MORI: An Innovative Mobile Applications Data Risk Assessment Model

Abstract

The daily activities of mobile device users range from making calls and texting to accessing mobile applications, such as mobile banking and online social networks. Mobile phones are able to create, store, and process different types of data, and these data, whether personal, business, or governmental, are related to the owner of the mobile device. More specifically, user activities, such as posting on Facebook, is sensitive and confidential processes with varying degrees of social risk. The current point-of-entry authentication mechanisms, however, consider all applications on the mobile device as if they had the same level of importance; thus maintaining a single level of security for all applications, without any further access control rules. In this research, we argue that on a single mobile application there are different processes operating on the same data, with different social risks based on the user’s actions. More specifically, the unauthorised disclosure or modification of mobile applications data has the potential to lead to a number of undesirable consequences for the user, which in turn means that the risk is changing within the application. Thus, there is no single risk for using a single application. Accordingly, there is a severe lack of protection for user data stored in mobile phones due to the lack of further authentication or differentiated protection beyond the point-of-entry. To remedy that failing, this paper has introduced a new risk assessment model for mobile applications data, called MORI (Mobile Risk) that determines the risk level for each process on a single application. The findings demonstrate that this model has introduced a risk matrix which helps to move the access control system from the application level to the intra- process application level, based on the risk for the user action being performed on these processes.