Mobile Security
How individuals use and secure smartphones and tablets for work purposes.
Indicators
An observed identity uses a rooted or jailbroken device, bypassing built-in OS safeguards and exposing the endpoint to malware, data theft, and unmonitored changes that weaken enterprise security controls.
An observed identity disables or fails to enable full-disk encryption, leaving sensitive enterprise data vulnerable to exposure in the event of device theft, loss, or unauthorized physical access.
An observed identity connects to an untrusted or malicious Wi-Fi network, exposing communications to interception, spoofing, or man-in-the-middle attacks that can compromise enterprise data and credentials.
An observed identity fails to establish or maintain a secure VPN tunnel, leaving sensitive traffic unencrypted and significantly reducing the enterprise’s ability to monitor and protect remote connections.
An observed identity installs apps from untrusted sources outside sanctioned stores, increasing the likelihood of introducing malware, spyware, or unauthorized software into the enterprise environment.
An observed identity installs or uses apps with permissions beyond their intended purpose, raising the risk of data misuse, surveillance, or privilege abuse that can expose corporate information.
An observed identity’s device shows signs of SIM replacement or reassignment, suggesting a possible SIM swap attack that could allow adversaries to hijack communications or intercept MFA tokens.
An observed identity removes or alters the mobile device management (MDM) profile, disabling enterprise oversight and weakening the ability to enforce compliance and detect threats on the device.
An observed identity operates a device in a prohibited or high-risk geography, which may conflict with policy and expose the enterprise to heightened regulatory, espionage, or compliance risks.
An observed identity’s device lacks remote wipe capability, preventing security teams from remotely erasing sensitive data if the device is lost, stolen, or compromised.
An observed identity uses a device containing manufacturer-installed riskware or malicious firmware, which undermines trust in the endpoint and increases the attack surface for adversaries.
An observed identity follows authorized device maintenance practices, applying only official updates, reporting anomalies, and avoiding unapproved modifications that could compromise endpoint integrity.
An observed identity applies patches promptly, ensuring mobile operating systems and apps remain up to date and reducing exposure to publicly known vulnerabilities.
An observed identity maintains a locked bootloader and prevents unauthorized firmware installation, preserving device integrity and ensuring compliance with enterprise configuration baselines.
An observed identity connects to trusted Wi-Fi networks and uses a VPN when on public networks, reducing exposure to interception, and reports anomalies that could indicate rogue hotspots.
An observed identity installs applications exclusively from approved sources, avoiding side-loading and reporting anomalies, thereby limiting malware risk and maintaining enterprise compliance.
An observed identity follows secure BYOD practices, enrolling personal devices into MDM and consenting to endpoint controls, ensuring corporate visibility and protection of sensitive resources.
An observed identity applies least-privilege principles to app permissions, granting only necessary access and preventing excessive data collection or potential abuse by third-party applications.
An observed identity reports abnormal SIM or mobile network activity, enabling early detection of SIM hijacking, unauthorized reassignment, or suspicious carrier behavior that could compromise identity assurance.
An observed identity maintains compliance with mobile device management (MDM) requirements, avoiding tampering and notifying IT when controls appear degraded, ensuring visibility and consistent enforcement of policy.
Relevance
This category identifies risks tied to mobile endpoints, including device theft, malicious apps, and phishing delivered through mobile channels.
Why this matters
Practitioners must care because mobile devices are constant attack targets that often fall outside traditional security monitoring. Enforcing mobile controls keeps these devices from becoming weak links.
Consequences of neglect
Failure to secure mobile devices enables attackers to bypass enterprise protections, exfiltrate sensitive data, or compromise identity assurance mechanisms like MFA.