Dissecting the Security and Protection Issues in Pervasive Computing

Human beings exhibit nomadic behaviour as they travel from place to place throughout the day for personal or organizational purposes. The inception of modern networking technologies and the advent of a wide range of applications, in terms of services and resources, have facilitated users in many ways. With the advancements in numerous areas such as embedded systems, WN (Wireless Networks), and mobile and context-aware computing, the anticipated pervasive computing has come to dominate human communication at large. Pervasive computing refers to an environment where information is accessible anywhere and anytime while the underlying system is invisible to the user. On the other hand, the invisibility of pervasive computing is also a problem for its adoption, as users are unaware of when and which devices collect their personal data and how it is being used. This has caused new security chaos: the more information about the user is collected, the more privacy and security concerns it raises; thus, pervasive computing applications have become a key concern for users. This paper aims to analyze the security and protection issues that arise while traveling from place to place connected to wireless mobile networks. The paper reviews many existing systems that offer possible security to pervasive users. An easy, precise and relative analysis and evaluation of the surveyed pervasive systems is presented and some future directions are highlighted.


The term "pervasive" comes close to the notion of ubiquity or submerging [1]. Hence, a "pervasive network" echoes a ubiquitous network or nomadic network.
Pervasive devices are intelligent objects that recognize other communicating devices automatically. The nomadic user has "anywhere and anytime" access to the worldwide grid irrespective of time and place. Over the past few years, nomadic computing has taken over the world. has not caught pace with nomadic trends. This vital asset of users is becoming more vulnerable to attacks; therefore, valuable information on such networks and systems is at risk. Security is the main concern in protecting nomadic devices from attacks [2].
When people get addicted to new technology, they expect

The main objective of this paper is to review the possible security and user data privacy issues that arise in a PCE (Pervasive Computing Environment) and the privacy management challenges, to analyze existing pervasive computing architectures/models, and to evaluate the best among them on the basis of privacy management parameters. This paper is organized as follows. Section 2 provides a discussion of security and privacy threats in PCE. Section 3 presents challenges to privacy management techniques. In Section 4, existing architectures of PCE are overviewed. Section 5 analyzes the architectures on the basis of privacy management parameters. In Section 6, the work done so far is discussed and suggestions regarding some open issues are given before the paper is concluded in Section 8. At the end, some contributions are acknowledged.

SECURITY AND PRIVACY
Security is the main concern as nomadic devices and nomads increase in number. Nomadic devices are introduced to new wireless environments in which they can suffer from weak security. The following are some security threats that may occur in a PCE and the security needs for protecting a PCE.

Security Threats
Data Locality: When sensitive information is passed over the network, strong security measures are needed. Even if the data is not very sensitive, it is still a significant asset of the user. In case of data failure and in the absence of backup or recovery measures, the organization may be at great risk [4]. attacks. Data broadcast through the air is harder to control than data that is accessible only to the respective users [4].

Wi-Fi
Session Hijacking: Session hijacking is also known as cookie hijacking. It is the manipulation of a session key to gain unauthorized access to user information and services. This threat is of great concern in today's computing environments, since mobile banking, as it advances, is more prone to this type of threat [2].
Confidentiality: Users' data should be protected from loss of privacy. To ensure confidentiality, a few measures such as encryption and VPN should be considered [2].
Integrity: Data should be protected against unauthorized modification. Electronic signatures can be used to secure messages over the network; they guarantee the safety of the content and also the identity of the sender [4].

Firewall: One of the commonly used mechanisms for security is a firewall. The mechanism contains lists of permitted and non-permitted traffic.
Anti-Virus Software: Anti-virus is a common and important mechanism to ensure security. It scans downloaded files and emails and removes malicious code from files if found.
File Protection on Device: Important files on devices should be encrypted, marked as "private" and hidden from unconcerned users, which keeps the files hidden from malicious users. These files should be password protected to avoid unauthorized access [5].
Secure Interoperability: Mobile networks are expanding and making interoperability and interaction between different organizations possible. These interactions need to be secure enough that sensitive data remains under cover [4].
Transparency: In a nomadic environment, each entity must be authenticated transparently and acquire rights in a transparent way [5].
Flexibility: New mechanisms for authorization and identification have been introduced over the past few years [5]. Mobile networks should be flexible enough to integrate these mechanisms.
Privacy Protection: In a pervasive environment, a user's sensitive information can be accessed and misused. To avoid such a possibility, the user's devices must have the authority to recognize the environment in which they are located, and to evaluate its degree of confidence [2].
Security Levels: For each session over the network, the user should get access permission. High-level security will be required for accessing critical data [4].

CHALLENGES TO PRIVACY MANAGEMENT MODELS
In this section, research work is presented that concentrates on the challenges that occur in a pervasive environment and their possible solutions for providing security to users. about some services such as nearby restaurants. The user has to make his location accessible to the service provider to take advantage of these location-centered services. Later, this obtained location data can be misused. There is also a need for services to provide flexible approaches for defining different location privacy policies according to certain conditions [8].
Context Reliance: Pervasive computing applications also rely on some contextual information. This context information may contain GPS coordinates, user preferences, user profiles, wireless device type, system time etc. A context-aware system uses a set of information whose privacy requirement level differs at times, making it difficult to provide sufficient protection. There are no sufficient protocols to ensure security for contextual information [9].

Contribution of Service Provider: The service provider has a critical and important role, being the maintainer and preserver of user data. There is the possibility of misuse of a user's sensitive data by the devices of the service provider. Internationally, some rules are specified that communicate the objective, maintenance and receivers of data for each service provider request. In reality, however, it is difficult to ensure that these rules will not be violated [9].
Possession Deficiency: In a traditional computing system, users have some specific access control and privileges over resources. In contrast, a user enters and leaves a PCE frequently and shares resources. Therefore, the user has no privilege over the resources, making it difficult to implement privacy controls [10].
Privileged Access Regulation: There must be some defined control of access rights to the confidential information in a PCE. It is a challenging problem to control the access rights of users in a diverse environment. At any one time, a user may be interacting with numerous smart devices and service providers. Since there is no guarantee that these devices are not malicious, the privacy of the user may be compromised [11].
Access Strategy Regulation: Some strategy must be defined to control access to a user's confidential data, that is, how user data is accessed and transmitted in the diverse environment of a PCE [11]. Although it is difficult to ensure foolproof security of a user's sensitive data, some measures should be taken to define policies to protect the user's information.

Resources Taxonomy: In a pervasive environment where users share resources, extraneous parties could access confidential information, triggering leakage of user information and violating user privacy. Some measures must be taken to assure users that resource sharing will avert the outflow of private information [9].

Data Maintenance Authority: In a PCE, user data can be spontaneously collected together and kept over an extended time span. User private information is valuable and must be protected against any misuse and disclosure. To achieve this purpose, data may be distributed across different systems; thus data persistence is as important as data disclosure [10]. A PCE must define some tools to control data disclosure and ensure data persistence, for example by placing some time constraints.
Constraints Definition: In a PCE, there must be some defined constraints on access rights. Sometimes, to gain access to a specific service, a user may have to trade off the level of privacy. Owners of information should be given suitable criteria to specify the circumstances under which their data can be retrieved.

In a PCE, to gain access to a certain service there must be some criteria defined for granting access permission. A number of policies could be defined, along with the conditions and rules for obtaining permission to access particular service(s) [3].
Service Access Approval: In the era of detection technologies, context data may be provided which contains location information, user profiles, time etc. The user may want to maintain the confidentiality of his data and to know who can access what and how it is being used [10].

Information Usage Monitoring: The communication that takes place in a PCE is visible to the service provider. To guarantee non-leakage of user data, the SP must require only the data essential for a specific task and the user should offer just the required data [10]. The decision about data sharing among users and service providers must be taken beforehand.

Data Concealment Assurance: The collection and storage of information poses a challenge to the privacy of the user. Information should be secured from third-party access and any misuse by the ISP, be restricted, and be held for future referencing [10]. When data is transmitted, it should be transmitted to the intended recipient. No control over data transmission means no control over privacy.

EXISTING SYSTEMS OF PERVASIVE COMPUTING
This section reviews some of the work that has been done so far to ensure the security and privacy of pervasive devices as the new technology makes its way. The primary requirement in pervasive computing is to provide sufficient security and ensured privacy everywhere and anytime to all nomadic users. By ensuring the privacy of nomadic systems, security could inevitably be achieved. Over the years, a number of schemes, methods and models have addressed some prominent problems of security and privacy in pervasive environments. A taxonomy of these systems is presented in Fig. 2 and a summary of the respective systems is presented in detail in Table 1.
Privacy Sensitive Information dilUting Mechanism: Cheng et al. [12] state two techniques in their paper "Protection of

distinguish between true and false information for the ISP.
This false data is produced by using the previous locations that the user has used. The strength of PSIUM is that it protects against misuse of users' data by the ISP and preserves the quality of the service as well. Its weakness is that an increase in the number of queries results in an increase in the cost of obtaining results, and the communication between user and ISP is susceptible to attack [12].
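A simplified model of the dilution idea described above, added here as an illustration and not taken from Cheng et al.'s paper: the real location query is hidden among dummies drawn from the user's own location history, and the client keeps only the real answer. The function names, cell identifiers and directory are assumptions constructed for the example.

```python
import random


def build_query_batch(true_location, history, n_dummies, rng):
    """Mix the real query with dummies drawn from the user's own past locations."""
    # Deduplicate the history and drop the current location so no dummy repeats it.
    candidates = [loc for loc in dict.fromkeys(history) if loc != true_location]
    if n_dummies > len(candidates):
        raise ValueError("history too short to supply %d distinct dummies" % n_dummies)
    batch = rng.sample(candidates, n_dummies) + [true_location]
    rng.shuffle(batch)  # the position of the real query must carry no information
    return batch


def provider_lookup(batch, directory, provider_log):
    """Constructed stand-in for the ISP: answers every query and records what it saw."""
    provider_log.extend(batch)
    return {loc: directory.get(loc, []) for loc in batch}


def diluted_query(true_location, history, n_dummies, directory, rng):
    """Send one real query plus n_dummies false ones; report result and cost."""
    provider_log = []
    batch = build_query_batch(true_location, history, n_dummies, rng)
    answers = provider_lookup(batch, directory, provider_log)
    return {
        "result": answers[true_location],     # the client discards the dummy answers
        "queries_sent": len(batch),           # cost grows linearly with the dilution
        "provider_saw": provider_log,         # real and false queries look alike
        "guess_probability": 1 / len(batch),  # uniform guess if dummies are indistinguishable
    }


# Constructed sample data: cell identifiers and a toy restaurant directory.
HISTORY = ["cell-12", "cell-07", "cell-12", "cell-31", "cell-44", "cell-07"]
DIRECTORY = {
    "cell-12": ["Cafe A"], "cell-07": ["Diner B"], "cell-31": [],
    "cell-44": ["Grill C"], "cell-19": ["Bistro D", "Noodle E"],
}

if __name__ == "__main__":
    print(diluted_query("cell-19", HISTORY, 3, DIRECTORY, random.Random(7)))
```

The batch travels to the provider in the clear in this sketch, which matches the weakness noted above: dilution limits what the ISP learns, not what an eavesdropper on the link sees.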
Spirit: Spirit is a modern location-based system with middleware and event-driven applications, which generates events when an entity enters or exits some predefined space. Some specific locations are defined in applications, and whenever an entity enters such a defined space, the application receives a callback from the middleware reporting the event. Communication between user and application is indirect in nature [13]. Currently, the  [14]. In this network, a mix node accepts an input of n equal-length packets and reorders them by applying some metric before forwarding them to the destination. This and ISP is still vulnerable to attack [14]. practice because of its complexity [15].

Geopriv: The motivation behind Geopriv is to securely gather and transfer user location information while ensuring the protection of the privacy of the entities involved. Myles et al. [16] in their paper describe the Geopriv scheme, in which location-based objects are created that encapsulate user location information along with privacy preferences. These objects are digitally signed to protect the data from any sort of alteration. This scheme could offer greater accountability, but practically this scheme has not been implemented yet, Compbell et.
LocServ: LocServ serves as a middleware service between applications and location-tracking technologies. Myles et al. [16] in their paper "Preserving Privacy in environments with location-based applications" describe LocServ. Applications use a number of systems where users can specify a location query using any of the location models (symbolic or geometric); the service then resolves the query using any technology that LocServ understands. Applications work independently of the technologies used. This type of service allows users to have control over the amount of location information that can be released, but it depends upon the user for the location query.
Mist: Roy et al. [16] proposed a model that guarantees protection of both location information and user's privacy.   [19].

Quality of Privacy: As the name suggests, QoP (Quality of Privacy) architectures provide a mechanism that balances the privacy measures between the user and the ISP. Quantitative parameters are used to manage the level of privacy provided to the user. These quantitative parameters are based on five contextual variables: location, identity, access, activity and persistence [20]. The parameters can determine the cost of availing the services provided by the ISP. In QoP, the information shared by the user with the pervasive environment is controlled according to the level of negotiation between the user and the service provider. But the perception of anonymity is dependent upon quantitative parameters.  [26].

Hierarchical Identity-Based Encryption: HIBE (Hierarchical Identity-Based Encryption) offers a way to transfer context information with a defined granularity level, abstracting the detail of the information. Based on this granularity level, access to certain information may be denied or evaluated before being granted. The user who owns the information can set the granularity and the associated privacy levels. This approach gives users a free hand to define parameters in order to protect their data [27].
Role Based Access Control: The most extensively used method to govern authorized access to resources and services is RBAC (Role Based Access Control). Users are assigned roles and have certain privileges. To gain access to a service or resource, they may have to compromise a bit of privacy. Restraints on privileges are sometimes responsible for the tradeoff between the privacy level a user grants and the service provided in return. Owners can state the circumstances under which their information may be accessed. As there is a large number of service providers and users, it is difficult to ensure protection for each. Therefore, it is impractical to implement [27].
Abundant work has been done to make nomadic devices more secure, reliable, invulnerable, and immune to malicious abuse [9]. As PDAs (Personal Digital Assistants) are ruling the world nowadays, the operating system of most mobile devices is Android or iOS.

Taming Information Stealing Smartphone Applications: Zhou et al. [28] introduced TISSA (Taming Information Stealing Smartphone Applications), which provides a privacy mode that permits the user to control the criteria under which an application can access personal information. At runtime, granted access can be modified according to the scenario. It required few lines of code and had a negligible performance overhead. This application requires modification to the Android OS.
IdentiDroid: IdentiDroid is a customized Android OS proposed by Shebaro et al. [29] which guarantees that applications cannot identify a user. IdentiDroid takes two approaches. The first approach is to shadow user and application data, information about the device, and the resources used, so that the user's identity cannot be revealed. The second approach is to modify runtime
Android Runtime Security Policy Enforcement Framework: Banuri et al. [30] proposed a framework that observes an application's behavior during its runtime. The framework is named "The Android Runtime SEAF (Security Policy Enforcement Framework)"; it observes an application's permission patterns and aids in application validation. The user is made aware of hazardous application behavior based on permutations of permission patterns. Initial examinations showed an insignificant performance overhead and found it reliable enough to be used in the consumer market, but it requires alteration of the underlying Android OS.
TaintDroid: TaintDroid is an information flow tracking system for runtime privacy monitoring of smartphones proposed by Enck et al. [31]. TaintDroid tracks the flow of user private data through third-party applications running on smartphones. It considers third-party applications untrustworthy and monitors, during execution, how they use users' sensitive data. Enough contextual information is needed to analyze where the data is sent and how personal it is. TaintDroid labels a privacy-sensitive data source as taint and monitors its flow over the network. When data leaves the system, it records the taint label of the data, its destination, and the application responsible for transmitting that data. This feedback notifies users and services about suspicious applications. Performance overhead must be low, and it was acknowledged that context-based personal data could be tough to sense.
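The label-and-track idea described above, as an added sketch that is not TaintDroid's code: values read from a sensitive source carry a taint label, the label survives string concatenation, and a network sink records the label, destination and sending application when tainted data leaves. The class and function names, package names, hosts and source values are all constructed for the example, and only concatenation propagates taint here, whereas TaintDroid tracks flows inside the Android runtime.

```python
def labels_of(value):
    """Taint labels attached to a value; plain strings carry none."""
    return getattr(value, "labels", frozenset())


class Tainted(str):
    """A string that remembers which sensitive sources it was derived from."""

    def __new__(cls, value, labels=()):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

    def __add__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        # The result inherits the union of both operands' labels.
        return Tainted(str.__add__(self, other), self.labels | labels_of(other))

    def __radd__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        # Covers "plain" + tainted, so prefixing a value does not wash the taint off.
        return Tainted(str.__add__(other, self), self.labels | labels_of(other))


# Constructed placeholder values for two privacy-sensitive sources.
SOURCES = {"IMEI": "000000000000000", "LOCATION": "0.0000,0.0000"}


def read_source(name):
    """Taint source: every value read here is labelled with its origin."""
    return Tainted(SOURCES[name], {name})


class NetworkSink:
    """Taint sink: inspects labels at the point where data leaves the device."""

    def __init__(self):
        self.alerts = []

    def send(self, app, destination, payload):
        labels = labels_of(payload)
        if labels:
            self.alerts.append(
                {"app": app, "destination": destination, "labels": sorted(labels)}
            )
        return len(payload)  # the data is still sent; the sketch only monitors


def run_demo():
    sink = NetworkSink()
    beacon = "id=" + read_source("IMEI") + "&loc=" + read_source("LOCATION")
    sink.send("com.example.flashlight", "ads.example.net", beacon)
    sink.send("com.example.notes", "sync.example.org", "note=buy milk")
    return sink.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```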
PSiOS: PSiOS concentrates on ensuring security and privacy in iOS. It is a tool which provides sandboxing (user- or administrator-defined) for each application running on iOS. Some popular iOS applications (e.g. Facebook, WhatsApp) are evaluated to validate the throughput and usefulness of PSiOS. It needs a modification to the native source code [32].
RecDroid: Rashidi et al. [33] proposed RecDroid, which is a framework for users to govern approval of applications before they run for the very first time then
After that, the results are summarized simply by adding the number of 1's against each architecture. We get the concluding results in Table 3. This analysis is represented in Fig. 3 as a graph to make the comparison more visible.

OPEN ISSUES AND DISCUSSION
In this research paper, a number of security threats and users' privacy needs in pervasive computing are discussed. This paper provides a summary of twenty-four different architectures proposed earlier, which constitutes methodology/approach, advantages, and Although a lot of work has been done in this area, there is still a need to make PCE more secure for its users.
As PawS is evaluated as the best approach among others

CONCLUSION
While people enjoy the benefits that pervasive computing brings, security and privacy of the pervasive environment is a fundamental requirement. In this paper, numerous challenges for protecting users' sensitive data have been addressed. Not much attention has been given to the security and privacy protection of users' information in PCE since its emergence, but this research paper focused on the key areas that need attention. Various existing systems are summarized and evaluated according to the number of key areas they focus on. Security and privacy are the basic concerns in PCE and should be properly addressed while designing pervasive computing applications so that a better quality of service is provided to pervasive users. Hence, this paper summarizes the existing developments in PCE and provides their qualitative comparison for advantages and limitations.

ACKNOWLEDGEMENT
Authors would like to acknowledge with thanks the anonymous referees for their useful suggestions that led us to enhance the quality of the paper. Authors are also