
Mobile Device Security — Android, iOS, OWASP Mobile Top 10, and MDM

What Is Mobile Device Security and Why Does It Matter?


According to the OWASP Mobile Top 10 (2024), mobile applications face critical risks including improper credential usage, insecure data storage, and inadequate supply chain security. Mobile device security is one of the fastest-growing areas in cybersecurity because smartphones and tablets now carry more sensitive data than most laptops. From corporate email and authentication tokens to health records and banking apps, mobile devices are high-value targets for attackers and a critical surface that organisations must defend.

If you are studying for CompTIA Security+ SY0-701 or CEH v13, mobile security appears across multiple exam domains. For entry-level SOC analysts, mobile-related alerts — malicious app installations, suspicious MDM policy violations, rogue Wi-Fi connections — are increasingly common in daily triage queues.

I remember the moment mobile security became real for me. I was reading about the Pegasus spyware and realised that a single text message — no clicking required — could silently compromise a phone and access everything: camera, microphone, messages, location. I looked at my own phone differently after that. It holds my banking app, my authenticator, my photos, my entire digital life. Understanding how to protect mobile devices is not just a career skill — it is a personal survival skill in the modern world.

Certification objective: CompTIA Security+ SY0-701 Domain 2 covers mobile threats and vulnerabilities. CEH v13 Module 17 covers mobile platform attack vectors, Android/iOS vulnerabilities, and mobile device management.

What Do Real-World Mobile Attacks Look Like?


NIST SP 800-163 (Vetting the Security of Mobile Applications) treats app vetting as a core enterprise control, and the MITRE ATT&CK Mobile matrix catalogues the tactics, techniques and sub-techniques adversaries use against Android and iOS devices, from initial access through to exfiltration. Mobile attacks are not theoretical. They happen at scale and target individuals, enterprises, and governments.

| Incident | Platform | Impact | Attack method |
|---|---|---|---|
| Pegasus spyware (NSO Group) | iOS and Android | Journalists, activists and government officials surveilled in 45+ countries | Zero-click exploits via iMessage and WhatsApp; no user interaction required |
| FluBot banking trojan (2021-2022) | Android | Spread across Europe and Australia, stealing banking credentials and contact lists | SMS phishing (smishing) with fake parcel-delivery links; each infected phone sends the lure on to its stolen contacts |
| XcodeGhost (2015) | iOS | Initial analysis found 39 infected App Store apps, including WeChat, affecting millions of users; later counts ran far higher | Trojanised copy of the Xcode IDE distributed to developers, who unknowingly compiled malware into their own apps |
| Joker malware (ongoing) | Android | Premium SMS fraud and unauthorised subscriptions; found in 1,700+ Play Store apps | Malicious code hidden in seemingly legitimate utility and camera apps |
| SIM swapping (ongoing) | Both | Account takeover of email, banking and cryptocurrency accounts | Social engineering of mobile carriers to port a victim's phone number, capturing SMS-based 2FA codes |
| Predator spyware (Cytrox/Intellexa) | iOS and Android | Government surveillance of opposition politicians and journalists | One-click and zero-click exploit chains targeting browser and kernel vulnerabilities |

The Australian Cyber Security Centre (ACSC) regularly publishes advisories about mobile threats affecting Australian users, including smishing campaigns impersonating Australia Post, Telstra, and government services like myGov. In 2022, the ACSC reported a significant increase in SMS-based phishing targeting Australians.

The OWASP Mobile Application Security Verification Standard (MASVS) defines a comprehensive baseline for mobile app security across architecture, data storage, cryptography, authentication, and network communication. Think of a mobile device like a small apartment building. Each app gets its own locked apartment (sandboxing). The building has a security guard at the entrance checking who comes in (app store review). The building management sets rules about what tenants can and cannot do (permissions). And the building owner can remotely lock doors or change locks if there is a problem (MDM).

When any of these controls fail — a fake tenant gets past security, a wall between apartments has a crack, or the building management system is compromised — the entire building is at risk.

| Concept | What it means | Why it matters |
|---|---|---|
| App sandboxing | Each app runs in an isolated environment and cannot access other apps' data without permission | Limits the blast radius if one app is malicious |
| Permissions model | Apps must request access to the camera, location, contacts, storage and so on | Gives users and organisations control over what apps can do |
| Secure boot chain | The device verifies that each stage of the boot process is signed and untampered | Prevents rootkits and bootloader-level persistence |
| App store review | Apple's App Store and Google Play review apps before publishing | Catches many (but not all) malicious apps before distribution |
| Mobile Device Management (MDM) | Enterprise software that enforces security policies on mobile devices | Lets organisations remotely wipe, lock and configure devices |
| Certificate pinning | The app trusts only a specific certificate or public key for its server (leaf or intermediate), not any certificate a trusted CA would issue | Blocks interception with CA-issued or user-installed rogue certificates; a pinned app refuses the connection rather than talk to the proxy |
| Biometric authentication | Fingerprint, face or iris recognition for device and app access | Stronger than PINs against casual access, but can be spoofed with effort |

Android vs iOS Security Models

Android Security
  • Open source (AOSP): transparent code, but updates are fragmented across manufacturers
  • Google Play Protect: scans apps on-device and in the Play Store; catches much commodity malware, not all of it
  • Sideloading allowed: users can install APKs from outside the Play Store; flexibility, but also risk
  • SELinux enforcement: mandatory access control at the OS level, in enforcing mode since Android 5.0
  • Fragmented patching: security patches depend on manufacturer and carrier rollout timelines

iOS Security
  • Closed source: Apple controls hardware and software; consistent but opaque
  • App Store review: human and automated review before publication; stricter than the Play Store
  • No sideloading (mostly): apps come from the App Store, with narrow exceptions such as enterprise distribution and, in the EU, alternative marketplaces; reduced attack surface but less flexibility
  • Secure Enclave: hardware-isolated coprocessor for biometric data, keys and encryption
  • Unified patching: Apple pushes updates to all supported devices at the same time

Verdict: neither platform is inherently "more secure". iOS has tighter control; Android has more transparency. Both have been compromised by sophisticated attackers.

Use case: enterprise environments often prefer iOS for its unified patching. Android's openness makes it more common in security research and testing.

Step-by-Step: Understanding Mobile Attack Vectors


Mobile attacks exploit different layers of the device, from physical access to application-level vulnerabilities.

Physical attacks. If an attacker has physical access to an unlocked device, the game is essentially over: they can install malware, copy data or clone the device. Even a locked device is exposed to the following.

  1. Screen lock bypass. Shoulder surfing PINs, exploiting biometric weaknesses, or using forensic tools like Cellebrite to extract data from locked devices.
  2. USB attacks. Malicious charging stations (juice jacking) that install malware or exfiltrate data when users plug in their phones.
  3. SIM extraction. Moving the victim's SIM into another handset to receive their calls and SMS, including SMS-based two-factor codes. A SIM PIN defeats this; SIM swapping (see the incident table above) gets the same result by social-engineering the carrier instead of touching the device.

Network attacks. Mobile devices constantly connect to networks, creating interception opportunities.

  1. Rogue Wi-Fi access points. Setting up fake hotspots (evil twin attacks) that mimic legitimate networks to intercept traffic.
  2. SSL stripping. Downgrading HTTPS connections to HTTP to capture credentials and sensitive data in transit. It works on browser sessions that start over plain HTTP; HSTS and apps that hard-code https:// endpoints are not affected, which is why apps that permit cleartext traffic matter.
  3. Baseband attacks. Exploiting vulnerabilities in the cellular modem firmware — extremely sophisticated but used by nation-state actors.
  4. IMSI catchers (Stingrays). Devices that mimic cell towers to intercept mobile communications and track device locations.

Application-level attacks. This is the most common attack surface for everyday users and the primary focus for entry-level security work.

  1. Malicious apps. Trojanised apps in official or third-party stores that steal data, display ads, or enrol victims in premium SMS services.
  2. Insecure data storage. Apps storing credentials, tokens, or personal data in plaintext on the device filesystem.
  3. Insecure communication. Apps transmitting sensitive data over unencrypted channels or failing to validate TLS certificates.
  4. Deep links and intent hijacking. Abusing how Android intents and iOS URL schemes route data between apps, so that a malicious app registering the same scheme or implicit intent receives data meant for the legitimate one.

OS-level attacks. The most dangerous and sophisticated attacks target the operating system itself.

  1. Privilege escalation. Exploiting kernel vulnerabilities to gain root access from a normal app context.
  2. Zero-click exploits. Triggering code execution without any user interaction — used by Pegasus to compromise devices via iMessage.
  3. Bootloader exploits. Compromising the boot chain to install persistent malware that survives factory resets.

The OWASP Mobile Top 10 provides a standardised list of the most critical mobile application security risks.

| Rank | Risk | Description |
|---|---|---|
| M1 | Improper credential usage | Hardcoded credentials, insecure credential storage, or weak authentication |
| M2 | Inadequate supply chain security | Compromised third-party libraries, SDKs, or build pipelines |
| M3 | Insecure authentication/authorisation | Weak session management, missing server-side validation |
| M4 | Insufficient input/output validation | SQL injection, XSS, and path traversal in mobile app contexts |
| M5 | Insecure communication | Cleartext traffic, weak TLS, missing certificate pinning |
| M6 | Inadequate privacy controls | Excessive data collection, missing consent, PII exposure |
| M7 | Insufficient binary protections | Lack of obfuscation, tampering detection, or reverse engineering defences |
| M8 | Security misconfiguration | Debug mode left enabled, excessive permissions, insecure default settings |
| M9 | Insecure data storage | Sensitive data in plaintext, unencrypted databases, insecure shared preferences |
| M10 | Insufficient cryptography | Weak algorithms, hardcoded keys, improper key management |

How Does Mobile Security Fit Into a Security Architecture?


Mobile App Security Testing Methodology

A structured approach to assessing mobile application security:

  1. Reconnaissance (understand the target): identify app functionality, map API endpoints, review app permissions.
  2. Static analysis (analyse without running): decompile the APK/IPA, review source code, check for hardcoded secrets.
  3. Dynamic analysis (analyse while running): intercept network traffic, test authentication, manipulate the runtime.
  4. Backend testing (test the server side): API fuzzing, authorisation bypass, data exposure checks.
  5. Reporting (document findings): risk classification, remediation guidance, retest verification.

Rooting (Android) and jailbreaking (iOS) remove the manufacturer’s restrictions on the device, granting the user (or attacker) full administrative access.

| Aspect | Rooting (Android) | Jailbreaking (iOS) |
|---|---|---|
| What it does | Grants superuser (uid 0) access, usually by flashing a patched boot image on an unlocked bootloader | Exploits the kernel or boot chain to remove Apple's code-signing enforcement so unsigned code can run |
| Security impact | Root-capable apps can read any app's private data, defeating the per-app UID sandbox; verified boot is no longer intact and SELinux policy may be relaxed | Any code can run and the sandbox can be escaped; the Secure Enclave itself is not compromised, but the kernel that brokers access to it is no longer trustworthy |
| Legitimate uses | Security research, custom ROMs, ad blocking | Security research, app sideloading, customisation |
| Risks | Voids warranty, fails Play Integrity checks, opens the device to malware | Voids warranty, can brick the device, exposes the device to untrusted code |
| Detection | Play Integrity API (successor to the deprecated SafetyNet Attestation), root-detection libraries, MDM/MTD agents | Jailbreak-detection checks in enterprise and banking apps (file, sandbox and dynamic-library checks), MDM compliance checks |

For defenders: Enterprise MDM solutions detect rooted/jailbroken devices and can block them from accessing corporate resources. Banking apps typically refuse to run on compromised devices.

What Does Mobile Security Look Like in Practice?


The OWASP Mobile Security Testing Guide (MASTG) provides a comprehensive methodology for Android and iOS security testing, covering static analysis, dynamic analysis, and network interception techniques. These tools and commands are used in legitimate mobile security testing. Practise them only on devices and apps you own or have explicit authorisation to test.

```shell
# Decompile an Android APK (resources, decoded manifest and smali bytecode)
apktool d target-app.apk -o decompiled_app/
# Inspect the decoded AndroidManifest.xml for permissions and exported components
grep -iE "permission|exported" decompiled_app/AndroidManifest.xml
# Look for hardcoded secrets in smali code (case-insensitive; expect false positives)
grep -rin "api_key\|password\|secret\|token" decompiled_app/smali/ --include="*.smali"
# Recompile after modification; the rebuilt APK is unsigned and must be re-signed
# (e.g. with apksigner from the Android build-tools) before it will install
apktool b decompiled_app/ -o modified-app.apk
```
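A worked example of the manifest inspection step above, added for this page rather than taken from apktool or OWASP: a small Python auditor that parses a decoded AndroidManifest.xml and a network_security_config.xml and reports the findings a tester would otherwise grep for by hand (debuggable builds, cleartext traffic, backup exposure, unguarded exported components, trusted user CAs, missing pin sets). Both XML documents, the package name com.example.bank and the component names are constructed samples; the dangerous-permission list is a subset of Android's runtime permissions chosen for illustration.

```python
"""Audit a decoded AndroidManifest.xml and network_security_config.xml for the
misconfigurations a tester looks for after apktool d (OWASP Mobile Top 10 M5, M8, M9).
Added example for this page, not apktool or OWASP code; both XML documents below are
constructed samples (com.example.bank is fictional)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions that need a justification (illustrative subset)
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.CAMERA",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_PHONE_STATE",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:exported."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(manifest_xml: str) -> list:
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is not None:
        if _attr(app, "debuggable") == "true":
            findings.append("M8: android:debuggable=true (run-as and JDWP expose app data on a test device)")
        if _attr(app, "usesCleartextTraffic") == "true":
            findings.append("M5: android:usesCleartextTraffic=true (plain HTTP allowed app-wide)")
        if _attr(app, "allowBackup") != "false":
            findings.append("M9: android:allowBackup not disabled (data extractable via adb backup before Android 12)")
        if _attr(app, "networkSecurityConfig") is None:
            findings.append("M5: no networkSecurityConfig (no pinning; default trust anchors apply)")
        for comp in app:
            if comp.tag not in ("activity", "service", "receiver", "provider"):
                continue
            actions = {_attr(a, "name") for a in comp.iter("action")}
            if "android.intent.action.MAIN" in actions:
                continue  # the launcher activity is legitimately exported
            exported = _attr(comp, "exported")
            # Before API 31 a component with an intent-filter is exported unless it says otherwise
            implicit = exported is None and comp.find("intent-filter") is not None
            if (exported == "true" or implicit) and _attr(comp, "permission") is None:
                findings.append(f"M8: exported {comp.tag} {_attr(comp, 'name')} has no permission guard")
    for perm in root.findall("uses-permission"):
        name = _attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(f"permissions: dangerous permission {name} requested; confirm it is justified")
    return findings


def audit_network_config(config_xml: str) -> list:
    root = ET.fromstring(config_xml)
    findings = []
    # debug-overrides are ignored in release builds, so only base-config and domain-config matter
    for section in list(root.iter("base-config")) + list(root.iter("domain-config")):
        scope = ", ".join(d.text for d in section.iter("domain")) or "all domains"
        if section.get("cleartextTrafficPermitted") == "true":
            findings.append(f"M5: cleartextTrafficPermitted=true for {scope}")
        for certs in section.iter("certificates"):
            if certs.get("src") == "user":
                findings.append(f"M5: user-installed CAs trusted for {scope} (an intercepting proxy CA would be accepted)")
        if section.tag == "domain-config" and section.find("pin-set") is None:
            findings.append(f"M5: no <pin-set> for {scope}")
    return findings


# Constructed sample manifest: a fictional banking app with several weak settings
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".OtpReceiver" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample network security config: cleartext and user CAs allowed, one domain unpinned
SAMPLE_NETWORK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2027-01-01"><pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin></pin-set>
  </domain-config>
  <domain-config><domain>legacy.example.com</domain></domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST) + audit_network_config(SAMPLE_NETWORK_CONFIG):
        print(finding)
```

Run it as a script to list the findings, or call audit_manifest on the contents of decompiled_app/AndroidManifest.xml. The hardened counterpart of the sample config is the inverse of each finding: cleartextTrafficPermitted="false", only <certificates src="system"/> in base-config, and a <pin-set> with a backup pin for every domain-config.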
```shell
# Decompile the APK to readable Java source (output lands in jadx_output/sources and jadx_output/resources)
jadx target-app.apk -d jadx_output/
# Search for plain-HTTP URLs
grep -rn "http://" jadx_output/sources/ --include="*.java"
# Find hardcoded credentials or API keys (expect many false positives; triage each hit)
grep -rn "password\|api_key\|secret_key\|AWS_ACCESS" jadx_output/sources/ --include="*.java"
# Check for world-readable/writable SharedPreferences (deprecated since API 17; throws SecurityException on API 24+)
grep -rn "MODE_WORLD_READABLE\|MODE_WORLD_WRITEABLE" jadx_output/sources/ --include="*.java"
```
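The grep commands above return every line that mentions a password or key; most hits are resource names, prefixes and placeholders. The Python scorer below, added as an example for this page (not jadx's or OWASP's code), narrows the list by matching fixed key formats regardless of variable name and by scoring the remaining string literals with Shannon entropy. The Java class is a constructed sample; the AWS and Google prefixes are conventional key formats, and the 3.5-bit threshold is an assumption to tune per codebase.

```python
"""Rank candidate hardcoded secrets in decompiled Java source (OWASP Mobile Top 10 M1/M10).
Added example for this page, not jadx or OWASP code; the Java class below is a constructed
sample and the entropy threshold is an assumption to tune per codebase."""
import math
import re

# <sensitive-looking name> = "<literal of 8+ characters>"
ASSIGNMENT_RE = re.compile(
    r'(?P<name>\w*(?:key|secret|token|password|passwd)\w*)\s*=\s*"(?P<value>[^"]{8,})"',
    re.IGNORECASE,
)
# Fixed-format keys are identifiable whatever the variable is called
KNOWN_FORMATS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}
PLACEHOLDERS = {"changeme", "your_api_key", "todo", "placeholder", "xxxxxxxx"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex tops out at 4.0, random base64 at 6.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_source(filename: str, source: str, min_entropy: float = 3.5) -> list:
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        seen = set()
        for label, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append({"file": filename, "line": lineno, "kind": label,
                                 "value": m.group(0), "entropy": round(shannon_entropy(m.group(0)), 2)})
        m = ASSIGNMENT_RE.search(line)
        if not m or m.group("value") in seen:
            continue
        value = m.group("value")
        ent = shannon_entropy(value)
        # Placeholders and low-entropy strings (resource names, prefixes) are the noise grep drowns you in
        if value.lower() in PLACEHOLDERS or ent < min_entropy:
            continue
        findings.append({"file": filename, "line": lineno, "kind": "high-entropy assignment",
                         "value": value, "entropy": round(ent, 2)})
    return findings


# Constructed sample: what a decompiled config class often looks like
SAMPLE_JAVA = """package com.example.bank;
public class ApiConfig {
    static final String BASE_URL = "http://api.example.com/v1";
    static final String API_KEY = "AIzaSyD3m0Ex4mpl3K3yF0rT3st1ngPurp0s3s0";
    static final String AWS_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE01";
    static final String password = "changeme";
    static final String tokenPrefix = "Bearer ";
    static final String tokenKey = "pref_session_token";
    static final String secretKey = "s3cr3t-9f8e7d6c5b4a3210";
}
"""

if __name__ == "__main__":
    for f in scan_source("ApiConfig.java", SAMPLE_JAVA):
        print(f"{f['file']}:{f['line']} {f['kind']} (entropy {f['entropy']}): {f['value']}")
```

Of the six string literals in the sample, three survive: the two fixed-format keys and the random-looking secretKey. The placeholder password, the short "Bearer " prefix and the preference name pref_session_token are dropped, which is the difference between a grep hit list and a finding. In a real engagement run scan_source over every file under jadx_output/sources and confirm each survivor against the backend before reporting it.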
```shell
# Push the Burp CA certificate to an emulator or test device, then install it via
# Settings > Security > Install from storage (this lands in the user CA store)
adb push burp-cert.der /sdcard/
# Apps targeting API 24+ do not trust user CAs by default: either move the CA into the
# system store (rooted device or emulator) or bypass pinning and trust checks at runtime
# with Frida. ssl-bypass.js is your own script; on Frida 16+ drop --no-pause, spawned
# processes resume automatically.
frida -U -f com.target.app -l ssl-bypass.js --no-pause
# Capture traffic with tcpdump on a rooted device (needs root and a tcpdump binary on the device)
adb shell su -c "tcpdump -i wlan0 -w /sdcard/capture.pcap"
adb pull /sdcard/capture.pcap
```

MobSF (Mobile Security Framework) Quick Start

```shell
# Run MobSF in Docker (web UI on port 8000)
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
# Upload an APK or IPA via the web interface at http://localhost:8000
# MobSF's static analysis covers:
# - Manifest analysis and permission mapping
# - Code analysis for security issues
# - Binary analysis and library detection
# - Network security configuration checks
# Dynamic analysis needs a connected Android emulator or device and extra setup;
# it is not available out of the box in this container
```

Legal and ethical warning: only analyse apps you own, have developed, or have explicit written authorisation to test. Reverse engineering apps may violate their terms of service. Intercepting traffic on networks you do not own or control is illegal under the Telecommunications (Interception and Access) Act 1979 (Australia), the US Wiretap Act and Computer Fraud and Abuse Act, and similar legislation elsewhere. Always test in controlled lab environments.

What Are the Limitations of Mobile Security?


NIST SP 800-124 Rev. 2 acknowledges that no single mobile security control is sufficient, and that organisations must balance usability, privacy, and security when implementing mobile device policies.

| Security control | Benefit | Limitation / failure mode |
|---|---|---|
| App store review | Catches most commodity malicious apps before distribution | Sophisticated malware evades review; XcodeGhost and Joker proved this repeatedly |
| App sandboxing | Isolates apps from each other | Kernel exploits break out of the sandbox entirely; overly broad permissions weaken isolation |
| MDM enforcement | Centralised policy control for enterprise devices | Employees resist surveillance; BYOD users may refuse MDM enrolment |
| Certificate pinning | Prevents MITM against app traffic even when a rogue CA certificate is installed | Makes legitimate security testing harder; pins that expire or rotate badly break the app until an update ships |
| Biometric authentication | Convenient and stronger than simple PINs against casual access | Can be spoofed (gummy fingers, 3D-printed faces); a coerced unlock is easier than extracting a password |
| Root/jailbreak detection | Blocks compromised devices from accessing sensitive apps | Detection can be bypassed with tools like Magisk (Android) or Liberty Lite (iOS); treat it as a speed bump, not a guarantee |
| Full-device encryption | Protects data at rest if the device is stolen | Useless if the device is unlocked or the attacker has the PIN; after the first unlock many keys stay in memory, so a seized powered-on device is far more exposed than a powered-off one |
| BYOD policies | Cost savings, employee flexibility | Mixing personal and corporate data creates leakage risks; security standards are harder to enforce |

What Interview Questions Should You Expect About Mobile Security?


Mobile security questions are increasingly common in SOC analyst and junior security interviews, especially as organisations adopt BYOD and mobile-first strategies.

Q1: What are the main differences between Android and iOS security?

Strong answer: “Android is open source with a fragmented update model — security patches depend on the manufacturer and carrier. It allows sideloading, which increases flexibility but also attack surface. iOS is closed source with unified updates pushed directly by Apple. It has tighter app store controls and hardware-backed security through the Secure Enclave. Neither is inherently more secure — both have been compromised by sophisticated attackers like NSO Group’s Pegasus. The key difference for enterprises is that iOS patching is more predictable.”

Q2: What is the OWASP Mobile Top 10 and why does it matter?

Strong answer: “The OWASP Mobile Top 10 is a standardised list of the most critical security risks in mobile applications. It covers issues like insecure data storage, insecure communication, and improper authentication. It matters because it gives developers and security testers a common framework for identifying and prioritising mobile app vulnerabilities. If I were reviewing a mobile app’s security, the OWASP Mobile Top 10 would be my starting checklist.”

Q3: How would you respond to an alert about a malicious app installed on a corporate device?

Strong answer: “First, I would verify the alert — check the app name, package ID, and what triggered the detection. Then I would use our MDM platform to remotely quarantine or wipe the device if the threat is confirmed. I would check whether the app had access to corporate data or credentials and reset any potentially compromised accounts. I would also check whether other devices in our fleet have the same app installed. Finally, I would document the incident and update our blocked app list.”

Q4: What is the risk of jailbreaking or rooting a device?

Strong answer: “Rooting or jailbreaking removes fundamental security controls — app sandboxing, code signing verification, and integrity checks. This means any app on the device, including malicious ones, can access all data and system resources. For enterprise environments, a rooted or jailbroken device should be blocked from accessing corporate resources via MDM policy because it cannot be trusted to enforce security controls.”

How Is Mobile Security Used in Real Security Operations?


In a modern SOC, mobile-related alerts are part of the daily workload:

  • MDM compliance violation. A device falls out of compliance — outdated OS, removed MDM profile, or jailbreak detected. You verify the alert, contact the user, and escalate if the device has access to sensitive systems.
  • Malicious app detection. The endpoint protection platform flags a sideloaded APK on an Android device. You investigate the app’s behaviour, check threat intelligence, and initiate device quarantine if confirmed malicious.
  • Phishing via SMS (smishing). A user reports a suspicious text message claiming to be from their bank. You analyse the URL, check it against known indicators, and alert other users if it is part of a broader campaign.
  • Unusual data exfiltration. Network monitoring flags a mobile device uploading large volumes of data to an unknown cloud service. You investigate whether this is a legitimate app or potential data theft.
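For the smishing bullet above, this is the kind of first-pass check an analyst scripts. It is added here as an example and is not part of any ACSC or vendor tooling: it pulls URLs out of a reported SMS and flags indicators such as cleartext HTTP, an IP-literal host, punycode, a shortener, or a known brand name appearing under a domain the brand does not own (the pattern behind the Australia Post and myGov lures mentioned earlier). The brand-to-domain map, the shortener list and the three messages are constructed; registrable_domain is a deliberate approximation of public-suffix handling and should be replaced by a public-suffix library in production.

```python
"""Extract and triage URLs from a user-reported SMS for smishing indicators.
Added example for this page, not ACSC or vendor code; the brand map, shortener list
and sample messages are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Brands commonly impersonated in Australian smishing and their legitimate registrable domains (constructed)
OFFICIAL_DOMAINS = {
    "auspost": {"auspost.com.au"},
    "mygov": {"my.gov.au"},
    "telstra": {"telstra.com.au", "telstra.com"},
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
SECOND_LEVEL = {"com", "gov", "net", "org", "edu", "co"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Rough eTLD+1: three labels for suffixes like com.au or gov.au, otherwise two."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] in {"au", "uk", "nz"} and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_url(url: str) -> dict:
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    indicators = []
    if parts.scheme.lower() == "http":
        indicators.append("cleartext http")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        indicators.append("IP literal host")
    if "xn--" in host:
        indicators.append("punycode label (possible homograph)")
    if reg in SHORTENERS:
        indicators.append("URL shortener hides destination")
    # Collapse dots and hyphens so au-post.xyz and mygov.au.example.com still match the brand
    flattened = host.replace("-", "").replace(".", "")
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand in flattened and reg not in official:
            indicators.append(f"brand '{brand}' in non-official domain {reg}")
    return {"url": url, "host": host, "registrable_domain": reg, "indicators": indicators,
            "verdict": "suspicious" if indicators else "no indicators"}


def triage_sms(text: str) -> list:
    """One triage record per URL found in the message body."""
    return [triage_url(u.rstrip(".,)")) for u in URL_RE.findall(text)]


# Constructed sample messages: two lures and one legitimate notification
SAMPLE_SMS = [
    "AusPost: your parcel could not be delivered. Reschedule at http://auspost-parcel.xyz/track?id=8827361",
    "myGov: unusual activity detected, verify your identity at https://mygov.au.account-verify.com/login",
    "Your Telstra bill is ready: https://www.telstra.com.au/billing",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for record in triage_sms(sms):
            print(record["verdict"], record["host"], record["indicators"])
```

The second message is the instructive one: the lure puts the brand in a subdomain (mygov.au.account-verify.com) so a quick glance at the start of the URL looks right, while the registrable domain the attacker actually controls is account-verify.com. A hit on any indicator is a reason to check the URL against threat intelligence and to search the gateway logs for other recipients of the same campaign, not a verdict on its own.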

Enterprise mobile security relies on a layered approach:

  1. Mobile Device Management (MDM). Enforces device-level policies: encryption, screen lock, minimum OS version, app allow and deny lists.
  2. Mobile Application Management (MAM). Controls corporate apps specifically: containerisation, app-level VPN, data loss prevention within managed apps.
  3. Mobile Threat Defence (MTD). Active threat detection on the device: network anomaly detection, malicious app scanning, phishing URL blocking.
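The MDM compliance alert described earlier in this section is the output of a policy evaluation like the one below, added for this page as an example rather than any vendor's MDM logic. The policy values, the record field names (platform, os_version, encrypted, screen_lock, compromised, mdm_profile_installed, last_checkin) and the four device records are constructed assumptions about what an MDM inventory export contains; the severity split (block outright for compromised or unmanaged devices, warn for an old OS or a stale check-in) is one reasonable choice, not a standard.

```python
"""Evaluate MDM inventory records against a device-compliance policy and decide an action.
Added example for this page, not any MDM vendor's API; the policy, the field names and
the device records are constructed assumptions about an MDM export."""
from datetime import datetime, timedelta, timezone

POLICY = {
    "min_os": {"android": "14", "ios": "17.4"},
    "max_checkin_days": 7,
    "require_encryption": True,
    "require_screen_lock": True,
}
BLOCK, WARN, ALLOW = "block", "warn", "allow"


def parse_version(version: str) -> tuple:
    """Numeric tuple so that 17.10 sorts after 17.4 (a plain string comparison gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: dict, policy: dict, now: datetime) -> dict:
    reasons = []  # (severity, message)
    minimum = policy["min_os"][device["platform"]]
    if parse_version(device["os_version"]) < parse_version(minimum):
        reasons.append((WARN, f"OS {device['os_version']} below minimum {minimum}"))
    if policy["require_encryption"] and not device["encrypted"]:
        reasons.append((BLOCK, "storage encryption disabled"))
    if policy["require_screen_lock"] and not device["screen_lock"]:
        reasons.append((BLOCK, "no screen lock configured"))
    if device["compromised"]:
        reasons.append((BLOCK, "rooted or jailbroken; platform controls cannot be trusted"))
    if not device["mdm_profile_installed"]:
        reasons.append((BLOCK, "MDM profile removed; device is no longer managed"))
    age = now - datetime.fromisoformat(device["last_checkin"])
    if age > timedelta(days=policy["max_checkin_days"]):
        reasons.append((WARN, f"no check-in for {age.days} days; reported state is unverified"))
    # One block-level finding is enough to cut access; warnings alone start a grace period
    if any(severity == BLOCK for severity, _ in reasons):
        action = BLOCK
    elif reasons:
        action = WARN
    else:
        action = ALLOW
    return {"id": device["id"], "action": action, "reasons": [msg for _, msg in reasons]}


def evaluate_fleet(devices: list, policy: dict, now: datetime) -> dict:
    """Map each device id to the action the MDM (or the analyst) should take."""
    return {result["id"]: result["action"] for result in (evaluate(d, policy, now) for d in devices)}


# Constructed inventory snapshot, evaluated at a fixed point in time
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
DEVICES = [
    {"id": "d-001", "platform": "ios", "os_version": "17.4.1", "encrypted": True, "screen_lock": True,
     "compromised": False, "mdm_profile_installed": True, "last_checkin": "2026-02-28T09:00:00+00:00"},
    {"id": "d-002", "platform": "android", "os_version": "13", "encrypted": True, "screen_lock": True,
     "compromised": False, "mdm_profile_installed": True, "last_checkin": "2026-02-27T18:30:00+00:00"},
    {"id": "d-003", "platform": "android", "os_version": "14", "encrypted": True, "screen_lock": False,
     "compromised": True, "mdm_profile_installed": True, "last_checkin": "2026-02-28T12:00:00+00:00"},
    {"id": "d-004", "platform": "ios", "os_version": "17.5", "encrypted": True, "screen_lock": True,
     "compromised": False, "mdm_profile_installed": False, "last_checkin": "2026-02-10T08:00:00+00:00"},
]

if __name__ == "__main__":
    for device in DEVICES:
        result = evaluate(device, POLICY, NOW)
        print(result["id"], result["action"], "; ".join(result["reasons"]) or "compliant")
```

d-001 is compliant, d-002 only needs an OS update and gets a warning, d-003 is blocked for being rooted (the missing screen lock is a second block-level reason), and d-004 is blocked because the MDM profile was removed; its 19-day silence is the warning that would have caught it earlier. The version helper matters more than it looks: many first attempts compare "17.10" and "17.4" as strings and conclude the newer release is out of date.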

Australian Context: Mobile Security Compliance


In Australia, mobile device security is relevant to several regulatory frameworks:

  • ASD Essential Eight — Multi-factor authentication (Essential Eight control) increasingly relies on mobile devices as authenticators. Organisations must ensure these devices are secured.
  • Privacy Act 1988 — Mobile apps collecting personal information from Australian users must comply with the Australian Privacy Principles (APPs), including data minimisation and security requirements.
  • SOCI Act 2018 — Critical infrastructure entities must consider mobile devices as part of their risk management programme, particularly for remote access to operational systems.
  • ACSC guidance — The ACSC publishes specific advice on securing mobile devices, including recommendations for both personal and enterprise use at cyber.gov.au.

Mobile device security is a critical and expanding domain in cybersecurity that every entry-level professional needs to understand.

  • Mobile devices carry more sensitive data than most laptops — banking, authentication, health records, corporate email — making them high-value targets.
  • Android and iOS have fundamentally different security models. Android is open and fragmented; iOS is closed and unified. Both have been compromised by sophisticated attackers.
  • The OWASP Mobile Top 10 provides a standardised checklist for mobile app security risks, from insecure data storage to insufficient cryptography.
  • Jailbreaking and rooting remove critical security controls and should be blocked on enterprise devices via MDM policy.
  • Enterprise mobile security is layered: MDM for device policy, MAM for app control, and MTD for active threat detection.
  • Mobile security testing follows a structured methodology: reconnaissance, static analysis, dynamic analysis, backend testing, and reporting.
  • SOC analysts encounter mobile alerts daily — MDM violations, malicious app detections, smishing campaigns, and unusual data transfers.

Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

Frequently Asked Questions

Is Android or iOS more secure?

Neither is inherently more secure. iOS has tighter controls with unified patching and strict App Store review. Android is more transparent (open source) but has fragmented updates across manufacturers. Both platforms have been compromised by sophisticated attackers like NSO Group's Pegasus. The best security comes from keeping your device updated, using strong authentication, and being cautious about app permissions.

What is the OWASP Mobile Top 10?

The OWASP Mobile Top 10 is a standardised list of the most critical security risks in mobile applications. The 2024 version covers risks including improper credential usage, inadequate supply chain security, insecure authentication, insufficient input validation, insecure communication, inadequate privacy controls, insufficient binary protections, security misconfiguration, insecure data storage, and insufficient cryptography.

What is MDM in cybersecurity?

Mobile Device Management (MDM) is enterprise software that allows organisations to enforce security policies on mobile devices. MDM can require encryption, enforce screen lock policies, remotely wipe lost or stolen devices, block jailbroken devices, and manage which apps can be installed. It is a fundamental tool for securing corporate mobile environments.

What is jailbreaking and why is it a security risk?

Jailbreaking (iOS) and rooting (Android) remove manufacturer restrictions to gain full administrative access. This weakens or disables critical security controls, including code-signing enforcement, sandbox boundaries and boot integrity verification. Root-capable or unsigned code on such a device can reach any app's data and system resources, making the device far more exposed to malware. Enterprise environments block jailbroken and rooted devices from accessing corporate resources.

What tools are used for mobile security testing?

Common mobile security testing tools include APKTool and jadx for Android APK decompilation and analysis, Frida for runtime instrumentation and SSL bypass, MobSF (Mobile Security Framework) for automated static and dynamic analysis, Burp Suite for intercepting mobile app network traffic, and Objection for iOS and Android runtime exploration.

What is a zero-click exploit?

A zero-click exploit compromises a device without any user interaction — no clicking links, no opening files. The Pegasus spyware used zero-click exploits targeting iMessage and WhatsApp to silently install surveillance software. These exploits are extremely sophisticated and typically used by nation-state actors. They are rare but represent the highest level of mobile threat.

What is BYOD and what are the security risks?

BYOD (Bring Your Own Device) allows employees to use personal devices for work. Security risks include mixing personal and corporate data, inability to enforce full security policies on personal devices, potential data leakage through personal apps, and difficulty wiping corporate data when an employee leaves. MDM and MAM solutions help mitigate these risks.

How do I protect my personal mobile device?

Keep your OS and apps updated, use a strong screen lock (biometric plus PIN), only install apps from official stores, review app permissions carefully, avoid connecting to unknown Wi-Fi networks, enable Find My Device for remote wipe capability, use a password manager, and enable multi-factor authentication on all accounts.

What is mobile app sandboxing?

Sandboxing isolates each app in its own restricted environment so it cannot access other apps' data or system resources without explicit permission. On Android, each app runs as a separate Linux user with its own filesystem space. On iOS, apps are confined to their own sandbox directory. Sandboxing limits the damage a malicious app can cause.

Do I need to learn mobile security for entry-level cybersecurity jobs?

Yes, at least the fundamentals. Mobile devices are a major attack surface in every organisation. SOC analysts encounter mobile-related alerts daily, including MDM violations, malicious app detections, and smishing campaigns. Understanding mobile security models, OWASP Mobile Top 10, and MDM basics will strengthen both your interviews and your on-the-job effectiveness.


Sources: OWASP Mobile Top 10 (2024), OWASP MASTG, NIST SP 800-124 Rev. 2, ASD/ACSC. Last verified: March 2026.