See discussions, stats, and author profiles for this publication at: [Link]

net/publication/260671134

A Survey on Security for Mobile Devices

Article in IEEE Communications Surveys & Tutorials · January 2013

DOI: 10.1109/SURV.2012.013012.00028

CITATIONS READS
583 7,722

3 authors, including:

Mariantonietta Noemi La Polla

Italian National Research Council
12 PUBLICATIONS 778 CITATIONS

SEE PROFILE

All content following this page was uploaded by Mariantonietta Noemi La Polla on 24 May 2016.

The user has requested enhancement of the downloaded file.

This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION 1

A Survey on Security for Mobile Devices

Mariantonietta La Polla, Fabio Martinelli, and Daniele Sgandurra

Abstract—Nowadays, mobile devices are an important part of growing number of malware. As an example, as more users
our everyday lives since they enable us to access a large variety download and install third-party applications for smartphones,
of ubiquitous services. In recent years, the availability of these the chances of installing malicious programs increases as well.
ubiquitous and mobile services has significantly increased due
to the different form of connectivity provided by mobile devices, Furthermore, since users increasingly exploit smartphones for
such as GSM, GPRS, Bluetooth and Wi-Fi. In the same trend, the sensitive transactions, such as online shopping and banking,
number and typologies of vulnerabilities exploiting these services there are likely to be more threats designed to generate profits
and communication channels have increased as well. Therefore, for the attackers. As a proof that attackers are starting to focus
smartphones may now represent an ideal target for malware their efforts on mobile platforms, there has been a sharp rise
writers. As the number of vulnerabilities and, hence, of attacks
increase, there has been a corresponding rise of security solutions in the number of reported new mobile OS vulnerabilities [5]:
proposed by researchers. Due to the fact that this research field from 115 in 2009 to 163 in 2010 (42% more vulnerabilities).
is immature and still unexplored in depth, with this paper we In the same trend, there has been an increase in attention to
aim to provide a structured and comprehensive overview of the the security issues from security researchers.
research on security solutions for mobile devices. To help understanding the current security problems affect-
This paper surveys the state of the art on threats, vulnerabili-
ties and security solutions over the period 2004-2011, by focusing ing smartphones, we review threats, vulnerabilities and attacks
on high-level attacks, such those to user applications. We group specific to smartphones and examine several security solutions
existing approaches aimed at protecting mobile devices against to protect them. In particular, we survey the literature over
these classes of attacks into different categories, based upon the the period 2004-2011, by focusing our attention on high-level
detection principles, architectures, collected data and operating attacks.
systems, especially focusing on IDS-based models and tools. With
this categorization we aim to provide an easy and concise view The paper is organized as follows. Section II introduces
of the underlying model adopted by each approach. some background notions on mobile technologies, both for
wireless telecommunication and networking standards. Section
Index Terms—Mobile Security, Intrusion Detection, Mobile
Malware, Trusted Mobile. III describes different types of mobile malware, along with
some predictions on future threats, and outlines the differences
among security solutions for smartphones and traditional PCs.
I. I NTRODUCTION Section IV discusses current threats targeting smartphones:

C URRENT mobile devices (henceforth, called smart-

phones) provide lots of the capabilities of traditional
personal computers (PCs) and, in addition, offer a large selec-
firstly, it analyzes the different methodologies to perform an
attack in a mobile environment; then, it investigates how
these methodologies can be exploited to reach different goals.
tion of connectivity options, such as IEEE 802.11, Bluetooth, In Sec. V we present security solutions, focusing on those
GSM, GPRS, UMTS, and HSPA. This plethora of appealing that exploit intrusion detection systems and trusted platform
features has led to a widespread diffusion of smartphones technologies. Finally, Sec. VI draws some conclusions.
that, as a result, are now an ideal target for attackers. In
the beginning, smartphones came packaged with standardized II. M OBILE T ECHNOLOGIES
Operating System (OS): less heterogeneity in OS allowed In this section, we briefly recall some background notions
attackers to exploit just a single vulnerability to attack a large on wireless and networking technologies that, even if not
number of different kinds of devices by causing major security originally created for a mobile environment, have favored the
outbreaks [1]. Recently, the number of OSes for smartphones increasing usage of smartphones.
(Symbian OS, Windows Mobile, Android and iPhone OS) has
increased [2]: as shown in Table I, each mobile OS has now A. Wireless Telecommunication Technologies
gained a significant market share.
Even if global sales of smartphones will pass 420 million The most important wireless technologies targeted at mobile
devices in 2011 (according to a recent report by IMS research communications are GSM, GPRS, EDGE and UMTS.
[3]), the number of mobile malware is still small compared to 1) GSM: Global System for Mobile communications
that of PC malware [4]. Nonetheless, we can expect malware (GSM) is the first and most popular standard in Europe for
for smartphones to evolve in the same trend as malware mobile telecommunication system and is part of the second-
for PCs: hence, in the next incoming years we will face a generation (2G) wireless telephone technology. Developed in
1990 by Group Special Mobile, a group created in 1982
Manuscript received 17 February 2011; revised 7 November 2011. by Conférence Européenne des administrations des Postes et
The authors are with Istituto di Informatica e Telematica Consiglio des Télécommunications (CEPT), this standard enables the
Nazionale delle Ricerche, Pisa, Italy (e-mail: {[Link]}@iit.
[Link]). creation of cellular networks where mobile phones (called
Digital Object Identifier 10.1109/SURV.2012.013012.00028 mobile station in the standard) communicate with each other
1553-877X/12/$25.00 
c 2012 IEEE
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
2 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

TABLE I
W ORLDWIDE S MARTPHONE S ALES TO E ND U SERS BY O PERATING S YSTEM IN 3Q10 [2]

Company 3Q10 Units/1k 3Q10 Market Share (%) 3Q09 Units/1k 3Q09 Market Share (%)
Symbian 29,480.1 36.6 18,314.8 44.6
Android 20,500.0 25.5 1,424.5 3.5
iOS 13,484.4 16.7 7,040.4 17.1
Research In Motion 11,908.3 14.8 8,522.7 20.7
Microsoft Windows Mobile 2,247.9 2.8 3,259.9 7.9
Linux 1,697.1 2.1 1,918.5 4.7
Other OS 1,214.8 1.5 612.5 1.5
Total 80,532.6 100.0 41,093.3 100.0

TABLE II
through base stations, networks and switching subsystems. B LUETOOTH C LASSES
Compared to its predecessor (TACS standard), telecommuni-
cation operators can offer new services by exploiting these Class Power (dBm) Distance (m)
Class 1 20 100
technologies: for instance, data transmission, digital fax, e- Class 2 4 10
mail, call forwarding, teleconferencing service and Short Mes- Class 3 0 1
sage Service (SMS).
2) GPRS and EDGE: These standards stem as an evolution TABLE III
802.11 B AND 802.11 G P ROTOCOLS
of GSM; General Packet Radio Service (GPRS), also referred
as 2.5 generation, was developed to improve performances Technology Bandwidth (GHz) Bitrate (Mbit/s) Modulation
of GSM network to enable users to achieve higher data rates 802.11b 2.4 5.5, 11 CCK
2.4 6, 9, 12, 18, OFDM
and lower access time compared with previous GSM standard. 802.11g
24, 26, 48, 54
GPRS uses packet switching mechanism (as in IP protocol)
to enable the exchange of data between users. Moreover,
services such as Wireless Application Protocol (WAP) and at providing communication between devices having these
Multimedia Messaging Service (MMS) are also introduced. In features:
this way, a variety of packet-oriented multimedia applications • lower consumptions;
and services can be offered to mobile users. • short range of communications (1-100 meters);
Enhanced Data rates for GSM Evolution (EDGE) standard • small production costs.
was developed in 2000 to improve the features offered by
As shown in Table II, there are three different classes of
GPRS by supporting higher transmission rate and higher
Bluetooth devices according to the power consumption and
reliability.
range of communication.
3) UMTS: The Universal Mobile Telecommunications Sys-
SIG defines several profiles to indicate different services
tem (UMTS) was introduced in Europe in 2002. This standard
(e.g. Generic Access Profile, GAP, or Headset Profile, HSP)
represents the third-generation (3G) on cellular system. The
and to describe the service’s implementation.
transmission rate is higher than 2G and 2.5G by providing 2) Wireless LAN IEEE 802.11: IEEE 802.11 is a family
a transmission speed up to 2Mbps. Circuit switching con-
of standards for WLAN that includes several protocols for
nections are supported simultaneously with packet switching communicating at different frequencies (2.4, 3.6 and 5 GHz).
connections and users can exploit multiple services and dif-
These standards can be used in two operation mode:
ferent classes of services, such as conversational, streaming,
1) in the infrastructure mode, a device, referred as Access
interactive and background.
Point (AP), plays the role of the referee: an AP regulates
the network access and coordinates the devices that are
B. Networking Technologies part of the network;
During the last few years, due to ease of installation and the 2) in the infrastructure-less mode (ad hoc mode), no referee
increasing popularity of laptop computers, Wireless Local Area exists and devices monitor the spectrum to gain network
Network (WLAN) has become very popular. This technology access.
enables devices to be linked together through wireless distri- The most popular protocols included in this standard are
bution methods and allows users to move in a local coverage defined by the 802.11b and 802.11g protocols. As shown in
area without losing their connection to the network. There are Table III, the differences between these protocols are related to
different standards that regulate communications in a WLAN. bandwidth, bit-rate and type of modulation (Complementary
In the mobile environment, the most popular are Bluetooth Code Keying, CCK, for 802.11b, Orthogonal Frequency-
and IEEE 802.11. Division Multiplexing, OFDM, for 802.11g).
1) Bluetooth: Bluetooth is a standard that enables devices
to exchange data over a small area through short wavelength III. M OBILE M ALWARE
radio transmissions. Bluetooth is a personal networking tech- This section provides a comprehensive overview of mobile
nology that enables the creation of Personal Area Networks malware and some predictions on future threats. Moreover, it
with high levels of security. This standard, developed by describes the differences among security solutions targeting
Bluetooth Special Interest Group (SIG) in 1999, is aimed smartphones and PCs.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 3

Malware is any kind of hostile, intrusive, or annoying results in full root access on the Android device. In this way,
software or program code (e.g. Trojan, rootkit, backdoor) an attacker can read all SMS messages on the device, incur
designed to use a device without the owner’s consent. Malware the owner with long-distance costs or even potentially pinpoint
is often distributed as a spam within a malicious attachment the mobile device’s exact GPS location.
or a link in an infected websites. Malware can be grouped in [8] analyzes three sample rootkits to show how smartphones
the following main categories, according to its features (e.g., are as vulnerable as traditional computers to rootkits. In fact,
the vector that is used to carry the payload): smartphone rootkits can access several distinctive interfaces
• virus; and information that are unique to smartphones, such as GPS,
• worm; battery, voice and messaging, which provide rootkits writers
• Trojan; with new attack vectors to compromise either the privacy or
• rootkits; the security of end users. The first proposed sample rootkit
• botnet. allows a remote attacker to stealthily listen into (or record)
A virus is a piece of code that can replicate itself. Different confidential GSM conversation using the user’s infected smart-
replica of a virus can infect other programs, boot sector, or phone. The second attack aims at compromising the victim’s
files by inserting or attaching itself to them. location privacy by requiring the infected smartphone to send
A worm is a program that makes copies of itself, typically a text message to the remote attacker including the user’s
from one device to another one, using different transport current GPS location. The final sample attack exploits power-
mechanisms through an existing network without any user intensive smartphone services, such as those offered by GPS
intervention. Usually, a worm does not attach to existing pro- and Bluetooth, to exhaust the battery on the smartphone.
grams of the infected host but it may damage and compromise As an example of smart malware, recently a multifarious
the security of the device or consume network bandwidth. malware for iOS devices has been designed and implemented
Malware can also come packaged as a Trojan, a software by [9] (iSAM). iSAM incorporates six different features of
that appears to provide some functionalities but, instead, malware:
contains a malicious program. 1) propagation logic;
Rootkits achieve their malicious goal by infecting the OS: 2) botnet control logic;
usually, they hide malicious user-space processes and files or 3) collect confidential data stealthily;
install Trojans, disable firewalls and anti-virus. Rootkits can 4) send a large number of malicious SMS;
operate stealthily since they directly apply changes to the OS 5) denial of application services;
and, hence, can retain longer control over the infected devices. 6) denial of network services.
Finally, a botnet is a set of devices that are infected by
Moreover, iSAM is able to connect back to its botmaster server
a virus that gives an attacker the ability to remotely control
to update the programming logic, to implement commands,
them. Botnets represent a serious security threat on the Internet
and to perform a synchronized, distributed, attack.
and most of them are developed for organized crime doing
attacks to gain money. Example of such attacks are sending Table IV reports some notable examples of mobile malware.
spam, Denial-of-Service (DoS) or collecting information that
can be exploited for illegal purposes (DoS attacks targeting A. Evolution of Mobile Malware
smartphones are described in detail in Sec. IV-B3).
Mobile malware can spread through several and distinct Several papers discuss the evolution of mobile malware:
vectors, such as an SMS containing a link to a site where a for instance, [10] describes the evolution of malware on
user can download the malicious code, an MMS with infected smartphones from 2004 to 2006. For an overview on the state
attachments, or infected programs received via Bluetooth. The of the art of mobiles viruses and worms up to 2006, see
main goals of malware targeted at smartphones include theft Hypponen [11]. In the period 2004-2008, the number of types
of personal data stored in the phone or the user’s credit. of mobile malware has increased significantly: as of March
Examples: [6] details a Trojan for Android smartphones, 2008, F-Secure has categorized 401 distinct types of mobile
named [Link].b, which masquer- malware worldwide, whereas McAfee has counted 457 kinds
ades as a media player and requires the user to manually install of mobile malware [12]. In the period 2004-2010, 517 families
it. This fake application is downloaded from an infected web- of mobile viruses, worms and Trojans have been categorized
page in order to view adult content videos. The installation file by F-Secure [13]. For a complete list of mobile malware in
is very small in size and during installation the application the period 2000-2008 see [14]; see [15] for mobile malware
asks the user permissions to send SMS messages. Once that spread from January 2009 to June 2011.
the installation has finished, if the user launches the fake The first virus (a Trojan) for mobile phones, developed
application, the Trojan begins sending SMS messages to a for Palm devices [16], was discovered in 2000 by F-Secure
premium rate number without the user’s knowledge. These [17]. In June 2004, the first worm that could spread through
messages result in costly sums being transferred from the mobile phones with Symbian OS appeared: this worm, called
user’s account to that of the cybercriminals. Cabir [18], was only a prototype developed by the 29A
[7] develops a kernel-level Android rootkit in the form of a Eastern European hacker group. Cabir is considered the first
loadable kernel module that can open a shell for the attacker example of malicious code that can spread itself exploiting
(using a reverse TCP connection over 3G/Wi-Fi) upon the the networking technologies on mobile devices (in this case,
reception of an incoming call from a trigger number. This Bluetooth) to infect other devices.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
4 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

TABLE IV
M OBILE M ALWARE E XAMPLES

Name Time Type Method of Infection Effects OS

Liberty Crack 2000 Trojan Pretend to be a hack Remove third-party software Palm OS
Cabir 2004 Worm Bluetooth connection and copies itself Continuous scan of Bluetooth, drain phone’s battery Symbian OS
Dust 2004 Virus File Infector Infect all executables in root DIR Windows Mobile
Brador 2004 Trojan Copy itself in to the startup folder Open a backdoor Windows Mobile
Mosquitos 2004 Trojan Embedded in a game Send SMS to premium-rate numbers Symbian OS
Skulls 2004 Trojan Vulnerability in overwriting system files DoS Symbian OS
MetalGear 2004 Trojan Vulnerability in overwriting system files Disable virus scanner Symbian OS
CommWarrior 2005 Worm Replicates via Bluetooth and MMS MMS charging Symbian OS
Doomboot 2005 Trojan horse Doom 2 video game Prevents booting and installs Cabir and CommWarrior Symbian OS
Lasco 2005 Virus File infection Add itself to install packages Symbian OS
Locknut 2005 Trojan Vulnerability in OS Create entries for a new application Symbian OS
Feakk 2005 Worm SMS message Send SMS to all contacts Symbian OS
Cardblock 2005 Virus Fake SIS application Encrypt memory card with a random password Symbian OS
CardTrap 2005 Cross-Platform Virus Auto-start of removable storage Copy Wukill on the phone Symbian/Windows OS
Blankfont 2005 Trojan Replace font files Fonts not displayed Symbian OS
Crossover 2006 Cross-Platform Virus CIL vulnerabilities Copy to/from mobile/PC Windows/Mobile OS
Letum 2006 Worm E-Mail spreading Infect registry Windows Mobile
Fontal 2006 Trojan Vulnerability in overwriting system files Device not restart after reboot Symbian OS
Mobler 2006 Cross-Platform Worm Dropping Mechanisms Disable antivirus and infect removable storage Symbian/Windows OS
Redbrowser 2006 Trojan Fake Browser Send SMS continuously OS-Independent (J2ME)
Wesber 2006 Trojan Fake Browser Send SMS to premium-rate numbers (Russia only) OS-Independent (J2ME)
Acallno 2006 Spyware Fake Commercial Software Gather and send information about user’s activities Symbian OS
Lasco 2007 Worm A worm that spreads over Bluetooth networks Searching and infecting other phones Symbian OS
Feak 2007 Worm Proof-of-concept worm Sending SMS to contact list with URL Symbian OS
Flocker 2007 Trojan It claims to be an ICQ application to trick the user Sending SMS to a hard coded phone number Symbian OS
Beselo 2008 Worm Via MMS and Bluetooth fake application MMS charging Symbian OS
InfoJack 2008 Trojan Attach itself to installation packages Disable security settings Windows Mobile
Pmcryptic 2008 Worm Memory card spreading Dialing premium-rate numbers Windows Mobile
Yxe 2009 Worm SMS containing malicious URL Send contact lists to external server Symbian OS
Yxes 2009 Worm/Botnet SMS containing malicious URL Send contact lists to external server Symbian OS
Ikee 2009 Worm Scanning a IP ranges and SSH Alter wallpaper iPhone
FlexiSpy 2009 Spyware Fake Application Tracking/log of device’s usage Symbian
Curse of Silence 2009 SMS Exploit Vulnerabilities in e-mail parsing Disable SMS functionalities Symbian OS
ZeuS MitMo 2010 Worm Fake SMS Steal bank account information Cross-Plafrom
iSAM 2011 Multifarious malware Scanning IP and connecting to SSH Collect private information, send malicious SMS, DoS iPhone

Recently, a growing number of viruses, worms, and Trojans Similar solutions are also proposed in [21], where the authors
that target smartphones have been discovered. As we have remark that the protection from malicious code should be
already pointed out, the reason of the growing number of implemented at every possible entry point to the network.
mobile malware is due to the widespread use of smartphones. For a comprehensive discussion on evolution of mobile
Furthermore, we have to consider that most of the smartphones malware, see [22].
lack any kind of security mechanisms and are not well
prepared against new threats. Within the 2006-2008 period,
security issues exploiting several attack vectors have increased B. Predictions and Future Threats
[19], and there has been a dramatic escalation of complex at- Since the first smartphone, discussions about threats tar-
tacks targeting lower-level device functionality: early security geting these devices have proliferated: the first threat against
threats have turned into sophisticated, profit-oriented, attacks Symbian and Palm (such as Liberty Crack Trojan [23]) never
driven by experienced criminals. became widespread and remained just a proof-of-concept.
A discussion of mobile malware, based on OSes and in- Even if security experts foresee massive attacks to come out
fection routes, is presented in Töyssy and Helenius [20] that at any time, yet they never seem to happen: nonetheless,
describe and cluster mobile malware with respect to: McAfee Labs [24] predicts that 2011 will be a turning point
• the OS: Symbian, Palm OS, Linux, Windows Mobile; for threats to smartphones. In fact, in the last months, several
• the infection routes: MMS, Bluetooth, IP connections via new threats to smartphones have emerged: rootkits for the
GPRS/EDGE/UMTS, WLAN, copying files, removable Android platform, remote jail-breaking exploits for the iPhone,
media. and the arrival of ZeuS [25], a largely distributed banking
Trojan/botnet. The widespread adoption of smartphones into
The authors propose some prevention solutions and counter- business environments combined with these attacks is likely
measures, by considering: to cause the explosion that experts have long anticipated.
• the users, which have to be educated to utilize the device According to [26], in the near future cybercriminals will
in a secure way; focus their attention on iPhone and Android platforms (this
• the software developer, which can develop security pro- is also confirmed by Cisco [27] and Panda [28]). Symantec
tection targeted at smartphone; [5] explains the state of cybercrime on smartphones by its
• the network operator, which can enhance the network return on investment: firstly, the installed base of smartphones
infrastructure with mechanisms to avoid intrusions; has grown to an attractive size and they run sophisticated OSes
• the phone manufacturers, which should update the de- that come with the inevitable vulnerabilities; secondly, Trojans
vices automatically so that for attackers it would be hiding in legitimate applications sold on application stores
harder to exploit security holes; provides a simple and effective propagation method. Hence,
• new epidemiological models, to forecast if an already what is currently missing is the ability to turn all this into a
detected virus can initiate an epidemic. profit center.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 5

In March 2011, Google reported [29] that it had removed a mobile environment may affect different assets, such as:
several malicious Android applications from the Android • personal data;
Market and, in some cases, deleted them from users’ smart- • corporate intellectual property;
phones remotely. The Android marketplace is not very closely • classified information;
monitored, since it adopts the “anything goes” philosophy. • financial assets;
This, combined with the current buzz around new smartphones • device and service availability and functionality;
running Android, may make the platform more attractive to • personal and political reputation.
cybercriminals [30]. Gostev [26] believes there is also a strong
Finally, Milligan and Hutcheson [35] discuss some risks,
probability that malware may soon be found in products
threats and countermeasures for smartphones. Some examples
available through Android Market. As an example, many
of future risks associated with a smartphone include:
legitimate applications can ask for, and typically be granted,
• data leakage resulting from device loss or theft;
access to a user’s personal data and authorization to send
• unintentional disclosure of data;
SMSs and make calls. Hence, this places the reliability of the
• attacks on decommissioned devices;
entire Android security concept in doubt. This is confirmed by
• phishing attacks;
Juniper Networks [31] that reports that, since Summer 2010,
• spyware attacks;
Android malware has increased by 400%.
• network spoofing attacks;
As [26] points out, no significant malware events occurred
• surveillance attacks;
that targeted iPhone and which could be compared to the Ikee
• diallerware attacks;
worm incident of 2009. However, several concept programs
• financial malware attacks;
were created for this platform in 2010 that demonstrated tech-
• network congestion.
niques that could be used by cybercriminals. As an example,
SpyPhone allows unauthorized access to information about the
user’s iPhone device, such as her location, interests, friends, C. Mobile Security Versus Personal Computer Security
preferred activities, passwords and web search history. This
data can then be sent to a remote server without the user’s Despite the similarities between smartphones and PCs, there
knowledge or consent. This functionality can be hidden within are several notable differences concerning security. Firstly,
an innocuous-looking application. we have to consider that malware authors can make money
[27] reveals that in July 2010 the U.S. Library of Congress from their illicit activities more easily on smartphones than in
added jailbreaking to its list of actions that do not violate desktop environments, e.g. due to premium-rate numbers (Felt
copyright protections, hence leaving iPhone users free to et al. [36] classify premium-rate calls/SMS as the second most
unlock their devices and download applications not authorized common behavior found in nearly 50% of recent malware1 ).
by Apple. Only a week after, JailbreakMe 2.0 appeared, a tool Secondly, since any event generated by the smartphone has
that makes it easier for users to jailbreak their phones. The (usually) a cost invoiced by the network operator, from the
advent of this tool also revealed a significant security flaw in point of view of the user, the network operator is considered
the iOS 4 that could leave users with jailbroken phones more responsible of charging costs even if the event is generated by
likely to be attacked by hackers willing to take control of the malware.
smartphones. We also have to consider the user’s point of view in a
As pointed out by [32], another feature to consider is mobile environment: to this end, Botha et al. [37] explore the
the spreading of mobile virus to desktop platforms, e.g. due availability of security mechanisms from the perspective of a
to devices that are already compromised or tampered with user who wishes to use desktop-based security mechanisms
coming off the shelves. As an example, USB devices are in a mobile environment. The authors remark that a main
responsible for the spread of auto-run malware, while the difference between smartphones and PCs is that the former
Conficker/DOWNAD worm contained a propagation capability is usually a personal device and some issues, such as user
that used removable drives to increase spread. authentication, device configuration and content protection,
It is important to underline that evolution of malware is a need to be dealt differently. As an example, in the case of user
continuous race between attackers and defenders: both use the authentication, users face several difficulties when moving
same programming methods, tools and resources either to cre- from desktop to smartphone. Furthermore, there is a trade-
ate a malware or to develop an intelligent malware detection off between security and usability, since many solutions that
mechanism. A further aspect to be considered concerns the are used on PCs cannot be applied on smartphones.
observation of new forms of malware in a testbed environment Compared to common PCs, the basic security principles
to predict their behavior: as an example, [33] presents Mobile of smartphones are quite different. The security problem
Agent Malware Simulator (MAISim), a framework that uses the on smartphones originates particularly from the integration
technology of mobile agents for simulation of various types process: nowadays, a single device hosts multiple technologies
of malicious software (viruses, worms, malicious mobile code) that allow users to access the Internet from any place at any
for smartphones. time. Furthermore, smartphone-specific services often require
Furthermore, since the risks at which smartphones are complex software and infrastructures and expose these devices
exposed depend also on how they are used, we have to 1 Two further common behaviors are stealing/selling users’ information and
distinguish strictly personal use of a device from uses that sending SMS spam, which are found in, respectively, 60% and 17% of the
also involve business. As suggested in [34], future threats in analyzed malware.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
6 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

to attacks. As described in [38], five key aspects distinguish those used in PC environments, is not appropriate because it
mobile security from conventional computer security: is necessary to take into account also the context in which
• mobility: each device comes with us anywhere we go and; sensors are used. Furthermore, these attacks work even when
therefore, it can be easily stolen or physically tampered; the user is not interacting with the mobile phone.
• strong personalization: usually, the owner of device is Further discussions on the subject can be found in [43].
also its unique user;
• strong connectivity: a smartphone enables a user to send
IV. ATTACKS ON M OBILE D EVICES
e-mails, to check her online banking account, to access
lot of Internet services; in this way, malware can infect In the following sections, we discuss several kinds of
the device, either through SMS or MMS or by exploiting attacks against smartphones. We firstly detail the possible
the Internet connection; methodologies to perform an attack in a mobile environment
• technology convergence: a single device combines differ- and, for each kind of attack, we provide a real example.
ent technologies: this may enable an attacker to exploit Secondly, we show how these methodologies can be exploited
different routes to perform her attacks; to reach different goals.
• reduced capabilities: even if smartphones are like pocket
PCs, there are some characteristic features that lack on
smartphones, e.g. a fully keyboard. A. Methodologies of the Attacks
The limited resources of a smartphone are the most obvious The distinct methodologies to perform attacks against
difference with a PC. The main limiting factors are CPU and smartphones are categorized using the following classes:
memory. These two factors limit the sophistication of possible • wireless;
security solutions: for example, complex intrusion detection • break-in;
algorithms that work for real-life applications on PCs cannot • infrastructure-based;
be easily transferred to smartphones in the near future (see • worm-based;
[39] for a distributed solution that tries to circumvent this • botnet;
problem). In addition, a unique characteristic of smartphones • user-based.
is the battery, which severely limits the resources available
for a security solution; therefore, it is highly important that a 1) Wireless Attacks: There are many different kinds of
security solution does not constantly drain large portions of wireless attacks against smartphones, especially those target-
available CPU time to avoid battery exhaustion [40]. ing personal and sensitive data. The most common attack is
As an example of the limited resources of a smartphone, eavesdropping on wireless transmissions to extract confiden-
according to [41], the ClamAV antivirus engine available for tial information, such as usernames and passwords. Wireless
Nokia device requires about one minute of processing time to attacks can also abuse the unique hardware identification (e.g.,
initialize the signature database and at least 40 MB of memory. wireless LAN MAC address) for tracking or profiling the
To reduce this overhead, the paper proposes a model where owner of the device. Finally, malware often exploits Bluetooth
mobile antivirus functionalities are moved to an off-device as a medium to speed up its propagation.
network service hosting several malware detection engine. [44] discusses security problems in wireless environments
This architecture make it possible to significantly reduce on- and presents the current research activities. A comprehensive
device CPU, memory and, most importantly, power-resource. review of Bluetooth attacks affecting smartphones can be
As [42] points out, since smartphones have strict resource found in [45]. Some studies for preventing this class of attacks
constraints both in computational capabilities and power con- are proposed in [44, 46, 47, 48].
sumption, some computationally expensive algorithms for Example - Cabir: Cabir is a worm that propagates
detecting sophisticated threats, such as those implemented through Bluetooth. This worm consists of a message con-
by behavioral detection engines, are simply infeasible to be taining an application file, [Link], that seems like
deployed on current smartphones due to their heavy-weight a Security Manager utility. If installed, the worm uses the
resource requirements. This means that adapting traditional device’s native Bluetooth functionality to search for other
approaches for malware detection might be infeasible for Bluetooth-discoverable devices. Then, the worm attempts to
mobile environments as they consume a significant amount send infected SIS files to the discovered devices as well.
of resources and power. 2) Break-in Attacks: Break-in attacks enable the attacker
Moreover, a further security threat for smartphones stems to gain control over the targeted device by exploiting either
from the fact that wireless medium is, by nature, prone to programming errors, e.g. to cause buffer overflows, or format
eavesdropping and, therefore, communication confidentiality string vulnerabilities. Typically, these attacks are used as a
cannot be taken for granted. Threats to user privacy in a stepping stone for performing further attacks, such as over-
mobile environment are different from those performed on billing attacks or data/identity theft.
PCs because, on smartphones, sensors (e.g. microphones) are Some studies for preventing this class of attacks are pro-
not optional and can be used illicitly to sniff user’s private posed in [49, 50].
data. In addition, since mobile applications extensively use, Example - Doomboot.A: This Trojan installs corrupted
and depend on, sensors and users carry smartphones wherever system binaries into the C:\ drive of the device. The corrupted
they go, this increase the opportunities to compromise the binaries contain further Trojans, as CommWarrior, which are
privacy of mobile users. Using access control techniques, like also installed on the device.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 7

3) Infrastructure-based Attacks: Since the services pro- user data and signalling information. Once a malicious
vided by the infrastructure are the basis for essential smart- MS gets access to the GPRS network may perform
phone functionalities, such as placing/receiving calls, SMS various attacks, such as DoS, IP spoofing, compromise
and e-mail services, the economic and social impact of these of privacy or send large amounts of data to users;
attacks may be very large, such as the one discussed in [51]. 4) the packet network that connects different operators:
[52] evaluates the security impact of the SMS interface on the the Gp Interface provides connectivity between GPRS
availability of the cellular phone network. As an example, if an networks that belong to different operators and supports
attacker is able to simultaneously send messages through the users roaming. The security targets are the availability
several available portals into the SMS network, the resulting of resources and services, the authentication and au-
aggregate load can saturate the control channels and, therefore, thorization of users and actions, and the integrity and
block legitimate voice and SMS communications. The authors confidentiality of the data transferred;
demonstrate that an attacker that injects text messages from the 5) the Internet: the Gi interface connects the GPRS net-
Internet can deny voice service in a metropolitan area using work to the Internet and service providers that provide
hit-lists containing as few as 2,500 targets with little more services to mobile subscribers. Due to the fact that the
than a cable modem. Gi interface may carry any type of traffic, the GPRS
a) GPRS: Since the GPRS architecture is built on the network elements and the mobile subscribers can be
GSM infrastructure, it uses a security architecture based upon exposed to a variety of threats found on Internet;
the security measures already adopted by GSM (for a review of Another type of attacks against the SIM-cards of GSM/GPRS
DoS attacks and confidentiality threats in GSM networks, see is side-channel attacks that allow an attacker to obtain sensitive
[53]). Attacks against GPRS can target the device, the radio information from side-channels, as described in [55].
access network, the backbone network, and the interfaces con- b) UMTS: The UMTS security architecture defines a set
necting GPRS networks with each other or with the Internet. of procedures to achieve increased message confidentiality
The results of these attacks can be the compromise of end- and integrity during their communication. At the kernel of
users security, over bill users, the disclosure or alteration of its security architecture lies the user authentication mecha-
critical information, the services unavailability, or the network nism, known as Authentication and Key Agreement (AKA).
breakdown. We have also to consider that GPRS is more Authentication in UMTS is based on a 128-bit symmetric
exposed to attackers compared to GSM because it uses the secret key, namely Ki, which is stored in the user’s tamper-
IP technology, which is rather vulnerable. resistant Universal Integrated Circuit Card (UICC) and in the
Attacks against GPRS can be active and passive: active corresponding Home Location Register (HLR) of the user’s
attacks requires a direct intervention of the attacker to listen, Home Network (HN).
modify, and inject data into the communication channel. Fur- [56] discusses several vulnerabilities of the UMTS security
thermore, if the attacker is not part of the GPRS, the attack can architecture that can be exploited by malicious attackers to
be defined external; on the other hand, the attack is defined as launch DoS attacks. Typically, an attacker tries to access
internal. A passive attack happens when an attacker taps on a unprotected control messages in order to manipulate specific
communication channel between two nodes without disturbing procedures. The expected results varies from lower Quality of
the communication to discover some valuable information Service to DoS. Some examples of such an attack are:
about the data or control messages. • dropping ACK signal: an attacker monitors for TMSI

As described in [54], there are five sensitive area in GPRS Allocation Command messages and then drops any fol-
security that can be exploited to perform an attack: lowing TMSI Allocation Complete message to repeatedly
force the creation of new TMSIs that, eventually, will
1) the mobile station (MS) and the SIM-card: the results
cause DoS to all the users in that area;
of these attacks may be the monitoring of the MS
• modification of unprotected Radio Resource Control
usage, the downloading of unwanted files, the placing
(RRC) messages: an attacker substitutes a valid RRC
of unwanted calls. Attacks on the SIM-card are primary
Connection Setup Complete with a RRC Connection
based upon the secret key, which is stored in the SIM-
Reject message to cause a lower Quality of Service or
card of the MS. When an attacker retrieves this key, she
a DoS for the end-users;
can intercept data exchanged, or clone the original SIM
• modification of the initial security capabilities of MS: an
card;
attacker modifies a RRC Connection Request message to
2) the interface between the MS and the SGSN (Serving
trigger the termination of the connection. For example,
GPRS Support Node): an attacker can perform attacks
she can cause a serious damage by creating a very large
like DoS or Man-in-the-Middle2. In DoS a malicious
number of simultaneous connection requests;
third party can jam user data and signaling traffic
• modification of periodic authentication messages: this
using special devices called jammer, or induce specific
happens if the Radio Network Controller (RNC), on
protocol failures, or masquerade as network elements;
receiving a tampered message, releases the connection,
3) the GPRS backbone network: they refer to both IP and
disconnecting the MS;
Signaling System 7 (SS7) technologies, which convey
• SQN synchronization: an attacker can ask for a resyn-

2 In Man-in-the-Middle attacks, an attacker can impersonate both a false

chronization procedure to be executed simultaneously
base station to a victim MS and, at the same time, the victim to the base for large numbers of users, and repeatedly, to greatly
station. overstress the HLR;
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
8 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

• EAP-ALA originated DoS: an attacker could spoof an Worms that exploit messaging services (SMS/MMS), as
EAP-Response/AKA-Client-Error message and send it to their preferred infection routes, are potentially more virulent,
the EAP-Server to force it into halting the protocol or she in terms of speed and area of propagation, than Bluetooth
could spoof an EAP-Response/AKA-Synchronization- ones. In fact, these worms can be easily sent out using just
Failure notification to force the server to trigger the costly one click and can infect any smartphone in any part of the
resynchronization procedure. world with a larger chance of success of propagation.
Some studies for detecting infrastructures-based attacks are c) User Mobility Models: Compared with the Internet,
discussed in [57, 58, 59]. mobile phone networks have very different characteristics
Examples: [60] describes an attack where a malicious in terms of topologies, services, provisioning and capacity,
user impersonates a valid GSM base station to a UMTS devices and communication patterns. These features also
subscriber and, as a result, she can eavesdrop on all mobile- characterize the way new types of mobile worms propagate:
station-initiated traffic. [61] investigates the feasibility of a the most important one is that they do not require Internet
DoS attack by taking advantage of a particular flow found in connectivity for their propagation and, therefore, can spread
the UMTS security architecture. The proposed attack involves without being detected by existing security systems. Hence,
the modification of the RRC connection Request Message mobile worms can infect several devices using proximity
that includes the user’s equipment security capabilities. This attacks against vulnerable devices that are physically nearby.
message is not integrity-protected: in case of mismatch, the To model the propagation of these worms, two steps are
connection will terminate, but during this process enough required:
resources will have been already consumed at both sides.
[51] characterizes the impact of large scale compromise 1) build a model that precisely describes how devices meet
and coordination of mobile phones in attacks against core each other;
networks, by demonstrating that a botnet composed of about 2) understand how malicious code exploits both the mobil-
12,000 compromised nodes can degrade the service of an area- ity of the users and the capacities of the networks.
code sized regions by 93%. The sample attack attempts to The dynamics of proximity propagation depend upon the
prevent legitimate users of a cellular network from sending or mobility dynamics of a population in a specific geographic
receiving calls or text messages: the attack is carried by an region. Unfortunately, an ideal methodology for modeling user
attacker that can control a set of compromised smartphones mobility does not exist: traces of mobile user’s contacts reflect
and overwhelm a specific HLR with a large volume of traffic, actual behavior, but they are difficult to generalize and only
so that legitimate users relying on the same HLR are unable capture a subset of all contacts due to a lack of geographic
to receive service as their requests are dropped. coverage.
[62] discusses the types of damage that can be caused To model epidemic spreading of malware via proximity-
to smartphones, such as privacy violation, identity theft and based, point-to-point wireless links, Mickens and Noble [63]
emergency call center distributed DoS attacks. introduce a framework called probabilistic queuing to deal
4) Worm-Based Attacks : The main features that character- with node mobility. To capture the skewed connectivity dis-
ize attacks based upon worms are: tributions of mobile networks, the model represents different
• transmission channel; connectivity levels as distinct queues. Each queue represents a
• spreading parameters; separate epidemiological population. A probabilistic queuing
• user mobility models. model is proposed to explicitly account for both node veloc-
a) Transmission Channel: Smartphones are usually ities and the non-homogeneous connectivity patterns induced
equipped with several connectivity options and, hence, offer by mobility of devices.
many possible routes for infection vectors, such as: The problem of proximity attacks of smartphone is also
• downloading infected files while surfing the Internet; discussed in [64] where the authors introduce an individual-
• transferring malicious files between smartphones using based model and build analytical expressions for contact-rate
the Bluetooth interface; calculation and worm transmission. In [65], an event-driven
• synchronizing a smartphone with an infected computer; simulator that captures the characteristics and constraints of
• accessing an infected memory card; mobile phone networks is proposed. The simulator models
• opening infected files attached to MMS messages. realistic topologies and provisioned capacities of the network
In the last years, Bluetooth has become one of the most infrastructure. The goals of this model are:
popular wireless protocols and the class of malware that uses
• model malware propagation in networks under realistic
Bluetooth connection to infect devices is growing. Bluetooth
scenarios to characterize its speed and severity;
worms are different from other classes of worms: the most
• understand how network provisioning impacts propaga-
notable difference is that, to spread the worm, a Bluetooth
tion and how propagation impacts the network;
infection requires that the infection source and the victim are
• highlight the implications for network-based defenses
located very close to each other, i.e. in a diameter of 20/30
against malware.
meters.
b) Spreading Parameters: In addition to infecting the Some further solutions to withstand worm attacks, which are
device, worms can also attack the communication network based upon mobility models for Bluetooth worm propagation,
itself. In this scenario, worms not only compromise users’ are also studied in [66, 67, 68]. See also [69] for analytical
ability to use their smartphones but the networks as well. models for epidemics in mobile networks.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 9

Examples: [70] and [71] investigate whether a large-scale payload to the largest number of infected nodes directly and
Bluetooth worm outbreak is viable in practice. The authors use no interaction with the botmaster is required.
trace-driven simulations to examine the propagation dynamics SMS C&C: [76] proposes the design of a proof-of-
of a Bluetooth worm in a large population, by showing that concept mobile botnet resilient even to disruption. The botnet
the worm outbreak’s start time is very important (e.g., during is built out of three components:
week-end). Their results suggest that a worm exploiting a 1) vectors to spread the bot code to smartphones;
Bluetooth could spread very quickly. As defense solution, 2) a channel to issue commands;
the authors suggest to locate monitoring points in high-traffic 3) a topology to organize the botnet.
locations. Within the testbed mobile botnet, all C&C communications
[72] investigates the effort required to port a smartphone are carried out using SMS messages. To hide the identity
worm for Windows Mobile. The authors were able to build a of the botmaster, there are no central servers dedicated to
prototype worm that could spread autonomously if a vulnera- command dissemination, since they could be easily identified
bility exists in a Windows Mobile service reachable over the and removed. Instead, a P2P topology is exploited to allow
network. The authors state that the lower bound of the time botmasters and bots to publish and search for commands in
required to both build a worm toolkit and find a vulnerability a P2P fashion, making their detection and disruption much
in the network protocol stack of Windows Mobile requires harder.
approximately 14 weeks of full time work. Hybrid C&C: [77] shows that it is easy to create a
[73] analyzes in detail the first polymorphic worm that fully functional mobile phone botnet out of Apple’s jailbroken
affects smartphones running Windows CE platform on ARM iPhone by discussing the design, implementation and evalu-
processors, known as [Link].A. The worm ation of an iPhone-based mobile botnet. The authors firstly
spreads by generating new polymorphic copies of itself each discuss an SMS-based botnet that is then improved with HTTP
time and can execute several unwanted actions on a compro- to reduce the number of SMS messages that need to be sent for
mised smartphone, including calls to toll numbers. controlling the bots. Finally, the authors show how powerful
5) Botnets: Until recently, mobile networks have been such a botnet could be if attackers combine P2P (namely,
relatively isolated from the Internet, so there has been little Kademlia) with SMS-HTTP hybrid approach.
need for protecting them against attackers trying to create bot- Examples: Porras et al. [78] recall how, at the end of
nets. However, this situation is rapidly changing since mobile 2009, some users of jailbroken iPhones began seeing pop-
networks are now well integrated with the Internet. Hence, up windows that redirected the victim to a website where
threats on the Internet will migrate over the mobile networks a ransom payment was demanded to remove the malware
(and vice-versa), including botnets, since smartphones can be infection. The vulnerability affected several jailbroken iPhones
infected by malware they can be turned into a botclient easily that have been configured with a SSH service with a known
[74]. default root password. By scanning some IP addresses from
a) Command-and-Control: The command-and-control the Internet for vulnerable SSH-enabled iPhones, an attacker
(C&C) network, used to remotely propagate messages, tasks, could upload a very simple ransomware application to several
updated payload among the bots and the botmasters (and vice- iPhone users. By exploiting this vulnerability, some weeks
versa), can be built out using Bluetooth, SMS messages, the after, a second iPhone malware (iKee.A) converted the iPhone
Internet (e.g., HTTP), peer-to-peer (P2P) or any combination into a self-propagating worm to infect other iPhones. This
of them. time, the worm succeeded in infecting more than 20,000
Bluetooth C&C: [75] investigates the challenges of con- victims within a week. Some time later, a new malware
structing and maintaining mobile-based botnets communicat- (iKee.B), similar to iKee.A, was found: in addition to self-
ing via Bluetooth. By using simulations on publicly available propagation, the iKee.B bot client application introduces a
Bluetooth traces, the authors demonstrate that C&C messages C&C check-in service that enables the botmaster to upload
can propagate to approximately 66% of infected nodes within and execute shell commands on all infected iPhone bot clients.
24 hours of being issued by the botmaster. To reduce the This service allows the bot to evolve or to redirect infected
amount of traffic observable by the provider to achieve stealth- iPhones to new C&Cs located anywhere on the Internet. The
iness, in the developed framework only a small subset of bots iKee.B also incorporates a feature to exfiltrate the entire SMS
(those with the highest degree) communicate directly with database from the victim’s iPhone.
the botmaster through cellular channels (e.g., SMS, cellular [79] provides an overview of Yxes, one of the first malware
data). These nodes are selected via their relative frequency for Symbian OS 9 and a first step towards a mobile botnet.
of contact with other infected devices: whenever infected Once installed, using a valid signed certificate, the main tasks
smartphones pass within range of each other, they record the of the malware include getting the IMEI and the IMSI of the
identity of the other device. After reaching some threshold set mobile phone, parsing contacts, killing unwanted applications
by the botmaster, nodes with a high degree of connectivity and propagating. To this end, the malware begins its propa-
send their contact logs to the botmaster which is informed gation phase by sending an SMS to each new victim with a
of (i) which devices are under his control (ii) which nodes link to a malicious server where the victim can download the
can help disseminating commands rapidly. The botmaster also malware. One of the main issues concerning Yxes is that its
disseminates commands and updated payloads through this code does not exploit any particular Symbian OS vulnerability,
hierarchical structure by contacting the seed nodes. Due to but only uses functions of its API in a smart way. For this
their high degree of connectivity, these nodes can deliver the reason, the author concludes by remarking that the concept
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
10 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

of capabilities, introduced by Symbian, fails to stop malicious • privacy;

intents, for two reasons: (i) cybercriminals manage to have • sniffing;
their malware signed whatever capability they request; (ii) • denial of service;
capabilities only grant authorizations for given actions but • overbilling.
cannot take into account a context or an intent. Moreover, for each class of attack we give some pointers to
Attackers have also taken a popular legitimate application related works (which will be discussed in detail in Section V)
and added additional code to it, such as with Pjapps [80]. that propose either a model or a mechanism to defend against
Several users noticed that something was wrong when the these attacks.
application was requesting more permissions than should have 1) Privacy: Privacy attacks of smartphones concern sit-
been necessary: Pjapps attempted to create a bot network out uations in which integrity and confidentiality are corrupted,
of compromised Android devices. This attack clearly demon- e.g. when they get lost or stolen. In fact, due to their small
strates that attackers are definitely considering smartphones as dimensions, smartphones can be stolen or lost more often than
a platform for cybercrime. laptop computers. During the period in which the device is not
6) User as an Attack Vector: User-based attacks contain available for the legal owner, it may be possible that someone
every exploit that is not of technical nature. Many of today’s installs a spyware on the phone; furthermore, someone can
mobile malware samples are not based on a technical vul- read personal data, as contact list or messages.
nerability, but trick the user into overriding technical security [82] announces that a researcher has detailed a proof-of-
mechanisms [40]. This is an important class of vulnerabilities concept method to steal data from an Android smartphone
and several studies have been performed to evaluate the secu- using a combination of cross-site scripting and Javascript. [83]
rity knowledge of the average user; in particular they discuss reports how Apple is being sued for allegedly letting mobile
the purpose of all the security mechanisms implemented by apps on the iPhone and iPad send personal information to
the smartphones if the average user does not understand them. advertising networks without the consent of users. Finally,
Quite often, if the user clearly understands how to use one [84] presents an overview of recent iPhone privacy issues and
specific mechanism, she might find it difficult to understand considers the unmodified devices by examining what sensitive
another, possibly new and updated, mechanism. data may be compromised by an application downloaded from
As [81] points out, very often social engineering attacks the App Store. Next, it explains how a malicious application
trick a user to override technical security mechanisms, as in could be crafted to fool Apple’s mandatory reviews in order
the case of abuse of trust relationships, which might happen to be accepted on the App Store. Finally, it discusses several
when a malware access the address book of the victim and attack scenarios, suggesting improvements and basic recom-
send itself to the contacts that trust the infected user. In another mendations.
scenario, a user cannot distinguish if a feature is a legitimate A further issue, related to Digital Right Manager (DRM)
functionality or an imitated one, e.g. in case of a Bluetooth protection, is discussed in [85]. The authors propose a frame-
message with malicious content. work for personal DRM for Motorola smartphones, where
A survey conducted by Sophos [30] asked users whether the user can place DRM protection and keeps control over
their smartphone was encrypted: 26% percent of users replied her personal content. To this end, the personal DRM system
that their data was encrypted, 50% said they were not protected enables users to define control and generate licenses on custom
in the event of theft or loss of the device, and 24% of users content and to securely transfer them to other smartphones. A
were not sure whether their smartphone was encrypted. These user is then able to define and restrict the intended audience
results show that further education on the security dangers of and ensure expiration of the content as desired. Moreover,
smartphones is required. compatible DRM devices are able to automatically detect each
Examples: [Link].b is a other and exchange credentials.
Trojan for Android that requires the user to manually install Another fundamental topic related to privacy is location
it [6] and asks the user permissions to send SMS messages. awareness, i.e. the ability to determine geographical position.
Hence, the user has to activately participate in the installation Even if this feature has significant benefits, it raises some
process. Once the installation has finished, if the user launches important privacy implications for users of smartphones. A
the fake application, the Trojan begins sending SMS messages comprehensive survey on several privacy issues related to
to a premium rate number without the user’s knowledge. location-aware smartphones is presented in [86].
ZeuS MitMo [25] exploits social engineering to infect Some studies for preventing this class of attacks are pro-
smartphones and performs online banking operations. To this posed in [87, 88]. An approach for designing anti-theft solu-
end, an attacker sends an SMS with a link to a malicious tions for smartphones is described in [89].
mobile application to the user: then, if the user installs it, Examples: The target of the theft performed by ZeuS
the attacker can read the SMS message used as a second MitMo [25] is information about online banking account.
authentication factor by the online banking service to access Exploiting some social engineering techniques and the fact
the user’s account. that many companies use SMS as a second authentication
factor, ZeuS MitMo infects the smartphones and performs
online banking operations in place of the legal owner of the
B. Goals of the Attacks account. To accomplish its tasks, first of all, an SMS with a
In this section, we discuss in detail the goals of the attacker, link to the malicious mobile application is sent to an owner of
which can be: an online banking account. If the user installs the application,
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 11

the attacker gains control of the infected smartphone and can effort; even the traffic generated by only one attacker may
read all the SMS messages that are being delivered. If the user be enough to make a device unusable. Specific DoS could
logs into the online banking account, she is asked to enter quickly drain the batteries, shutdown or dramatically limit the
her mobile number. This number is used by the company to operation time and perform CPU intensive tasks that require
improve verification system: in fact, the customer receives on a lot of energy or force the device to shut-down. Another
her number a text message with the transaction details and a type of DoS sends a huge amount of SMS/MMS to the
code to enter back into the website. Then, the following steps same phone number to either deny users to perform their
performed by this attack are, in order: tasks or degrade the service of an area. [96] shows that by
1) the attacker logs in with the stolen credentials using the using only SMS communications, i.e. messages sent between
user’s device and performs a specific banking operation smartphones, low-end phones can be forced to shut down. To
that needs SMS authentication; this purpose, the SMS protocol can be used to transmit small
2) an SMS with the authentication code is sent to the programs that run on a smartphone. Network operators use
user’s mobile device from the verification system. The these files to change the settings on a device remotely. The
malicious software running in the device forwards the same approach has been exploited to attack smartphones.
SMS to a system controlled by the attacker; Some studies for preventing this class of attacks are pro-
3) the attacker fills in the authentication code and com- posed in [97, 59].
pletes the operation. Examples: In [98], the authors examine current security
[90] discusses a drive-by download attack, i.e. when a user mechanisms on smartphones, by identifying some critical
inadvertently downloads a malware (usually a spyware) on vulnerabilities of existing security models. Moreover, they
visiting a website, against an iPhone 3GS that enables an show how such vulnerabilities can be exploited to launch
attacker to steal the SMS database from the phone. Distributed DoS (DDoS) attacks to public service infrastruc-
2) Sniffing: Sniffing attacks on smartphones are based upon tures by diverting phone calls. This is achieved by injected a
the use of sensors, e.g. microphone, camera, GPS receiver. crafted shell code through a buffer overflow: in fact, in many
These sensors enable a variety of new applications but they Linux-based mobile phone the system single-user can easily
can also seriously compromise users’ privacy. If a smartphone access root privileges to invoke ptrace() to inject code
is compromised, an attacker can access the data stored in the in any other process. The authors demonstrate that, by only
device and also use the sensors to sniff and record all of the leveraging 1% of Linux-based mobile systems, the service
user’s actions. of an emergency-call center, in a region with millions of
A defense system against sniffing attacks is proposed in population, can be disabled.
[91]. The battery exhaustion attacks targets a unique resource
Examples: [92] describes the design and implementation bottleneck in smartphones, namely the battery power. [99]
of Stealthy Video Capturer (SVC), a spyware that can secretly discusses attacks against smartphones that drains the device’s
activate the built-in camera on smartphones to compromise the battery power up to 22 times faster, thus rendering a device
users’ privacy by recording private video information, with useless in short time. To do this, first an attacker has to build
little power consumption and is stealth to commercial anti- a “hit-list” of all the users with an active Internet connection
virus. by taking advantage of the insecure MMS protocol, which
Soundminer [93] is a proof-of-concept Trojan targeting automatically downloads MMS messages upon receiving no-
Android devices that is able to extract private data from tification through HTTP requests. Secondly, the attacker has
the audio sensor. Sensitive data, such as credit card number to periodically send UDP packets to the target smartphone
or PIN number, can be sent out by analyzing both tone and exploit PDP context retention and the paging channel.
and speech-based interaction with the phone menu system. The authors show that if a phone is connected to the Internet
As an example, Soundminer can infer the destination phone continuously, its battery life would be completely drained in
number by analyzing audio and reporting this data remotely less than 7 hours.
to a malicious party. Few permissions are requested by the The water torture attack [100] is another example of battery
Trojan during installation, specifically that it is granted access exhaustion attack that is carried out at the PHY layer. This is
to the microphone. Other permissions, in particular network achieved by forcing the subscriber station (SS) to drain its
connection or intercepting phone calls, are not requested. battery, or consume computing resources, by sending bogus
For this reason, since Soundminer cannot directly access the frames.
Internet, transmissions need to be carried out through a second An example of attack that targets several Symbian S60
application, either a legitimate network application or through smartphones and that prohibits victims from receiving SMS
a program with the networking permission. This allows Sound- messages is called Curse of Silence [101]. This attack tries
miner to circumvent mechanisms aimed at mediating explicit to set the Messages Protocol Identifier to “Internet Electronic
communications between two untrusted applications, such as Mail” so that an SMS can be used to send e-mails. This attack
those proposed in [94, 95]. exploits a vulnerability with some smartphones that cannot
3) Denial-of-Service: With a Denial-of-Service (DoS), an handle correctly e-mail address with more than 32 characters:
attacker denies availability of a service or a device. DoS by exploiting this vulnerability, the attacker sends a crafted
attacks against smartphones are mostly due to strong connec- e-mail in such a way that the device is not able to receive any
tivity and reduced capabilities: due to the limited hardware, other SMS message. At the end of the attack, the smartphone
attacking a smartphone can be accomplished with a small displays a warning reporting that the memory is not enough to
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
12 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

receive further messages and that some data should be deleted 1) anomaly-based (alternative names: anomaly detection,
first. behavior-based), which compares the “normal” behavior
[102] presents a novel method for vulnerability analysis of with the “real” one;
SMS-implementation by injecting short messages locally into 2) signature-based (alternative names: signature detection,
the smartphone and analyzing and testing all the SMS-based misuse-based, knowledge based, detection by appear-
services implemented in the smartphone software stack. The ance), based upon patterns of well-known attacks.
vulnerability analysis is conducted by fuzzing various fields There exist also hybrid approaches which combine the
in a standard SMS message including elements such as the aforementioned types of detection. With signature-based ap-
sender address, user data and various flags, or by fuzzing the proaches, the advantage is the false alarm rate that is usually
UDH header. Another test concatenates various SMS messages very low. The disadvantage is that they can detect only known
in such a way to force messages to arrive out of order or sends attacks. On the other hand, with an anomaly-based IDS we can
large payloads. The authors state that through the use of the detect variations of known attacks and even new attacks, but
testing tools, they were able to identify several vulnerabilities the amount of false alarms is usually quite high. Some of the
that can be exploited to launch DoS attacks. metrics used to measure their effectiveness are true positive
4) Overbilling: The overbilling attacks charge additional rate, accuracy and response time. [111] provides a general
fees to the victim’s account and may transfer these extra fees introduction to IDSes in cellular mobile networks.
from the victims to the attackers. Since many wireless services In the following, we partition existing IDS solutions using
are regulated by pay-per-use contracts, these attacks are very these features:
specific to wireless smartphones. • detection principles:
Example: A characteristic of GPRS networks is the
– anomaly detection:
“always on” mode: users are billed by the amount of traffic
instead of the usage time. A typical example of overbilling ∗ machine learning;
attack in this network is the one where an attacker, in ∗ power consumption.
cooperation with a malicious server located outside of the – signature-based:
GPRS network, hijacks the IP address of the target device and ∗ automatically-defined;
starts a download session from the malicious server. Hence, ∗ manually.
the legitimate user gets charged for traffic that never requests • architecture:
[110]. – distributed;
– local.
V. S ECURITY S OLUTIONS FOR M OBILE D EVICES • reaction:
In this section we survey existing mechanisms that are – active;
developed to prevent different type of threats for smartphones. – passive.
We present, first of all, intrusion detection systems for smart- • collected data:
phones, then trusted mobile-based solutions. All the solutions – system calls;
are presented in chronological order. – CPU, RAM;
Table V includes some conventional approaches typically – keystrokes;
implemented by off-the-shelf smartphone applications to pro- – SMS, MMS.
vide basic security; instead, table VII lists, in chronological
• OS:
order, the research security solutions (described in the follow-
ing sections) that provides a prototype. These solutions are – Symbian;
classified according to their detection principles, architecture – Android;
(distributed or local), reaction (active or passive), collected – Windows Mobile;
data (OS event, keystrokes), and OS. – Apple iOS.
First of all, we cluster mobile IDSes based upon the
detection principles used to find anomalies: anomaly detection
A. Intrusion Detection Systems (which includes machine learning and power consumption),
In this section, we present the state of the art of models and signature-based (automatically or manually defined) and run-
tools that implement Intrusion Detection Systems (IDSes) on time policy enforcement. Then, we consider both local and dis-
smartphones. tributed architectures. Next, we distinguish tools that perform
IDSes can be based upon two complementary approaches: any kind of reaction from those that only detect anomalies.
1) prevention-based approaches: using cryptographic al- We further classify IDSes by considering what kind of data
gorithms, digital signatures, hash functions, important are used as input and by the OS. For each feature, all the
properties such as confidentiality, authentication or in- solutions discussed are presented in chronological order.
tegrity can be assured; in this scenario, IDSes have to 1) Detection Principles: We partition existing IDSes using
be running online and in real-time; the following detection principles:
2) detection-based approaches: IDSes serve as a first line • anomaly detection;
of defense by effectively identifying malicious activities. • signature-based;

Furthermore, there are two main types of detection: • run-time policy enforcement.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 13

TABLE V
S ECURITY A PPLICATIONS FOR S MARTPHONES

Product Features OS License Reference

Lock and Wipe Android Commercial [103]
Backup and Restore BlackBerry
WaveSecure Localization and SIM Tracking Symbian
Windows Mobile
J2ME
Theft of Private Stuff Android Commercial [104]
Unauthorized Access
Norton Mobile Security Lite
Mobile Viruses Malware and Threats
Harmful Downloads
Parental Control Symbian Free [105]
iCareMobile
Automatic Pornographic Content Detection Android
Antivirus and Anti-spyware Android Commercial [106]
Anti-theft BlackBerry
Parental Control Symbian
BullGuard Mobile Security 10
Firewall Windows Mobile
Spam-filter
Basic Backup
Privacy Protection Android Commercial [107]
Anti-theft BlackBerry
Parental Control Symbian
Kaspersky Mobile Security 9 Encryption Windows Mobile
Anti-Spam
Anti-Malware
Firewall
Antivirus Symbian Commercial [108]
Firewall Windows Mobile
ESET Mobile Security
SMS/MMS Anti-spam
Anti-theft
Lock Wipe Android Free [109]
Backup iPhone
Lookout Mobile Security
Wipe
Privacy of Data

a) Anomaly Detection: An anomaly detection system clusters of similar behavior. The authors present an algorithm
compares the “expected” behavior of the smartphone with that, in the presence of a malicious attack, automatically
the “real” behavior (the actions executed at run-time by the identifies the most vulnerable clients based upon interactions
device). The solutions included in this section either monitor among them. Moreover, they describe a proactive contain-
distinct activities on the mobile, e.g. SMS or MMS services ment framework that applies two commonly-used mechanisms
or Bluetooth connections, or analyze the power consumption (namely, rate-limiting and quarantine) to the dynamically-
model of the phone to detect anomalies. Moreover, we detail generated list of vulnerable clients in a messaging network
frameworks that adopt run-time monitoring of the activities. whenever a worm or virus attack is suspected.
As discussed in [112], we can split the architecture of a Ho and Heng [46] attempt to identify generic behavioral
generic smartphone in the following layers: patterns in mobile malware to build a generic defense model.
• user; To slow down the spread of mobile malware, the authors intro-
• application; duce an extended model (which incorporates the works of [47]
• virtual machine or guest OS; and [48]), which is a Java-based engine that is independent
• hypervisor; from the platform. In addition to previous solutions, this model
• physical. includes a feature for blocking the silent automated transmis-
For each functional layer, the authors propose several distinct sion attempts of virus installation files from a compromised
features that should be collected for measuring the phone’s mobile smartphone via MMS, Bluetooth, Infrared, e-mail and
behavior and used by an anomaly detection IDS. Table VI Instant Messaging.
lists some of the capabilities that can be measured at each Schmidt et al. [48] exploit the monitoring process of smart-
distinct layer. phones to extract features that can be used in a machine learn-
Anomaly-based approaches for smartphones are either ing algorithm to detect anomalies. The framework includes
based upon machine learning techniques or upon monitoring a monitoring client, a Remote Anomaly Detection System
power consumption. (RADS) and a visualization component. The monitoring client,
Machine Learning: The paper [57], from the same au- which represents the main goal of this paper, is a client that
thors of [59], proposes Proactive Group Behavior Contain- runs on a smartphone and includes three main components:
ment (PGBC), a framework aimed at containing malicious • user interface;
software spreading in messaging networks such as IM and • communication module, which manages connection with
SMS/MMS. The primary components of PGBC are service- RADS;
behavior graphs generated from client messaging patterns and • Feature Extractor, which implements measurements and
behavior clusters that partition the service-behavior graph into observation of resources and other components.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
14 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

TABLE VI
A NOMALY D ETECTION C APABILITIES AT D ISTINCT L AYER

Layer Features
address spaces
data types, data constructors and data fields
system parameters
Hypervisor
virtual registers
system calls
communication protocols
application manager framework
security framework
Application
messaging framework
multimedia framework
SIM/phone password
key-stroke/T9 usage/spelling analysis
top-n called/texted numbers/contacts based on hour, day, week, month
User
frequently executed smartphone applications
smartphone application usage analysis
Bluetooth/Wi-Fi usage analysis

The RADS is a web service that receives, from the monitoring Damopoulos et al. [114] use a large dataset of iPhone
client, the monitored features and exploits this information, users’ data log with four machine learning algorithms, namely
stored in a database, to implement a machine learning algo- Bayesian Networks, Radial Basis Function, K-Nearest Neigh-
rithm. bors and Random Forest, to detect illegal use of a smartphone.
They classify the behavior of users through telephone calls,
Some other solutions use a probabilistic approach to trace SMSs and, differently from earlier research, on Web browsing
behavior’s profiles on smartphones. For example, [49] devises history. To preserve users’ anonymity, each record is hashed
a behavior-based malware detection system (pBMDS) that through SHA-1. Then, the data are examined either indepen-
adopts a probabilistic approach through the correlation of dently or in combination in a Multimodal fashion: in the first
user’s inputs with system calls to detect anomalous activities. case, Random Forest was the most promising classifier with
pBMDS observes unique behaviors of the applications and a true positive rate above 99.8% and accuracy of 98.9%; in
the user’s input and leverages hidden Markov model to learn the second case, the best results were given by K-Nearest
application and users’ behavior through process state transi- Neighbors with 99.8% true positive rate and 99.5% accuracy.
tions and user behavioral patterns. This statistical approach is Andromaly [115] is a general and modular framework for
used to learn the behavioral difference between applications detecting malware on Android smartphones using a supervised
initiated by user and applications initiated by malware. The anomaly detection technique. The framework is based upon a
most distinguishing feature of the proposed solution is that host-based IDS that sample numerous system metrics, such
its malware detection capability focuses on recognizing non- as CPU consumption, number of sent packets, number of
human behavior instead of relying on known attack signa- running processes. The framework is composed of four main
tures to identify malware. Therefore, in the training process, components, namely the feature extractors, processors, main
pBMDS does not require the number of negative samples service and the graphical user interface. The classifiers used to
to be equivalent to that of the positive ones. The system evaluate the framework are k-means, logistic regression, his-
exploits behavior graphs, which reflect intermediate process tograms, decision tree, Bayesian networks and Naı̈ve Bayes;
states towards each key system call based on user operational furthermore, a filter approach has been used for feature selec-
patterns, e.g. keystrokes. tion. A total of 88 features were collected for each monitored
In [113], time-stamped security data are continuously mon- application. Experiment results show that Naı̈ve Bayes and
itored within the target smartphone and then processed by logistic regression were superior over the other classifiers in
the Knowledge-Based Temporal Abstraction (KBTA) method- most of the testbed configurations and fisher score was the
ology. Using KBTA, continuously measured data (e.g., the best setting for feature selection.
number of sent SMSs) and events (e.g., software installation) [116] presents a framework to dynamically analyze applica-
are integrated with a smartphone security domain knowledge- tions behavior to detect malware on Android by collecting sys-
base, which is an ontology for abstracting meaningful patterns tem traces from several real users through crowdsourcing and
from raw and time-oriented security data. These patterns are a central server. An application client, Crowdroid, monitors
used to create higher level, time-oriented concepts and pat- Linux system calls and, after preprocessing, sends them to a
terns, called temporal abstractions. Automatically-generated central server, which then parses data and creates a system call
temporal abstractions are then monitored to detect suspicious vector. Finally, each dataset is clustered through a partitional
temporal patterns and to issue an alert. These patterns are clustering algorithm, namely 2-means.
compatible with a set of predefined classes of malware as Power Consumption: An example of monitoring power
defined by a security expert employing a set of time and value consumption is presented in [117], where the authors propose
constraints. a battery-based IDS. This solution performs the sensing of
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 15

abnormal battery behavior and energy patterns to detect a the occurrence (or not) of each DLL function in the feature
variety of attacks and includes two modules: set.
• Host Intrusion Detection Engine (HIDE), which measures In [121, 122] the authors propose to adopt a twofold
energy consumed over a period of time (established approach to block the spreading of worms on smartphones:
according to an algorithm); • at the terminal level, where a graphic Turing test and
• Host Analyzed Signature Trace Engine (HASTE), which identity-based signatures block unauthorized messages
matches frequency patterns of attacks based upon power from leaving compromised phones;
signature and compares these signatures with a short list • at the network level, where a push-based automated
of know attack signatures. patching scheme clean compromised phone. This means
Similarly to the previous solution, Kim et al. [97] propose that network providers automatically push software
a power-aware malware detection framework that monitors, patches to compromised terminals.
detects, and analyzes energy-greedy malware. The framework In [123] the signatures to be compared are automatically
is composed of a power monitor, to collect power samples generated by analyzing the device’s activities. The authors
and to build a power consumption history from the collected discuss the dynamics of mobile malware that propagate by
samples, and of a data analyzer, to generate a power signature proximity contact and explore three strategies to detect and
from the constructed history. mitigate proximity malware, namely:
Another example of monitoring power consumption is • local detection, in which devices detect when they be-
proposed in [118], which bases its observations on the fact come infected and disable further propagation;
that any malware activity on a smartphone consumes battery • proximity signature dissemination, in which devices cre-
power. Hence, the proposed solution (VirusMeter) performs ate content-based signatures of malware and disseminate
malware detection using state machine and power consump- them via proximity communication as well;
tion model by comparing the actual measured power consump- • broadcast signature dissemination, in which a centralized
tion with the power that could have been consumed, according server aggregates observations from individual devices,
to the predefined power consumption model. The user-centric detects propagating malware, and broadcasts signatures
power model characterizes power consumed as a function of to smartphones.
common user operations and relevant environmental factors Bauckhage et al. [124] present a probabilistic diffusion
(e.g., calls, SMS, MMS). To collect data, for each user scheme for detection anomalies indicating malware, which is
operation a state machine is constructed. This state machine based upon the device’s usage patterns. The basic idea is to
describes the evolution of internal events related to user’s model dependencies of samples and features by means of a
operations. bipartite graph, which then serves as the domain of a Markov
Even if power consumption is often considered as a limita- process. The algorithm is applied to two separate data sets
tion, Yan et al. [119] consider its positive impact on preventing obtained from smartphones during normal daily usage.
and suppressing mobile malware. Even if no specific solutions Manually-Defined: These mechanisms to detect anomaly
are implemented, three potential techniques, based upon lim- extract the signatures of mobile malware by manually analyz-
itations of smartphone, are proposed: ing the malware and its behavior.
• monitoring power consumption, which concerns the abil- Ellis et al. [125] present a new approach for the auto-
ity to detect an attack depending on battery usage on matic detection of worms on smartphones using behavioral
smartphone; signatures, which are manually defined to represent common
• enforcing hardware sandbox, in which all the hardware features across a family of worms. The presented approach
modules that are not used frequently and that can be focuses on detecting patterns at a higher level of abstraction,
used for malware propagation (e.g. GPS or Bluetooth) where a pattern may be:
are switched off; • sending similar data between devices;
• increasing platform diversity, in which different APIs are • tree-like propagation and reconnaissance;
used to develop and execute an application. • changing a server device into a client.
b) Signature-Based: This paragraph discusses mecha- Ideally, a pattern is a specific behavior of a spreading worm
nisms that detect anomaly on smartphones using signatures. and should be distinct from normal network traffic. The
The signature-based approach checks if each signature derived frequency of and interrelationships between behaviors improve
from an application matches any signature in a malware the accuracy of the detection. To evade a behavioral signature
database. The database of malware signature can be automat- requires a fundamental change in the behavior and this task
ically or manually defined. is rather challenging.
Automatically-Defined: Venugopal et al. [120] apply In [47], the authors present a behavioral detection frame-
Bayesian decision theory to the dynamic-link library (DLL) work for viruses, worms and Trojans that extracts key behavior
usage of a program to detect viruses. In fact, since most signatures of mobile malware by applying Temporal Logic
mobile viruses have common functionalities (e.g., deleting of Casual Knowledge (TLCK) on a set of atomic steps. The
system files, sending MMS), these programs need to use authors have generated a database of malware signatures based
DLLs. By exploiting the common patterns of DLL usage upon a review of mobile malware: every signature corresponds
among viruses, the proposed approach can detect old and new to the description of the behavior of a family of malware. The
viruses: a classifier takes as input a binary vector specifying run-time monitoring is implemented on the Symbian emulator
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
16 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

through a proxy DLL to monitor API calls. To distinguish all the analysis on the activities monitored on the smartphones
malicious behavior from partial signatures, the framework without having problems of:
exploits support vector machines to train a classifier from • power consumption;
normal and malicious data. • small screen size;
c) Run-Time Policy Enforcement: The basic idea of these • limited resource.
models is that mobile code consumers essentially accept the [39] discusses a framework to detect attacks against smart-
code “as-is” and exploit a supporting mechanism to enforce phones using a separate, loosely-synchronized, security server,
the policy associated with the code to detect and stop anoma- which hosts one or more exact replicas of the smartphone
lies. and applies distinct detection mechanisms. In this way, sev-
Nowadays, several smartphones are able to run Java appli- eral expensive detection techniques, which cannot be easily
cations, which can also create Internet connections, send SMS implemented on the smartphone, can be applied on the server
messages, and perform other expensive or dangerous opera- to prevent attacks on the phone software. The architecture
tions on the smartphone. Hence, an adequate security support includes a tracer on the phone itself, to intercept both system
is required to meet the needs of this scenario. To this end, calls and signals of a set of protected processes, whereas a
[126] proposes an approach to enhance the security support of replayer on the security server later replays the execution trace
Java Micro Edition (J2ME), based upon the monitoring of the and looks for anomalies.
usage of the smartphone’s resources performed by MIDlets. 3) Reaction: Passive or Active: In this section, we consider
A process algebra-based language defines the security policy whether existing mechanisms for intrusion detection react or
whereas a reference monitor is exploited to check the resource not whenever a new threat is found, e.g. by trying to prevent
usage. the attacks to damage the smartphone.
Security-by-contract [127, 128] is a run-time policy enforce- A reaction can be a strategy, to contain the virus or malware
ment solution based upon a digital signature that: propagation, or a mechanism, like alerting the user of the
• certifies the origin of the code; infection. An example of a reaction strategy is presented in
• binds the code with a contract. [57], where the alerts about potential attacks are collected
A contract contains a description of the relevant features of an before starting the reaction strategy. The proposed framework
application and the relevant interactions with its host platform. is implemented at the messaging service center where logs of
A mobile platform can specify platform contractual require- client communication are kept. These logs can be analyzed to
ments (a policy), which should be matched by the application’s generate a service-behavior graph for the messaging network:
contract. The authors also propose some algorithms to verify this graph is then further processed to generate behavior
contract-policy matching. clusters, i.e., groups of clients whose behavior patterns are
[129] enhances the security-by-contract architecture by similar with respect to a set of metrics, namely:
adding new modules and configurations for managing con- • interaction frequency;
tracts. At deploy-time, the proposed system selects the run- • attachment and message size distributions;
time configuration depending upon the credentials of the • number of messages;
contract provider; at run-time, the system can both enforce a • number of outgoing connections to other clients;
security policy and monitor the declared contract. According • list of traced contacts.
to the actual behavior of the running programs, the architec- When the number of alerts in a particular behavior cluster
ture can update the trust level associated with the contract reaches a threshold, the messages belonging to that cluster
provider. The main advantage of the proposed architecture is are first rate-limited to slow down a potential malware. When
the automatic management of the level of trust of software the alerts reach a second threshold, the containment algorithm
and contract releasers. applies proactive quarantine, i.e., it blocks messages from sus-
Finally, [94, 95] propose Kirin security service for An- picious clients of these behavior clusters. This step essentially
droid, which performs lightweight certification of applications enables the behavior clusters to enter into a group defense
to mitigate malware at install time. Kirin certification uses mode against the spreading malware.
security rules that match undesirable properties in security In [130], the proposed system detects viruses running on
configuration bundled with applications. smartphones using a proxy that performs the analysis of the
2) Architecture: Local or Distributed: In this section, we phone’s behavior and, when a potential virus is detected, sends
partition mechanisms for intrusion detection that use a local targeted alerts to both infected devices and a subset of the
architecture from solutions that exploit a distributed architec- uninfected devices to prevent the spreading. These devices are
ture. chosen based upon the users’ contact list and mobility profiles,
In a local architecture, both the collecting phase and the to locate those devices they may be in direct contact with an
analysis phase are locally performed on the device and no infected device.
interactions with an external server is required. Examples of A further example of a reaction-strategy is given in [58]
local solutions are presented, for instance, in [130, 118, 94, where, to limit the spread of MMS- and SMS-based worms,
95]. On the other hand, a distributed architecture usually the authors propose a methodology based upon a graph
requires a distinct and separated component (i.e., a server) partitioning approach. The problem is tackled by using a social
to analyze the activities collected and sent by each device. In relationship graph where the devices are divided into multiple
this architecture, the external security component can perform partitions based upon the social relationship among them. Each
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 17

partition includes smartphones that closely interact with each third parties: hence, any tool for intrusion detection should be
other. Communication patterns are extracted using a network run only with the user’s explicit authorization in case it may
trace and, from these patterns, a social relationship graph of access private data. Private data should never be carried out
smartphones is built so that an optimal set of phones to be of the smartphone by any mechanisms, including system that
patched can be located firstly. In this way, the system can have to protect the mobile. Therefore, an intrusion detection
locate the phones that have the capability to infect the highest system should be designed so that:
number of other phones. The authors propose two patching • the private data used during the intrusion detection pro-
schemes, namely: cess are not transferred out of the device;
• balanced partitioning, where the significance level of • the communication of the intrusion detection function-
each partition are chosen to be as similar as possible so alities on the smartphone should be restricted to the
that the worm damage to each partition can be balanced; generated intrusion alarms.
• clustered partitioning, where edges within each partition In [91] the authors focus on threats and attacks that violate
have higher weights compared to the edges between the user’s privacy by sniffing on the sensors on smartphones. The
two partitions, so that smartphones that are socially close authors develop a threat model based upon the use of sensors
to each other are in the same partition and nodes that are and design a general framework for a defense system. This
not close are into different partitions. framework consists of three modules: (i) policy engine, (ii)
Ruitenbeek et al. [131] study the propagation of smart- interceptor, (iii) user interaction. The policy engine, based
phone viruses based upon MMS and propose several response upon the input from user interaction and application moni-
mechanisms to quantify the effectiveness of virus mitigation toring/profiling, determines access: these decisions are based
techniques. The authors present four MMS virus scenarios: in mainly upon application monitoring and profiling without
every scenario the virus on the phone sends MMS messages requiring much user intervention. Several policies are consid-
with an infected attachment file to other phones, which are ered, such as white-listing, blacklisting and information-flow
selected from the contact list of the infected phone or by tracking. The interceptor is interposed between the application
dialing a random phone number. After receiving this new and the sensors, and/or between the application and the
MMS message, if the user accepts the infected attachment network, and it enforces the decision of the policy engine. The
file, the virus is installed, the target phone becomes infected user interaction is not a mandatory component, since it simply
and under control of the attacker. The evaluated response notifies the user by asking her decision. For each module,
mechanisms for each of the four scenarios are: different mechanisms are explored and discussed but no real
• scan of all MMS attachments in MMS gateways to detect
implementations are presented.
viruses; In the following paragraphs, we discuss solutions that
• user education;
analyze different kinds of data available in a smartphone,
• immunization using software patches;
namely:
• monitoring for anomalous behavior; • OS events (e.g., system calls);

• blacklist of phones that are suspected of infection. • measurements (e.g., CPU, RAM, I/O activities);
• keystrokes;
The experimental results revealed that any response mecha-
• communication events (e.g., SMS/MMS).
nism must be agile enough to quickly react to rapidly propa-
gating viruses and discriminating enough to detect stealthier, a) Operating System Events: These events indicate those
slowly propagating, viruses. activities related to the normal functioning of the OS, which
4) Collected Data: As suggested in [132], monitoring data can be used to retrieve relevant information about the behavior
in a mobile environment can be a challenge due to adminis- of the smartphone, and include:
trative, technical and conceptual limitations. The visibility of • system calls;
the data can be limited by explicit agreements on exchange of • function calls;
monitored data because, for example, the call records can be • network operations.
under administrative control. Furthermore, we have to consider Data from these events can be obtained by exploiting some
that due to the integration of several communication interfaces, built-in OS mechanisms. However, in many cases the OS
a smartphone can be connected, at the same time, to different events cannot be monitored because there is no direct access
access points (such as Bluetooth, Wi-Fi) and thus the amount interface. Therefore, in these cases some extensions to the OS
of collected data on the communication interfaces can be huge. are required.
Finally, we have to take into account that there are some The solution presented in [133] monitors the system calls
kinds of attacks, e.g. Trojans, not involved in communication executed by running processes and labels executing code based
activities, so that they are invisible to the network. upon its access to the network interfaces (e.g., wireless, GSM,
Due to the fact that all the solutions based upon intrusion Bluetooth). The labels are then transferred between processes
detection need to access several features of a smartphone, and system resources as a consequence of either access or
we should carefully consider the problem of privacy of the execution. During sensitive operations, the labels collected in
data accessed. By accessing a smartphone, several pieces of this way are compared to a set of rules that allow users to
information can be retrieved, such as the user’s location, specify fine-grained access control to services and data. The
communications, and personal contacts. All these kinds of labeling process, which can involve processes and resources,
information are, obviously, private and should not be shared to as well as the enforcement of the policies, are performed by a
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
18 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

kernel-level reference monitor. The framework is independent In [137], keylogging is applied to smartphones to detect
of the OS because it uses a policy language that allows users illegal user operations using a scheme that uses a background
to express what actions are allowed by specific classes of process to records keystrokes. Keystrokes are divided into
programs with respect to specific classes of resources. long-term and short-time: using the frequency of long-term
Another mechanism, MobileSandbox [50], monitors the keystrokes, an anomaly detection algorithm constructs a user
system calls issued by the software that a user is going to profile; then, the short-term keystrokes are compared with the
install on its smartphone. MobileSandbox is a background user profile to detect illegal users.
system that samples and translates an operation in a sequence [138] demonstrates that keystroke dynamics of a user can be
of API calls that the program has issued during its execution. translated into a set of features for accurately identifying users.
The proposed system can either use the device emulator or an To this end, keystroke data of twenty-five smartphone users are
actual device. To perform mobile dynamic malware analysis, collected and analyzed: based upon them, six distinguishing
the proposed solution includes three steps, namely: keystroke features are extracted and used for user identifica-
• collecting the software samples as complete as possible; tion. The results show that the proposed user identification
• analyzing the samples as complete as possible; system has an average error rate of 2% after the detection
• taking certain actions as a response to the analysis. mode and the error rate of rejecting legitimate users drops to
zero in the PIN verification mode.
In [134], the authors discuss in details the implementation d) Communication Events: Communication events in-
of system call interception for Windows CE. Two solutions dicate a particular class of events that happen in a device
that analyze these events are proposed: the first one exploits at the application level, such as high-level actions (e.g.
a sandbox approach to analyze malware, whereas the second sending/receiving of SMS, files). Typically these actions are
solution implements the concept of a reference monitor at the composed of several elementary actions that cannot be auto-
OS level. matically generated by the smartphone’s OS. Communication
There are also some solutions to detect anomalies that events include operations such as sending and receiving of
monitor function calls rather than system calls. One of these messages, or file downloads/uploads.
solutions is presented in [135] where the authors apply static [139] discusses threats on smartphones mirrored from PCs
analysis of function calls to detect malicious applications. and proposes a detector application that monitors SMS sent
Centroid Machine is the name of the light-weight algorithm without user authorization. Bose and Shin [59] investigate the
developed according to common clustering methods. The propagation of mobile worms and viruses that spread primarily
algorithm can detect Symbian OS malware on the basis of via SMS/MMS messages and short-range radio interfaces (e.g.
function calls according to the requirements of smartphones, Bluetooth). Each smartphone is modeled as an autonomous
e.g. efficiency, speed and limited resource usage. mobile agent capable of sending SMS messages and of dis-
A similar solution specific to Android platform is presented covering other devices equipped with Bluetooth. To identify a
by Schmidt et al. [136]: the discussed framework performs set of common behavior vectors, and to develop mobile virus
static analysis on the executables to extract their functions detection and containment algorithms, the existing mobile
calls using readelf command. This command returns de- viruses are investigated. The authors study the vulnerabilities
tailed information on relocation and symbol tables of each of Bluetooth and SMS/MMS messaging systems in depth and
Executable and Linking Format (ELF) object file. The output identify the vulnerabilities that may be exploited by future
of this analysis is the static list of referenced function calls for mobile viruses. Finally, they develop the state diagram of
each system command. Then, these calls are compared with a generic mobile virus that can spread via SMS/MMS and
malware executables for classification. Bluetooth. The discovery, infection and replication states of
b) Measurements: A set of measurements includes sev- the generic virus are implemented in an agent-based malware
eral performance indicators of a smartphone, such as CPU modeling framework to study its propagation and containment
activity, memory consumption, file I/O activity and network strategies.
I/O activity. The key idea is that, supposing that changes in the [140] presents a novel approach to the security testing of
usage of a smartphone are gradual, the normal usage remains MMS user agents by taking into account the effects of the
constant over time. Therefore, we can extract behavioral infrastructure on the delivery of MMS messages and then by
profiles and use them for comparison with normal behaviors in using a virtual infrastructure to speed up the testing phase.
order to detect anomalies. Some of these features (e.g., RAM As in [102], the paper exploits fuzzing to deliver fuzzed
free, user inactivity time, process count, CPU usage, SMS sent MMS messages to the user agents, by finding several string-
count), which are used for anomaly detection, are discussed length buffer overflows. SmartSiren [130] is a collaborative
in [48, 115]. virus detection and alert system for smartphones that collects
c) Keystrokes: Some solutions exploit keystroke logging communication activity information and performs analysis to
(keylogging) techniques to detect anomalies. These techniques detect abnormal behaviors. To halt potential virus outbreaks
track the keys struck on a keyboard to monitor the actions of the authors try to minimize the number of smartphones that
the user. Typically, the logging is provided in a covert manner can be infected by a new released virus. A light-weight agent
so that the user is unaware of the monitoring. The conventional runs on each smartphone, while a centralized proxy assists the
technique of behavior-based anomaly detection focuses on virus detection and alert process. Each agent keeps track of
the rhythm of keystroke patterns or transition probability of the communication activities on the device and periodically
commands. reports a summary of these activities to the proxy. The proxy
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 19

performs joint analysis on the reports and detects any single- In [150], the authors provide a security assessment of the
device or system-wide viral behaviors. Android framework: firstly, they discuss the current security
Finally, [141] proposes a lightweight scheme that can detect mechanisms incorporated in Android (namely, Linux mech-
anomalous SMS behaviors with high accuracy. The authors anisms, environmental features and Android-specific mech-
start analyzing an SMS trace collected within a five-month anisms); secondly, they propose some security solutions for
period and, according to the analyzed results, four detection mitigating threats on Android, using five “threat cluster”:
schemes are proposed. Each scheme builds normal social 1) threats that compromise availability, confidentiality, or
behavior profiles for each SMS user and then uses them to integrity by maliciously using the permissions granted
detect SMS anomalies in an on-line and streaming fashion. to an installed application;
Since a scheme stores only a few states in memory for 2) threats that compromise availability, confidentiality, or
each SMS user, it imposes very low overhead during on-line integrity threats that happen when an application ex-
anomaly detection. Finally, the authors evaluate these four ploits a vulnerability in the Linux kernel or system
schemes and also two hybrid approaches with realistic SMS libraries;
traces by showing that the proposed approach can detect more 3) threats that compromise the availability, confidentiality,
than 92% of SMS-based attacks with a false alarm rate of 8.5% or integrity of private or confidential content: e.g., appli-
and 66% of attacks without generating any false alarm. cations that can read the SD card’s contents or attackers
5) Operating Systems: In this section, existing IDSes are eavesdropping on wireless communication remotely;
clustered based upon the OS for which they are developed or 4) attackers draining a smartphone’s resources: e.g., since
studied, namely: applications for Android have neither disk storage nor
• Symbian; memory quotas hogging memory or CPU is possible;
• Android; 5) threats that compromise internal or protected networks:
• Windows Mobile; as an example, attackers can use Android devices to
• iPhone OS. compromise other devices, computers, or networks by
a) Symbian: Symbian is the Nokia’s open source OS running network or port scanners, SMS/MMS/e-mail
and software platform designed for smartphones. The latest worms, and various other attacks.
Symbian platform includes a user interface component based [151] proposes a security solution for Android-based smart-
on S60 5th Edition. Originally developed by Symbian Ltd, phones that exploits Security-Enhanced Linux.
Symbian OS is now at the third version, Symbianˆ3, released TaintDroid [87] is an extension to Android that tracks
in the fourth semester of 2010. Devices based on Symbian the flow of sensitive data through third-party applications.
accounted for 43.5% of worldwide smartphone sales in the TaintDroid assumes that downloaded third-party applications
first two semesters of 2010 [142]. are not trusted, and monitors how these applications access
Schmidt et al. [48] introduces an approach to monitor and manipulate users’ personal data. TaintDroid automatically
Symbian-based smartphones to extract features that can be labels data from sensitive sources and transitively applies
used by a machine learning algorithm to detect anomalies. In labels as sensitive data propagates through program variables,
[143], the authors test vulnerabilities on smartphones based files, and interprocess messages. When tainted data are trans-
upon the Symbian 9.1 OS. Several attacks have been experi- mitted over the network, TaintDroid logs the data’s labels, the
mented to test the stability of the network stack of the Symbian application responsible for transmitting the data, and the data’s
OS. Some vulnerability has been found that can render the destination. The tested performance overhead is 14%.
devices unusable. Enck et al. [152] study 1,100 popular free Android applica-
Further discussions can be found in [144, 145]. tions using a decompiler to recover Java application source
b) Android: Android is a mobile OS based upon a code from its Dalvik installation image and by statically
modified version of the Linux kernel. The applications are analyzing more than 20 million lines of code. The study shows
written by a large community of developers to extend the that several applications misuse privacy sensitive information,
functionality of the devices. in particular phone identifiers (IMES, IMSI and ICC-ID) and
[146] and [147] present a set of results on the evaluation geographic location, such as leaking phone identifiers through
of the security of Android smartphones. Firstly, the authors plaintext requests (such as HTTP GET/POST), tracking users
analyze the Android framework and the Linux Kernel to check through their phone identifier.
security functions, by also surveying some known security c) Windows Mobile: Windows Mobile is an OS devel-
tools and mechanisms to increase the smartphones security. oped by Microsoft for use in smartphones. Based upon the
Then, the authors analyze the possibilities of applying malware Windows CE 5.2 kernel, Windows Mobile was designed to be
detection mechanisms at the kernel-level, i.e. by monitoring similar to desktop versions of Windows and is now superseded
key-kernel events (log file, file system activities). Finally, by Windows Phone 7. Third-party software development is
they apply static function call analysis to detect malware on also available and users can purchase software applications
ELF executables, by exploiting a decision tree for deciding via the Windows Marketplace for Mobile.
if a new application is suspicious compared to previously Windows Mobile Malware Detection system (WMMD)
analyzed applications (both good and bad ones). [148] presents [153] is a behavior-based malware detection system for Win-
a collaborative architecture to detect anomalies on Android dows Mobile platform. WMMD uses API interception tech-
platforms. [149] presents a review of current security solutions niques to dynamic analyze application’s behavior and compare
for Android platforms. it with malicious behavior characteristics library using model
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
20 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

checking. The results show that it can effectively detect the signatures. These cryptographic primitives can be exploited to
obfuscated or packed malware variants that cannot be detected implement hardware-based security services, such as device
by other main stream anti-virus products. authentication, integrity measurement, secure boot, and remote
An example of anomaly detection system developed for the attestation. The MTM provides a root-of-trust for smartphones
Advanced RISC Machine (ARM) architecture, is discussed in the same way as the TPM does for personal computers. In
in [154]. The proposed system analyze the relation between principle, the MTM is an adaption of the TPM for smartphones
system calls and their return address to describe the software and, hence, its specification is similar to that of the TPM,
behavior on ARM architectures. To this end, during a training which facilitates interoperability within the existing trusted
phase, the system builds a model using an array of system computing framework for personal computers.
calls and return addresses and produces a score. Then, at run- There are two different types of integrity measurement for
time the system freezes the software execution each time a any application binary: load-time and dynamic measurements.
system call is issued, obtains stack information and compares The TCG only specifies load-time integrity measurement,
the software behavior with the model using an anomaly score. when a piece of code or data is measured or when it is
d) iPhone OS: iOS (previously known as iPhone OS) is mapped/loaded into main memory. Dynamic measurements
the Apple’s mobile OS that was originally developed for the refer to the act of measuring the integrity of critical ap-
iPhone, but now it has been extended to support other devices, plications at run-time, i.e. when they are executing. In the
such as iPad. Integrity Measurement Architecture (IMA) framework [161],
To protect its users from malicious applications, Apple measurements are invoked in several system call functions
has introduced a vetting process, which should ensure that when code or kernel modules are loaded but before they are
all applications conform to Apple’s rules before they can executed. After a code is mapped into memory and during run-
be offered via the App Store. Unfortunately, this vetting time, it is very difficult to measure the integrity of the process
process is not well documented, and there have been cases considering very dynamic and nondeterministic behaviors of
where malicious applications had to be removed from the typical applications, such as loading active code, receiving
App Store after user complaints. To this purpose, Egele et al. external inputs, and allocating dynamic memory.
[88] study the privacy threats that applications for Apples In addition to trusted boot and load-time integrity mea-
iOS pose to users. The authors present a novel approach surement, integrity protection for mobile phones raises the
to automatically create comprehensive control-flow graphs following extra requirements [158]:
from binaries compiled from Objective-C code and perform • secure boot: a set of mandatory engines [160] reside on
reachability analysis to identify possible leaks of sensitive a single mobile platform and provide critical and indis-
information from a smartphone to third parties. pensable services that have to be running in known-good
Finally, [155] discusses ten ways to keep user data on states, i.e. their integrity must be verified to assure their
iPhone and Android-based devices safe from insecure apps. trustworthiness. Therefore TCG Mobile Phone Reference
Architecture [159] states that secure boot is mandatory
for MTM;
B. Trusted Mobile • low booting and run-time overhead: most smartphones
Trusted Computing Group (TCG) has published a set of are still limited in computing power. This requires any
specifications to measure, store, and report hardware and security solution to be very efficient and integrity mea-
software integrity through a hardware root-of-trust, which surement during boot and in post-boot state should not
is the Trusted Platform Module (TPM) and Core-Root-of- degrade the performance and user experience too much;
Trust-Measurement (CRTM). On a TPM-enabled platform, the • run-time integrity assurance: although run-time integrity
CRTM measures the bootloader of the system before it is measurement is not practical in both PC and mobile
executed, and then stores the measured value into one of the platforms, there should be some mechanism to preserve
Platform Configuration Registers (PCRs) inside the TPM. The the integrity level of critical applications and resources
bootloader then loads OS image, measures it, stores via PCR during run-time, e.g., phone related services (telephony
extension and then executes it [159]. In turn, the OS measures server) and platform management agents. Both TCG and
the loaded applications and stores their integrity values in IMA do not propose any mechanism for this purpose.
PCRs before executing them. Upon an attestation challenge [156, 158] discuss a framework for mobile integrity mea-
from a third party, the TPM signs a set of PCR values with surement and attestation mechanisms, by proposing a secure
an Attestation Identity Key (AIK) and sends back the result. boot mechanism. The proposed mechanism ensures that a
The challenger then can make decisions on the trust status mobile platform can boot into a secure state by exploiting a
of the platform by verifying the integrity of these values and flow integrity model to achieve high integrity for the system.
comparing with the corresponding known-good values. The solution leverages SELinux MAC mechanisms and adds
There are also specifications for mobile phone platforms some SELinux security policy extensions. The framework
released by the TCG Mobile Phone Working Group, i.e. the requires a root-of-trust, such as the MTM. [157] tries to
Mobile Trusted Module (MTM) [160]. TCG advocates using protect the integrity of critical applications from potentially
MTM to increase the security of smartphones by provid- untrusted functionality and develop a small SELinux policy
ing basic cryptographic capabilities, such as random number to measure the integrity of a mobile phone using the PRIMA
generation, hashing, protected storage of sensitive data (e.g. approach [162]. The resulting SELinux policy enables the
secret keys), asymmetric encryption, as well as generation of phone system to be attested to remote parties and protects
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 21

TABLE VII
C LASSIFICATION OF T HE I MPLEMENTED S OLUTIONS

Reference Year Detection Principles Architecture Reaction Collected Data Operating Systems
[125] 2004 Signatures (Manually) Local Passive All OS-Independent
[139] 2005 Anomaly Detection Local Passive Communication Events Symbian
[117] 2006 Power Consumption Local Passive All OS-Independent
[57] 2006 Machine Learning Distributed Reactive Communication Events OS-Independent
[59] 2006 Machine Learning Local Passive Communication Events OS-Independent
[120] 2006 Signatures (Automatically) Local Passive OS Events Symbian
[133] 2006 Run-Time Policy Enforcement Local Passive OS Events OS-Independent
[127] 2007 Run-Time Policy Enforcement All Active All OS-Independent
[156] 2007 Integrity Verification Local Passive OS Events SELinux
[130] 2007 Machine Learning Local Active All OS-Independent
[47] 2008 Signatures (Manually) Distributed Passive Applications Symbian
[157] 2008 Integrity Verification Local Passive OS Events SELinux
[97] 2008 Power Consumption Distributed Passive Measurements Windows Mobile
[121] 2008 Signatures (Automatically) Distributed Active Communication Events Symbian
[137] 2008 Anomaly Detection Local Passive Keystrokes OS-Independent
[148] 2008 Anomaly Detection Distributed Passive All Android
[154] 2008 Signatures (Automatically) Local Active OS Event Windows Mobile
[58] 2009 Machine Learning Local Passive Communication Events OS-Independent
[46] 2009 Machine Learning Local Active Communication Events OS-Independent
[48] 2009 Machine Learning Distributed Passive Measurements OS-Independent
[118] 2009 Power Consumption Local Passive Communication Events OS-Independent
[123] 2009 Signatures (Automatically) Local Active All OS-Independent
[39] 2009 Machine Learning Distributed Passive OS Events OS-Independent
[138] 2009 Machine Learning Local Passive Keystrokes OS-Independent
[141] 2009 Machine Learning Local Passive Communication Events OS-Independent
[143] 2009 Machine Learning Local Passive All Symbian
[147] 2009 Signatures (Manually) Local Passive OS Events Android
[158] 2009 Integrity Verification Local Passive OS Events LIMO
[122] 2009 Signatures (Manually) Distributed Active Communication Events Linux
[94] 2009 Run-Time Policy Enforcement Local Active All Android
[95] 2009 Run-Time Policy Enforcement Local Active All Android
[134] 2009 Interception Local Passive OS Events Windows Mobile
[135] 2009 Signatures (Manually) Local Passive OS Events Symbian
[136] 2009 Signatures (Manually) Local Passive OS Events Android
[151] 2010 Run-Time Policy Enforcement Local Active OS Event Android + SELinux
[153] 2010 Anomaly Detection Local Passive OS Event Windows Mobile
[124] 2010 Signatures (Automatically) Local Passive Keystrokes OS-Independent
[49] 2010 Machine Learning Local Passive OS Events Linux
[113] 2010 Machine Learning Local Passive All Android
[115] 2011 Machine Learning Local Passive All Android

critical applications from untrusted code, thus allowing users hardware-based solution, which suffers from poor flexibility.
to install and run trusted applications in a safe way: the policy Further solutions can be found in [165].
is 90% smaller than a custom SELinux reference policy.
In [163] the authors propose a practical approach for the VI. C ONCLUSIONS
design and implementation of trusted mobile platform. The With the rapid proliferation of smartphones equipped with
approach, based upon the concept of a trusted platform as a a lot of features, as multiple connections and sensors, the
set of trusted engine, defines a method for the take-ownership number of mobile malware is increasing. Differently from PC
of a device by the user and the migration (i.e., portability) of environment, solutions aimed at preventing the infection and
user credentials between devices. the diffusion of malicious code in smartphone have to consider
[164] identifies three specific problems in the MTM spec- multiple factors: the limited resources available, including the
ification and provides some possible solutions. The first one power and the processing unit, the large number of features
concerns the need of balancing some contrasting goals at the that can be exploited by the attackers, such as different kinds
system-level designs, such as performance and power con- of connections, services, sensors and the privacy of the user.
sumption. A suggested solution integrates some TPM features In this work, first of all we have discussed the current
directly into a processor core as opposed to a monolithic scenario of mobile malware, by summarizing its evolution,
implementation of all the functions in a separate module. The along with some notable examples; we have also outlined
second problem considers which cryptographic algorithms a likely future threats and reported some predictions for the near
MTM must support: some algorithms, namely RSA and SHA- future. Secondly, we have categorized known attacks against
1, can either have bad performances or security weaknesses. smartphones, especially at the application level, focusing on
The suggested solution considers elliptic curve cryptography how the attack is carried out and what is the goal of the
as a viable alternative. Finally, the third problem is related attacker. Finally, we have reviewed current security solutions
to the implementation of cryptographic primitives: the au- for smartphones focusing on existing mechanisms based upon
thors propose a hardware/software solution as opposed to a intrusion detection and trusted mobile platforms.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
22 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

ACKNOWLEDGEMENT [23] N. Leavitt, “Malicious Code Moves to Mobile Devices,” Computer,

vol. 33, pp. 16–19, December 2000.
The authors would like to thank the anonymous reviewers [24] McAfee Labs, “2011 Threats Predictions,” 2010. [On-
for their valuable comments and suggestions, which have line]. Available: [Link] us/resources/reports/
[Link]
greatly improved the quality of the paper. [25] D. Barroso, “ZeuS Mitmo: Man-in-the-mobile,” Semptember
Work partially supported by EU-funded project FP7-256980 2010. [Online]. Available: http:// [Link]/2010/
NESS O S. 09/zeus-mitmo-man-in- [Link]
[26] A. Gostev, “Kaspersky Security Bulletin. Malware Evo-
lution 2010,” Feb 2011. [Online]. Available: http:
//[Link]/en/analysis/204792161/Kas- persky Security
Bulletin Malware Evolution 2010
R EFERENCES [27] Cisco, “Cisco 2010 Annual Security Report,” Jan 2011.
[1] M. Kotadia, “Major smartphone worm by 2007,” Gartner Study, June [Online]. Available: [Link] en/US/prod/collateral/
2005. vpndevc/security annual report [Link]
[2] Gartner Research, “Gartner Says Worldwide Mobile Phone Sales [28] PandaLabs, “Annual Report,” 2011. [Online]. Avail-
Grew 35 Percent in Third Quarter 2010; Smartphone Sales Increased able: [Link] 05/
96 Percent,” 2010. [Online]. Available: [Link] [Link]
[Link]?id=1466313 [29] Google Mobile Blog, “An Update on Android Market Security,”
[3] IMS Research, “Global Smartphones Sales Will Top 420 Million March 2011. [Online]. Available: [Link]
Devices in 2011, Taking 28 Percent of all Handsets, According to IMS 2011/03/update-on-an- [Link]
Research,” July 2011. [Online]. Available: [Link] [30] Sophos, “Security Threat Report,” 2010. [On-
press-release/Global Smartphones Sales Will Top 420 Million line]. Available: [Link] papers/
Devices in 2011 Taking 28 Percent of all Handsets According [Link]
to IMS Research [31] Juniper Networks Global Threat Center, “Malicious Mobile Threats
[4] Q. Yan, Y. Li, T. Li, and R. Deng, “Insights into Malware: Detection Report 2010/2011,” 2011. [Online]. Available: [Link]
and Prevention on Mobile Phones,” in Security Technology, D. Ślzak, us/en/local/pdf/whitepapers/[Link]
T.-h. Kim, W.-C. Fang, and K. P. Arnett, Eds. Springer Berlin [32] Trend Micro, “The Future of Threats and Threat
Heidelberg, 2009, vol. 58, ch. 30, pp. 242–249. Technologies. How the Landscape Is Changing,” 2011.
[5] S. Coorporation, “Symantec Internet Security Threat Report Volume [Online]. Available: http:// [Link]/imperia/md/content/
XVI,” Whitepaper, vol. 16, Apr 2011. us/trendwatch/ researchandanalysis/trend micro 2010 future threat
[6] Kasperksy Lab, “Popular Porn Sites Distribute a New Trojan report [Link]
Targeting Android Smartphones,” 2010. [Online]. Available: http: [33] R. Leszczyna, I. N. Fovino, and M. Masera, “MAISim: mobile agent
//[Link]/news?id=207576175 malware simulator,” in Proceedings of the 1st international conference
[7] C. Papathanasiou and N. J. Percoco, “This is not the droid you’re on Simulation tools and techniques for communications, networks and
looking for...” in DEFCON 18, July 2010. systems & workshops, ser. Simutools ’08. ICST, Brussels, Belgium,
[8] J. Bickford, R. O’Hare, A. Baliga, V. Ganapathy, and L. Iftode, Belgium: ICST (Institute for Computer Sciences, Social-Informatics
“Rootkits on smart phones: attacks, implications and opportunities,” and Telecommunications Engineering), 2008, pp. 35:1–35:6.
in Proceedings of the Eleventh Workshop on Mobile Computing [34] G. Hogben and M. Dekker, “Smartphones: Information security risks,
Systems & Applications, ser. HotMobile ’10. New York, NY, opportunities and recommendations for users,” European Network and
USA: ACM, 2010, pp. 49–54. Information Security Agency, 710 01 Heraklion - Crete - Greece,
[9] D. Damopoulos, G. Kambourakis, and S. Gritzalis, “iSAM: An Tech. Rep., December 2010.
iPhone Stealth Airborne Malware,” in Future Challenges in Security [35] P. M. Milligan and D. Hutcheson, “Business risks and security
and Privacy for Academia and Industry, ser. IFIP Advances in In- assessment for mobile devices,” in MCBE’07: Proceedings of the 8th
formation and Communication Technology, J. Camenisch, S. Fischer- Conference on 8th WSEAS Int. Conference on Mathematics and Com-
Hübner, Y. Murayama, A. Portmann, and C. Rieder, Eds. Springer puters in Business and Economics. Stevens Point, Wisconsin, USA:
Boston, 2011, vol. 354, ch. 2, pp. 17–28. World Scientific and Engineering Academy and Society (WSEAS),
[10] A. Gostev, “Mobile malware evolution: An overview,” Kaspersky 2007, pp. 189–193.
Labs Report on Mobile Viruses, 2006. [36] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, “A
[11] M. Hypponen, “Malware Goes Mobile,” Scientific American, vol. 295, survey of mobile malware in the wild,” in Proceedings of the 1st
no. 5, pp. 46–53, 2006. ACM workshop on Security and privacy in smartphones and mobile
[12] G. Lawton, “Is It Finally Time to Worry about Mobile Malware?” devices, ser. SPSM ’11. New York, NY, USA: ACM, 2011, pp. 3–14.
Computer, vol. 41, pp. 12–14, May 2008. [Online]. Available: [Link]
[13] M. Hypponen, “Mobile Security Review September 2010,” F-Secure [37] R. A. Botha, S. M. Furnell, and N. L. Clarke, “From desktop
Labs, HelsinkiFinland, Tech. Rep., September 2010. to mobile: Examining the security experience,” Computers &
[14] A.-D. Schmidt and S. Albayrak, “Malicious Software for Smart- Security, vol. 28, no. 3-4, pp. 130–137, 2009. [Online]. Available:
phones,” Technische Universität Berlin - DAI-Labor, Tech. Rep. TUB- [Link] 4TYJTT6-1/2/
DAI 02/08-01, February 2008, [Link] 335760cc014d6e724fd8d188942025e6
[15] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, [38] C. R. Mulliner, “Security of Smart Phones,” Master’s thesis, Univer-
“Survey of Mobile Malware in the Wild,” 2011. [Online]. Available: sity of California, Santa Barbara, 2006.
[Link] afelt/[Link] [39] G. Portokalidis, P. Homburg, N. FitzRoy-Dale, K. Anagnostakis, and
[16] N. Leavitt, “Mobile Phones: The Next Frontier for Hackers?” Com- H. Bos, “Protecting smart phones by means of execution replication,”
puter, vol. 38, pp. 20–23, April 2005. Vrije Universiteit Amsterdam, Tech. Rep., 2009.
[17] F-Secure, “Liberty (Palm),” Aug 2000. [Online]. Available: http: [40] M. Becher, F. C. Freiling, J. Hoffmann, T. Holz, S. Uellenbeck, and
//[Link]/v-descs/lib [Link] C. Wolf, “Mobile Security Catching Up? Revealing the Nuts and Bolts
[18] , “Bluetooth-Worm:SymbOS/Cabir,” Jun 2004. [Online]. of the Security of Mobile Devices,” in Proceedings IEEE Security and
Available: [Link] [Link] Privacy, May 2011.
[19] McAfee Labs, “Mobile Security Report 2009,” 2009. [41] J. Oberheide, K. Veeraraghavan, E. Cooke, J. Flinn, and F. Jaha-
[Online]. Available: [Link] com/us/resources/reports/ nian, “Virtualized in-cloud security services for mobile devices,”
[Link] in Proceedings of the First Workshop on Virtualization in Mobile
[20] S. Töyssy and M. Helenius, “About malicious software in smart- Computing, ser. MobiVirt ’08. New York, NY, USA: ACM, 2008,
phones,” Journal in Computer Virology, vol. 2, no. 2, pp. 109–119, pp. 31–35.
2006. [42] J. Oberheide and F. Jahanian, “When mobile is harder than fixed
[21] S. Viveros, “The economic impact of malicious code in wireless (and vice versa): demystifying security challenges in mobile en-
mobile networks,” in 3G Mobile Communication Technologies, 2003. vironments,” in Proceedings of the Eleventh Workshop on Mobile
3G 2003. 4th International Conference on (Conf. Publ. No. 494), Jun Computing Systems & Applications, ser. HotMobile ’10. New
2003, pp. 1–6. York, NY, USA: ACM, 2010, pp. 43–48.
[22] K. Dunham, Mobile malware attacks and defense. Syngress, 2008. [43] M. Becher and F. C. Freiling, “Towards dynamic malware analysis
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 23

to increase mobile device security,” in Proc. of SICHERHEIT, 2008. wireless worms between mobile devices,” Physica A: Statistical
[44] A. Makhlouf and N. Boudriga, “Intrusion and anomaly detection in Mechanics and its Applications, vol. 387, no. 27, pp. 6837–6844,
wireless networks,” in Handbook of Research on Wireless Security, 2008. [Online]. Available: [Link] [Link]/science/
Y. Zhan, J. Zheng, and M. Ma, Eds. Information Science Publishing, article/pii/S0378437108007772
2008. [65] C. Fleizach, M. Liljenstam, P. Johansson, G. M. Voelker, and
[45] K. Haataja, “Security threats and countermeasures in Bluetooth- A. Mehes, “Can you infect me now?: malware propagation in mobile
enabled systems,” Ph.D. dissertation, Department of Computer Sci- phone networks,” in WORM ’07: Proceedings of the 2007 ACM
ence, University of Kuopio, 2009. workshop on Recurring malcode. New York, NY, USA: ACM, 2007,
[46] Y. L. Ho and S.-H. Heng, “Mobile and ubiquitous malware,” in pp. 61–68.
MoMM ’09: Proceedings of the 7th International Conference on [66] G. Yan, H. D. Flores, L. Cuellar, N. Hengartner, S. Eidenbenz, and
Advances in Mobile Computing and Multimedia. New York, NY, V. Vu, “Bluetooth worm propagation: mobility pattern matters!” in
USA: ACM, 2009, pp. 559–563. ASIACCS ’07: Proceedings of the 2nd ACM symposium on Informa-
[47] A. Bose, X. Hu, K. G. Shin, and T. Park, “Behavioral detection of tion, computer and communications security. New York, NY, USA:
malware on mobile handsets,” in MobiSys ’08: Proceeding of the ACM, 2007, pp. 32–44.
6th international conference on Mobile systems, applications, and [67] G. Yan and S. Eidenbenz, “Bluetooth Worms: Models, Dynamics,
services. New York, NY, USA: ACM, 2008, pp. 225–238. and Defense Implications,” in ACSAC ’06: Proceedings of the 22nd
[48] A.-D. Schmidt, F. Peters, F. Lamour, C. Scheel, S. A. Çamtepe, and Annual Computer Security Applications Conference. Washington,
S. Albayrak, “Monitoring smartphones for anomaly detection,” Mob. DC, USA: IEEE Computer Society, 2006, pp. 245–256.
Netw. Appl., vol. 14, no. 1, pp. 92–106, 2009. [68] Y. Bulygin, “Epidemics of Mobile Worms,” Performance, Computing,
[49] L. Xie, X. Zhang, J.-P. Seifert, and S. Zhu, “pBMDS: a behavior- and Communications Conference, 2002. 21st IEEE International,
based malware detection system for cellphone devices,” in Proceed- vol. 0, pp. 475–478, 2007.
ings of the Third ACM Conference on Wireless Network Security, [69] J. W. Mickens and B. D. Noble, “Analytical Models for Epidemics
WISEC 2010, Hoboken, New Jersey, USA, March 22-24, 2010. ACM, in Mobile Networks,” in WIMOB ’07: Proceedings of the Third
2010, pp. 37–48. IEEE International Conference on Wireless and Mobile Computing,
[50] M. Becher and F. C. Freiling, “Towards Dynamic Malware Analysis Networking and Communications. Washington, DC, USA: IEEE
to Increase Mobile Device Security,” in Sicherheit 2008: Sicherheit, Computer Society, 2007, p. 77.
Schutz und Zuverlässigkeit. Konferenzband der 4. Jahrestagung des [70] G. Yan and S. Eidenbenz, “Modeling Propagation Dynamics of
Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 2.- Bluetooth Worms (Extended Version),” IEEE Transactions on Mobile
4. April 2008 im Saarbrücker Schloss, ser. LNI, vol. 128. GI, 2008, Computing, vol. 8, pp. 353–368, 2009.
pp. 423–433. [71] J. Su, K. K. W. Chan, A. G. Miklas, K. Po, A. Akhavan, S. Saroiu,
[51] P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, P. McDaniel, and E. de Lara, and A. Goel, “A preliminary investigation of worm
T. La Porta, “On cellular botnets: measuring the impact of malicious infections in a bluetooth environment,” in WORM ’06: Proceedings
devices on a cellular network core,” in CCS ’09: Proceedings of the of the 4th ACM workshop on Recurring malcode. New York, NY,
16th ACM conference on Computer and communications security. USA: ACM, 2006, pp. 9–16.
New York, NY, USA: ACM, 2009, pp. 223–234. [72] M. Becher, F. C. Freiling, and B. Leider, “On the Effort to Create
[52] W. Enck, P. Traynor, P. McDaniel, and T. La Porta, “Exploiting open Smartphone Worms in Windows Mobile,” in Information Assurance
functionality in SMS-capable cellular networks,” in Proceedings of and Security Workshop, 2007. IAW ’07. IEEE SMC, june 2007, pp.
the 12th ACM conference on Computer and communications security, 199–206.
ser. CCS ’05. New York, NY, USA: ACM, 2005, pp. 393–404. [73] A. Lelli, “A Smart Worm for a Smartphone [Link].A,”
[53] V. Bocan and V. Cretu, “Security and Denial of Service Threats in 2009. [Online]. Available: [Link]
GSM Networks,” Periodica Politechnica, Transactions on Automatic smart-worm- smartphone-wincepmcryptica
Control and Computer Science, vol. 49, no. 63, 2004. [74] A. R. Flø and A. Jøsang, “Consequences of botnets spreading to
[54] C. Xenakis, “Malicious actions against the GPRS technology,” Jour- mobile devices,” in 14th Nordic Conference on Secure IT Systems,
nal in Computer Virology, vol. 2, no. 2, pp. 121–133, 2006. 2009, pp. 37–43.
[55] J. R. Rao, P. Rohatgi, H. Scherzer, and S. Tinguely, “Partitioning [75] K. Singh, S. Sangal, N. Jain, P. Traynor, and W. Lee, “Evaluating
Attacks: Or How to Rapidly Clone Some GSM Cards,” in Proceedings Bluetooth as a medium for botnet command and control,” in Proceed-
of the 2002 IEEE Symposium on Security and Privacy. Washington, ings of the 7th international conference on Detection of intrusions
DC, USA: IEEE Computer Society, 2002, pp. 31–. and malware, and vulnerability assessment, ser. DIMVA’10. Berlin,
[56] G. Kambourakis, C. Kolias, S. Gritzalis, and J. H. Park, “DoS attacks Heidelberg: Springer-Verlag, 2010, pp. 61–80.
exploiting signaling in UMTS and IMS,” Computer Communications, [76] K. G. S. Yuanyuan Zeng, Xin Hu, “How to Construct a Mobile
vol. 34, no. 3, pp. 226–235, 2011. Botnet?” in The 40th Annual IEEE/IFIP International Conference
[57] A. Bose and K. G. Shin, “Proactive security for mobile messaging on Dependable Systems and Networks (DSN 2010), 2010.
networks,” in WiSe ’06: Proceedings of the 5th ACM workshop on [77] C. Mulliner and J.-P. Seifert, “Rise of the iBots: Owning a telco
Wireless security. New York, NY, USA: ACM, 2006, pp. 95–104. network,” in Malicious and Unwanted Software (MALWARE), 2010
[58] Z. Zhu, G. Cao, S. Zhu, S. Ranjan, and A. Nucci, “A Social Network 5th International Conference on, Oct 2010, pp. 71–80.
Based Patching Scheme for Worm Containment in Cellular Net- [78] P. A. Porras, H. Saı̈di, and V. Yegneswaran, “An Analysis of the
works,” in INFOCOM 2009. 28th IEEE International Conference on iKee.B iPhone Botnet,” in Security and Privacy in Mobile Information
Computer Communications, Joint Conference of the IEEE Computer and Communication Systems - Second International ICST Conference,
and Communications Societies, 19-25 April 2009, Rio de Janeiro, MobiSec 2010, Catania, Sicily, Italy, May 27-28, 2010, Revised
Brazil, 2009, pp. 1476–1484. Selected Papers, ser. Lecture Notes of the Institute for Computer
[59] A. Bose and K. G. Shin, “On Mobile Viruses Exploiting Messaging Sciences, Social Informatics and Telecommunications Engineering,
and Bluetooth Services,” in Securecomm and Workshops, 2006, Sept A. U. Schmidt, G. Russello, A. Lioy, N. R. Prasad, and S. Lian,
2006, pp. 1–10. Eds., vol. 47. Springer, 2010, pp. 141–152.
[60] U. Meyer and S. Wetzel, “A man-in-the-middle attack on UMTS,” [79] A. Apvrille, “Symbian Worm Yxes: Towards Mobile Botnets?” in
in Proceedings of the 3rd ACM workshop on Wireless security, ser. The 19th EICAR Annual Conference, May 2010, pp. 31–54.
WiSe ’04. New York, NY, USA: ACM, 2004, pp. 90–97. [80] M. Ballano, “Android Threats Getting Steamy,” Feb 2011.
[61] M. Khan, A. Ahmed, and A. R. Cheema, “Vulnerabilities of UMTS [Online]. Available: [Link] com/connect/blogs/
Access Domain Security Architecture,” in Proceedings of the 2008 android-threats-getting-steamy
Ninth ACIS International Conference on Software Engineering, Arti- [81] M. Becher, “Security of Smartphones at the Dawn of their Ubiqui-
ficial Intelligence, Networking, and Parallel/Distributed Computing. tousness,” Ph.D. dissertation, Universität Mannheim, 2009.
Washington, DC, USA: IEEE Computer Society, 2008, pp. 350–355. [82] Techie Buzz, “Android Data Theft Vulnerability Detailed,”
[62] C. Guo, H. J. Wang, and W. Zhu, “Smart-phone attacks and defenses,” 2011. [Online]. Available: [Link]
in HotNets III. Citeseer, 2004. android-data-theft- [Link]
[63] J. W. Mickens and B. D. Noble, “Modeling epidemic spreading in [83] L. Whitney, “Apple sued over privacy in iPhone, iPad
mobile environments,” in WiSe ’05: Proceedings of the 4th ACM apps,” 2011. [Online]. Available: [Link]
workshop on Wireless security. New York, NY, USA: ACM, 2005, [Link]
pp. 77–86. [84] N. Seriot, “iPhone Privacy,” Black Hat DC, 2010. [Online].
[64] C. Rhodes and M. Nekovee, “The opportunistic transmission of Available: [Link] papers/[Link]
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
24 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

[85] S. Bhatt, R. Sion, and B. Carbunar, “A personal mobile DRM manager Available: [Link] mobile security
for smartphones,” Computers & Security, vol. 28, no. 6, pp. 327–340, [108] ESET, “ESET Mobile Security,” 2011. [Online]. Available: http:
2009. //[Link]/us/home/products/mobile-security/
[86] R. P. Minch, “Privacy Issues in Location-Aware Mobile Devices,” [109] Lookout, “Lookout Mobile Security,” 2011. [Online]. Available:
in Proceedings of the Proceedings of the 37th Annual Hawaii In- [Link]
ternational Conference on System Sciences (HICSS’04) - Track 5 - [110] C. Xenakis and L. Merakos, “Vulnerabilities and Possible Attacks
Volume 5. Washington, DC, USA: IEEE Computer Society, 2004, Against the GPRS Backbone Network,” in Critical Information
pp. 50 127.2–. Infrastructures Security, ser. Lecture Notes in Computer Science,
[87] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, J. Lopez, Ed. Springer Berlin / Heidelberg, 2006, vol. 4347, pp.
and A. N. Sheth, “TaintDroid: an information-flow tracking system 262–272.
for realtime privacy monitoring on smartphones,” in Proceedings [111] B. Sun, Y. Xiao, and K. Wu, “Intrusion Detection in Cellular
of the 9th USENIX conference on Operating systems design and Mobile Networks,” in Wireless Network Security, ser. Signals and
implementation, ser. OSDI’10. Berkeley, CA, USA: USENIX Communication Technology, Y. Xiao, X. S. Shen, and D.-Z. Du, Eds.
Association, 2010, pp. 1–6. Springer US, 2007, pp. 183–210.
[88] M. Egele, C. Kruegel, E. Kirda, and G. Vigna, “PiOS: Detecting [112] G. W. Chow and A. Jones, “A Framework for Anomaly Detection in
Privacy Leaks in iOS Applications,” in Proceedings of the Network OKL4-Linux Based Smartphones,” in Australian Information Security
and Distributed System Security Symposium (NDSS), San Diego, CA, Management Conference, 2008.
February 2011. [113] A. Shabtai, U. Kanonov, and Y. Elovici, “Intrusion detection for
[89] S. Whitehead, J. Mailley, I. Storer, J. McCardle, G. Torrens, and mobile devices using the knowledge-based, temporal abstraction
G. Farrell, “IN SAFE HANDS: A Review of Mobile Phone Anti- method,” J. Syst. Softw., vol. 83, no. 8, pp. 1524–1537, 2010.
theft Designs,” European Journal on Criminal Policy and Research, [114] D. Damopoulos, S. A. Menesidou, G. Kambourakis, M. Papadaki,
vol. 14, pp. 39–60, 2008. N. Clarke, and S. Gritzalis, “Evaluation of anomaly-based IDS for
[90] A. Portnoy, “Pwn2Own 2010,” 2010. [Online]. Available: http: mobile devices using machine learning classifiers,” Security and
//[Link]/blog/2010/ 02/15/pwn2own-2010 Communication Networks, vol. 5, no. 1, pp. 3–14, 2012. [Online].
[91] L. Cai, S. Machiraju, and H. Chen, “Defending against sensor-sniffing Available: [Link]
attacks on mobile phones,” in Proceedings of the 1st ACM workshop [115] A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, and Y. Weiss,
on Networking, systems, and applications for mobile handhelds, ser. “”Andromaly”: a behavioral malware detection framework for
MobiHeld ’09. New York, NY, USA: ACM, 2009, pp. 31–36. android devices,” Journal of Intelligent Information Systems,
[92] N. Xu, F. Zhang, Y. Luo, W. Jia, D. Xuan, and J. Teng, “Stealthy pp. 1–30, 2011, 10.1007/s10844-010-0148-x. [Online]. Available:
video capturer: a new video-based spyware in 3G smartphones,” in [Link]
Proceedings of the second ACM conference on Wireless network [116] I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani, “Crowdroid:
security, ser. WiSec ’09. New York, NY, USA: ACM, 2009, pp. behavior-based malware detection system for Android,” in
69–78. Proceedings of the 1st ACM workshop on Security and privacy
[93] R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia, and in smartphones and mobile devices, ser. SPSM ’11. New
X. Wang, “Soundminer: A Stealthy and Context-Aware Sound Trojan York, NY, USA: ACM, 2011, pp. 15–26. [Online]. Available:
for Smartphones,” in Proceedings of the 18th Annual Network & [Link]
Distributed System Security Symposium (NDSS), Feb. 2011. [117] G. A. Jacoby, R. Marchany, and N. J. D. IV, “How Mobile Host
[94] W. Enck, M. Ongtang, and P. McDaniel, “On lightweight mobile Batteries Can Improve Network Security,” IEEE Security and Privacy,
phone application certification,” in CCS ’09: Proceedings of the 16th vol. 4, pp. 40–49, 2006.
ACM conference on Computer and communications security. New [118] L. Liu, G. Yan, X. Zhang, and S. Chen, “VirusMeter: Preventing
York, NY, USA: ACM, 2009, pp. 235–245. Your Cellphone from Spies,” in RAID ’09: Proceedings of the 12th
[95] M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel, “Seman- International Symposium on Recent Advances in Intrusion Detection.
tically Rich Application-Centric Security in Android,” in Computer Berlin, Heidelberg: Springer-Verlag, 2009, pp. 244–264.
Security Applications Conference, 2009. ACSAC ’09. Annual, dec. [119] Q. Yan, R. H. Deng, Y. Li, and T. Li, “On the Potential of Limitation-
2009, pp. 340–349. oriented Malware Detection and Prevention Techniques on Mobile
[96] E. Naone, “SMS of Death Could Crash Many Mobile Phones,” Phones,” International Journal of Security and Its Applications
2011. [Online]. Available: [Link] [Link]/printer (IJSIA), vol. 4(1), pp. 21–30, Jan 2010.
friendly [Link]?id =27021 [120] D. Venugopal, G. Hu, and N. Roman, “Intelligent virus detection on
[97] H. Kim, J. Smith, and K. G. Shin, “Detecting energy-greedy anoma- mobile devices,” in PST ’06: Proceedings of the 2006 International
lies and mobile malware variants,” in MobiSys ’08: Proceeding of Conference on Privacy, Security and Trust. New York, NY, USA:
the 6th international conference on Mobile systems, applications, and ACM, 2006, pp. 1–4.
services. New York, NY, USA: ACM, 2008, pp. 239–252. [121] L. Xie, H. Song, T. Jaeger, and S. Zhu, “A systematic approach for
[98] L. Liu, X. Zhang, G. Yan, and S. Chen, “Exploitation and threat anal- cell-phone worm containment,” in WWW ’08: Proceeding of the 17th
ysis of open mobile devices,” in Proceedings of the 5th ACM/IEEE international conference on World Wide Web. New York, USA:
Symposium on Architectures for Networking and Communications ACM, 2008, pp. 1083–1084.
Systems, ser. ANCS ’09. New York, NY, USA: ACM, 2009, pp. [122] L. Xie, X. Zhang, A. Chaugule, T. Jaeger, and S. Zhu, “Designing
20–29. System-Level Defenses against Cellphone Malware,” in SRDS ’09:
[99] R. Racic, D. Ma, and H. Chen, “Exploiting MMS Vulnerabilities Proceedings of the 2009 28th IEEE International Symposium on Re-
to Stealthily Exhaust Mobile Phone’s Battery,” in Securecomm and liable Distributed Systems. Washington, DC, USA: IEEE Computer
Workshops, 2006, aug. 2006, pp. 1–10. Society, 2009, pp. 83–90.
[100] D. Johnston and J. Walker, “Overview of IEEE 802.16 security,” [123] G. Zyba, G. M. Voelker, M. Liljenstam, A. Méhes, and P. Johansson,
Security Privacy, IEEE, vol. 2, no. 3, pp. 40–48, may-june 2004. “Defending Mobile Phones from Proximity Malware,” in INFOCOM
[101] T. Engel, “Remote SMS/MMS Denial of Service - Curse Of 2009. 28th IEEE International Conference on Computer Communica-
Silence for Nokia S60 phones,” Dec 2008. [Online]. Available: tions, Joint Conference of the IEEE Computer and Communications
[Link] tobias/[Link] Societies, 19-25 April 2009, Rio de Janeiro, Brazil. IEEE, 2009, pp.
[102] C. Mulliner and C. Miller, “Injecting SMS messages into smart 1503–1511.
phones for security analysis,” in WOOT’09: Proceedings of the 3rd [124] C. Bauckhage, T. Alpcan, and A.-D. Schmidt, “A Probabilistic Diffu-
USENIX conference on Offensive technologies. Berkeley, CA, USA: sion Scheme for Anomaly Detection on Smartphones,” in Proceedings
USENIX Association, 2009, pp. 5–5. of the Fourth International Workshop in Information Security Theory
[103] McAfee, “WaveSecure,” 2011. [Online]. Available: [Link] and Practice 2010 (WISTP’10), ser. Lecture Notes in Computer
[Link]/ Science. Springer, 2010, pp. 31–46.
[104] Norton, “Norton Mobile Security Lite,” 2011. [Online]. Available: [125] D. R. Ellis, J. G. Aiken, K. S. Attwood, and S. D. Tenaglia, “A
[Link] behavioral approach to worm detection,” in WORM ’04: Proceedings
[105] IIT-CNR, “iCareMobile,” 2011. [Online]. Available: http: of the 2004 ACM workshop on Rapid malcode. New York, NY,
//[Link]/ USA: ACM, 2004, pp. 43–53.
[106] BullGuard Ltd, “BullGuard Mobile Security 10,” 2011. [Online]. [126] A. Castrucci, F. Martinelli, P. Mori, and F. Roperti, “Enhancing Java
Available: [Link] ME Security Support with Resource Usage Monitoring,” in Informa-
[107] Kaspersky Lab ZAO, “Kaspersky Mobile Security 9,” 2011. [Online]. tion and Communications Security, 10th International Conference,
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
LA POLLA et al.: A SURVEY ON SECURITY FOR MOBILE DEVICES 25

ICICS 2008, Birmingham, UK, October 20-22, 2008, Proceedings, 2009. AINA ’09. International Conference on, may 2009, pp. 838–
ser. Lecture Notes in Computer Science, L. Chen, M. D. Ryan, and 844.
G. Wang, Eds., vol. 5308. Springer, 2008, pp. 256–266. [145] J. de Haas, “Symbian phone Security,” 2005. [Online].
[127] N. Dragoni, F. Massacci, K. Naliuka, and I. Siahaan, “Security- Available: [Link] presentations/bh-europe-05/
by-Contract: Toward a Semantics for Digital Signatures on Mobile BH EU [Link]
Code,” in Public Key Infrastructure, 4th European PKI Workshop: [146] A.-D. Schmidt, H.-G. Schmidt, J. Clausen, K. A. Yksel, O. Ki-
Theory and Practice, EuroPKI 2007, Palma de Mallorca, Spain, June raz, A. Camtepe, and S. Albayrak, “Enhancing Security of Linux-
28-30, 2007, Proceedings, ser. Lecture Notes in Computer Science, based Android Devices,” in Proceedings of 15th International Linux
vol. 4582. Springer, 2007, pp. 297–312. Kongress. Lehmann, Oct 2008.
[128] N. Dragoni, F. Martinelli, F. Massacci, P. Mori, C. Schaefer, T. Wal- [147] A.-D. Schmidt, H.-G. Schmidt, L. Batyuk, J. H. Clausen, S. A.
ter, and E. Vetillard, “Security-by-Contract (SxC) for Software and Camtepe, S. Albayrak, and C. Yildizli, “Smartphone Malware Evo-
Services of Mobile Systems,” in At your service: Service Engineering lution Revisited: Android Next Target?” in Proceedings of the 4th
in the Information Society Technologies Program. MIT press, 2008. IEEE International Conference on Malicious and Unwanted Software
[129] G. Costa, N. Dragoni, A. Lazouski, F. Martinelli, F. Massacci, and (Malware 2009). IEEE, 2009, pp. 1–7.
I. Matteucci, “Extending Security-by-Contract with Quantitative Trust [148] A.-D. Schmidt, R. Bye, H.-G. Schmidt, K. A. Yksel, O. Kiraz,
on Mobile Devices,” Complex, Intelligent and Software Intensive J. Clausen, K. Raddatz, A. Camtepe, and S. Albayrak, “Monitoring
Systems, International Conference, vol. 0, pp. 872–877, 2010. Android for Collaborative Anomaly Detection: A First Architectural
[130] J. Cheng, S. H. Wong, H. Yang, and S. Lu, “SmartSiren: virus Draft,” Technische Universität Berlin - DAI-Labor, Tech. Rep.
detection and alert for smartphones,” in MobiSys ’07: Proceedings TUB-DAI 08/08-02, Aug 2008. [Online]. Available: [Link]
of the 5th international conference on Mobile systems, applications [Link]/fileadmin/files/publications/080 8-02 DAI TechReport
and services. New York, NY, USA: ACM, 2007, pp. 258–271. Monitoring [Link]
[131] E. V. Ruitenbeek, T. Courtney, W. H. Sanders, and F. Stevens, [149] W. Enck, M. Ongtang, and P. McDaniel, “Understanding Android
“Quantifying the Effectiveness of Mobile Phone Virus Response Security,” IEEE Security and Privacy, vol. 7, pp. 50–57, January
Mechanisms,” in DSN ’07: Proceedings of the 37th Annual IEEE/IFIP 2009.
International Conference on Dependable Systems and Networks. [150] A. Shabtai, Y. Fledel, U. Kanonov, Y. Elovici, S. Dolev, and C. Glezer,
Washington, DC, USA: IEEE Computer Society, 2007, pp. 790–800. “Google Android: A Comprehensive Security Assessment,” IEEE
[132] M. Miettinen and P. Halonen, “Host-Based Intrusion Detection for Security and Privacy, vol. 8, pp. 35–44, 2010.
Advanced Mobile Devices,” in AINA ’06: Proceedings of the 20th [151] A. Shabtai, Y. Fledel, and Y. Elovici, “Securing Android-Powered
International Conference on Advanced Information Networking and Mobile Devices Using SELinux,” IEEE Security and Privacy, vol. 8,
Applications. Washington, DC, USA: IEEE Computer Society, 2006, pp. 36–44, May 2010.
pp. 72–76. [152] W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri, “A study
[133] C. Mulliner, G. Vigna, D. Dagon, and W. Lee, “Using Labeling to of Android application security,” in Proceedings of the 20th
Prevent Cross-Service Attacks Against Smart Phones,” in Proceedings USENIX conference on Security, ser. SEC’11. Berkeley, CA,
of the Conference on Detection of Intrusions and Malware, and USA: USENIX Association, 2011, pp. 21–21. [Online]. Available:
Vulnerability Assessment (DIMVA), ser. LNCS, vol. 4064. Berlin, [Link]
Germany: Springer, July 2006, pp. 91–108. [153] S. Dai, Y. Liu, T. Wang, T. Wei, and W. Zou, “Behavior-Based
[134] M. Becher and R. Hund, “Kernel-Level Interception and Applications Malware Detection on Mobile Phone,” in Wireless Communications
on Mobile Devices,” Department for Mathematics and Computer Networking and Mobile Computing (WiCOM), 2010 6th International
Science, University of Mannheim, Tech. Rep. TR-2008-003, 2009. Conference on, Sept 2010, pp. 1–4.
[135] A.-D. Schmidt, J. H. Clausen, S. A. Camtepe, and S. Albayrak, “De- [154] Y. Ikebe, T. Nakayama, M. Katagiri, S. Kawasaki, H. Abe, T. Shina-
tecting Symbian OS Malware through Static Function Call Analysis,” gawa, and K. Kato, “Efficient Anomaly Detection System for Mobile
in Proceedings of the 4th IEEE International Conference on Malicious Handsets,” in SECURWARE ’08: Proceedings of the 2008 Second
and Unwanted Software (Malware 2009). IEEE, 2009, pp. 15–22. International Conference on Emerging Security Information, Systems
[136] A.-D. Schmidt, R. Bye, H.-G. Schmidt, J. H. Clausen, O. Kiraz, and Technologies. Washington, DC, USA: IEEE Computer Society,
K. A. Yüksel, S. A. Çamtepe, and S. Albayrak, “Static Analysis 2008, pp. 154–160.
of Executables for Collaborative Malware Detection on Android,” in [155] D. Reisinger, “Android, iPhone Security: 10 Ways to Avoid Personal
Proceedings of IEEE International Conference on Communications, Data Theft,” 2011. [Online]. Available: [Link]
ICC 2009, Dresden, Germany, 14-18 June 2009. IEEE, 2009, pp. [156] X. Zhang, O. Aciiçmez, and J.-P. Seifert, “A trusted mobile phone
1–5. reference architecture via secure kernel,” in STC ’07: Proceedings of
[137] T. Isohara, K. Takemori, and I. Sasase, “Anomaly Detection on the 2007 ACM workshop on Scalable trusted computing. New York,
Mobile Phone Based Operational Behavior,” IPSJ Digital Courier, NY, USA: ACM, 2007, pp. 7–14.
vol. 4, no. 0, pp. 9–17, 2008. [157] D. Muthukumaran, A. Sawani, J. Schiffman, B. M. Jung, and
[138] S. Zahid, M. Shahzad, S. Khayam, and M. Farooq, “Keystroke-Based T. Jaeger, “Measuring integrity on mobile phone systems,” in SAC-
User Identification on Smart Phones,” in Recent Advances in Intrusion MAT ’08: Proceedings of the 13th ACM symposium on Access control
Detection, ser. Lecture Notes in Computer Science, E. Kirda, S. Jha, models and technologies. New York, NY, USA: ACM, 2008, pp.
and D. Balzarotti, Eds. Springer Berlin / Heidelberg, 2009, vol. 155–164.
5758, pp. 224–243. [158] X. Zhang, O. Aciiçmez, and J.-P. Seifert, “Building Efficient Integrity
[139] T. S. Yap and H. T. Ewe, “A Mobile Phone Malicious Software Measurement and Attestation for Mobile Phone Platforms,” in Secu-
Detection Model with Behavior Checker,” in Web and Communication rity and Privacy in Mobile Information and Communication Systems,
Technologies and Internet-Related Social Issues - HSI 2005, 3rd First International ICST Conference, MobiSec 2009, Turin, Italy, June
International Conference on [Link]@Internet, Tokyo, Japan, 3-5, 2009, Revised Selected Papers, ser. Lecture Notes of the Institute
July 27-29, 2005, Proceedings, ser. Lecture Notes in Computer for Computer Sciences, Social Informatics and Telecommunications
Science, vol. 3597. Springer, 2005, pp. 57–65. Engineering, vol. 17. Springer, 2009, pp. 71–82.
[140] C. Mulliner and G. Vigna, “Vulnerability Analysis of MMS User [159] Trusted Computing Group, “TCG TPM Main Part 1 Design Principles
Agents,” in Computer Security Applications Conference, 2006. AC- Specification Version 1.2, revision 62,” Oct 2003.
SAC ’06. 22nd Annual, dec. 2006, pp. 77–88. [160] , “TCG Mobile Reference Architecture Specification Version 1.0,
[141] G. Yan, S. Eidenbenz, and E. Galli, “SMS-Watchdog: Profiling Social Revision 1,” Jun 2007.
Behaviors of SMS Users for Anomaly Detection,” in RAID ’09: [161] R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn, “Design and
Proceedings of the 12th International Symposium on Recent Advances implementation of a TCG-based integrity measurement architecture,”
in Intrusion Detection. Berlin, Heidelberg: Springer-Verlag, 2009, in Proceedings of the 13th conference on USENIX Security Sympo-
pp. 202–223. sium - Volume 13, ser. SSYM’04. Berkeley, CA, USA: USENIX
[142] D. S. Troy Vennon, “Threat Analysis of the Android Market,” Association, 2004, pp. 16–16.
SMobile Systems, Tech. Rep., June 2010. [162] T. Jaeger, R. Sailer, and U. Shankar, “PRIMA: policy-reduced
[143] S. M. Habib, C. Jacob, and T. Olovsson, “An Analysis of the integrity measurement architecture,” in SACMAT ’06: Proceedings
Robustness and Stability of the Network Stack in Symbian-based of the eleventh ACM symposium on Access control models and
Smartphones,” Journal of Networks, vol. 4, no. 10, pp. 968–975, 2009. technologies. New York, NY, USA: ACM, 2006, pp. 19–28.
[144] T. Badura and M. Becher, “Testing the Symbian OS Platform Security [163] A. U. Schmidt, N. Kuntze, and M. Kasper, “On the Deployment of
Architecture,” in Advanced Information Networking and Applications, Mobile Trusted Modules,” in Wireless Communications and Network-
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
26 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION

ing Conference, 2008. WCNC 2008. IEEE, mar. 2008, pp. 3169–3174. Fabio Martinelli ([Link]. 1994, Ph.D. 1999) is a senior researcher of IIT-
[164] J. Grossschadl, T. Vejda, and D. Page, “Reassessing the TCG speci- CNR, Pisa, where he is the scientific coordinator of the security group. His
fications for trusted computing in mobile and embedded systems,” in main research interests involve security and privacy in distributed and mobile
Proceedings of the 2008 IEEE International Workshop on Hardware- systems and foundations of security and trust. He serves as PC-chair/organizer
Oriented Security and Trust. Washington, DC, USA: IEEE Computer in several international conferences/workshops. He is the co-initiator of the
Society, 2008, pp. 84–90. International Workshop series on Formal Aspects in Security and Trust
[165] O. Aciiçmez, A. Latifi, J.-P. Seifert, and X. Zhang, “A Trusted Mobile (FAST). He is serving as scientific co-director of the international research
Phone Prototype,” in Consumer Communications and Networking school on Foundations of Security Analysis and Design (FOSAD) since 2004
Conference, 2008. CCNC 2008. 5th IEEE, jan. 2008, pp. 1208–1209. edition. He chairs the WG on security and trust management (STM) of the
European Research Consortium in Informatics and Mathematics (ERCIM). He
usually manages R&D projects on information and communication security
and he is involved in several FP6/7 EU projects.

Mariantonietta La Polla received her Bachelor’s and Master’s degrees in

Computer Engineering from University of Pisa respectively in 2006 and
2010. Currently she is a Research Fellow at IIT-CNR, Pisa. She is also a
Ph.D. student in Information Engineering at the Engineering Ph.D. School Daniele Sgandurra received his [Link]. degree in Computer Science in 2006,
“Leonardo da Vinci”, University of Pisa. Her research interests include the and a Ph.D in Computer Science in 2010, both from the University of Pisa. He
study of techniques for Web acquisition and Web data analysis. is currently a PostDoc Researcher at IIT-CNR, Pisa, where his main research
fields include virtualization security, intrusion detection systems, critical
infrastructures and risk management, cloud security and mobile security.

View publication stats