Abstract
Smartphones are multi-purpose ubiquitous devices that face both smartphone-specific and typical security threats. This paper describes a risk assessment method tailored for smartphones. The method does not treat this kind of device as a single entity. Instead, it identifies smartphone assets and provides a detailed list of specific applicable threats. For threats that use application permissions as the attack vector, the method introduces risk triplets, which associate assets with threats and permission combinations. Risk is then assessed as a combination of asset impact and threat likelihood. The method uses user input for impact valuation, coupled with statistics for the calculation of threat likelihood. Finally, the paper provides a case study that demonstrates the risk assessment method on the Android platform.
Copyright information
© 2012 IFIP International Federation for Information Processing
Cite this paper
Theoharidou, M., Mylonas, A., Gritzalis, D. (2012). A Risk Assessment Method for Smartphones. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_36
DOI: https://doi.org/10.1007/978-3-642-30436-1_36
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1