Mobile Pentesting vs. MDM: 3 Reasons Why MDM Is Not the Best Solution

June 17, 2021 | By: Alex Hewko

87 percent of companies rely on smartphones and business apps – the overwhelming majority of which are BYOD. Maybe because they’ve been gaining an extra 240 hours of work per year from employees? Or maybe because it’s a seemingly simple way to save on budget (an average of $350 per employee, per year).

Just like they’ve changed our personal lives, smartphones and tablets are also transforming the workplace. They’ve got tremendous benefits in terms of flexibility, mobility, and connectivity.

But like everything, they don’t come without risks.

Mobile devices are a favorite target for hackers for many reasons. Read on to discover the special security challenges created by mobile devices, what mobile pentesting accomplishes, and why mobile device management (MDM) solutions often fall short.

The Challenge: Mobile Devices are a Favorite Target for Hackers

Threats to mobile apps have been increasing in the past several years and they experienced a spike during the pandemic. Research in the last months of 2019 showed that 72 percent of fraudulent activity and breach attempts involved apps. In the first quarter of 2020, app incidents climbed to 26 percent from 13 percent, making apps the number one means through which hackers attempted to access data.

Screen Size

It’s easier to phish on small screens as users may not be able to see details that would otherwise signal an email as fraudulent. While errors like spelling mistakes or grammatical errors are easier to identify, some indicators like fake domains and fake email signatures are harder to detect on mobile devices. Typically, mobile devices don’t display the sender’s address in the view window, so the user would have to be aware to actively check the address rather than rely on the sender making a mistake in the body of the email.

Use Cases

Mobile devices (and their applications) are typically designed for entertainment rather than security. Users purchase and engage with their phones and tablets for social media apps, video streaming and reading. The average user is not aware of where potential threats could lie in their applications, or even of what data they are providing (such as their name, email address, IP address, in-app behaviors, etc.). Research shows that 28 percent of smartphone users don’t even use a screen lock.

Assuming Security

The general public mistakenly assumes that manufacturers handle security. And while these companies often tout a commitment to data privacy, there’s actually no convincing evidence that mobile devices from one company are more secure than others.

Quantity Over Quality

App stores hold a very high volume of apps, with potentially thousands of new apps entering the store every day. Google Play alone has 2.7 million available apps. As such, these stores can’t fully vet each app that comes through, and they have to rely on some level of trust.

Malicious hackers have no qualms about uploading their malware packaged as a legitimate app. A study late in 2020 found that 67 percent of all malicious apps on Android came from the Google Play Store.

Public Access

Public Wi-Fi is everywhere these days, and most people don’t think twice about connecting to it. Hackers know this and often exploit data sent through unsecured and unencrypted public Wi-Fi. In some cases, hackers also use rogue hotspots: fake hotspots set up in public areas to appear as real connections. In reality, they are just lures that let cybercriminals intercept data and inject malware into connected devices.

To address these issues in the workplace, many companies turn to MDMs. While they’re generally a good idea, they aren’t the silver bullet that many companies think they are. Here’s why.

MDM Solutions: Clever, But No Dice

MDM stands for mobile device management. It’s a platform or software that allows network administrators to monitor and manage devices. Businesses deploy them when employees rely on company-issued mobile devices to work.

Advantages & Disadvantages of MDM

Advantages

  • Standardize policies and security procedures
  • Automatically configure account permissions or Wi-Fi settings
  • Blacklist or whitelist apps to prevent unauthorized installations
  • Control how, when, or with whom data is shared between devices
  • Allow for remote monitoring without disrupting the employee at work

Disadvantages

While these advantages certainly are appealing for employers, especially in the work-from-home era, MDM solutions also present a few critical shortcomings.

  1. MDM Is Not a Full Security Solution

MDM seeks to bolster security by making it difficult for malware to get onto the device in the first place. These solutions provide network administrators with visibility into each device, allowing them to feel like nothing is going unnoticed. In reality, this is creating a false sense of security as the device can still be susceptible to attack, even while under supervision.

An MDM is useless if:

  • The device’s password is compromised
  • User credentials to log into various apps are stolen
  • Malware lands on it from another device
  • The device is physically stolen

  2. Hackers Know How to Compromise Them

MDMs are notoriously easy for hackers to compromise. Consider this 2019 attack, where a single compromised device allowed malware to spread unfettered. It successfully infiltrated around 75 percent of a multinational conglomerate’s mobile devices before discovery.

MDMs are easy to attack because they tend to be higher maintenance than other security solutions.

What makes an MDM high maintenance?

  • Constant update and audit requirements, which a company may not have time to do
  • Reliance on perfect use from employees, which causes frustrations
  • Diligence with spotting phishing or other threats, which are more difficult for average users to identify on mobile devices
  • They only cover select areas of your business, leaving other areas exposed to vulnerabilities

  3. Users Perceive MDM as Overly Intrusive

One key shortcoming of using an MDM is that your employees might resent the feeling of being watched. For many employees, it mimics the feeling of having a manager looking over their shoulder at any given moment. In fact, it’s the use of tools like MDMs that often leads employees to abandon company devices altogether, opting to use their personal devices instead (which host their own array of security risks).

Another major problem with MDMs occurs with Bring Your Own Device (BYOD) policies. Apple’s struggle with BYOD and its device enrollment plan illustrates the increasing incompatibilities between privacy, data ownership, and the need to protect corporate data.

A Better Alternative: Mobile Pentesting

Mobile pentesting is a specialized penetration testing service meant for mobile applications and devices. In this pentest, security professionals try to compromise your mobile apps to gain access to:

  • Consumer or employee information
  • Developer accounts
  • Sensitive company data
  • Other parts of your business or infrastructure

Unlike pentesting or penetration testing as a service (PTaaS) that targets your entire cybersecurity strategy or computer network, mobile pentesting only looks at potential vulnerabilities in your apps and mobile devices. This more targeted service means it’s a much deeper probe to discover anything criminals might exploit.

Why Mobile Pentesting Succeeds Where MDM Doesn’t

MDMs have their place in a security strategy, but they should be kept as just that – a component of a complete, overarching strategy that secures your hardware and software from every angle.

As the better alternative to MDM, a mobile pentest delivers a few critical advantages:

  • It provides insights from the hacker’s perspective. Mobile pentesting is done by an experienced security engineer who seeks to exploit potential vulnerabilities in your system from the outside.
  • It secures data at the app level rather than at the device level. An MDM attempts to secure the device, while mobile pentesting looks for application flaws to exploit. That means even if malware lands on your smartphone, your app-specific data will stay protected.
  • It can be performed automatically when a software update is rolled out. Mobile pentesting can be deployed regularly through PTaaS. With PTaaS, you can enjoy continuous retesting any time a new feature or update launches.

How to Keep Your Apps and Devices Secure

An MDM solution combined with mobile pentesting can significantly bolster your mobile security posture. However, there are a few more things that you should do to ensure that sensitive data stays safe.

Whether you’re relying on company-issued devices or using a BYOD policy, do:

  • Train your employees. Knowledge is power. Make sure everyone knows about the unique cyber risks facing mobile devices and is empowered to handle them correctly.
  • Use security best practices. From establishing secure passwords to safely transferring data, emphasizing security best practices in everyday operations helps build an internal security culture.
  • Establish formal policies. Document formal policies and procedures, then make these available to everyone. Proper security policy education and implementation increases the likelihood of uniformity and compliance.
  • Pentest each update. Use mobile pentesting alongside your other security measures to guarantee the strength of your defense systems. Deep assessments can be done quarterly through PTaaS, or one-off penetration tests can be done on an as-needed basis.
  • Be clear about data ownership. Emphasize that the personal data of employees will remain their own property, but also that company data is yours. Clearly communicate and implement policies so that users don’t feel like their data privacy or rights have been infringed.
  • Have a plan to offboard data from employees. If your company uses a BYOD policy, develop a process to remove company data from personal devices that may have been used at work.

Mobile Pentesting: A True Sense of Security

Mobile devices like smartphones and tablets are commonplace in many companies. They can deliver an extra degree of flexibility and connectivity for employees, empowering them to get more done on their own terms. However, companies still have very real concerns about the protection of sensitive data. As a result, they turn to mobile device management solutions.

We’ve revealed how MDMs aren’t necessarily the overarching solutions they’re often perceived to be. At best, they provide only a degree of protection while allowing for remote monitoring of employees. At worst, they create a false sense of security that hackers can exploit.

In contrast, mobile pentesting secures your device at the app level. Mobile pentesting finds flaws from an outside perspective and helps you build confidence in your application security.

Book a 30-minute meeting with our experts to discover what mobile pentesting can do for you.
