**9. Security and privacy challenges concerning the use of smartphones in IoT and IoE networks**

Security and privacy of smartphones in IoT and IoE should be guaranteed to the maximum, because the smartphone is considered the major personal device used in IoT. Threats and attacks on the smartphone and IoT devices can be divided into the following categories as reported in [64]:

• **Resources**: such as GPS, camera, NFC, and other sensors.

example, a hacker can change the settings of an insulin pump to no longer deliver insulin to the concerned patient, which creates health problems and crisis [62].

Companies experiencing the IoT technology may not have enough experience in dealing with the security issues stated above and therefore find securing IoT devices and communications a challenging task [62]. Also, the structure of some IoT devices is sophisticated, and the manufacturers find it difficult or expensive to apply a security patch to them if a specific vulnerability is discovered [62]. In addition, some IoT devices are made disposable after purchase, and therefore the consumers are often left with vulnerable devices shortly after their purchase in most cases [62].

In addition to security risks, there are many privacy risks involved with IoT, such as the collection of sensitive personal daily information (health information, geolocation, and account numbers) and the sending of data through the cloud [62]. The collection of this information over time could be misused and can help intruders infer future values. Privacy principles state that users should control their personal data and choose the smart environment and technology that protects their private lives [63]. Users usually have difficulty knowing about the existence of IoT devices in their environment, what information is being disclosed and sent in the network, and which parties benefit from this information. Also, manufacturers are interested in building services around the collected data rather than selling the devices themselves [63]. According to Ref. [62], researchers state that smartphones could be used to disclose the user's personality type, demographics, stress level and mood, happiness, etc. [62]. Another privacy risk is that an intruder could remotely intercept unencrypted IoT data while it is sent in the IoT network, then combine, analyze, and act upon it [63]. The above security and privacy challenges may result in undermined consumer confidence and a decrease in the widespread adoption of IoT technology, which will surely affect the overall societal acceptance of IoT services [62].

Our proposed middleware architecture called FlexRFID tackles the security and privacy issues in the IoT environment at the application level by using policies as described in [29]. These policies allow the applications to specify the security, access control, and privacy rules that should be applied on data before getting them, and therefore minimize the possibilities of compromising the user's sensitive data. At the device level, new security models other than strong encryption are required in IoT because of the devices' limited capabilities, such as limited size, computing, and processing power [63].

Authors in [1] define features of IoT security and privacy in the healthcare field, including security requirements of medical data, which are "confidentiality, integrity, authentication, availability, data freshness, non-repudiation, authorization, resiliency, fault-tolerance, and self-healing" [1]. In addition, the authors in [1] identify challenges for providing secure IoT services, which include (1) the computational, memory, and energy limitations of IoT healthcare devices, (2) multiplicity of IoT devices in healthcare, (3) mobility of IoT devices through different networks having different security configurations, which requires a challenging task of developing a mobility-compliant security algorithm, (4) scalability of IoT devices and their connection to the global information network, (5) IoT devices are connected to multiprotocol networks using a wide range of communication media and a dynamic network topology,

154 Smartphones from an Applied Research Perspective
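An added sketch, not FlexRFID's own code or policy language, of the application-level enforcement the FlexRFID paragraph above describes: each reading is filtered against an application's access-control, privacy, and security rules before it is delivered. The `Policy` fields, the `deliver` function, and the sample reading are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Hypothetical per-application policy (not FlexRFID's real schema)."""
    allowed_fields: set                             # access control
    mask_fields: set = field(default_factory=set)   # privacy: keep last 4 chars
    coarsen_location: bool = True                   # privacy: one decimal place
    require_encrypted: bool = True                  # security: transport check

def apply_policy(policy, reading):
    """Return the view of `reading` an application may receive, or None."""
    if policy.require_encrypted and not reading.get("encrypted_transport"):
        return None                                 # refuse plaintext-sourced data
    view = {}
    for key, value in reading["data"].items():
        if key not in policy.allowed_fields:
            continue                                # default deny per field
        if key in policy.mask_fields:
            text = str(value)
            value = "*" * max(len(text) - 4, 0) + text[-4:]
        elif key == "location" and policy.coarsen_location:
            value = tuple(round(c, 1) for c in value)
        view[key] = value
    return view

def deliver(app, reading, policies):
    """Middleware entry point: applications without a policy get nothing."""
    policy = policies.get(app)
    return None if policy is None else apply_policy(policy, reading)

# Constructed sample data, for illustration only.
POLICIES = {
    "fitness_app": Policy(allowed_fields={"heart_rate", "location"}),
    "billing_app": Policy(allowed_fields={"account_number"},
                          mask_fields={"account_number"}),
}
READING = {
    "device": "wearable-01",
    "encrypted_transport": True,
    "data": {"heart_rate": 72, "location": (33.5731, -7.5898),
             "account_number": "1234567890"},
}

if __name__ == "__main__":
    for app in ("fitness_app", "billing_app", "unknown_app"):
        print(app, "->", deliver(app, READING, POLICIES))
```

The same reading yields a different view per application, and an application with no registered policy, or a reading that arrived over an unencrypted transport, yields nothing.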


Other smartphone attacks discussed in [64] include "financial malware attacks, network spoofing attacks, phishing attacks, surveillance attacks and network congestion attacks" [64].

Authors in [64] divide security violations into five categories, which are the following: (1) "*breach of confidentiality*" when "an unauthorized person reads and gets access to the data" [64], (2) "*breach of integrity*" when "the attacker reads and modifies the data" [64], (3) "*breach of availability*" when "the attacker destroys and deletes the data" [64], (4) "*denial of service*" when "the attacker attacks the limited resources of the smartphone like filling its memory, draining its battery, etc. and therefore makes it unable to communicate with other IoT devices" [64], and (5) "*theft of services*" when "the resources are used by an unauthorized person" [64]. The five categories of attacks stated above have different effects on smartphones as major IoT devices. For example, a Denial of Service attack on a smartphone will affect the IoT and the cellular network, a data leakage attack on a smartphone will disclose private data such as online transactions, and a spamming attack will send messages to other smartphones and IoT devices [64].

The study in [64] compares IoT devices and smartphones in terms of many features such as "computation capacity, storage, external storage, authentication, end-to-end communication, expansibility, battery exhaustion, etc." [64]. The study shows that the smartphone has a lot of functionalities and has built-in sensors that allow it to perform most IoT device functions [64]. The study also shows the behavior of smartphones in the IoT environment concerning data sharing with other IoT machines, communication with IoT devices and the cloud, supporting more computation in IoT than in the web, and the possibility of sending malicious data to other IoT machines [64].

A survey of more than 5000 consumers from the USA, UK, Canada, Austria, and Japan conducted by Norton in 2016 revealed that some people understand that smartphones and IoT devices present risks and the rest do not care about their information being hacked [65]. As stated in [65], few research studies have focused on the risk of controlling IoT devices through mobile apps installed on a user's smartphone. An intruder can control or get access to the smartphone and therefore control the IoT devices from mobile applications, such as those that control home appliances and healthcare-sensitive sensors [65]. Mobile applications can send unencrypted sensitive information from a user's phone such as location, call logs, browser history, and account details. Examples of vulnerabilities could be adding browser favorites, downloading and changing call logs, etc. Authors in [65] state the most important best practices that a user can adopt while using IoT devices, smartphones, and mobile apps, which are the following: (1) *using a reputable mobile security app* that identifies potential vulnerabilities before downloading an app, (2) *downloading apps from an official app store*, (3) *being mindful of the app settings*, such as apps asking the user to disable the security setting that protects against installing apps from an unknown source, (4) *keeping the IoT devices current* by installing the latest updates, (5) *protecting the device by choosing a strong and unique password*, and (6) *being stingy with the device*, such as protecting the communication between the device and network using an encrypted Wi-Fi connection or a hard-coded LAN connection if available [65].
