applications, Almaiah et al. [9] presented, in 2021, a comprehensive framework of mobile device and application-cybersecurity threat classifications, being at that date the most extensive classification scheme of security threats for the mobile ecosystem. The main goal of the framework was to systematically identify cybersecurity threats, showing their potential impacts and to bring the attention of mobile users to these threats in order to take protective measures as appropriate. This work presents one of the most profound approaches regarding the taxonomy of attacks to the Cloud and Mobile ecosystem, constituting an added value in terms of a source of consultation for all those involved in the process of secure development of secure applications for this ecosystem. However, the classification does not take into account all threats on the server side or back-end. Furthermore, the framework presented does not provide information (nor is focused) on threat countermeasures.

Others
Although they are not part of the online libraries selected for the sample of this study, the publications of Taleby et. al [169] and Friedman, & Hoffman [54], are herein included for their number of citations and impact. The first publication analyses the state-of-the-art on security solutions, threats and vulnerabilities during the period between 2011 and 2017, focusing on software attacks, such as smartphone applications. It also proposes a set of some countermeasures against those attacks. The second publication presents a taxonomy of attacks in seven categories, namely malware, phishing and social engineering, direct attack by hackers, data communications interception and spoofing, loss and theft of devices, malicious insider actions and user policy violations. The aforementioned study also presents a set of countermeasures against those threats. However, the first article is not as deep in terms of approach and is limited to the mobile ecosystem, while the second one veers toward not being as specific in terms of the mobile ecosystem, as it considers all mobile devices (laptop and notebook personal computers, handheld computers, cell phones, PDAs, BlackBerry devices and iPod mobile digital devices) as mobile. Table 4 compares the different works reviewed in the previous sections based on seven aspects, namely: topics addressed, Cloud and Mobile attacks landscape, mitigation landscape and research challenges. Several symbols are used for this comparison on the table:

Comparison of related works
is used to denote that the description of a subject is addressed on the document, + or ++ are used to emphasize special attention given to a specific aspect (there is a difference with regard to the degree of emphasis, that is, the greater the emphasis, the symbol ++ is used), Ś are used to denote the absence of the subject. The approach presented in the following section differs from the aforementioned ones in several aspects, starting with the depth and extension of the approach, since it aims at covering all sub-ecosystems that compose the Cloud and Mobile ecosystem as a whole, namely the Cloud, mobile Computing and the Internet in between. Also, the approach taken presents a taxonomy according to five domains of the Common Attack Pattern Enumerations and Classifications (CAPEC 1 ) [119] classification, namely application, communication, hardware, physical security and social engineering. In addition, a set of mechanisms to mitigate each of the attacks is also presented. Furthermore, research challenges are presented, which can be used as a basis for future research. 1 CAPEC is only a catalog of attacks organized according to different criteria (domain, mechanism, etc.).

The proposed taxonomy
As the Cloud and Mobile ecosystem results from the intersection of Cloud, mobile and Internet technologies, it became heir to many of the problems and threats of each of them. While Internet technologies, and therefore their related threats, do not fit directly in the scope of this study, which focuses on Cloud and mobile threats, they are nonetheless an integral part, due to, as previously mentioned, Internet technologies being closely intertwined with both Cloud and Mobile ecosystems. Figure 3 presents the taxonomy of attacks on the Cloud and Mobile ecosystem proposed herein, with many of those attacks steaming from the aforementioned three sub-ecosystems, also as a function of the CAPEC attack domains (note that the domain Supply Chain was omitted here; this was a deliberate decision, taking into consideration that many of the attacks that could be classified in that domain can also be classified as physical, hardware or social engineering attacks; therefore, this was a conscious decision, taken for the sake of simplifying the taxonomy). As discussed in Sect. 2.2, the classification of threats or attacks is done precisely according to the five domains of CAPEC. The next subsections focus on each one of the sub-types of attacks at a time.

Software-based attacks
The Software-based attacks category all have in common that they exploit application weaknesses resulting from vulnerabilities in the coding, construction or implementation of software applications, with the aim of causing a negative technical impact. Potential attacks on this category are described below.
Session fixation: this attack aims to achieve account hijacking, so as to subsequently and fraudulently enable access to areas restricted to legitimate users of a web app or a hybrid mobile app [98,172]. The success of this attack depends on prior login, as it requires the session ID of a legitimate user of the target application, impersonating the victim, which grants privileges and results in the violation of confidentiality, access control and authorization of sensitive user data, or theft of money from mobile banking app or mobile interbank application.
Cross-Site Request Forgery (CSRF): CSRF is an attack that forces the user to execute unintended actions in an application for which it is already authenticated in a given moment [39,102,138]. These attacks target unrequested status changes, and not directly data theft, as the attacker cannot see the answer to the forged request. According to [138], CSRF attacks occur when a website allows changes to be made through GET requests. There are two mains approaches to this type of attack, stored CSRF attacks and reflected CSRF attacks. Cross-Site Scripting (XSS): this attack exploits vulnerabilities in Web applications in order to execute code in the victims end (most of the times in the browser or in a webkit of a mobile application). It takes advantage of improper data validation or the possibility to store contents that may become active when a web resource is visited [90,107]. Motivations for the attack vary, but are often related with compromising the user machine to obtain privileged access or exfiltrate data. The most well-known sub-types of XSS are: i) stored XSS (saving the malicious code ininterruptibly in a web application managed resource) and ii) reflected XSS (in which the malicious code or attack script are sent directly toward the user, e.g., in the URL, and not stored it in a lasting manner) [12,176].
SQL Injection (SQLi): SQLi is a command injection technique used to attack applications that use database management systems supporting Structured Query Language (SQL), in which the attacker attempts to introduce characters or keywords of a SQL instruction in an attempt of altering the original underlying programming logic [12,14,61,154]. The attack is often perpetrated to access, alter or remove information, inject accounts or bypass access control mechanisms. SQLi is one of the most commonplace and severe attacks, being classified as high risk, and an entry validation vulnerability [130].
Spoofing attacks: according to Bhatia et al. [21], spoofing attacks are a fraudulent act in which an entity fakes its identity to attempt to access resources and critical data. There are four variants of the spoofing attack, namely content spoofing, identity spoofing, resource location spoofing and action spoofing. There are several means to perform this type of attacks.
Buffer overflow attacks: a buffer overflow is an anomaly on a program occurring during a write operation to a buffer in memory, exceeding its limits and writing in adjacent or deliberate memory blocks. Their malicious effect can be maximized when non-validated inputs are projected to execute code after the overflow. Buffer overflows can cause irregular program behavior, including memory access errors, incorrect results or system security breaches [99].
Code inclusion attacks: in this type of attack, an adversary focuses on exploiting a weakness for the purpose of forcing arbitrary code to be retrieved (remotely or locally) and executed [18,73]. Inclusion differs from code injection by the mode of operation (in this case, the weakness is used to obtain the code that is to be executed).
Brute force attacks: This type of attack consists in trying a potentially large number of possibilities until one grants access or achieves an operation on a system [29,66]. The success of the attack depends on the domain of the variables and on attenuating factors that might make guessing easier. The motivations behind this attack are mainly to access, destroy, leak and steal sensitive information from the sys-tem and its legitimate users. There are several custom made and well-known tools available for different types of brute force attacks, namely hashcat, 2 Hashtopolis, 3 Aircrack-ng 4 or John the Ripper. 5 Cache Poisoning Attacks: cache poisoning is the act of introducing false information into a Domain Name System (DNS) cache in order to cause DNS queries to return an incorrect response and, e.g., redirect users to malicious websites. This type of attack can target the cache of an application (e.g., a web browser cache) or a public cache (e.g., a DNS or Address Resolution Protocol (ARP) cache), exposing the application to a variety of attacks, such as redirection to malicious websites and malware injection [118].
Code injection attacks: This type of attack targets injecting malicious code into user inputs from the interface (web application forms or hybrid mobile applications) of applications written in HTML5. These types of applications are vulnerable to code injection attacks because of the possibility of merging the application's data and implementation code. In case of hybrid mobile applications based on HTLM5, it has increased the attack vectors or channels such as, Contacts, SMS, Wi-Fi, NFC, QR Code, etc [128]. This allows the attacker to inject malicious code to exhaust all the victim's resources. A clear example of such an attack is XSS, already described above. In addition to XSS, there are other techniques of carrying out a code injection attack.
Command injection attacks: this is a class of attacks to which web applications are susceptible, resulting from the semantic gap existing between database interpretation and web application interpretation, as well as from the inappropriate handling of user input [162]. The potential technical impact of this type of attack is the execution of unauthorized commands, thus affecting the confidentiality, integrity and availability of the system. Given the sheer amount of technologies composing web applications, there are several variants of this type of attack, namely LDAP Injection, IMAP/SMTP Command Injection, XML Injection, Manipulating Writeable Terminal Devices, JavaScript Command Injection, NoSQL Injection and OS Command Injection. Some SQLi are part of this type of attacks too.
Cryptanalysis attacks: Cryptanalysis focuses on finding vulnerabilities in cryptographic algorithms and using these weaknesses to decrypt the ciphertext without knowing the secret key. In addition, this can have other purposes such as Total Breach, Global Deduction, Information Deduction and Algorithm Distinguishing [119].
Audit log manipulation attacks (ALM): This type of attack targets log files for the purpose of manipulating (deleting, reading, and altering) them. In a log file audit manipulation attack scenario, an attacker injects, manipulates or deletes information in the log file in an attempt to deceive a potential audit of an attack. The success of this type of attack depends on the insufficiency of log file access controls mechanisms [119].
Session hijacking attacks: this type of attack involves an adversary exploiting weaknesses in the use of an application's authentication sessions. Put another way, this type of attack results from the successful exploitation of improper authentication [36,125]. Its main purpose is account hijacking. The attacker may be able to steal or manipulate an active session and use it to gain unauthorized access to the application. Finally, this type of attack can be executed through four techniques, namely Reusing Session IDs (also known as Session Replay), Session Fixation, Session Sidejacking and Cross-Site Tracing.
Side-channel attacks: a side-channel attack is typically defined [60] as the activities targeting the leakage of information from a physical system while exploiting timing, power consumption, and electromagnetic and acoustic emissions. Side-channel attacks can be carried out either locally, through physical access or at a short distance from the target device, or remotely, from malware hosted in the target cloud environment. Regarding smartphones/tablets, sophisticated side-channel attacks that target the built-in sensors of these devices have been developed, allowing their exploitation to infer keyboard input on touchscreens through sensor readings of native applications and websites, infer the location of the user by the power consumption available in the proc file system (procfs), and even infer the identity, location and diseases of the user through procfs [159].
Virtual machine (VM) escape attacks: a VM escape occurs whenever an application escapes the VM environment in which it is running and obtains control over the VMM, as it escalates its VM privileges to root level. Attackers usually try to break the guest operating system (OS) to access the hypervisor, or penetrate functionalities of another guest OS and its host OS. A single security breach on the hypervisor (e.g., a defective implementation of a virtualized resource) can lead to a compromise. By controlling the hypervisor, the attac-kers can do anything with the VMs it is hosting [1,41,149].
VM migration attacks: VM migration is one of the typical operations of virtualization, where VMs can be transferred between physical machines if needed. Therefore, during this process, VMs need to be protected against insecure networks or attacks. In such an attack scenario, an adversary can, among other things, initiate or redirect the migration process to a malicious network from which the VM can be accessed, cloned and generally compromised [1].
Malware-as-a-service attacks: Malicious code, or simply malware, are scripts or programs that can be injected in the Cloud and mobile ecosystem [74,163]. Malware are traditionally mainly classified based on two main factors: propagation strategy (e.g., virus or worm) and malicious activity (Trojan Horse, spyware, adware, rootkits, botnets, ransomware, backdoors and keyloggers) [142]. Malware injection allows attackers to exploit system (or human) vulnerabilities and manage authorizations, allowing unauthorized accesses to the system. For the Cloud and Mobile ecosystem, malware has a strong impact on user privacy and confidentiality, as they often provide system access to attackers. Additionally, invaders can execute actions such as stealing confidential user data [85,163].
Malicious QR code: in such an attack scenario, an attacker uses malicious QR codes to direct users to fraudulent websites, disguised as legitimate ones, with the objective of stealing sensitive personal information. This type of attack exploits human vulnerabilities and the fact that QR codes are becoming increasingly popular and often seen as trusted.
Server side request forgery (SSRF): a SSRF attack consists of abusing a functionality on the server in order to read or update internal resources. In an SSRF attack scenario, a malicious entity, among many actions, is able to provide or modify a URL that code running on the back-end will read or submit data to. Furthermore, the attacker can read the server configuration, connect to internal services such as http-enabled databases [24,75]. In case the vulnerable server is hosted on a remote server in the Cloud, SSRF attacks require less effort from attackers, causing a higher impact in terms of dangerousness in terms of data leakage or theft.

Communications-based attacks
Attacks in this major category target the exploitation of communications artifacts and related protocols for the purpose of blocking communication, manipulating and stealing data, causing a negative technical impact.
Man-in-the-middle (MitM) attacks: in MitM attacks, an attacker positions itself somewhere in between the sender and receiver of a communication, in this case between two users or clients of a Cloud-based mobile app (client and server). MiTMs can be either passive or active. If the attacker only eavesdrops or decrypts the message, it is a passive attack; if (s)he also has the means to change the message, violating its integrity, then it is an active attack. According to Ferrag et al. [51], in a MitM attack scenario, an attacker can intersect, modify and secretly relay the communication between two entities, without them realizing it. MitM are often an intermediate step toward more complex attacks or intrusions. An example of MitM attacks is presented in Kampourakis et al. [81], where the authors show how MitM attacks over HTTPS can be carried out in commonplace browsers.
Sniffing: Sniffing is the act of obtaining data in real time from data transmitted between smartphones (or tablets) and Cloud and Mobile ecosystem security threats the Cloud, through a network (Bluetooth, Wireless Sensor Network (WSN), Wi-Fi, 3 G/4 G/5 G, etc.). These attacks allow hackers to intercept and monitor user data, while it is in transit in the network, without interfering with the transmission process, to hinder detection. If strong cryptographic schemes are not used, data can be read or interpreted [20,51,85]. Also, an attacker can capture data from the different sensors available on a mobile device (accelerometer, Global Positioning System (GPS), compass, gyroscope, microphone, camera and headset) without user knowledge or consent [164].
Eavesdropping attacks: Eavesdropping 6 is a type of attack where the attacker tries to gain access to sensitive information of legitimate users from the messages (text, voice and video) exchanged between two or more users, e.g., of Instant Messaging (IM) applications. The same applies to recorded calls, call logs and multimedia stored in clear text in memory cards. Generally, fraudulently gaining access to the critical information of targets, either for political, financial and other gains, is the goal of the eavesdropping attack. The traditional eavesdropping attack affects mainly the communications layer of the mobile phone network and can be legitimate and legal (done by a government entity authorized by justice, to investigate suspicions of corruption or terrorist acts) or not. They can also be done through an outof-band device (a voice recorder, a hidden micro-camera or by intercepting and listening to voice conversations (calls) or text conversations (SMS) from the mobile phone service provider). According [9], for this case, there is Eavesdropping on non-encrypted message content and Eavesdropping on calling.
Flooding attacks: when flooding, the attacker attempts to negatively impact of the service or resource availability from authorized users, by exploiting specific vulnerabilities or by sending overwhelming amounts of messages (e.g., SYN flooding attacks, User Datagram Protocol (UDP) flooding, Internet Control Message Protocol (ICMP) flooding) on the server. In a DoS scenario, the attacker often attempts to disable the network or services by uninterruptedly sending data packets to the target server from only one device. On the other hand, DDoS amplify that activity by using multiple nodes and even different networks that were compromised beforehand. DDoSs generate more traffic than a traditional DoS attacks, and from different sources, many of them are legitimate (infected) users [12,37,58]. As can easily be seen, this type of attack falls well into both the communications category and the software category, as it targets the network, transport and data connection and Cloud-based mobile applications whose architecture is client-server, the main consequence being the unavailability of software whose paradigm is SaaS.
Botnets attacks: a botnet is a set of devices (PC, smartphone, tablet, IoT) compromised by a malicious entity (i.e., the bot master) that can remotely control such devices for the purpose of conducting other types of attacks (e.g., denial of service, malware or SPAM distribution). Traynor et al. [173] are considered to be the pioneer in the study of the theoretical potential impact of mobile device botnets in telephone networks, in 2009. In a mobile botnet scenario, the objectives of an attacker are to execute commands, disseminate malware code and expand the bot network [84].
Byzantine attacks: Byzantine attacks target routing protocols, where two or more routers collude in order to download, fabricate, modify or divert packets, aiming to disrupt the routing service in a Mobile Ad Hoc Network [190]. Furthermore, given its nature as a wireless and decentralized transmission medium, most routing protocols are vulnerable to other types of attacks besides Byzantine, namely gray hole attack, sinkhole attack, wormhole attack, sleep deprivation attack and black hole attack [76]. Byzantine attacks are critical in the use of mobile devices in military operations scenarios and in clinical fields.
DoS (cellular) jamming attack: the purpose of the DoS Jamming attack is to disrupt mobile network communications by blocking, interrupting, or making unavailable communications between mobile devices and BST. This results in the unavailability of services provided by the mobile telephony and Internet service provider. In addition to DoS, it can also cause rapid discharge of the battery of mobile devices [122]. In the latter case, we would be in the presence of a resource depletion attack.
Bluejacking and bluesnarfing attacks: DDoS-type attacks that target a Bluetooth wireless network in order to render it useless or near useless. It usually occurs through an attack coming from a connection of malicious entities in a target network. If the attacker is able to send unsolicited messages to the target devices via the Bluetooth connection, then we are in the presence of Bluejacking. In a scenario where the attacker gains unauthorized access to information from Bluetooth-enabled mobile devices using the OBject EXchange (OBEX) protocol, we would be in the presence of the Bluesnarfing attack [134]. Through the Bluejacking attack, attackers can send unwanted sounds, videos to other Bluetooth-enabled devices. Bluesnarfing attack consists of using Bluetooth connection for the purpose of stealing sensitive information (contacts, e-mails, passwords, photographs and other useful data) from wireless devices such as smartphones, tablets and IoT devices.
On-off attacks: this type of attack targets a wireless sensor network (WSN), aiming to disrupt a trust redemption scheme, behaving alternately as a good or bad entity, in order to ensure immediate trust redemption before another attack occurs. The on-off attack can result in the disruption or DoS and the consumption of node power in a WSN by means of fake injection attacks, capable of injecting huge amounts of fake data packets [112]. Finally, since there is a vulnerability that results from aggressive attacker behavior, which when exploited makes the system unable to distinguish a bad behavior from a temporary error, malicious nodes have more opportunities to attack the WSN by virtue of them staying active most of the time [26,65,72,189,192].
Cellular rogue base station (CRBST) attacks: A CRBST attack is a security threat aiming exploit the radio interface between smartphones and base stations, potentially launching passive or active attacks against user equipment. Such attacks range from acquiring the International Mobile Subscriber Identifier (IMSI) of subscribers, DoS, leaking private information on 4 G networks and eavesdropping [83].
Rogue access points: The access points (AP) in a Wi-Fi networks might be subject to the attack of AP spoofing, usually called Rogue Access Point (RAP) [10]. This attack consists of cloning the Media Access Control (MAC) address and Service Set IDentifier (SSID) of an AP, leading to the appearance of a fake access point posing as a genuine one, leading users to connect to this new network as if they were connecting to the genuine network. If the attack is successful, an attacker has the ability to eavesdrop on communications and hijack a communication of a given target user, redirect them to malicious websites, and steal their login credentials.
Access point hijacking attacks: This type of attack is a variant of the session hijacking attack and targets the AP access credentials of legitimate administrators [80]. These credentials can be extracted, e.g., through a sniffing, brute force or MitM attack. After this, the attacker is able to carry out other types of attacks, such as DoS and RAP.
NFC payment replay attacks: This type of attack targets the exploitation of vulnerabilities in the Europay Mastercard Visa (EMV) wireless communication protocol between the smartcard and the payment terminal, namely the authenticity of the payment terminal is not guaranteed to the payment device of the costumer and the banking data exchanged between the payment device (smartcard) and the point of sale terminal are not encrypted [110,140]. Such an attack occurs when an attacker re-transmits authentication-related communication between a payment device, VISA smartcard or Mastercard (RFID) and an automated payment terminal. Since the relay attack is stealthy, both the smartcard and the payment terminal are unaware of it. In such scenario, provided the attacker has knowledge and skills in radioelectronics, (s)he might be able to use an NFC reader (or an NFC smartphone) equipped with a special antenna in order to steal the victim sensitive smartcard data within a safe distance of a few meters from the payment terminal, even if it is in a briefcase, by falsifying the distance between the victim and the automatic payment terminal.
Wi-Fi SSID tracking attacks: This type of attack aims to obtain sensitive data (location, routine, trajectory, etc.) of users of mobile devices using Wi-Fi networks to access the Internet. Furthermore, it consists of using sophisticated sniffing devices to bypass authentication (for closed networks), extract and identify the MAC address of the mobile device and establish a match with its potential owner. In practice, this type of attack (which can be passive or active) exploits the vulnerability of constant radio signal emission from smartphones, tablets and IoT devices [113].
Wi-Fi jamming attacks: This is a denial-of-service attack that blocks the radio frequency, making access to the Wi-Fi network and consequently to the Internet unavailable [27,136]. Generally, two techniques are used to carry out this type of attack, namely: (1) Wi-Fi AP Flooding with deauthentication frames; (2) transmit high levels of noise in the radio frequency band of the Wi-Fi network.
GPS spoofing attacks: With the adoption and widespread use of mobile devices and their applications, many emerging technologies have gained notoriety and became ubiquitous. One of these is GPS, providing positioning, navigation and timing services. However, such adoption has brought several security challenges, most notably, the existence, in the civilian version of GPS, of the possibility of GPS spoofing. According [101], GPS spoofing attack consists of breaking authentication by forging satellite signals in order to provide incorrect location and timing data to the user, putting the user security at risk for several reasons.
GPS jamming attacks: This attack aims to interrupt or obstruct the communication between the emitting satellite and the device (smartphone/tablet) receiving the GPS signal. Normally, the attack consists of blocking the signal to the receiver, since the receiving signal is weaker compared to the broadcasting signal, and can be carried out in two different ways, namely blanket jamming and deception jamming [71].
Orbital jamming attacks: Low-orbit satellites came into existence in order to increase the quality of communications, as they decrease latency during message exchanges between two or more entities. However, they are susceptible to interference attacks in particular situations. Since the radio frequency of the front-end of a low-orbit satellite can easily be saturated with the use of a powerful jammer, this would result in disabling the link in the entire frequency band [179].

Social engineering-based attacks
Attacks in this category target the manipulation and exploitation of the human factor, i.e., human weaknesses of behavioral nature, inducing them to perform actions or disclose confidential information that benefit the adversary. They also have the particularity of not requiring physical contact between the adversary and the victim.
Phishing attacks: a phishing attack is performed via manipulation and dissemination of a web link to attempt to redirect users to a site controlled by the malicious entity, e.g., designed to capture user information and account access, with the final objective of stealing sensitive data. Main attacks vectors are e-mail keyloggers through Trojan horses and man-in-the-middle attack of data proxies. The most common targets are Internet banking and online payment (e.g., Paypal or VISA) users [56]. On mobile devices, attackers can also use, e.g., Short Message System (SMS) or Multimedia Message System (MMS) to steal one-time passwords or change DNS resolution on the device.
Pharming attacks: Pharming is a special type of phishing attack or DNS poisoning attack in which the user is redirected to a fake website by changing the IP address on the DNS server [57,86]. The objective of the attack is the same as the phishing attack, i.e., theft of sensitive data and money from legitimate users of the applications.
Malicious QR code: Although this type of attack also affects the category or application layer, it also falls under the category of Social Engineering attacks as it mainly relies on human behavior [89]. For example, the victim may be tricked into reading a malicious QR code advertising a fake promotional campaign for a product from a supermarket car park, being redirected to a malicious site.
Malware-as-a-service: Social engineering is also a form of delivery of malware as a service, as many users of mobile social networking and instant messaging applications are not cyber-secure and exhibit risky behaviors when using these platforms. They are then easily tricked into clicking on malicious, supposedly well-intentioned links that appear as an advertisement or game, resulting in the stealthy installation of malware on the victim's mobile device.

Hardware-based attacks
Attacks in this category focus on exploiting the physical hardware (the chips, circuit boards, device ports, etc.) used in computer systems, aiming to replace, destroy, modify and exploit the hardware components that make up a system.
Reverse engineering attacks: REA attacks were previously mentioned as software-based attacks, but they also can apply to hardware. The purpose of reverse engineering attacks is maintained, as the purpose of gaining access to sensitive information from systems and users, e.g., how the system is built hardware-wise, usage of fixed function hardware, or retrieval of embedded cipher keys [16]. The two main approaches, White Box Reverse Engineering and Black Box Reverse Engineering, are also kept in terms of hardware-based reverse engineering.
Mobile SIM swapping attack: This attack is typically performed via the swapping of the SIM card of a victim. In such scenario, a cybercriminal, with a few important details about the life of the target, can potentially and correctly answer security questions, impersonate the victim, and convince the mobile carrier to reassign your phone number to a new SIM card. Notice that SIM swapping can happen remotely. At that point, the criminal can get access to some of the data associated with that SIM card, change account passwords to lock the victim out of online banking profiles, e-mail, etc.
Side-channel attacks: This type of attack, extensively described in Sect. 2.3.1 also targets hardware and has the particularity of being difficult to stop, given its stealth characteristics, in terms of operationalisation. According to Montasary et al. [121], there are three variants for this type of attack, namely Prime+Probe Attacks, Time-Driven Attacks and Access-Driven Attacks. Moreover, these attacks are aimed at leaking sensitive data from encrypted digital devices and electronic circuits. Finally this type of attack can be operationalized locally (physical access to the device) or remotely.
Rowhammer attacks: This type of attack targets Dynamic Random-Access Memory (DRAM), as it is vulnerable to memory perturbation errors-a high rate of accesses to the same address in DRAM reverses bits in data stored at nearby addresses. Furthermore, mobile devices and the Cloud are also vulnerable to such attacks [175,184]. Rowhammer attacks generate adversarial workloads that exploit perturbation errors for the purpose of inverting the value of safety-critical bits. And considered an attack with a high degree of dangerousness, given the fact that it is easy to mount and easy to scale [31]. A Rowhammer attack can result in the pollution of the system memory, accessing and altering sensitive data and obtaining total control of the system [121].
Hardware integrity attacks: This type of attack results from the corruption, counterfeiting or cloning of one or more physical components of a computer system by a malicious entity, leading to other types of attacks or threats, such as denial of service and leakage of the victim's sensitive data [157,177].
Spectre attacks: Spectre attacks are part of a class of microarchitectural attacks. Spectre attacks trick the processor into speculative execution of sequences of instructions that should not have been executed under correct program execution [93]. Such instructions are called transient instructions, because their effects can be reversed. In a scenario of a successful Spectre attack, the attacker is able to leak information from within the address space of the victim's memory.
Meltdown attacks: The is a microarchitectural attack that exploits out-of-order execution to leak core memory. Differs from a Spectre attack in terms of targeting and modus operandi [93,104].

Physical security-based attacks
In this category, attacks target physical security, aiming to exploit weaknesses in the physical parts of a system in an attempt to compromise it.
Bypassing physical security (BPS): These attacks consist of techniques aiming at circumventing or avoiding detection by physical security and building surveillance systems or methods to bypass electronic or physical locks protecting entry points [143]. It may be part of more complex attacks aimed at accessing, altering or destroying sensitive user information, or making a service or resource unavailable [11,143].
Device theft or loss: The main distinctive characteristic of this attack is that it consists of trying access and steal a physical target device in order to perform malicious actions, such as altering, deleting, leaking, inserting and destroying data, as well as stealing money through banking transactions, posing as the rightful owner [32]. Some specific instances of some attacks, such as, e.g., Man-in-the-Disk attack [42], where the physical external storage can be physically taken from the device after being compromised or used to divert sensitive data, can also be categorized here. The attacker can also simply destroy the device, preventing the user from accessing their data and the services provided in the form of an application as a service.
Malicious insider: This type of attack occurs when a malicious entity (e.g., client, employee, hypervisor, Cloud provider/corrector, etc.) takes advantage of its legitimate inside privileges to secretly perform malicious activities, such as information theft and data or physical infrastructure destruction. This type of attack also occurs from client to server, when the person, employee or team with insider knowledge on how the system is built can implant malicious code to fully destroy the software solution [4,74].
The taxonomy proposed in this paper revolves around five main domains: application, communication, social engineering, physical security and hardware. Figure 4 presents an illustration of it in the context in which each of the attacks occurs. It allows extracting a mental picture of the stage of security threats in the Cloud and Mobile ecosystem and the identification of the main attack vectors in the different layers that constitute the considered ecosystem. Moreover, it also addresses threats or attacks on mobile telecommunications infrastructures. To the best of our knowledge, the proposed taxonomy is the most comprehensive ever developed, as it covers all ecosystems or technologies that give rise to the Cloud and Mobile ecosystem considered as a whole, namely the Internet, the Cloud and mobile.

Mechanisms against attacks and vulnerabilities in the Cloud and Mobile ecosystem
This section presents algorithms and mechanisms that can be used for countering the various threats and attacks on the Cloud and Mobile ecosystem. A general perspective over the mapping is provided in Table 5, following the proposals of various researchers. The idea is that these mechanisms are guaranteed by design of the applications of this ecosystem, thus embedded right from the inception.

Application-based attacks countermeasures
The following are brief descriptions of countermeasures that can be applied to prevent the aforementioned applicationbased attacks: -Session Fixation Attacks Countermeasures: preventing these type of attacks can be achieved by (1)  the vulnerability of code injection and prevent its corresponding attack, the following can be adopted as countermeasures: defensive coding, sanitation of all client entries (e.g., using XSS Auditor [17], Bek [68], CSAS [146]) and ScriptGard [148] frameworks/mechanisms), validation of all content entries, force regular application of software patches, use safe APIs and limit the damage caused by the code injection attack using CSP, ConScript [117] and Escudo [78] frameworks; -Command Injection Attacks Countermeasures: countering command injection attacks and eliminate the respective vulnerability can be achieved by validating and filtering all input provided by the user. Additionally, all the entries must be parameterized; -ALM Attacks Countermeasures: mitigation techniques for ALM include using input and output validation mechanisms, implement secure and strong access control mechanisms, use synchronization, use security testing by static analysis to identify log forging vulnerabilities, avoid viewing logs with command-line shells, use of Trusted Platform Module (TPM) [141] and Mobile Trusted Module (MTM) [170]; -Session Hijacking Attacks Countermeasures: one-time cookie stateless method can be used with HTTPS to prevent session hijacking attacks; additionally, the use of encryption, authentication, session management mechanisms and access control mechanism all contribute as attenuation measures. Moreover, for native mobile applications, the use of authentication protocols resistant to session hijacking attacks, such as chaotic hash-based biometrics, asymmetric encryption function, elliptic curve cryptosystem, bilinear pairings, hashing function-based techniques and self-certified public keys, mutual authentication, hash-based remote fingerprint authentication scheme, and pattern recognition approaches are very best practices to apply in this context; -Malware-as-a-Service Attacks Countermeasures: implementing network defenses such as firewalls, IDS, IPS, VPN, AVs, Anti-malware system, Anti-Spam system, application signing, authenticated, authorized remote management, Cloud-based crowdsourcing [133] and use of TPM should help attenuate Malware-as-a-Service attacks; -REA Countermeasures: obfuscation tools and techniques are designed specifically to prevent reverse engineering attacks, but their effectiveness should be tested using tools such as IDA Pro and Hopper. At the time of writing, the most recommended obfuscation tools/techniques are Proguard, Dexguard, Android NDK and Google Play Licensing Check, code obfuscation [38] and hybrid obfuscation [8]. Additionally, the use of TPM is also recommended in order to mitigate REA in the Cloud environment; -SSRF Attacks Countermeasures: mitigating SSRF attacks requires setting up and deploying controls and technologies such as segmentation of remote resource access functionality into separate networks, firewalls, network access control mechanisms, sanitization and validation of all user input data, and disable HTTP redirects [123]; -VM Escape Attacks Countermeasures: correct guest machine configuration, correct configuration of the interaction rules between host and guest machines, keeping flexibility to a minimum [77], use of HyperSafe, adherence or subscription to Trusted Cloud Computing Platforms (TCCPs) (e.g., TPM) [1], use of virtual trusted data centers (TVDs) [63], use of security frameworks and architectures [165], and restriction of access to VM resources through accessing control policies like Discretionary Access Control (DAC), Mandatory Access Control, Role-Based Access Control (RBA) [187], Object-Based Access Control (OBAC) and Task-Based Access Control (TBAC) [181] are all countermeasures to VM escape; -Side-Channel Attacks Countermeasures: to mitigate sidechannel attacks, [182] proposes deploying elliptic curve cryptosystem as well as a public key infrastructure (PKI). Protecting cryptographic implementations, protecting user input, preventing network traffic analysis, permissions, keyboard layout randomization, limiting Access or sampling frequency, noise injection and preventing microarchitectural attacks [159] are also proposed counters for these attacks. For this purpose, the use of the App Guardian [191], Slogger [155], SEAndroid [158], SemaDroid [185], FlaskDroid [25], PINPOINT [144], AuDroid [135], AppVeto [129] frameworks are recommended. In addition, S-Box access and SGX & ARM TrustZone, TPM are highlighted countermeasures against cache-based side-channel attack [33].

Communication-based attacks countermeasures
The following are descriptions of countermeasures and mitigation techniques that can be applied to prevent the communication-based attacks: -MitM attacks countermeasures: preventing MITM attacks [28,79,87,166,183] include using a myriad of techniques such as hash-key-based fingerprinting remote authentication scheme, using Diffie-Hellman (DH) with a co-location verification phase, using a correctly configured Transport Layer Security (e.g., TLS v1.2 or TLS v1.3), using cryptography tools, e.g., Dsniff, Ettercap, Wsniff, Airjack and End-to-End Encryption (E2EE), using strong cryptographic algorithms (e.g., AES, Rivest-Shamir-Adleman (RSA), Secure Hash Algorithm (SHA), Elliptic Curve Cryptography (ECC)) that can ensure data integrity and confidentiality, i.e., data origin authentication through digital signature and Hash-based Message Authentication Codes (HMACs), and using strong mutual authentication to always fully authenticate both ends of any communications channel; -Sniffing Attacks Countermeasures: using sniffer detection techniques, e.g., based on Round-Trip Time (RTT), using access control and authorization and encryption mechanisms can aid in detecting (and mitigating) sniffing attacks; -Eavesdropping Attacks Countermeasures: several technological or human centric techniques can help attenuate or mitigate the effects of eavesdropping attacks, and a panoply of those techniques should often be combined in order to be effective. They include secure authentication, authorization and access control mechanisms, applying patches on installed applications as soon as new updates become available, encrypt local and remote storage, use E2EE scheme for every message exchanged between two or more entities, do not disclose confidential data in conversations in public places, physically disable the microphone and camera on the devices if not in use, use of anti-virus and other security monitoring and detecting tools, and remain alert to unusual behavior or activity of installed applications; -Spoofing Attacks Countermeasures: strong remote authentication and authorization mechanisms that must be applied to control the access to confidential information stored in the Cloud, such as those described to mitigate MitM attacks, can also be applied to prevent spoofing attacks; -Botnet Attacks Countermeasures: using the best authentication and authorization paradigms, such as multifactor authentication, using a HIDS, NIDS and IPS integrated into a single Framework, and implementing the best cryptographic schemes that ensure authentication and authorization are countermeasures that can mitigate a botnet attack; -Byzantine Attacks Countermeasures: ensuring that communications are encrypted, correct and authentic is an effective means to counter Byzantine Attacks. To this end, it is necessary to implement security mechanisms that guarantee these properties, namely secure encryption schemes and protocols, use of HMAC or digital signature to guarantee data integrity, and secure authentication schemes (e.g., hybrid multifactor authentication). Additionally, the use of technologies/techniques such as REST, PKI, Universally Unique Identifier (UUID) authentication, TLS and Security Enhanced (SE) -Floodlight [137] is also recommended; -VM Migration Attacks Countermeasures: countermeasures include the application of network security mechanisms, such as remote attestation and security cryptography in the communication channel [108], or the use of secure VM migration frameworks, such as PALM 7 [106], is a potential solution to counter On-Off attacks; -CRBS Attacks Countermeasures: the best strategy to counter CRBS attacks is to implement a mechanism that identifies a fake BS from an authentic one. To this end, three approaches can be followed. Firstly, making the provision of a database of reliable base stations by mobile Internet service providers for reference. Next, the mobile device would determine the relative position of the BS through the received signal strength. Finally, the reliability of the BS would be assessed by comparison to others. On other hand, Shaik et al. [153] proposed a solution that fits into two categories, namely Fixing LTE protocols and Self-Organizing Network (SON) with intelligence.
-RAP Attacks Countermeasures: to counter this type of attack, a combination of several techniques or mechanisms can be used, such as hybrid RAP detection framework, Elimination [109], Multi-agent [160], Distributed Wireless Security Auditor (DWSA) [109] and RogueAP-Detector 9 ; -AP Hijacking Attacks Countermeasures: strong encryption with authentication schemes or cipher modes (e.g., AES-GCM-256), secure encryption protocols, authentication (WPA2) and access control mechanisms are countermeasures against AP hijacking attacks; -NFC Payment Replay Attacks Countermeasures: countermeasures to NFC payment replay attack consist of proximity verification and mutual authentication of the communication between the payment device (smartcard or smartphone) and the payment terminal through proximity tokens and key exchange protocol [126]. Furthermore, data shared between the smart card and the payment terminal and between the smartphone and the mobile phone operator must be encrypted using secure cryptographic schemes; -Wi-Fi SSID Tracking Attacks Countermeasures: to counter this type of attack, privacy preservation must be guaranteed using hybrid cryptographic schemes, anonymous identity-based encryption, full 802.11 link-layer protocol that obfuscates all transmitted bits, including identifiers, mixing zones, silence periods and dynamic modification of signal strength [113]; -Wi-Fi Jamming Attacks Countermeasures: among the various solutions proposed to mitigate Wi-Fi Jamming Attacks, the channel hopping scheme is known as the most practical approach. Moreover, it can allow packet delivery even in the presence of jammers [44]. This scheme has been improved and its new version has been presented by [43]; -GPS Spoofing Attacks Countermeasures: countermeasures to GPS spoofing attacks are divided into two main categories, namely detection and mitigation. For detection, methods based on power monitoring of signals, spatial processing for spoofing detection, spoofing discrimination using time of arrival (TOA), spoofing discrimination using signal quality monitoring (SQM),  [145] and BEACON filter based on optimal bounding ellipsoid (OBE) criterion [111] are GPS Jamming mitigation techniques; -Orbital Jamming Attacks Countermeasures: blind source separation (BSS)-based approach [188] and Satellite Diversity [179] are mitigation measures against Orbital Jamming attacks.

Hardware-based attacks countermeasures
Below are countermeasures against hardware-based attacks: -Mobile SIM Swapping Countermeasures: several countermeasures can be applied to mitigate SIM Swapping, namely (i) establish two-factor authentication (2FA) using authentication applications instead of codes sent by e-mail or SMS; (ii) be aware of phishing attempts, being careful with messages from people and organizations you do not know, even if the sender seems familiar (e.g., there may be typos in the name of the sender, company logo and throughout the message that are a good warning that the message should be delete); (iv) instigate people to never click on links in suspicious messages; and (iv), endorsing the usage of a password manager; -Side-Channel Attacks Countermeasures: Countermeasures to side-channel attacks consist of combining hardware partitioning and a secure and efficient implementation of the AES algorithm, the AES New Instruction (AES-NI); -Rowhammer Attacks Countermeasures: To counter Rowhammer attacks, Rowhammer-induced bit reversals should be blocked by modifying DRAM memory controllers and by using a high-bandwidth oscilloscope to physically probe the memory bus [121]. -Spectre Attacks Countermeasures: To counter Spectre attacks, the use of the following mitigations or methods is recommended: Dynamically Allocated Way Guard (DAWG) [47,91], SafeSpec [88], InvisiSpec [186], ConTExT [151], SpecCFI [96] and run-time detection of Spectre attacks on Intel's architecture using hardware/software events and machine learning [

Social engineering-based attacks countermeasures
The following are descriptions of countermeasures and mitigation techniques that can be applied to prevent the attacks based on social engineering: -Phishing Attacks Countermeasures: utilizing authentication (e.g., using PhishPreventer [23] Authentication Protocol) and immunity by incorporating verification technologies (e.g., Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)) [67], implementing access control mechanisms, implementing cryptography schemes, e.g., symmetric, asymmetric or hybrid ciphers that use standard encryption algorithms, and data sanitization are mitigations to this type of attacks. Additionally, good cyber hygiene practices should be taught and applied by users when using cyberspace; -Malicious QR Code Attacks Countermeasures: according to [97], potential countermeasures against Malicious QR Code include using visual QR codes, standardizing DS in QR codes, masking (as the black and white QR code module distribution compatible with specifications follows a specific pattern determined by a mask), using a framework or security mechanisms that allow the detection of malign and benign URLs, blacklist malicious URLs susceptible to a phishing attack using Google Safe Browsing (GSB), OpenPhish (OP), and PhishTank (PT), as QR code URLs are usually shortened [19,48,49].

Physical security-based attacks countermeasures
Brief descriptions of countermeasures and mitigation techniques that can be applied to prevent the attacks targeting physical security mentioned in the literature are as follows: -BPS: implement intelligent access control mechanisms that are resistant to circumvention attempts, such as smart locks with a multifactor authentication system that combines two or more authentication paradigms, with biometrics being mandatory, are countermeasures against BPS; -Device Theft or Loss: physical access control mechanisms, as well as intelligent monitoring and surveillance solutions are effective against this type of attack; -Malicious Insider Attacks Countermeasures: mitigation techniques for this type of attack include implementing intelligent physical access and electronic surveillance mechanisms on data centers, implementing remote access control mechanisms to VMs, that ensure the minimal privilege principle, using cryptography and key management secure techniques that ensure sensitive data and key generation protection, and risk management and administration that guarantee policy execution and risk evaluation. Finally, it is recommended to adopt PSO, an ontological framework, proposed by Mavroeidis et al. [115] and TPM.
Finally, regardless of the countermeasures proposed by researchers and expert organizations in the form of best practices, we believe that security problems will only be effectively eradicated if Cloud and Mobile ecosystem applications are resistant to attacks or threats by design, and this will only occur when they are free from security vulnerabilities. This will only be possible when the security and privacy of the data of the users of the Cloud and system-based mobile applications are considered from the very beginning, even before the implementation of the applications, i.e., the data of the end users of the applications will only be secure as long as security mechanisms are incorporated during the entire engineering process of building systems and applications.

Tests and automation tools
This section presents the security tests for the Cloud and Mobile ecosystem, beginning with a general overview on security tests, and finishing with a specification of these tests for the specific ecosystem.

Security tests
With the widespread adoption of smartphones and tablets, software development has become more complex and certainly more distributed than ever, which in turn results in more software security issues. Embedding security into software means assuring that the software behaves correctly even if under a malicious attack, though software failures spontaneously occur in the real world-that is, without intentional prejudice [139]. There is a growing concern with security tests, given their preponderant role in software security.
Software security testing is the process used to identify if security resources implemented in software are consistent with their specification and construction. Software security tests can be divided in functional security tests and vulnerability security tests. This first ensures that security functions were correctly implemented, and are consistent with the security requirements. Software security requirements mainly include confidentiality, integrity, availability, authentication, authorization, access control, auditing, privacy protection or security management. Security vulnerability testing [171], on the other hand, attempts to discover vulnerabilities, often mimicking what an attacker would do. Vulnerabilities span from conception, implementation, operation and management faults or flows.
The difference between software security and secure software concerns thus the presence of an intelligent adversary that is attempting to attack the system [139]. Security is related to the information and services that are being protected, the abilities and resources of an attacker and the costs of potential solutions. It is an exercise in risk management. Risk analysis, particularly on the concept level, can help identify security problems and their impact. Once identified and classified, software risks can guide the software security testing process [139].
A vulnerability is an error or fault an attacker can exploit. There are different types of vulnerability, which lead to the creation of different taxonomies [100]. Security vulnerabilities in software systems can vary from local implementation errors (e.g., calling the get() function in C/C++) to much larger construction errors (e.g., a recovery system that, when failing, enters in an unsecure mode). Vulnerabilities can then be fitted into the implementation-level and project-level categories [116].
Project-level vulnerabilities are the hardest to address, while being the most prevalent and critical. The process of verifying if a given program has a vulnerability of this type is not an easy task neither for developers nor attackers, and requires experience, making their discovery harder to automate [139].

Security tests techniques
Security tests for the Cloud and Mobile ecosystem have gained a strong traction in the academic and business communities, as the adoption of smartphones, tablets and Cloud computing has been growing in popularity. There are several works in this direction, with emphasis on Gao et al. [55], Murugesan et al. [124], Kong et al. [95], Knorr et al. [92] and Wang et al. [178]. An interesting characteristic of the majority of these papers is that they mainly refer to application security tests for the Android platform (explained by the prevalence of the mobile operating system). In terms of the type of analysis, tests are often segregated into static or dynamic analysis. Static analysis or testing does not require the execution of the program, contrary to dynamic analysis [178]. In terms of the knowledge of the system, tests can generally be of three types [95] namely: (i) Black Box Testing, which derives from an external description of the software, e.g., a description of its attack surface, and is used by individuals dedicated to finding vulnerabilities; (ii) White Box Testing, a more demanding approach derived from the source code of the software, which allows for a better coverage than Black Box Testing, typically used by application development companies; and (iii) Grey Box Testing, which results from combining White and Black Box Testing, trying to combine the best of both approaches, as some parts are derived from the general description, while others are based from the source code.
In terms of attacking, penetration testing or vulnerability testing techniques or method, tests can be classified as follows: 1. Attack Injection: a form of negative testing 10 that consists of the idea of purposely injecting faults in the security domain [53]. An intrusion results from combining an attack with one or more vulnerabilities. An attack is a failure that leads the system to an erroneous state or behavior and a security breach. So, the idea of injecting attacks consists in performing a large amount of attacks, and monitoring the status of the target software to detect if there are errors or faults. In case one of these conditions is detected, a vulnerability becomes known and tagged as the target for the injection attacks [53]. The project Attack Injection on Software Components (AJECT) 11 is an interesting work on the definition of an architecture of components for this type of injection. Its main components are the attack injector and the monitor. The first component per-forms the injection, while the second observes the target application so as to detect errors or faults [53]. 2. Penetration Testing: experimental security tests done to identify invisible vulnerabilities in applications. Mainly used with permission to test cryptographic properties (e.g., authentication or confidentiality), to find vulnerabilities in the test environment and examine the performance of a system under extreme conditions [22]. There are two approaches for this type of test. The first relates to tests done by a team which is often external to the corporation-known as red team-and specializes in this type of tests, and has as its main purpose to demonstrate that the system has vulnerabilities. In this case, the team behaves as an attacker, as it does not possess knowledge of the system. This is known as ethical hacking [132]. On the other hand, when this task is performed systematically in an attempt to find the highest possible amount of vulnerabilities, usually with knowledge of the system, we are in the presence of the second approach. There are several tools that aid in performing penetration testing, most of which are specific for each category and objective of the test, platform or attack surface, as illustrated in Table 6. 3. Vulnerability Sweepers: applications or scripts that search for known vulnerabilities, e.g., a set of CVE 12 or OSVDB 13 vulnerabilities. The difference between a sweeper and an injector or fuzzer is tenuous, with the main difference being that the latter also search for unknown vulnerabilities. They are then used for different purposes.
Sweepers are used to check that known vulnerabilities are not present, while fuzzers and injectors search for known and new vulnerabilities, either by developers, bounty hunters, or hackers. Sweepers require the existence of a vulnerability database, where the attacks are clearly defined; injectors and fuzzers insert semi-random inputs into interfaces, and contain heuristics to help guide the injection process. 4. Proxies: contrary to the previously mentioned tools, proxies allow performing security tests without any knowledge of the system or application. The modus operandi is based on modifying communications in and out of the application, instead of directly injecting inputs in the target. A simple example of this type of a tool is the Interactive TCP Relay (ITR), which enables the interception and modification of TCP/IP communications in a clientserver setting [13]. WebScarab, 14 22 is an advanced fuzzer, used to discover SQL injection vulnerabilities in web applications. Sqlmap also allows the user to attack the discovered vulnerabilities, being considered an automatic SQL injection and database takeover tool.

Security testing tools
In this survey, security tests on the Cloud and Mobile ecosystem are organized according to parameter, approach, method and test tool, and the two main mobile device platforms. Table 6 presents the main security test tools taxonomy for attacks on the Cloud and Mobile ecosystem. It also contains the vulnerabilities or parameters to be tested, the potential attacks in case the vulnerability is not eliminated, the type of test, the type of analysis, the test method and the mobile platform to which it applies, serving as a wrap up for the above discussion.
For an application of the Android platform, the testing process is simpler to implement, given the nature of the security paradigm of this platform. Thus, there are some assumptions that must be taken into account, namely Host Device (Windows, Linux, MacOS), Android Studio (which comes with the Android SDK), Android NDK, Scrcpy (to display or control devices from the computer) and at least one Android mobile device. In the case of the iOS platform, the test can only be carried out from a MacOS, while considering the following five assumptions, namely MacOS host computer with admin rights, Xcode and Xcode Command Line Tools installed, Wi-Fi network that permits client-to-client traffic, at least one jailbroken iOS device (of the desired iOS version) and Burp Suite or other interception proxy tool.
It is increasingly important to emphasize security test automation in this context, mainly when trying to analyze complex projects (which is typically the case in the Cloud and Mobile ecosystem). This process is usually done resorting to static or dynamic analysis, in which case there are some parameters that need to be taken into account and should first answer the "what to test?" question. The target is defined as the security vulnerabilities in the application. Furthermore, it is a good practice to structure the test in parts, e.g., as proposed by OWASP [123], which argues that a penetration test is composed of five phases, namely Preparation, Intelligence Gathering, Mapping the Application, Exploitation and Reporting. According to [92], static analysis is based in information contained in system files (e.g., in the Android platform, these are contained in the APK file, including manifest and compiled code). Tests are usually performed in a personal computer or in the mobile device. In general, testing should be performed for the following vulnerabilities: V1-Proper SSL usage and Insecure TLS Protection, V2-Dynamic binary analysis: debugging, tracing, V3-Content providers, V4-Use of encryption, V5-Poor use of certificate parameters, V6-Code quality, 7-Add-ons, V8-Input Validation, V9-Malware and Privacy Scanners, V10-Data leakage, V11-Secure backup, logging and Insecure Data Storage, V12-Web Server connection, V13-Web Server Authentication, V14-Interception of network, V15-Authentication and Authorization, V16-Access Control, V17-Exploit Database Vulnerabilities, V18-Database frangibility scanner, V19-Find Bugs, V20-Input validation of user SID, V21-Mobile decryption, unpacking & conversion, V22-Data leakage and Breach, V23-DoS and DDoS Attacks, V24-Run-time manipulation: code injection, patching, V25-Static binary analysis: disassembly, decompilation. These vulnerabilities were chosen taking into consideration  [22,92] and the OWASP Mobile Security Application Testing Guide [123], from where this list of 25 vulnerabilities was compiled and adapted toward the purpose of aiding the definition of the taxonomy proposed herein.

Research challenges
History has been proving that security related problems and challenges are here to stay for many years, and several can be identified or deduced from the discussion in this survey. Most challenges concern the creation of mobile applications that are both secure and resilient to attacks and security threats. Tackling this challenge requires many others to be addressed in the meanwhile, namely the following two: 1. Lack of a specific tool that allows software developers to incorporate security by construction for the Cloud and Mobile ecosystem-in the digital realm, utility has been the main driver for progress, and security is typically left for the second plane. The consequence is that, nowadays, developers and practitioners might have a set of good, yet generic security practices, and some frameworks that focus on each of the subset ecosystems that compose the Cloud and Mobile ecosystem, but no specific frameworks that contemplates it as a whole, so as to eliminate the gap between security engineering and software engineering, to guarantee user security and data privacy by construction, i.e., during the software development process, given the component complexity of this ecosystem, and the heterogeneity of the technologies that compose it, such as platform (OS, data structure, programming language), hardware, characteristics (detection tools, multimedia tools, interaction means, network technology) or APIs. The same is applicable to the Cloud and its service delivery models (SaaS, PaaS, and Iaas). 2. Heterogeneity of attack vectors-as the Cloud and Mobile ecosystem lives of the combination of a wide panoply of different and complex technologies, it motivates the search for, and aggravates the existence of, several attack vectors, which makes the development of applicable and scalable security mechanisms difficult for a given architecture. The development of countermeasures is also conditioned by OS, platform, communication protocols, network technology, hardware resources and even secondary support services.
A future research direction includes another in-depth approach to attack modeling in the Cloud and Mobile ecosystem, given its importance in the secure application development process, and the construction and presentation of a prototype of a framework that guarantees the building security of mobile applications based on the Cloud. It is intended that the framework is made up of five main modules, namely security requirements, good security practices, security mechanisms, attack models, tests and automation tools. The framework should be targeted at developers which are not necessarily specialized in cybersecurity, guiding them via a series of questions into providing inputs regarding the functional and security requirements and specifications of the system being developed or to be developed. The purpose of the framework is to automate and guarantee that security modeling and engineering are fully integrated into the software engineering processes. It will also enable developing domain-specific knowledge that allows for more reliable environments.

Conclusion
The exponential growth of mobile devices and applications has not been accompanied by significant achievements concerning security issues or challenges. The lack of single standardization for mobile and Cloud platforms is one such problem. Furthermore, gaps between software engineering and security engineering continue to exist, with immediate consequences in the inability of incorporating security mechanisms in the development process of software specifically designed for the Cloud and Mobile ecosystem. This issue is further aggravated by the fact that developers involved in the development processes are not necessarily computer security experts. A survey over more than one hundred references from the specialized literature was used to build up a concise taxonomy for the security issues affecting this ecosystem, presented herein as a main contribution. The taxonomy is then the basis for the comprehensive description of practical security issues and for the extensive identification of tools or approaches to detect or mitigate them.
Supported by the contributions of these survey, we believe that the aforementioned gaps, or open issues, can be overcome through the adoption of automated tools (frameworks) that are easy to use in the sense that security skills are not essential or mandatory in the process of using and interpreting the results obtained through the framework. Considering each phase of the software development process, these frameworks should generate security requirements, attack models, specification of security tests and mapping of security mechanisms to ensure that Cloud-based mobile applications are secure by design. em Cloud Computing, co-financed by the European Regional Development Fund (ERDF) through the Programa Operacional Regional do Centro (Centro 2020), in the scope of the Sistema de Apoio à Investigação Científica e Tecnológica -Programas Integrados de IC&DT.

Funding Open access funding provided by FCT|FCCN (b-on).
Data availability Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.

Declarations
Conflict of interest All the authors of this paper declare that he/she has no conflict of interest.
Ethical approval This article does not contain any studies with human participants or animals performed by any of the authors.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecomm ons.org/licenses/by/4.0/.