Elsevier

Computers & Security

Volume 28, Issues 3–4, May–June 2009, Pages 130-137
From desktop to mobile: Examining the security experience

https://doi.org/10.1016/j.cose.2008.11.001

Abstract

The use of mobile devices is becoming more commonplace, with data regularly able to make the transition from desktop systems to pocket and handheld devices such as smartphones and PDAs. However, although these devices may consequently contain or manipulate the same data, their security capabilities are not as mature as those offered in fully-fledged desktop operating systems. This paper explores the availability of security mechanisms from the perspective of a user who is security-aware in the desktop environment and wishes to consider utilising similar protection in a mobile context. Key issues of concern are whether analogous functionality can be found, and if so, whether it is offered in a manner that parallels the desktop experience (i.e. to ensure understanding and usability). The discussion is supported by an examination of the Windows XP and Windows Mobile environments, with specific consideration given to the facilities available for user authentication, secure connectivity, and content protection on the devices. It is concluded that although security aspects receive some attention, the provided means generally suffer from usability issues or limitations that would prevent a user from achieving the same level of protection that they might enjoy in the desktop environment.

Introduction

An increasing amount of information is being stored on mobile devices. Indeed, it has been suggested that, in business scenarios, over 80% of new and critical data is now stored in this context (Allen, 2005). In 2005, Gartner predicted that smartphones would be favoured as thin clients for mobile workers (Jones, 2005), and the subsequent quarter-on-quarter growth in smartphone shipments, of 49.8% in Q2 2006 (Cozza et al., 2006) and 44% in Q2 2007 (Cozza et al., 2007), is certainly indicative of their increasing popularity.

Although a broad definition of mobile devices would include laptop computers, the focus of this paper is specifically geared towards pocket and handheld devices such as cellular phones and Personal Digital Assistants (PDAs), with the convergence of these devices into so-called smartphones also being relevant. While not as powerful as desktop or laptop systems, these devices now support a fairly rich set of functionality, with a variety of personal information management features (e.g. contacts, scheduling, etc.), cut-down versions of applications such as word processors and spreadsheets, and Internet connectivity via email, web browsing, and instant messaging. Even at a baseline, the data held on such devices could include contact details of clients and suppliers, or calendar items revealing sensitive business dealings. As such, they can clearly be an asset worthy of protection.

Unfortunately, alongside these capabilities, mobile devices are by their very nature more vulnerable to threats such as theft and accidental loss than larger systems in fixed locations. For example, back in 2001, the UK Home Office highlighted the desirability of mobile phones as targets for theft, reporting that over 700,000 handsets had been stolen (Harrington and Mayhew, 2001). Meanwhile, other unofficial reports (Leyden, 2002) put this figure in the region of 1.3 million. In addition, pocket devices are extremely susceptible to loss; a problem that is clearly indicated by the following advice quoted from the London Taxi Lost Property site (our emphasis added):

“For mobile phones, it is essential that you supply details of the phone make and model, mobile phone service, and either the IMEI number of the phone or your SIM card number. Due to the quantity of mobile phones received, individual mobile phones cannot be identified without this information.” (London Taxi, 2007)

From a security perspective, the significant consideration here is that these devices may contain possibly sensitive or valuable information (Chapman, 2007). Of course the risk can be downplayed by arguing that many of these thefts are committed in order to obtain the devices rather than their data. While this may be true for now, the increasing role of the devices as repositories of sensitive information means that opportunities for data exploitation may not be overlooked for long.

In view of these threats, it is reasonable to suggest that security is an increasingly important consideration. Moreover, the fact that mobile devices now store and access comparable data and services to desktop systems implies that similar security provisions ought to be available. Indeed, some users will already utilise security on their desktop, and will be keen to parallel this on their mobile devices. Unfortunately, however, the reality of their experience may currently be quite different, with obstacles posed by mechanisms that are presented in a different way, or indeed by functionality that is absent entirely. This raises two fundamental problems. If the security features are not available, then data will receive less protection in a fundamentally more vulnerable location. If the features exist, but are not presented in a comparable manner, then users may not be able to transfer their security skills from the desktop easily.

This paper examines the differences in security mechanisms between desktops and mobile devices that users may encounter when attempting to perform the same core tasks. This is explored from three perspectives: identification and authentication, network connectivity, and content security. Key aspects of each are examined from the perspective of a desktop user looking for the related features in a mobile context. The evaluation enables conclusions to be drawn regarding the security features that exist, and the consequent similarity of the end-user experience between current desktop and mobile systems.

Section snippets

Comparing the security experience in desktop and mobile environments

In spite of their fundamental difference in physical form factor, mobile devices can facilitate access to much of the same data, and many of the same services and applications, as their desktop counterparts. As such, a baseline argument for cognate security is easy to make. However, a notable difference is the context in which certain security features are being used. One of the most distinguishing differences between smartphones and desktop computers is that the former is a personal device,

User authentication

The nature of user authentication on mobile devices has remained largely unchanged since their inception, with the vast majority of devices relying upon point-of-entry protection via a Personal Identification Number (PIN). In this respect, the underlying principle is similar to that on most desktop systems, with both relying upon secret-knowledge authentication approaches. However, a fundamental difference on the mobile device is that the user may encounter multiple mechanisms, in order to lock

Dealing with connectivity

A Windows Mobile 6 device can offer several forms of connectivity, encompassing personal, local and wide area networking. Security-relevant considerations can be found, to varying degrees, at each of these levels.

At the personal area level, the functionality is typically offered via infrared (IR) and Bluetooth communications. The only tangible configuration option for IR communication is to be found under the ‘Beam’ setting, which in turn has only one option – ‘Receive all incoming beams’ –

Content security

Early generations of cell phones and PDAs had relatively little storage capability, with the consequence that their potential to store sensitive data was limited. The situation today is dramatically different, increasing the likelihood that data will be created with, or transferred onto, mobile devices. However, the related protection of such content is another area in which a marked contrast to the desktop experience can be observed, in the sense that the mobile versions of the software may

Discussion and conclusion

The investigation has shown that although elements of security are provided on mobile devices, the extent and usability of the implementation are often lacking. This is especially worrying since the devices will routinely operate outside of physically controlled environments and so will be at increased risk of exposure.

Summarising the main findings from the assessment, it can be seen that users face a varied experience in moving from desktop to mobile contexts. In terms of authentication, there

Cited by (66)

  • Interaction design for security based on social context

    2021, International Journal of Human Computer Studies
    Citation Excerpt :

    Scholars have applied use contexts to refer to any situational information related to interactions (Dey, 2001; Liang et al., 2013) and the critical role of use context in mobile payments has been recognized by many researchers (Khalilzadeh et al., 2017; Kim et al., 2010; Mallat, 2007; Mallat et al., 2009; Zhang and Luximon, 2020). It is reasonable to consider the effect of use contexts since mobile services are ubiquitous (Botha et al., 2009). In mobile technologies research, studies have suggested contextual factors that describe the use context of mobile technologies, such as task, personal, social, spatial, temporal, infrastructural, device, service, and access network (Korhonen et al., 2010; Wigelius and Väätäjä, 2009).

  • Facing up to security and privacy in online meetings

    2021, Network Security
    Citation Excerpt :

    Additionally, while the discussion has looked at desktop versions, there are further variations to be found in the mobile apps. As observed in prior work over a decade ago, desktop and mobile contexts can often differ in the security options that they offer.9 Figure 7 illustrates elements of the desktop and mobile interfaces for Zoom, from macOS and iOS versions respectively, and (aside from the layout) the range of key options is ostensibly the same.

  • The usability of security – revisited

    2016, Computer Fraud and Security
    Citation Excerpt :

    This is not the first time that security features have been sacrificed as the core functionality of the application moves onto other platforms. For example, Word Mobile (previously Pocket Word), which ran on Microsoft's earlier generation of mobile devices, did not support password-protected documents either (this aspect has at least been resolved and attempting to open a protected Word document on a smartphone or tablet will now yield a prompt for a password rather than simply reporting that the document cannot be accessed).11 The current example with Word Online appears to resurrect this problem and it is arguable that security has been masked out in favour of the more general accessibility of the application.

Reinhardt A. Botha is a professor in the Institute for ICT Advancement and the School of ICT of the Nelson Mandela Metropolitan University, Port Elizabeth, South Africa. He holds a PhD in Computer Science from the Rand Afrikaans University (now University of Johannesburg) in Johannesburg, South Africa. His research interests encompass Information Security, Mobile Computing and IT Service Management.

Steven Furnell heads the Centre for Information Security & Network Research at the University of Plymouth in the United Kingdom, and is an Adjunct Professor with Edith Cowan University in Australia. He specialises in computer security and has been actively researching in the area for fifteen years, with current areas of interest including security management, computer crime, user authentication, and security usability. Prof. Furnell is a Fellow and Branch Chair of the British Computer Society (BCS), and a UK representative in International Federation for Information Processing (IFIP) working groups relating to Information Security Management (of which he is the current chair), Network Security, and Security Education. He is the author of over 190 papers in refereed international journals and conference proceedings, as well as the books Cybercrime: Vandalizing the Information Society (Addison Wesley, 2001) and Computer Insecurity: Risking the System (Springer, 2005). Further details can be found at www.plymouth.ac.uk/cisnr.

Nathan Clarke graduated with a BEng (Hons) degree in Electronic Engineering in 2001 and a PhD in 2004 from the University of Plymouth. He has remained at the institution and is now a senior lecturer in Information Systems Security within the Centre for Information Security and Network Research. Dr Clarke is also an adjunct scholar at Edith Cowan University, Western Australia. His research interests reside in the area of user identity, mobility and intrusion detection, and he has published 40 papers in international journals and conferences. Dr Clarke is a chartered engineer, a member of the British Computer Society (BCS) and the Institution of Engineering and Technology (IET), and a UK representative in the International Federation for Information Processing (IFIP) working groups relating to Identity Management and Information Security Education. Dr Clarke is the co-chair of a new symposium series on the Human Aspects of Information Security & Assurance (HAISA).
