With powerful computing capability, plentiful functionality and advanced operating systems with flexible APIs, smartphones have become indispensable part of our daily lives. However, growing functionality, complexity and popularity of smartphones have also increased concerns about information security, and these concerns have been further exacerbated by rich third-party applications. In order to protect information security, significant research and standardizations efforts have been made in recent years. However, most of these activities focus on specific issues, which cannot mitigate negative effects as a whole. In this paper, we first introduce a common architecture of smartphones including main smartphone assets. Then we identify smartphone threats which are clustered into vulnerabilities and attacks. Based on the layered structure of smartphones, we propose a hierarchical security framework for smartphones including hardware security, operating system security, application security, user data security and communication security. Finally, we present the preliminary security solutions with regard to the security framework, and give future research direction.