September 26, 2025


Mobile Threat Defense: Penetration Testing Can Reveal Your Weakest Links

Penetration testing is one of the most effective ways to gauge your organization’s cybersecurity readiness. While traditional security tools can block everyday threats, a penetration test (or pen test) demonstrates what might happen if a particularly clever or dedicated threat actor decided to attack your network. A well-executed pen test can reveal unexpected cybersecurity holes in both the technological and human layers at your organization. Mobile devices can be a particularly potent threat vector.

In an era of remote and hybrid work, employees rely on their smartphones and tablets more than ever before. While these devices offer flexibility and convenience, they can also give threat actors constant access to your staff. Workers tend to keep mobile devices with them at all times and respond to messages instantly. Combine these habits with smaller screens and hard-to-spot malicious sites, and it’s not surprising that smartphones and tablets make such tempting targets for attackers.

In addition to human error, insecure applications, outdated operating systems (OSs), and misconfigured device settings could also lead to compromised devices and a devastating data breach. By pen testing your mobile devices, you can fix exploitable gaps in your defenses before threat actors ever find them.

What is penetration testing?

In a broad sense, a pen test is a “friendly” attempt to breach your organization’s cyber defenses. Administrators start by hiring an outside contractor who knows how to compromise legitimate networks. This could be a single “ethical hacker” or a group of experts in a penetration testing firm. From there, the contractor does everything in their power to find and exploit an organization’s security holes. That gives administrators a chance to patch those holes before a threat actor finds them.

Since penetration testing can involve many different techniques, it’s usually up to administrators to set the parameters. For example, you could give a tester access to a non-administrator account and see how much damage they could do, or you could ask them to go in blind, starting with nothing but your organization’s name and website. You could inform your staff that a test is going on, or you could see how they respond to a potential attack when they’re not expecting one. You could even give a tester access to your building — or lock them out and see if they’re able to work their way in anyway.

While pen testing is usually a holistic process, you may find it useful to ask a tester to zero in on your organization’s mobile devices. Historically, penetration tests focused on office buildings, on-site servers, stationary desktops, and other physical objects in fixed locations. Mobile devices present a whole different set of potential vulnerabilities, which a dedicated mobile threat defense (MTD) strategy can help address.

Smartphones and tablets are often bring-your-own-device (BYOD) systems rather than company-issued property. This means that users can (and often do) mix personal and professional information. Since mobile devices are often personal property, employees may relax their usual security standards. Responding to texts from unknown numbers, following shortened URLs, and giving apps broad permissions are all ways that threat actors can compromise employee accounts — but they’re also all pretty common behaviors on mobile platforms. 

The potential for human error doesn’t end there. Mobile devices have constant access to messaging apps, making phishing a constant threat. They’re also small and easy to steal, particularly in public locations. Malicious and copycat apps sometimes make their way onto official app stores.

Perhaps the biggest threat is that mobile devices receive critical security updates for only a few years. Once a device falls out of support, every newly disclosed vulnerability in its OS becomes permanent: a fully functional older device turns into a cybersecurity hole that no patch will ever close.

A comprehensive Mobile Endpoint Security (MES) solution can help address some of these issues. For more specific problems and solutions, hire a pen tester to assess your mobile device security.

Which vulnerabilities can mobile penetration testing find?

Because penetration testing is so open-ended, there’s no definitive list of issues it can uncover. For mobile devices, though, some vulnerabilities come up more often than others:

Problematic apps

Between Android and iOS, there are about 4 million mobile apps available for download. These apps are prime targets for pen tests, as many of them contain vulnerabilities — sometimes by accident, and sometimes by design.

  • Outdated apps are older versions of legitimate applications. Developers update apps constantly, and those updates often fix security flaws. Unpatched software could be an easy target for threat actors.
  • Overly permissive apps are applications that ask for more access to a mobile device than they really require. For example, a voice recording app might need access to your microphone, but not to your camera, call logs, email account, or text messages. These apps may not be dangerous on their own, but could give up a lot of valuable information if compromised.
  • Copycat apps fool people into downloading them by looking and behaving just like a known and trusted app. These apps can steal anything from login credentials to credit card information.
  • Malicious apps spread malware that can compromise mobile devices. The most pernicious of these apps can completely hijack phones and attempt to spread more malware across an entire organization.
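The "overly permissive apps" point above is something a mobile pen tester checks statically before ever running the app. The script below is an added example, not Lookout's code and not from the original article: it parses an Android manifest, compares the requested permissions against an allowlist of what a voice recorder legitimately needs, and also reports two application flags that matter during a test. The sample manifest, the package name and the allowlist are all constructed assumptions; in practice you would decode the APK first (for example with `apktool d app.apk`) and point the script at the extracted `AndroidManifest.xml`.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical voice-recorder app that
# requests far more than recording audio requires. Not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voicerecorder">
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Recorder"
                 android:debuggable="true"
                 android:allowBackup="true">
    </application>
</manifest>
"""

# Assumed allowlist: what we believe a voice recorder legitimately needs.
VOICE_RECORDER_ALLOWLIST = {
    "android.permission.RECORD_AUDIO",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}

# Subset of Android's runtime ("dangerous") permissions that expose user data;
# any of these outside the allowlist deserves a finding of its own.
HIGH_RISK = {
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def _attr(el, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {_attr(el, "name") for el in root.iter("uses-permission")}


def audit_manifest(manifest_xml, allowlist):
    """Compare declared permissions against an allowlist and check two
    application flags a tester cares about: a debuggable build can be attached
    to with a debugger on a non-rooted device, and allowBackup (true by default
    when absent) lets app data be pulled with `adb backup` on older Android
    versions."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    excess = perms - allowlist
    app = root.find("application")
    return {
        "package": root.get("package"),
        "excess": sorted(excess),
        "high_risk_excess": sorted(excess & HIGH_RISK),
        "debuggable": app is not None and _attr(app, "debuggable") == "true",
        "allow_backup": app is None or _attr(app, "allowBackup") != "false",
    }


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST, VOICE_RECORDER_ALLOWLIST)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Every permission outside the allowlist is reported, but the `high_risk_excess` list is the one that goes straight into the findings: for the constructed recorder it contains the camera, call log, SMS and contacts permissions, none of which a recorder needs, and each of which becomes an attacker's data source if the app is compromised.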

The human layer in your cybersecurity framework could be the weak link for any one of these threats. Workers can easily forget to update apps, grant too many permissions, or mistake a convincing copycat for the real thing. 

Outdated OSs

Apple and Google put out routine security updates for their operating systems, and Android phone manufacturers then have to ship those patches for each of their particular models, often with a delay. More often than not, these updates address security flaws. If the OS on your organization’s mobile phones isn’t fully patched, a pen tester may use a publicly known exploit to take control of those devices. Outdated OSs can be particularly risky if your employees get to decide when to install their own updates. Some staff members may put the updates off for days (or weeks), leaving a window in which threat actors have the upper hand.

An up-to-date threat intelligence platform can be an excellent resource here, as it lets you know about new vulnerabilities as soon as security researchers discover them.

Misconfigured device settings

Not every vulnerability is explicitly malicious. For example, penetration testing could reveal misconfigurations in your organization’s mobile device settings. If a smartphone’s lock screen uses a default passcode, or no passcode at all, that’s a misconfiguration. Giving every user full access to sensitive files in cloud storage is a misconfiguration. From sending unencrypted emails to deactivating multi-factor authentication (MFA), the list of potential misconfigurations is long.

These misconfigurations may come from individual employees, who take simple shortcuts rather than using longer, safer cybersecurity practices. For example, a worker could set their smartphone’s PIN to “0000” or send work emails from their personal address. These errors could give pen testers an easy way into your network.

Social engineering susceptibility

Just as threat actors can target your hardware and software, they can also take aim at the people who work for you. Social engineering refers to any attempt to deceive, coerce, or manipulate your staff into giving up valuable information. Phishing emails and copycat login pages are common social engineering tactics. However, new advances in artificial intelligence (AI) technology have made more ambitious attacks, such as deepfake voice calls and executive impersonation, easier than ever. A pen tester focused on mobile devices may try to smish (phishing via text message) your employees or trick them into revealing MFA codes.

Secure your mobile devices with EDR

Penetration testing can quickly reveal what cybersecurity solutions your organization needs to prioritize. Patching your software, properly configuring your devices, and training your employees to spot phishing scams are all ways to block off potential attack vectors.

For more detailed information on how to address these issues, read the Lookout Mobile EDR Playbook. In it, you’ll learn how a targeted mobile endpoint detection and response (EDR) strategy can help safeguard your sensitive data with powerful tools to protect your organization’s mobile devices.

Book a personalized, no-pressure demo today to learn:

  • How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
  • Real-world examples of phishing and app threats that have compromised organizations
  • How an integrated endpoint-to-cloud security platform can detect threats and protect your organization