Mobile Threat Defense – trying to extend established Enterprise Mobility Management

Portable devices like smartphones and tablets have developed from being just single-purpose communication tools to becoming valuable assets in business infrastructures and in personal life. Smartphones have become the most important devices in consuming digital media, purchasing goods on the Internet, performing online banking transactions, and accessing work-related documents. The use of mobile devices continues to grow in both the private and business context – in 2017, more than 50% of all global website views were generated from mobile devices. The way people use mobile devices and apps in their personal life inevitably reflects their behavior, preferences, and expectations at work. Consequently, companies must be prepared for the use of mobile phones and tablets. This applies to device and user management, the enforcement of security policies for the use of mobile devices as well as to the detection and protection of related attacks related. Although today’s operating system and device manufacturers are increasingly focusing on security, there is a constant battle between attackers and defenders, just like in any other area of IT security.

Current examples of popular attacks and exploitable vulnerabilities are Blueborn (using Bluetooth vulnerabilities), Krack (attack against WPA) or Stagefright (code execution triggered by malicious MMS) as well as generic Jailbreaks or Security flaws in LTE.

OS vendors, such as Google and Apple, have reacted to the growing importance and threats with a variety of measures to support the OS, including device encryption, app assessments and boot chain verification.As a result of this this trend, companies must keep mobile devices up-to-date if they are to profit from these new security features. Similar to the handling of the established device types such as notebooks, centrally managed mobile devices usually achieve a current patch level.

Nowadays, two different product categories address these requirements:

  • Enterprise Mobility Management (EMM) – solutions that manage mobile devices and enforce usage and compliance rules
  • Mobile Threat Defense (MTD) – solutions that detect and prevent threats and attacks (which is the focus of this article)

Types of mobile threats

Because of the very extensive usage of smartphones and the valuable information they carry, cybercriminals are increasingly focusing on mobile devices. Governments also target them as means of surveillance e.g., for tracking user movements, or for intercepting messages, calls or network connections. Governments not only act on their own but have broad backing from the private sector with companies like NSO Group, Hacking Team or the German FinFisher GmbH / Gamma Group.
Research and statements by most suppliers of mobile security solutions show thatrespective threats can be grouped into three major areas:

App Security Threats

These threats originate from installed apps that perform malicious attacks on mobile devices. Application security threats range from single applications presenting advertisements in special app overlays to those applications that hiddenly undermine cryptocurrencies, ship banking trojans or fake popular apps in order to steal sensitive user data.

Device Security Threats

Faulty device configurations, unpatched operating systems and libraries often open possibilities for exploiting mobile devices. This includes settings that downgrade specific security measures like PIN or lock screen passwords, or options which sideload applications. External storage devices can also contain malicious applications or files which also should be considered as a threat worthy of monitoring.

Network Security Threats

Network security threats often occur in cases of intercepted network traffic, e.g., redirection of traffic, degradation of encryption to insecure ciphers or breaking complety breakdown of communication encryption, when performing man-in-the-middle attacks, or via SS7 redirections. Where governmental attackers are concerned, location surveillance actions of individuals pose completely different, network-related threats to mobile device users. SMS phishing attacks have also become a notable trend where attackers send an allegedly legit SMS with links to lure victims to attacker-controlled sites in order to steal credentials or to exploit the device.

How MTD tools work

MTD tools promise to provide measures against stated types of attacks. These solutions address a gap left by EMM solutions with their focus on the management of company assets as well as enforcement of policies. However, as most MTD products have no, or only limited capabilities to remediate a detected threat themselves, they rely heavily on an integrated EMM to trigger response actions

There are further constraints – with the mobile device’s operating system itself posing the most significant limitation to MTD solutions. Since both Android and iOS introduced app sandboxing, mobile applications have limited access to memory and resources and cannot alter data of other applications, so implying specific constraints for security vendors and their products. Within these boundaries, MTD providers focus on the three stated core threat areas, using different approaches.

Many MTD solutions require an agent to be deployed on the mobile endpoints. Usually, such an agent needs the deployment of administrative profiles on the mobile operating systems, as this is the only way to access the required operating system APIs. Through this mechanism, MTD apps can access information about installed applications and, on Android, they can also control the app installation process. Therefore, Android apps that are queued for installation to the vendor’s analysis environment can be uploaded in order to carry out a full security assessment beforehand. This often includes execution in a sandbox with behavioral recognition and analysis of the app’s communication. The results are optionally enriched with vendor-crafted or third-party threat intelligence, resulting in a risk score to be called up in a vendor-controlled catalog. App security is the discipline where most vendors excel.

The challenges regarding device security occur primarily in the monitoring of security measures given by the OS (PlayProtect, USB debugging, developer mode, device encryption, allowed unknown sources for apps), of external devices and the usage of the device components for legitimate, intended purposes. Due to the more or less complete dependence on the options allowed by the device and OS manufacturers, the capabilities are limited for all vendors. Network security threats are countered by MTD vendors in various ways. The products either route traffic using a VPN through their filtering infrastructure or implement the filtering intelligence on-device via a local gateway. Usually, the vendors augment monitored traffic data with intelligence to give the customer an overview of malicious traffic, and an opportunityto block these.

Some MTD solutions not only rely on EMM products to roll out their agents but also leverage EMM-provided device/user management and compliance enforcement options, thus complementing each other’s capabilities. In such cases, the MTD products have different levels of cooperation with major EMM manufacturers. Ultimately, MTD products are dependent on the APIs offered by the EMM manufacturers and must continuously ensure compatibility.


MTD is a relatively new segment in the IT security market, and is meant as a pendant to endpoint security solutions for more traditional desktop machines. Compared to these, MTD products usually provide somewhat superficial security functionality that cannot compete with the level of sophistication of NGES products. This observation also applies to the perceived maturity and quality aspects of the assessed products. We can imagine that the future development of MTD products will follow the same evolution steps as NGES products, evolving from signature-based, static malware analysis to dynamic, self-learning systems that leverage machine learning and artificial intelligence aspects.

The majority of MTD products is strongly dependant on EMM solutions. Both, this aspect and the observed overlap in provided functionality indicate a market consolidation. Possible projections of how the two market segments might develop are naturally subject to uncertainties. Nevertheless, it is not unreasonable to speculate and there is a certain probability that MTD functions will be increasingly integrated into EMM solutions, making stand-alone MTD solutions obsolete. We can also conceive other scenarios, but the current situation of having two backends and two different agents on the same devices is not a promising one.

As a consequence, customers should ask themselves if they really need an MTD solution. Firstly, most of the attack surface can be reduced by using current mobile phones with up-to-date software. Secondly, good and mature EMM solutions in conjunction with an enforced corporate VPN already cover a wide range of MTD functionality and are often needed or used anyway. The application assessment which is potentially missing can be countered by defining restrictions for app stores or, if needed, by specializing solutions. However, if these alternatives cannot be leveraged, MTD might bring an additional layer of security to mobile fleets with heterogeneous OS versions and limited policy enforcement options.

Who we are
The “Technology Scouting & Evaluation” (TSE) service identifies and evaluates promising IT security solutions. With this service, DCSO supports companies in staying ahead of a dynamic and ever-changing market. The centralized and unbiased evaluation process is supplemented with the experience of all community members.