The Revolution of Mobile Device Security: Navigating Threats and Solutions

Mobile devices are essential to our daily lives at work and at home, yet securing them remains significantly underfunded and under-discussed. This article digs into the evolution of mobile device security, the current threat landscape, and the reasons behind the industry's slow response to these vulnerabilities. It also examines the psychological and structural barriers to better security and offers up solutions to prioritize the protection of our most personal tech.

TL;DR

Here’s the TL;DR (too long, didn’t read):

  • Smartphones are a huge part of personal and professional life but often aren’t secure enough.

  • The mobile threat landscape is rapidly evolving and outpacing current security solutions.

  • Outdated perceptions, psychological hurdles, and marketing all impact how the security of mobile devices is viewed.

  • Corporate ambiguity makes implementing mobile security challenging, leaving more gaps in an already troubled space.

  • Collective action, industry standards, increased investments, and more innovation are desperately needed.

  • The mobile security industry is at an inflection point where a sea change in capabilities is needed, just like the desktop security industry went through 10 years ago.

Smartphones: Essential, Indispensable, and Vulnerable

Smartphones - can't live without them. They are basically an extension of you, right? They're how most of the world communicates, reads the news, uses social media, checks the weather, orders groceries, and does online banking (even YOLOing on meme stocks). There’s a strong chance you’re reading this post on a smartphone right now.

And it's not just for your personal life. Over the last 15+ years, they've also become essential to how you operate in your professional life. Your phone can be used to check your work email, as your badge to scan into an office building, to receive One-Time Passwords (OTP) for multi-factor authentication (MFA) to work applications (although most of the industry is moving away from OTP to FIDO2), and run important work-related apps.

For many, smartphones have moved well past convenience and into "absolute necessity" territory. But are they secure?

Tens of billions of dollars are invested every year in the cybersecurity industry, but mobile device security receives very little of that pie. So why is it that a piece of technology that most people and businesses could not live without does not have the same support, money, and fervor in protecting and securing it as the rest of the industry?

This is the key question I keep coming back to. In this post, I attempt to break down the evolution and revolution of mobile device security over the past decade and understand the challenging landscape of securing this important tech.

But first, let’s talk about mobile devices themselves.

What is a "Mobile Device?"

Once upon a time, in a land not so far away, a "mobile device" meant anything other than a desktop or server. It was a type of computer that was mobile in some way, traditionally a laptop.

The Osborne 1, the first consumer-market laptop, weighed 24.5 pounds (11.1 kilograms) and hit shelves in April 1981. The first portable Apple computer, the Mac PowerBook, didn't hit the streets until 1989. 

In 1995, global laptop sales reached 10 million for the first time. In 2000, sales reached 28.5 million. By the early 2000s, laptop sales were earning more revenue than desktops. As the computing industry evolved over the years, laptops became the standard over desktops, and the association of "mobile" became less important in describing non-desktop computers.

On the same timeline, mobile phones were also hitting the scene. BlackBerry launched their phones in 1999, and they quickly became synonymous with security. Large businesses and government agencies worldwide flocked to BlackBerry because of the security standards (and had a tough time letting go). RIP, brick breaker.

Then came the Apple iPhone in January 2007, and the smartphone as we know it today changed how we thought about mobile phones and mobile computing forever. The iPhone changed everything.

An image of Steve Jobs unveiling the first iPhone

The first public release of the Android phone came in October 2008. The Android phone changed everything again.

With the introduction of those two platforms, the term "mobile device" was forever altered in our collective hearts and minds. That shift leads us to what it means to secure a mobile device.

The journey of mobile devices from bulky laptops to sleek smartphones mirrors the evolution of their security challenges.

The Mobile Device Threat Landscape

Think your mobile device is secure? The reality might surprise you. Today's mobile threat landscape is more diverse and sophisticated than ever before.

In 2023, Kaspersky reported that it detected and blocked over 33 million attacks targeting mobile devices, an increase of approximately 52% over the previous year.

Attackers have continuously evolved and improved their methods of compromising mobile devices and people. Social engineering tactics like pretexting and smishing are now major threats to mobile security.

Pretexting, a social engineering tactic in which attackers create fake scenarios to trick victims into clicking malicious links or sharing sensitive information, has surged as a major threat in 2024.

The 2024 Verizon Data Breach Investigations Report (DBIR) highlighted a rise in pretexting incidents, surpassing traditional phishing attacks for the first time. Per Verizon, “We have seen incidents involving Pretexting (the majority of which had Business Email Compromise [BEC] as the outcome) accounting for one-fourth (ranging between 24% and 25%) of financially motivated attacks.”

This marks a shift where attackers use more personalized and convincing schemes to exploit people.

This is the part where things get interesting for mobile devices. Not only are mobile devices targeted for fraud, scam, and extortion attacks, but the attacks are also getting increasingly sophisticated with the use of generative AI (c’mon, you didn’t think I’d miss mentioning AI in this post, did you?).

However, attacks against mobile applications and the underlying mobile device operating systems are also possible. iVerify tracked a few high-profile cases of direct attacks on individuals with high net worth and high status, including:

  • The use of NSO Group’s Pegasus mobile spyware tool against a journalist, Anand Mangnale, investigating corruption allegations against billionaire Indian businessman Gautam Adani, a close associate of Prime Minister Narendra Modi.

  • A US-based think tank employee who experienced an Android smishing compromise in which an attacker pretending to represent their ISP sent a malicious link; the user clicked the link, and the device was rooted using Odin. The user’s WhatsApp, Telegram, and Signal were accessed, along with their ISP billing portal, likely in an attempt to harvest credentials/identities to gain initial access into the organization's broader IT infrastructure.

In the post The Era of Mobile-First Zero-Days is Here, iVerify cites how half of known zero-day exploits against Google products are attributed to commercial spyware vendors (CSVs). The mercenary spyware business is valued at $12 billion and operates openly with traditional business structures. Mobile device security threats have gone the corporate model route in the same ways as the ransomware market.

There’s even a “Malicious Quartile” for ransomware gangs showing their power rankings:

Why is this happening? In short, mobile devices are easier to access and have a high payoff.

Phones have become an easier path to exploitation, fraud scams, or gaining credentials. Combine this with the fact that no one is watching mobile devices the way they do with the desktop, and you’ve got a recipe for disaster.

Humans have an intimate relationship with their phones—they carry with them all of their life and professional experiences. Using the phone as the initial access point and working from there to bypass (or use) MFA checks allows quicker privileged access. 

From there, it's game over. Sounds a lot like the desktops we use and protect differently, no?

Dialing in on the Mobile Device Security Market

Numbers don’t lie, though.

If you look at the mobile device security market, you see a collective drop in the bucket compared to the larger cybersecurity market. Breaking this down further, 96% of mobile device security funding has gone to Mobile Device Management (MDM) and Mobile Application Security companies.

Zooming in on just the portion that was allocated to MDM and Mobile Application Security players, 90% of the funding has just been for four companies:

  • Lookout has raised over $430 million

  • Jamf has raised over $330 million

  • Mosyle has raised nearly $250 million

  • MobileIron raised over $160 million, went public in 2014, and was acquired by Ivanti in 2020 for ~$872 million.

This also doesn’t account for Microsoft Intune, which launched in 2011 as an MDM tool and later became a more generic endpoint management platform.

We are in the early innings of the next iteration of the mobile device security category. Over the years, this market has taken an arc similar to that of the endpoint computer market. "Mobile Device Security" covers a wide range of offerings, some of which compete and overlap, and some of which do not.

Here is a market map I created to help visualize what we’re working with:

This space is still largely fractured today, so let's break down each of these areas to make sure we are all on the same page:

Mobile OS Security

This section focuses on protecting mobile device operating systems to prevent unauthorized access and malicious software from compromising them. This includes:

  • Device Encryption: Ensuring data on devices is encrypted to protect against unauthorized access.

  • App Vetting: Thoroughly checking apps before they are allowed on the device.

  • Threat Detection: Identifying and mitigating potential security threats in real time.

Secure Mobile Access & BYOD

This section addresses the challenges related to secure mobile device access, and the Bring Your Own Device (BYOD) trend, where employees use personal devices for work purposes:

  • Secure Access: Solutions like VPNs and multi-factor authentication (MFA) to protect corporate data.

  • BYOD Management: Policies and technologies that secure both personal and corporate data on employee-owned devices.

Corporate Mobile Fleet Management

This section focuses on managing and securing fleets of mobile devices to maintain control over their mobile assets. An adjacent spin-off of MDM designed for companies with a large mobile fleet, this fits with companies with warehousing, logistics, or a large number of field agent employees.

Mobile Threat Detection and Response (MTDR) - Growing

MTDR focuses on identifying and responding to threats targeting mobile devices, including: 

  • Threat Detection: Monitoring for malware, phishing, smishing, and other malicious activities like zero-day attacks. This is Endpoint Detection and Response (EDR) but for mobile devices.

  • Response Mechanisms: Tools for quickly and proactively addressing detected threats and minimizing damage.

Mobile Application Security

Moving up the chain from the device to the applications, this section focuses on keeping mobile apps secure from vulnerabilities and attacks, including:

  • App Development Security: Identifying and addressing vulnerabilities during the development process.

  • Runtime Protection: Monitoring and protecting apps against real-time threats once deployed.

Mobile Device Management (MDM)

This is where it all started and where the bulk of investments have gone. MDM solutions help companies manage and secure mobile devices, including:

  • Device Enrollment and Management: Ensuring devices are registered, configured, and managed properly.

  • Policy Enforcement: Applying and enforcing security policies across all managed devices.

  • Patching and Updates: Automatically deploying patches and updates to ensure devices are running the latest, most secure software versions.

  • Remote Wiping: Allowing administrators to remotely wipe data from devices that are lost, stolen, or no longer in use to protect sensitive information.

  • Application Management: Controlling which apps can be installed and used on devices, ensuring that only approved and secure applications are accessible.

Mobile Theft Response - Emerging

These solutions are designed to protect mobile devices and the data they contain in the event of theft or loss.

  • Preventive Measures: Features like remote lock, wipe capabilities, and device tracking.

  • Recovery Tools: Assisting in the recovery of lost devices and managing theft incidents effectively.

Many MDM solutions also have this capability, but this emerging section is geared toward individuals rather than corporations and cuts into the Personal Cybersecurity category.

After examining the data and considering the gaps in this market, some key themes emerged for me:

  • Market Ripe for M&A Consolidation: The mobile device security market is highly fragmented, presenting an opportunity for mergers and acquisitions to consolidate and streamline offerings, improving efficiency and effectiveness.

  • Opportunity for New Entrants: The market is open for innovative new entrants to disrupt legacy Mobile Device Management (MDM) players. Fresh approaches can challenge established norms and introduce better solutions to match today’s threat landscape.

  • Emerging Needs in Threat Detection and Response: We are only beginning to address the extensive requirements for mobile threat detection and response. As mobile threats evolve, there is a growing need for advanced solutions to protect against sophisticated attacks.

I was also left with a few more philosophical follow-up questions:

  • Are the incentives off to support growth in this area of cybersecurity?

  • Is there too much friction because changing human behavior is a step too far?

  • Are mobile devices the true embodiment of the adage that people will give up security and privacy for convenience?

I think the answer to these questions is a resounding “yes.” Let’s break this down into a few different areas that I think are the likely culprits.

Understanding the Gaps in Mobile Device Security

Outdated Perceptions of Mobile Device Safety

The risk doesn't "feel" high enough.

Why is the security community less interested in mobile than in other areas of security? There's a lingering mental model that the phone is still safe.

This mental model stems from the historical context where computers were the primary targets for malware, phishing attacks, and other cyber threats. Mobile phones were considered less dangerous because they were simply not used the same way. Phones didn’t have access to sensitive corporate data in the same way desktops did, and phones were not as essential for everyday personal and professional life as they are now. 

Greybeard alert 🧙‍♂️—I’m old enough to remember when companies did not require you to have a cell phone when you took a new job. I saw this provision slowly added to employee agreements many years after the release of the smartphone. Heck, some of the jobs I took issued me a corporate mobile device or even paid me extra for my personal phone bill so I could be available for work. 

The Influence of Marketing on Security Perceptions

See also 👉 Marketing.

Apple has consistently marketed the iPhone as the most secure and privacy-focused phone on the market. The company’s marketing emphasizes several key features:

  • A closed hardware and software ecosystem allows for a more integrated security system.

  • A rigid and thorough check of all mobile apps that enter the iOS ecosystem

  • End-to-end encryption for messaging and video calls to preserve privacy

  • Data minimization from services like Siri (although this is poised to change with Apple’s potential future introduction of Generative AI models directly on the devices)

(More on cybersecurity marketing in general here.)

Despite all of these measures, mobile devices are not immune to threats. The assumption that mobile devices are less prone to attacks is outdated and dangerous.

Overcoming Personal Resistance to Mobile Security

What about personal resistance to mobile device security?

  • There are privacy concerns.

  • Security training has led us to think computers are dangerous and to be careful when using them, but not when using mobile phones.

  • There are too many personal and professional life moments.

  • Corporate encroachment and personal autonomy are fast colliding.

It isn't easy to get people to add MFA to their online accounts other than the ones their work mandates. It's even more work to get people to use password managers in their daily lives. However, the Passwordless movement has really made this easier through passkeys and biometric authentication methods.

Introducing any additional steps for people between MFA and password managers is still more challenging. Ask any cybersecurity startup founders who have tried to shim an extra authentication or authorization step into the existing flow of passwords and MFA. Do you have a solution requiring someone to download another app outside that preexisting flow? Good luck! Only the most paranoid and security-minded people would even consider this. That is, up until the point that the same extra security measure prevents a person from doing a simple thing one too many times.

That friction in human interactions makes it highly challenging to get wide-scale adoption for additional steps that could keep people more secure. People don’t want friction; they want a certain level of security without effort.

Similarly, ask other cybersecurity startups that took the "social good" angle to this problem how things are going. These companies try to incorporate some element of an individual’s personal security posture across a mobile device into a corporate risk posture. Outside of Bring Your Own Device (BYOD) policies, the construct of having a workplace push down corporate standards into the most personal relationship (the one with our mobile device) is too many steps too far for almost everyone. Especially if a person's cybersecurity standard outside the workplace creates a less-than-stellar personal risk score inside the workplace.

Can you imagine a world where your paycheck could hang in the balance if you don't have the right settings on your iPhone? This is not the dystopian future people want.

The Disconnect in Mobile Device Security Solutions

Strangely enough, securing a mobile device also feels a bit too disconnected. While mobile device threats could potentially affect every person with a mobile device - which has surpassed the number of people in the world (!!) - the solutions to mobile threats do not feel personal enough for enough individuals to make changes.

According to a post from the World Economic Forum, in 2022, there were over 8.58 billion mobile subscriptions worldwide, and the global population was approximately 7.95 billion.

The Collective Action Problem in Mobile Security

Mobile device security has become a Collective Action Problem. In this concept, individuals would all benefit from a specific action, but the cost of taking action is high for any individual. Therefore, they hope others will take on the burden, leading to collective inaction.

However, cybersecurity challenges are always bigger than one individual, and sometimes, collective action for the greater good needs to come from a higher level. For example, a person cannot prevent who calls or texts their mobile devices, leading to an ever-increasing onslaught of robocalling and scam messages.

In a blog post about finding cybersecurity startup ideas worth pursuing, Ross Haleliuk writes:

Mobile security has never really taken off as a market as well, which is unfortunate as we’re drowning in smishing, vishing, and other types of attacks.

The Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have implemented several measures, working closely with mobile carriers to protect consumers from these unwanted calls, including automatic call blocking and spam call labeling.

Outside of these efforts, however, the cost of taking additional actions (or the perception of taking that action) still presents too much friction for most people.

The Corporate Stance on Mobile Device Security

Structural barriers, including fragmented responsibility within organizations, further complicate mobile device security.

Managing a mobile device is not the same as securing a mobile device from compromise.

Rocky Cole, iVerify

The ownership of mobile device security within companies is often muddy. Responsibility for mobile device security can fall across various teams, making it challenging to establish a cohesive security strategy and leading to gaps in accountability and effectiveness.

Ownership could fall to one or more of these teams:

  • Endpoint Management Teams: This team manages end-user devices and may not have the expertise or a focus on broader security implications.

  • Corporate Security Teams: This team is more focused on physical security and environmental controls and may not have the expertise or focus on broader security implications.

  • Executive Protection Teams: This team has an acute focus on executive personal safety and online safety, including mobile devices, due to the sensitive nature of what executives have access to. Again, similar challenges arise on the technical front and in how this may scale enterprise-wide.

  • Cybersecurity Teams: While cyber teams may have the necessary security skills and focus on securing mobile devices, they may not have the experience and finesse required of the end-user support world.

In reality, it’s not just one of those teams but all of those teams that make up the collective hive mind of the “mobile device experience.” 

CISOs have so many other pain points, and mobile security is often a priority far "below the line."

The one exception to this might be government agencies and companies with a lot of intellectual property to protect, like the semiconductor industry.

Meanwhile, security teams face growing vulnerability gaps due to increased mobile usage and increasingly advanced attacks.

Mobilizing the Future of Device Security

What CrowdStrike initially did for endpoint malware—leveling the playing field for attackers and defenders—the same thing must happen for mobile security. Incidentally, it will take an outside perspective to make this change possible, and the longstanding incumbents are unlikely to make the necessary step functions.

This is a “build it, and they will come” moment for mobile device security. If the industry at large starts to force these actions to take shape, then entrepreneurs and venture capitalists will show up to play ball.

The world needs someone to step up to the plate and make the call.
