UIC-ATC-ScalCom-CBDCom-IoP 2015

Enterprise Application Security in Android Devices Using Short Messaging Service under Unified Communication Framework

Souvik Chowdhury, Prasun Ghosal
Indian Institute of Engineering Science and Technology, Shibpur, Howrah 711103, India
{souvikcho, prasung}@gmail.com

Abstract— In the present era of IoT (Internet of Things), where billions of devices are to be connected and operated under a single communication framework, unified communication is evolving with each passing day, making its presence felt in several user scenarios such as display of presence information of email recipients, text and video chat through IM, etc. Users can avail information through various video channels. It enables customers to get data through various information channels and thus provides faster message delivery. However, this technology is widely used in laptops/computers. A recent study shows that the scope of developing this technology in mobile based environments is on the upper side. However, there are two major security concerns in using mobile devices for work purposes: first, preventing data theft / data corruption during data flow through the network, and second, preventing data theft when the mobile device is lost / misplaced. The first may easily be resolved by using cryptography APIs, encryption-decryption algorithms, etc. This paper focuses on the second aspect and tries to provide a unique way to solve the problem by using unified communication technologies, thereby minimizing the effect of losing mobile phones or other computing devices. This work tries to reduce the window time for stealing confidential data from a mobile phone. The idea is to develop a Short Messaging Service (SMS) based system and a web based application that interacts with a database and remotely wipes out the access rights of a mobile phone to the enterprise application, minimizing the data theft window.

I. INTRODUCTION

Due to the recent advent of the Internet of Things (IoT) over unified communication systems, the use of mobile phones and other types of handheld computing devices in various areas of business has increased day by day. A recent survey suggests that 7 out of 10 organizations rely more on mobile than they used to 12 months prior. Another survey, conducted by Vanson and Bourne on behalf of Carnegie Mellon University and McAfee among senior IT persons and business leaders, found that 48% of people use phones at their work. So we can see there is an upward trend in the number of mobile users. But there is one problem with using mobile phones at work [1]. As per the UK Govt., almost 5100 mobile phones were reportedly lost, causing a $2 billion financial loss to the companies, as those phones held company confidential data [2]. As per a recent study by Vanson Bourne, it is confirmed that almost 40% of enterprise employees lost their mobile phones, which contained business critical information.

So we require a proper way to protect this confidential data so as to reduce the cost incurred due to loss of a mobile phone.

The overall organization of the paper is as follows. Section II describes the existing available solutions to the above mentioned problem, thereby establishing the depth and significance of the present problem. Drawbacks of existing solution methodologies are pointed out in Section III. Primary objectives of the present work are described in Section IV. The proposed solution method is described and illustrated in Section V. Section VI establishes the advantages of the proposed solution compared to existing methods. Finally, Sections VII and VIII conclude the paper with possible future directions of research.

II. EXISTING AVAILABLE SOLUTION

Currently the following approaches for safeguarding against this loss are available.

1. User can wipe off/reset device to factory settings from some website.
2. User can call telecom customer care to block their SIM.
3. User can send a request for revoking access to the administrator through some media like telephone or email.
4. User can access their enterprise's website to provision/de provision mobile access [3][4].

Below is the list of some available solutions in the market and their demerits.

978-1-4673-7211-4/15 $31.00 © 2015 IEEE DOI 10.1109/UIC-ATC-ScalCom-CBDCom-IoP.2015.140

TABLE I. AVAILABLE SOLUTION IN MARKET

| Solution Provider | Features | Demerits |
|---|---|---|
| YouGetItBack.com | 1. SMS lock code from another mobile to lock the device. 2. Lock lost device from their website. | 1. Does not work for phones powered by Android, iOS. 2. Accessing their website to lock the device is time consuming. |
| Microsoft | Lock and erase using email account deployed on Microsoft Exchange Server. | 1. Accessing email and then locking gives a larger data theft window. 2. Can't work on email accounts configured on other servers (e.g. IBM Lotus Notes, Zimbra etc.). |
| Lookout Mobile Security | Lock and erase data on mobile device. | 1. It works only for Android and iOS devices. 2. It works on GPS method. However, in mobile phones GPS tracking can be switched off. In that case it won't work. |

III. DRAWBACKS OF EXISTING AVAILABLE SOLUTION

Drawbacks of existing available solutions may be summarized as follows.

1. It is time consuming for a user to access a computer, go to an internet site and reset the device to factory settings. It provides enough time for a miscreant to steal confidential information.
2. It is time consuming to block data traffic from the device even if the telecom operator is informed immediately, which also provides a large window for data theft. Moreover, even if data traffic is blocked, a miscreant can use a new SIM and access the enterprise application, since access to the enterprise application does not depend on the SIM.
3. Deploying an administrator 24 X 7 is costly.
4. The approach given in the paper also has a disadvantage. Suppose a user goes to a remote place where his phone has been lost and he does not have internet access there [5].

IV. PROPOSED OBJECTIVE

From the above discussion it is clear that the need to develop a proper framework to get rid of such losses has increased. There is an existing system where, if a user has lost a phone, the user can call customer care and they can lock the SIM (Subscriber Identity Module). But this provides miscreants a huge window that will cause considerable loss. Another option is that there exist some websites where the user can wipe off the confidential information from the phone. But that also leaves a large window for other persons to steal data, since it requires internet support and a computer. So the objective of this work is to develop a Short Messaging Service (SMS) based system and a web based application that can interact with a database and remotely wipe out the access rights of a mobile phone to the enterprise application and minimize the data theft window [6].

Initially the authors tried setting up an Interactive Voice Response System (IVRS) based system. However, IVRS has several disadvantages:

1. Setting up an Interactive Voice Response System (IVRS) incurs a huge cost.
2. For IVRS setup one needs to allocate a different machine for the IVRS.
3. IVRS also provides a larger theft window than SMS, since the user needs to call a toll free number and then authenticate themselves before the access right can be revoked [7].

Setting up an SMS based system provides advantages over an IVRS based system. It is cheap, reliable, simple and non voice based. SMS connects many people around the world through text messaging and social networking websites, and SMS is more reliable than mobile instant messengers. SMS is also good for hearing impaired people, since they feel more comfortable with SMS than with IVRS. SMS can work in lower network availability, where it is tough for IVRS to work since the user needs to call a toll free number [8].

V. SUGGESTED SOLUTION

The solution provided here overcomes the drawbacks mentioned by providing an easy way to prevent access to the enterprise application portal through Android devices. The solution works without any human intervention. It is the optimum solution for the security of enterprise confidential information on a lost/misplaced mobile device.

The solution is to develop a web and SMS based application that can revoke access rights from Android smart phones. A web based application is chosen since it has several advantages. A web based application can be accessed from any mobile browser without changing the code. There is no need to develop an application based on the mobile platform. The latest advances in HTML5 technology provide a local storage facility that gives rich content support [9] [10].

The authors have developed entirely packaged software that can be interfaced with any existing application. This software can't work independently and needs to be interfaced with an existing application, from which it will pull data. The service of remotely wiping off access rights is thereby provided using both internet and SMS setup, by dividing it into three parts.

A. Device provisioning method
B. Serving Mobile Request
C. Device de provisioning method

A. Device provisioning method

There will be a portal where the user needs to seek permission for accessing some applications from the user's phone by giving inputs like name of owner, email id, mobile no, IMEI no of handset, alternate no etc. Users need to register through their Android device only, from a predefined Android app. A user can access the applications only if approved by the administrator.

So whenever an end user registers his/her mobile through the Device Provisioning portal, an access request will be generated which is subject to approval from the owner of this app. After approval his/her device information will be stored in the database and an automatic SMS PIN will be generated and sent to the user profile. The Access Available entry will be updated as Y, as shown in Fig 1.

Fig. 1. Provisioning through Android App

B. Serving Mobile Requests

When a web request comes in, it is checked whether the device has the access right or not. Based on the data, a proper response is given back to the user as shown in Fig 2. However to enhance performance the above table can be stored in database cache. Since all user requests are hitting this table

Fig. 2. Serving Mobile Request

C. Device de provisioning method

Once a user's mobile is lost he/she has two options as follows.

1. Log in to the web portal using internet connectivity and then wipe off data and revoke access to the apps from the mobile as shown in Fig. 3.
2. If he/she does not have that option, then he/she can send an SMS to a predefined number, and the SMS content will be his/her SMS id generated during the approval process, as shown in Fig 4.

Fig. 3. Device de provisioning through Android app/portal

Fig. 4. Device de provisioning through SMS

Some approach is already there for the first option, but the second approach not only reduces the window time for stealing confidential data but also adds a new dimension to the flexibility provided to end users. The architecture is shown in Figure 4.

VI. ER DIAGRAM OF PACKAGED SOFTWARE

The ER diagram of the packaged software may be represented as shown in Figure 5.

Fig. 5. ER Diagram
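An added example, not the authors' packaged software, of the provisioning, request-serving and SMS de-provisioning flow described in Section V. The table and column names, the 8-digit SMS id and the keyed digest stored in place of the id are assumptions; the cache eviction on revocation shows what the cached access table of part B needs so that it does not lengthen the data theft window.

```python
import hashlib
import hmac
import secrets
import sqlite3

SERVER_KEY = secrets.token_bytes(32)  # assumption: loaded from a secret store in production


def sms_id_mac(sms_id: str) -> str:
    """Keyed digest of the SMS id, so the database never holds the id in clear."""
    return hmac.new(SERVER_KEY, sms_id.strip().encode(), hashlib.sha256).hexdigest()


class AccessGate:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE device (imei TEXT PRIMARY KEY, owner TEXT, mobile_no TEXT,"
            " sms_id_mac TEXT NOT NULL, access_available TEXT NOT NULL DEFAULT 'N')"
        )
        self.cache = {}  # the cached access table of part B (hypothetical in-process form)

    def approve(self, imei: str, owner: str, mobile_no: str) -> str:
        """A. Provisioning: on approval store the device, issue the SMS id, set access to Y."""
        sms_id = f"{secrets.randbelow(10**8):08d}"  # assumption: 8-digit id
        self.db.execute(
            "INSERT INTO device VALUES (?, ?, ?, ?, 'Y')", (imei, owner, mobile_no, sms_id_mac(sms_id))
        )
        self.cache.pop(imei, None)  # drop any cached denial from before approval
        return sms_id  # delivered to the user; only its keyed digest is stored

    def has_access(self, imei: str) -> bool:
        """B. Serving a request: unknown and revoked devices are both denied."""
        if imei not in self.cache:
            row = self.db.execute(
                "SELECT access_available FROM device WHERE imei = ?", (imei,)
            ).fetchone()
            self.cache[imei] = row is not None and row[0] == "Y"
        return self.cache[imei]

    def handle_sms(self, body: str) -> list:
        """C. De-provisioning: the SMS body is the SMS id; returns the IMEIs revoked."""
        rows = self.db.execute(
            "SELECT imei FROM device WHERE sms_id_mac = ? AND access_available = 'Y'",
            (sms_id_mac(body),),
        ).fetchall()
        for (imei,) in rows:
            self.db.execute("UPDATE device SET access_available = 'N' WHERE imei = ?", (imei,))
            self.cache.pop(imei, None)  # evict, or the cached Y keeps the theft window open
        return [imei for (imei,) in rows]
```
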

VII. ADVANTAGES OF PROPOSED SOLUTION

Advantages of the proposed solution method may be summarized as follows. The novelty of the proposed approach is manifold.

1. Reduction in Data Theft Window

The data theft window may be defined as the phase between the enterprise user losing the device and access from that device being revoked on the enterprise application portal. This may incur loss if any miscreant finds the device within the data theft window. All other existing approaches have a larger window for data theft, which is not acceptable. Using a telephone to revoke access to the application from the device takes much less time and is the only option when you do not have internet access.

2. Decrease in Operational Cost

This solution suggests having a fully automatic system in which no manual intervention is required. So lesser operational cost is required, since the process between user and application is fully automated.

Therefore, based on the above discussions, conclusive remarks may be put as follows.

1. In this paper an overview of contemporary available solutions has been given. All the existing solutions lag in minimizing the data theft window.
2. The solution described in this paper not only reduces the data theft window but also reduces the operational cost by removing the human intervention required etc.
3. The solution ensures that access to the enterprise portal is revoked from lost mobile devices just after sending an SMS.
4. The SMS method is chosen since it is cost effective, very efficient and optimized [10].

1. In this proposed work the implementation has been done on the Android environment only. However, this can be extended to other mobile devices like iOS, Symbian and Windows enabled smart phones, as well as other smart and portable computing devices.
2. The application can currently support 9000 devices. However, this can be extended later for increased demand. Keeping in mind the IoT scenario, the scalability issue needs to be addressed in depth to make this pioneering solution applicable in the real IoT world.
3. Biometric security can be applied to enhance the security prospect.
4. In this work the main emphasis has been given to minimizing the data theft window and not to the security aspect of data flowing through the network. Different standard encryption-decryption techniques that are already in use may be integrated to construct a strong as well as robust secured system.

REFERENCES

1. N. Meghanathan et al. (eds.) Advances in Computing & Inform. Technology, ASIC 177, pp. 135-143 springerlink.com
2. Cost of lost mobile device http://theemf.org/2010/12/03/whats-the-cost-of-lostmobile-device.html
3. Remote Wipe a mobile device. http://support.google.com/a/bin/answer.py?hl=en&answer=173390
4. Remote wipe using mobileme http://support.apple.com/kb/TS2734
5. Benefits of SMS based system http://www.mvaayoo.com/Sms_Based_Informationsystem_Advantages.html
6. Advantages of SMS http://computer.howstuffworks.com/e-mailmessaging/sms1.htm
7. Top 10 advantages of SMS https://www.callfire.com/blog/2012/05/15/top-tenadvantages-of-sms-text-marketing
8. Mobile Device Data Management in iOS http://www.apple.com/iphone/business/integration
9. Mobile Device Security http://www.darkreading.com/cloudsecurity/167901092/security/news/229625511/half-of-lostor-stolen-devices-store-sensitive-company-data.html
10. Enterprise Data Security http://www.infosecuritymagazine.com/view/14865/thousdans-ofmobile-devices-set-to-go-missing-overholidays.html
11. Fred A. Cummins. 2002. Enterprise Integration: Architecture for Enterprise Application and Systems Integration. John Wiley & Sons, Inc., New York, NY, USA.
12. Johnson, Pontus. "Enterprise Software System Integration–An Architectural Perspective." Ph. D. Thesis, Industrial Information and Control Systems, Royal Institute of Technology. 2002.
13. Venkatachalam, A. R. "A holistic perspective on enterprise integration." Journal of Information Technology Case and Application Research 8.1 (2006): 1-6.
14. Land, Rikard, and Ivica Crnkovic. "Software systems integration and architectural analysis-a case study." Software Maintenance, 2003. ICSM 2003. Proceedings. International Conference on. IEEE, 2003.