
Mobile Security: The 5 Questions Modern Organizations Are Asking

The document discusses 5 common questions organizations have about securing mobile devices used in the workplace. It addresses whether mobile apps pose security threats, if employees install apps from unknown sources, how many devices have been jailbroken or rooted, if mobile device management solutions are sufficient for security, and if employees use personal tools that could put data at risk. The document emphasizes the importance of visibility into mobile apps and devices to understand potential risks and balance security and productivity.


Whitepaper

Mobile Security
The 5 Questions Modern Organizations Are Asking


Executive Summary

The modern organization has recognized the need to embrace mobile devices in the workplace. Some have fully implemented a bring-your-own-device (BYOD) program, while some have adopted a hybrid model of corporate-owned and employee-owned devices. Meanwhile, others are now just starting to consider these mobility programs.

Wherever you fall on this spectrum of mobility adoption, the global trend is moving towards BYOD to benefit from enhanced worker productivity, increased revenues, and reduced device and data expenses. In fact, more than 45% of global firms are now introducing or expanding BYOD programs, according to a recent survey from Forrester Research.[1]

However, the increase in mobile devices brings with it important security implications. As the CSO's 2015 Mobile Security Survival Guide notes, mobile security risks are growing because much enterprise data today is created and consumed on mobile devices.[2] This clearly explains why mobile security persistently tops the list of most pressing enterprise security concerns.

Whether you've already embraced enterprise mobility or are just starting to consider it, today's organizations are concerned about the lack of visibility into these five areas:

- Are the mobile apps on our employees' devices a security threat? As more sensitive data is accessed on mobile devices, malware is becoming significantly more sophisticated
- Do our employees install iOS and Android apps from unknown sources? It is now easier to acquire iOS and Android apps from sources outside of official app stores, introducing new risks
- How many iOS and Android devices on our network have been jailbroken or rooted? An estimated 8% of iOS devices are jailbroken, while user tools like xCon render traditional jailbreak detection ineffective
- Are MDMs sufficient for securing enterprise data on mobile devices? MDM and container solutions can be an important part of a mobile security stack, but they do not protect against advanced mobile malware and compromised operating systems
- Are employees using their own mobile tools, putting sensitive data at risk? Employees expect a great user experience on mobile devices, and if mobile productivity and security solutions are not adopted, enterprise data is put at risk

[1] Forrester Research, Building The Business Case For A Bring-Your-Own-Device (BYOD) Program, Michele Pelino, December 2014
[2] CSO Online, CSO's 2015 Mobile Security Survival Guide, George V. Hulme, January 2015

Are the mobile apps on our employees' devices a security threat?

To answer this question, you first need to understand the categories of app-based threats that exist today. We can broadly categorize them as:

Malicious apps: Mobile apps that exploit a vulnerability to create a security risk for the device or data.

Risky apps: Mobile apps that exhibit behavior which may be benign in the right context, but may violate your organization's security posture. For example, an app that sends contact data to foreign servers.

Malicious apps

Recently, NSA Director Adm. Michael Rogers warned of increasing cyberattacks on mobile devices as a coming trend.[3] But why would an attacker choose a mobile device as the attack surface into your organization among the many options? The answer is nicely summarized in CSO's 2015 Mobile Security Survival Guide: malware is getting better and attackers are targeting mobile more because that's where the data resides.[4]

We also know that mobile platforms are inherently application-centric; to access the data you need to open an app. Gartner notes that, similarly, for attackers to get hold of files, they need to attack mobile apps, which makes it necessary to protect apps so that the enterprise data is protected.[5]

It's for this reason that Gartner recommends you abandon device-centric lockdown security models in favor of app-centric models. Trial data-centric solutions, but be aware of the limitations in terms of maturity and scalability.[5]

Risky apps

At first glance, it might be tempting to consider any app that accesses your employees' contact data to be risky, but would you consider the LinkedIn app risky because it requires access to contacts? Maybe not, but what about the aggressive piece of adware that lives on your CEO's device, which sends contact and browser history data to an unknown server in Russia?

While some might classify these apps as just annoying, Craig Shumard, former CISO at Cigna, notes how if you're an enterprise that supports BYOD, this kind of annoying threat should sound alarms. He goes on to note that the fact that contacts and personally identifiable information is taken puts your employees and your proprietary secrets, your competitive edge, at risk.

Focus on Visibility

A risky app is in the eye of the beholder, but at the very least you need visibility into the apps on your network and their capabilities. This enables you to make an informed decision about balancing the need to empower mobile productivity with the need to protect company data.

[3] Wall Street Journal, NSA Director Warns of Dramatic Cyberattack in Next Decade, Siobhan Gorman, November 2014
[4] CSO Online, CSO's 2015 Mobile Security Survival Guide, George V. Hulme, January 2015
[5] Gartner, How Digital Business Reshapes Mobile Security, Dionisio Zumerle, Nathan Hill, February 2015

Do our employees install iOS and Android apps from unknown sources?

In Gartner's recent report on mobile malware, they reveal that one of the main sources for today's attacks is nonstandard application stores. One common practice for malicious actors is to acquire popular applications, repackage them with malicious code and submit them to third-party app stores.

Apps downloaded outside official app marketplaces like the Play Store and App Store are considered sideloaded apps and are inherently risky due to the simple fact that they bypass the review and controls present in official app marketplaces.

Sideloaded apps: Apps loaded onto the device via third-party app stores, webpages, or email attachments

Apple in particular has a great reputation for keeping the App Store free of malware, but there's an emerging threat vector for sideloaded apps on iOS that does not require jailbreak: apps that abuse enterprise provisioning profiles.

Companies increasingly build and distribute custom iOS apps directly to employee devices using enterprise provisioning profiles. Apple created them to enable corporate mobility, and these provisioning profiles contain Apple-signed certificates that enable app distribution without Apple's app review.

While employees will see a security notice on their device the first time they download an enterprise-provisioned app from a new developer, employees today are conditioned to clicking the "trust" button as custom enterprise apps have become ubiquitous.

As a result, attackers that obtain valid, Apple-signed certificates can take advantage of this changing enterprise dynamic to target users with apps that were never vetted by Apple.

On Android, the barrier to installing sideloaded apps is much lower: Android users can easily enable sideloaded apps by changing their settings to allow the installation of apps from sources other than the Play Store.

Third-party app stores aren't the only source of potentially malicious, sideloaded apps. According to Gartner, another source of malware comes from malicious websites that try to install mobile applications, profiles or certificates on the user's device.[6] It's as simple as clicking a link on a mobile browser, or in an email attachment.

Focus on Visibility

Fortunately, many of these sideloaded apps can be identified within your organization by examining who signed the app certificates. If they were signed by an entity other than your own organization, you may want to investigate further or block those apps entirely.

How an attacker abuses Apple enterprise provisioning profiles:

Step 1: Attacker acquires enterprise certificate and signs app
Step 2: Attacker distributes app via email attachment or webpage
Step 3: Employee installs the app, which may exfiltrate sensitive data
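
The signer check described under Focus on Visibility, as an added example that is not part of the original whitepaper or of any Lookout product: it triages a constructed app inventory by signing-certificate fingerprint rather than by the organization name printed in the certificate. The CSV columns, install-source values, organization name and (shortened) fingerprints are all assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample inventory (hypothetical MDM/EMM export; column names,
# install_source values and the shortened fingerprints are assumptions).
INVENTORY_CSV = """device,platform,app_id,install_source,signer_subject,signer_sha256
ios-014,ios,com.example.expenses,enterprise_profile,"CN=iPhone Distribution: Example Corp,O=Example Corp",AA:11:AA:11
ios-022,ios,com.vendor.notes,app_store,"CN=Apple iPhone OS Application Signing,O=Apple Inc.",CC:33:CC:33
ios-031,ios,com.freegames.puzzle,enterprise_profile,"CN=iPhone Distribution: Other Holdings Ltd,O=Other Holdings Ltd",dd44dd44
and-007,android,com.example.vpn,sideload,"CN=Example Corp,O=Example Corp",EE:55:EE:55
and-009,android,com.example.mail,sideload,"CN=Android,O=Example Corp",bb22bb22
"""

ORG_NAME = "Example Corp"                  # assumed organization name
ORG_SIGNER_FPS = {"aa11aa11", "bb22bb22"}  # assumed allowlist of the org's own signing certs
OFFICIAL_SOURCES = {"app_store", "play_store"}


def normalize_fp(fp):
    """Lower-case a fingerprint and drop separators so AA:11 and aa11 compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def subject_org(dn):
    """Extract the O= attribute from a certificate subject string, or '' if absent."""
    m = re.search(r"(?:^|,)\s*O=((?:\\.|[^,])*)", dn)
    return m.group(1).strip() if m else ""


def classify(row):
    """Return one of: official-store, org-signed, name-only-match, unknown-signer."""
    if row["install_source"] in OFFICIAL_SOURCES:
        return "official-store"
    if normalize_fp(row["signer_sha256"]) in ORG_SIGNER_FPS:
        return "org-signed"
    # Android signing certificates are self-signed, so the subject name is chosen
    # by whoever built the app. A matching name with an unknown key proves nothing.
    if subject_org(row["signer_subject"]).casefold() == ORG_NAME.casefold():
        return "name-only-match"
    return "unknown-signer"


def triage(csv_text):
    """List (device, app_id, verdict) for sideloaded apps not signed by a pinned org key."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row)
        if verdict in ("name-only-match", "unknown-signer"):
            findings.append((row["device"], row["app_id"], verdict))
    return findings


if __name__ == "__main__":
    for device, app_id, verdict in triage(INVENTORY_CSV):
        print(f"{device}: {app_id} -> {verdict}")
```

The `name-only-match` verdict is the case to escalate first: the app presents the organization's name but was signed with a key the organization does not hold.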

[6] Gartner, Protecting Mobile Devices Against Malware and Potentially Unwanted Applications, Patrick Hevesi, Mario de Boer, March 2015

How many iOS and Android devices on our network have been jailbroken or rooted?

It is generally well understood by security professionals that if a device's underlying operating system is compromised, then it's game over. Any software-based attempts to protect the data on the device can be rendered useless, including data containers and anti-malware solutions. A couple quick definitions:

iOS jailbreaking: The process of removing hardware restrictions on the operating system (breaking the device out of its "jail") by modifying iOS system kernels to allow file system read and write access.

Android rooting: Obtaining administrator or privileged access to the Android OS, enabling the user to alter, remove, or replace the OS.

Why Jailbreak or Root?

Many users intentionally jailbreak or root their devices for non-malicious purposes. Common reasons include:

- Downloading apps from third party app sources
- Blocking advertisements or removing pre-installed bloatware
- Enhancing device functions, such as creating mobile hotspots without paying extra
- Unlocking the phone to use the device internationally
- Accessing pirated apps from app repositories

Should your organization be concerned about this? As with any security decision, you need to weigh the risk of the threat against the cost of protecting against it. So to better understand the risk, you need to understand jailbreak/root prevalence in your organization, as well as the technical risks it presents to sensitive company data.

Prevalence

Estimates on the prevalence of this behavior vary by platform, but recent studies suggest around 8% of iOS devices are jailbroken[7], and upwards of 27% of Android devices.[8]

Technical Risks

- Some jailbreaking methods leave SSH enabled with a well-known default password (e.g., alpine) that attackers can use for Command & Control.
- The entire file system of a jailbroken/rooted device is vulnerable to a malicious user inserting or extracting files. This vulnerability is exploited by many malware programs, including the recent Xsser mRAT trojan.
- Credentials to sensitive applications, such as banking or corporate applications, can be stolen using key logging, sniffing or other malicious software.

Focus on Visibility

Protection against this emerging threat starts by knowing what's on your network. Yet jailbroken and rooted devices can be difficult to detect. While MDM solutions may offer basic jailbreak detection, they are constantly battling against users who try to evade this detection. In the next section, we'll discuss this further.

[7] Daily Tech, WireLurker Malware May Have Infected 100,000+ iPhones, No Jailbreak Required, Jason Mick, November 2014
[8] Know Your Mobile, How To Root Your Android Phone, Richard Goodwin, February 2015

Are MDMs sufficient for securing enterprise data on mobile devices?

Modern IT professionals recognize the need for a layered approach to mobile security, and that message has been echoed by leading mobile security analysts such as Forrester Research.[9] In this respect, Mobile Device Management (MDM) solutions can be an important component of a progressive enterprise mobile strategy.

As the author of CSO's 2015 Mobile Security Survival Guide notes, MDM solutions are currently an important part of the mobile defense toolkit. However, he goes on to say most CISOs, CIOs, and security analysts I've spoken to conclude that MDM isn't an adequate mobile security answer.[10]

Critical Gaps

Jailbreak/Root Detection: As we discussed in the last section, if a device has been jailbroken or rooted then your existing security investments can be rendered ineffective. As Gartner notes, most MDM/EMM solutions claim to provide jailbreak/root detection, but are not always effective due to the nature of the attack targeting the kernel of the OS.[11]

Advanced malware detection: Malware is getting better and attackers are targeting mobile more because that's where the data resides.[10] As malware evolves, you can't rely on basic app reputation solutions to protect against modern mobile malware. Containers provide basic separation of personal and corporate data, but do not prevent malicious applications from getting on the device in the first place.

Focus on Visibility

For many organizations, MDMs and containers are important layers in their mobile security stack. However, many CISOs recognize the gaps that need to be filled so the organization can have visibility into advanced mobile malware and jailbroken/rooted devices.

Risks | MDM Protection | Level
Lost device | Locates & remotely wipes lost device | Protected
App distribution | Secure distribution of enterprise apps | Protected
Policy violations | Manual blacklisting of apps; … determined to violate company policy | Limited Protection
Data leakage | Containerizes enterprise data such as emails or content, which remains vulnerable to compromise from sophisticated attacks | Limited Protection
Jailbreaking and rooting | Not always effective due to the nature of the attack targeting the kernel of the OS | Limited Protection
Malicious apps | None | No Protection

[9] Forrester Research, TechRadar™: Enterprise Mobile Security, Q4 2014, Tyler Shields, November 2014
[10] CSO Online, CSO's 2015 Mobile Security Survival Guide, George V. Hulme, January 2015
[11] Gartner, How Digital Business Reshapes Mobile Security, Dionisio Zumerle, Nathan Hill, February 2015


Are employees using their own mobile tools, putting sensitive data at risk?

As many IT professionals are well aware, enterprise cloud solutions have enabled employees to adopt their own work productivity tools. This is often done when the IT-provided solutions are too hard to use or too obtrusive on user privacy. Yet the need to provide this consumer-friendly experience on mobile devices is especially important for securing enterprise data and preventing Shadow IT.

This is because users have come to expect a great experience on mobile devices. As Gartner notes in a recent report, [mobile] solutions with a suboptimal user experience lead to users adopting privately owned devices and sometimes privately managed apps to work with enterprise data. This second practice is directly responsible for enterprise leaks.[12]

As you look to securely enable your organization's mobile productivity, it is especially important that you also select mobile security solutions that meet the high standards of today's mobile consumer. Forrester Research highlights this in their recent TechRadar report for Enterprise Mobile Security, discussing how the most important product attribute in the mobile security market is user experience. If user experience suffers, the user is quick to jump to other technologies or options that meet his or her needs.[13]

More than just good design

User acceptance of mobile security technologies goes beyond just a user-friendly experience. Data privacy is top of mind for today's knowledge workers, and security solutions that are perceived to be too aggressive with accessing user data are often rejected. This is especially true in a BYOD environment. Gartner emphasizes this in their recent Cool Vendors in Security Infrastructure Protection report, recommending that CISOs and other security decision makers should defend against mobile app threats in the enterprise without encroaching on user data.[14]

Focus on Visibility

Modern organizations recognize that user experience is especially critical for driving employee acceptance of mobile IT solutions. But visibility into employee adoption of these solutions starts by selecting mobile-first solutions. As Gartner recommends, focus your efforts on providing solutions that are tailored for mobile use and, therefore, obviate shadow IT practices, rather than forcing legacy toolsets to deliver functionality on mobile platforms that they were never designed for.[12]

[12] Gartner, How Digital Business Reshapes Mobile Security, Dionisio Zumerle, Nathan Hill, February 2015
[13] Forrester Research, TechRadar™: Enterprise Mobile Security, Q4 2014, Tyler Shields, November 2014
[14] Gartner, Cool Vendors in Security Infrastructure Protection, 2015, Ray Wagner, Joseph Feiman, Avivah Litan, Neil MacDonald, Lawrence Orans, Peter Firstbrook, John Girard, Dionisio Zumerle, April 2015

It Starts With Visibility

As mobile devices are increasingly becoming the primary way that corporate data is accessed, progressive security professionals are recognizing the need to be able to answer these five questions.

With this in mind, Craig Shumard, who spent 11 years as the CISO of a Fortune 500 company, discusses how mobile is an issue, we can't ignore it, and enterprises need visibility and control now into those endpoints.

Here's another way to think about it. If your local bank only invested in securing the main doors, it might protect against the robbers that use predictable entry points. But what if access to the bank vault was becoming easier via air ducts and pipes? At the very least you'd want that bank to install surveillance cameras to keep an eye on those attack points.

Similarly, the modern workforce requires modern security solutions to protect against this new way of accessing company data. As Craig concludes, [mobile] security is not an if game, it's a when game. An enterprise's visibility into their mobile stack will only strengthen their security suit of armor. Without insight into mobile there can be no effective action when the attack comes.

Lookout Mobile Threat Protection

Lookout Mobile Threat Protection is a security solution for your mobile workforce, providing visibility into evolving mobile threats so you can protect your sensitive data. Organizations use Lookout to:

- Detect and remediate mobile threats such as surveillanceware, trojans, or data leakers
- View and approve iOS and Android apps that were installed outside of official app stores
- Identify devices that have been rooted or jailbroken, even if they bypass MDM detection
- Connect with leading MDM solutions for simple device provisioning and quarantine
- Deploy a beautiful endpoint app that protects user privacy while securing corporate data

To learn more about these mobile security risks and how Lookout can help address them:

Visit lookout.com/mobile-threat-protection
Or contact us at [email protected]
