Mobile security: Android and iOS enterprise hardening, MDM and BYOD
Comprehensive Guide to Mobile Security for Businesses: Threat Profile (Malicious Apps, Smishing, Vishing, Network Risks), MDM vs. MAM, BYOD/COPE/COBO Models, iOS Enterprise Hardening (Supervised Mode, Per-App VPN, Lockdown Mode), Android Enterprise (Work Profile, Fully Managed, Knox), Mobile Threat Defense (Lookout, Zimperium, Microsoft Defender for Mobile), Conditional Access, GDPR-Compliant MDM Policies, and Incident Response for Compromised Mobile Devices.
Smartphones are the most widely used business devices: email, Teams, SharePoint, VPN, and banking apps all run on them. At the same time, they are the least protected endpoints: no EDR agent, constantly connected to public Wi-Fi networks, and a mix of personal and business use. Today, mobile devices are the primary work tool for many employees and, at the same time, one of the weakest links in the security chain. A structured approach with MDM, policies, and threat protection is essential.
Mobile Threat Profile
Malicious Apps
Vectors of attack:
→ Officially in the App Store (rare, but it happens): FlekSpy, Goldoson SDK
→ Sideloading outside app stores (Android, enterprise distribution on iOS)
→ Hidden under a well-known app name (fake WhatsApp, fake banking app)
What malicious apps can do:
→ Activate microphone/camera (without visible indicators)
→ Track location
→ Read SMS (intercept 2FA codes!)
→ Exfiltrate contacts, emails, files
→ VPN apps with routing through C2 servers
Notable case: Pegasus spyware (NSO Group) – zero-click exploit on iMessage. No user interaction required. Widely used against journalists, activists, and executives.
Mobile Phishing (Smishing, Vishing)
SMS Phishing (Smishing):
"Your DHL shipment could not be delivered.
Confirm address: tracking-dhl-de.ru/confirm"
Mobile-specific risks:
→ URL is displayed as a shortened link (full link not visible)
→ Smaller screen → less context
→ HTTPS padlock deception (phishing sites also use TLS)
→ User looks at phone in a relaxed situation
Statistics: Mobile phishing is 3x more effective than desktop phishing (Lookout 2023).
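As an added example (not from the original post or any of the products named here), the following Python applies the two mobile-specific red flags above, a brand name on a domain the brand does not own and a shortened link, to constructed SMS texts; the brand allowlist and shortener list are placeholder data.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages (not captured SMS traffic); the first mirrors the
# smishing text quoted above.
SAMPLE_SMS = [
    "Your DHL shipment could not be delivered. Confirm address: tracking-dhl-de.ru/confirm",
    "Your DHL parcel is on its way: https://www.dhl.de/en/privatkunden.html",
    "Meeting moved to 3pm, see https://bit.ly/3abc123",
]

# Assumed allowlists (placeholder data): legitimate registrable domains per brand,
# and link shorteners that hide the real destination.
BRAND_DOMAINS = {"dhl": {"dhl.de", "dhl.com"}}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

# Matches bare or schemed URLs such as tracking-dhl-de.ru/confirm or https://bit.ly/x.
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of the host; sufficient for the TLDs used here."""
    return ".".join(host.split(".")[-2:])


def classify_sms(text):
    """Return (url, reason) findings for every suspicious link in one message."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith(("http://", "https://")) else "http://" + raw
        host = urlsplit(url).hostname or ""
        reg = registrable_domain(host)
        if reg in SHORTENERS:
            findings.append((raw, "shortened link hides the real destination"))
            continue
        # Brand name appears as a hostname label (e.g. tracking-dhl-de) but the
        # registrable domain is not one the brand actually owns.
        labels = set(re.split(r"[.-]", host))
        for brand, owned in BRAND_DOMAINS.items():
            if brand in labels and reg not in owned:
                findings.append((raw, f"brand '{brand}' on non-{brand.upper()} domain {reg}"))
    return findings


def scan_messages(messages):
    """Map each message index to its findings; an empty list means no red flag."""
    return {i: classify_sms(m) for i, m in enumerate(messages)}
```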
Network Risks
Public Wi-Fi (hotel, café, airport):
→ No WPA2-Enterprise → easy to eavesdrop on
→ Evil Twin Attacks: Fake hotspot with a familiar SSID name
→ SSLStrip: TLS downgrade if the app does not use certificate pinning
Solution: Always use a VPN on public Wi-Fi
Physical Risks
Lost/stolen device without encryption:
→ All emails, contacts, documents accessible
→ Saved passwords in the browser
→ 2FA apps (TOTP tokens)
Shoulder surfing:
→ Passwords, PINs, confidential emails visible in public spaces
BYOD vs. COPE vs. COBO
Comparison of device ownership models:
BYOD (Bring Your Own Device):
→ Employees use personal devices for work
→ Advantages: no device purchase, high user acceptance
→ Disadvantages: limited control, GDPR challenges
→ MDM solution: Work Profile (separate area)
→ Data deletion: only Work Profile (not private!)
COPE (Company Owned, Personally Enabled):
→ Company purchases device; employee may use it privately
→ Good balance: control + usability
→ MDM: full access to device, but private app use allowed
→ Recommended for most companies
COBO (Company Owned, Business Only):
→ Purely company-owned device, no private use
→ Maximum control (no personal app store!)
→ For: highly sensitive roles (Finance, C-Suite, KRITIS)
→ MDM: complete control, configurable in a kiosk-like manner
CYOD (Choose Your Own Device):
→ Employee selects from a defined device list
→ Compromise: user preference + standard support
Decision matrix:

| Industry | BYOD | COPE | COBO |
|---|---|---|---|
| General | OK | Best | Heavy |
| Finance/Insurance | No | OK | Best |
| Healthcare | No | OK | Best (GDPR!) |
| KRITIS | No | No | Best |
| Startup/IT | OK | OK | Heavy |
Mobile Device Management (MDM) vs. MAM
MDM - Complete Device Management
MDM manages the entire device:
IT Capabilities with MDM:
✓ Enforce disk encryption
✓ Screen lock with minimum PIN length
✓ Install/enforce approved apps
✓ Block unapproved apps
✓ Remote wipe (erase entire device)
✓ Location tracking
✓ Automatic VPN configuration
✓ Automatic Wi-Fi profiles
Disadvantages of full MDM on BYOD devices:
→ IT can see all installed apps (including personal ones)
→ Remote wipe deletes personal photos
→ Employee resistance
MAM - App Management (BYOD Recommendation)
MAM manages only corporate apps:
Microsoft Intune App Protection Policies (MAM):
Business apps: Outlook, Teams, OneDrive, SharePoint
Container: Encrypted, separate from personal apps
Rules:
✓ PIN required for business apps
✓ Copy-paste from business to personal blocked
✓ App-specific remote wipe (business data only)
✓ No screenshots in business apps
✓ Blocked backup of business data to iCloud/Google Drive
Advantage:
→ No private data visible to IT
→ Employees are more likely to accept it
→ Remote wipe deletes only business apps
iOS Enterprise Hardening
Apple iOS Hardening with Intune/Jamf:
Supervised Mode (Full Access):
→ Activation: Apple Configurator 2 or Apple Business Manager
→ Enables: enforcement of critical (supervised-only) MDM policies
→ Required for: COBO devices, very strict environments
Critical iOS MDM Policies:
Device Lock:
Passcode Type: Alphanumeric (not just a PIN!)
Minimum Passcode Length: 8 characters
Auto-Lock: 2 minutes
Grace Period: 0 (immediate lock upon sleep)
Maximum Failed Attempts: 10 → Remote Wipe!
Network:
Force WiFi: Only defined Wi-Fi SSIDs (no public Wi-Fi!)
Per-App VPN: VPN only for corporate apps
DNS over HTTPS: Enforce (no DNS sniffing)
Content Filter: Safari web filter (parental controls + malware block)
Apps:
App Store disabled: YES (for COBO) / NO (for COPE)
Allowed Apps Whitelist: Only approved apps
Apple ID: Managed Apple ID (not personal!)
iCloud: Disabled (Company data → no iCloud sync!)
App Clips: Disabled
iTunes Sync: Disabled
iOS Lockdown Mode (for highly vulnerable individuals):
→ Enabled via: Settings → Privacy & Security → Lockdown Mode
→ Disabled: Link previews, message attachments, FaceTime calls from unknown senders
→ For: Journalists, activists, C-suite executives facing threats
→ Apple: Lockdown Mode protects against sophisticated attacks (NSO Group Pegasus!)
```jsonc
// Intune Configuration Profile (iOS): Apple Restrictions payload keys
{
  "PayloadType": "com.apple.applicationaccess",   // Apple's Restrictions payload type
  "allowCamera": true,
  "allowCloudBackup": false,
  "allowAppInstallation": false,   // COBO: App Store disabled
  "safariAllowJavaScript": true,
  "allowScreenShot": false,        // Confidential data: screenshots prohibited
  "forceEncryptedBackup": true,
  "safariPasswordAutoFillDomains": [],
  "allowAirDrop": false
}
```
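As an added example (not from the original post, Intune or Apple), this Python builds the restrictions settings above into a .mobileconfig plist for a COBO or COPE device and checks the result against a COBO baseline; the `com.example.*` payload identifiers are placeholders.

```python
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple Restrictions payload type


def restrictions_payload(model):
    """Restrictions payload for a COBO or COPE device (values follow the profile above)."""
    if model not in ("COBO", "COPE"):
        raise ValueError("model must be COBO or COPE")
    return {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.restrictions.{model.lower()}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{model} restrictions",
        "allowCamera": True,
        "allowCloudBackup": False,                 # company data must not sync to iCloud
        "allowAppInstallation": model == "COPE",   # COBO: App Store disabled, COPE: allowed
        "safariAllowJavaScript": True,
        "allowScreenShot": False,                  # no screenshots of confidential data
        "forceEncryptedBackup": True,
        "safariPasswordAutoFillDomains": [],
        "allowAirDrop": False,
    }


def build_mobileconfig(model):
    """Wrap the payload in a top-level configuration profile and serialise it as XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.profile.{model.lower()}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"iOS hardening ({model})",
        "PayloadContent": [restrictions_payload(model)],
    }
    return plistlib.dumps(profile)


# Minimum hardening a COBO device must carry; used to audit an exported profile.
REQUIRED_FOR_COBO = {"allowAppInstallation": False, "allowCloudBackup": False, "allowScreenShot": False}


def check_profile(data, required=REQUIRED_FOR_COBO):
    """Return the restriction keys whose value deviates from the expected baseline."""
    profile = plistlib.loads(data)
    payload = next(p for p in profile["PayloadContent"] if p["PayloadType"] == RESTRICTIONS_TYPE)
    return [key for key, expected in required.items() if payload.get(key) != expected]
```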
Android Enterprise
Android Enterprise - Work Profile and Fully Managed:
Android Enterprise Modes:
Work Profile (BYOD/COPE):
→ Separate work environment on personal device
→ Apps: Work + Personal with clear separation (flashlight icon)
→ MDM can only manage Work Profile apps
→ Personal apps: not visible to MDM
→ Data wipe: Work Profile section only!
Fully Managed (COBO):
→ Company-owned device, full MDM control
→ Zero-touch enrollment: Device is turned on → automatically enrolled
→ No Google account required (Managed Google Play)
Dedicated Device (Kiosk):
→ Single-purpose device (scanner, POS terminal, display)
→ Only one or a few apps allowed
```yaml
# Intune Android Work Profile Policy:
DeviceConfiguration:
  Type: androidWorkProfile
  Settings:
    passwordMinimumLength: 8
    passwordRequiredType: alphanumericWithSymbols
    screenLockEnabled: true
    workProfileDataSharingType: preventAny   # No copy-paste between work and personal!
    workProfilePasswordRequired: true
    workProfileBlockScreenCapture: true
    workProfileBluetoothEnableContactSharing: false
```
Samsung Knox (Enterprise Extension):
→ Knox Workspace for stronger isolation
→ Knox Vault: Hardware security enclave
→ DualDAR: two independent encryption layers
→ KRITIS/Government Agencies: NATO-RESTRICTED certified (with Knox Matrix!)
iOS vs. Android Security
| Feature | iOS | Android |
|---|---|---|
| App Store Control | Strict (Cupertino review) | More open (including sideloading) |
| OS Updates | Fast, 5–7 years of support | Fragmented, manufacturer-dependent |
| Encryption | Always on (since iOS 8) | Since Android 6, manufacturer-dependent |
| Sandboxing | Very strong | Strong, but more freedom |
| MDM Maturity | Very good | Good (Android Enterprise) |
| Jailbreak Risk | Rare | More common (rooting) |
| Business Recommendation | Preferred | Only with Android Enterprise MDM |
Mobile Threat Defense (MTD)
MTD Features (Microsoft Defender for Endpoint Mobile, Lookout, Zimperium):
What Mobile Threat Defense detects:
→ Device compromise: Jailbreak/Root detection
→ Network attacks: MITM, Evil Twin WiFi, SSL stripping
→ App threats: Malware, stalkerware, riskware
→ Behavioral anomalies: Unusual access patterns
→ Phishing URL detection in the browser
MTD Products:
Lookout Mobile Security:
→ Market Leader
→ Integration: Intune, Jamf, SIEM
→ Detects: Pegasus, stalkerware, riskware
Zimperium zIPS:
→ On-device ML (no cloud lookup!)
→ Advantage: Offline detection, data privacy
Microsoft Defender for Mobile:
→ Intune-native integration
→ Conditional Access: non-compliant device → no O365 access!
→ More affordable for Microsoft shops (in the M365 E5 bundle)
Jailbreak/Root Detection:
iOS:
→ Checks: Do /Applications/Cydia.app, /bin/bash, /etc/apt exist?
→ Sandbox escape: Can the app write outside its sandbox?
Android:
→ SuperUser app installed?
→ Build properties: test-keys (not an official image!)
→ SELinux: permissive instead of enforcing?
Integration with Zero Trust:
```text
Conditional Access Policy:
If:
  Device: iOS/Android
  MTD status: "High Risk" (jailbreak or malware detected)
Then:
  M365 access: Blocked
  Teams access: Blocked
```
→ Compromised phone cannot access corporate data
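As an added example (not from the original post or from any MTD vendor), the following Python turns the jailbreak/root indicators listed above and the Conditional Access rule into one evaluation over constructed device reports; the `DeviceReport` schema is an assumption, not a real product's data model.

```python
from dataclasses import dataclass, field

# Indicators named in the jailbreak/root checks above.
IOS_JAILBREAK_PATHS = {"/Applications/Cydia.app", "/bin/bash", "/etc/apt"}


@dataclass
class DeviceReport:
    """Constructed device posture as an MTD agent might report it (assumed schema)."""
    device_id: str
    platform: str                                      # "ios" or "android"
    existing_paths: set = field(default_factory=set)   # iOS: suspicious paths found
    sandbox_escape: bool = False                       # iOS: app could write outside its sandbox
    superuser_present: bool = False                    # Android: SuperUser app or su binary
    build_tags: str = "release-keys"                   # Android: ro.build.tags
    selinux: str = "enforcing"                         # Android: getenforce output
    malware_detected: bool = False                     # MTD app-threat verdict


def jailbreak_indicators(report):
    """List the platform-specific compromise indicators present in the report."""
    found = []
    if report.platform == "ios":
        found += sorted(IOS_JAILBREAK_PATHS & report.existing_paths)
        if report.sandbox_escape:
            found.append("sandbox-escape")
    elif report.platform == "android":
        if report.superuser_present:
            found.append("superuser")
        if "test-keys" in report.build_tags:
            found.append("test-keys build")
        if report.selinux.lower() != "enforcing":
            found.append("selinux-" + report.selinux.lower())
    return found


def risk_level(report):
    """MTD-style verdict: any compromise indicator or malware hit is 'High'."""
    return "High" if jailbreak_indicators(report) or report.malware_detected else "Low"


def conditional_access(report, resources=("M365", "Teams")):
    """Apply the policy above: High risk on iOS/Android blocks every listed resource."""
    if report.platform not in ("ios", "android"):
        raise ValueError("policy scope is iOS/Android only")
    decision = "Blocked" if risk_level(report) == "High" else "Allowed"
    return {res: decision for res in resources}


# Constructed sample fleet: clean iPhone, jailbroken iPhone, rooted Android on a
# custom image, and an Android with an MTD malware detection.
SAMPLE_DEVICES = [
    DeviceReport("ios-001", "ios"),
    DeviceReport("ios-002", "ios", existing_paths={"/Applications/Cydia.app", "/etc/apt"}),
    DeviceReport("and-003", "android", build_tags="test-keys", selinux="permissive"),
    DeviceReport("and-004", "android", malware_detected=True),
]
```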
Technical Security - Checklist
Device Level
☐ Screen lock: PIN ≥ 6 digits or biometrics enabled
☐ Auto-lock: < 5 minutes
☐ Device encryption: enabled (iOS automatic, check Android)
☐ Remote Lock/Wipe: configured (iCloud Find My / Find My Device)
☐ OS updates: automatic enabled
☐ Security patch level: Android < 3 months old
☐ Jailbreak/Root: not present
Network Level
☐ VPN: always active on public Wi-Fi
☐ Always-On VPN via MDM for all off-premises use
☐ Automatic Wi-Fi connection to open networks disabled
☐ Bluetooth: turned off when not in use
Enterprise Level
☐ MDM/MAM implemented for all business devices
☐ Conditional Access: Device must meet compliance requirements for M365 access
☐ BYOD policy documented and signed by employees
☐ Mobile Threat Defense (MTD) enabled
☐ Certificate pinning implemented in business apps
GDPR and Mobile Security
GDPR challenges with BYOD:
→ Company data on personal devices: problematic under data protection law!
→ Geofencing: Employee location data → Consent required!
→ MDM logs: Contains location data, app usage → Purpose limitation!
→ Works council: Must be involved in MDM implementation!
Legally compliant BYOD implementation:
1. Company agreement:
→ Clear rules: what MDM is allowed to see, what it is not
→ Consent: Employee signs consent form
→ Works council: Right to co-determination (§87 BetrVG)!
2. Data separation (Work Profile):
→ Personal data: MDM CANNOT see
→ Company data: MDM has access
→ Remote wipe: work profile only (not private photos!)
3. Transparency:
→ User knows exactly: what is being monitored?
→ MDM app displays: active policies
4. Data minimization principle:
→ Collect only necessary data (no GPS tracking unless necessary!)
→ Log retention: only as long as necessary
GDPR-compliant MDM policies:
× NOT allowed: Real-time GPS tracking of all employees
× NOT allowed: Reading browser history for personal use
× NOT allowed: Viewing list of personal apps (BYOD!)
✓ ALLOWED: Enforce device encryption
✓ ALLOWED: Remote wipe (work profile only for BYOD)
✓ ALLOWED: Manage email configuration
✓ ALLOWED: Enforce VPN connection for corporate apps
Incident Response: Compromised Mobile Device
Suspicion: Device compromised (unusual behavior, unknown apps)
Immediate Actions:
1. Put the device in Airplane Mode (prevents further data transmission)
2. Notify IT/CISO
3. Log out of all corporate accounts on the device from other devices
4. Change passwords for all accounts used on the device
5. DO NOT continue using the device – forensic analysis
Remote Wipe via MDM:
Intune → Devices → [Device] → Reset device
→ All data deleted (business data immediately; for BYOD: only MAM data)
Forensics:
→ Do not reset the device without a forensic backup
→ Back up MTD logs from MDM
→ Document the timeline of anomalies
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
10 Publications
- Use of Electronic Encryption - Obstacles for Business (2018)
- Compass IT Encryption - Guidance for SMEs (2018)
- IT Security Day 2025 - Live Hacking: AI in Cybersecurity (2025)
- Live Hacking - Credential Stuffing: Financial Risks beyond Ransomware (2025)
- Keynote: Live Hacking Show - A Look into the World of Cybercrime (2025)
- Analysis of Attack Surfaces at Shared Hosting Providers (2024)
- Goosebumps Guaranteed: The Creepiest Findings from the Life of a Pentester (2022)
- IT Security Certifications - CISSP, T.I.S.P. & Co (Live Webinar) (2023)
- Online Banking Security Forum - Live Hacking (2021)
- Nipsters on the Net and the End of the Chalk Age (2017)