Assessing Threats to Mobile Devices & Infrastructure
This document outlines a catalogue of threats to mobile devices and associated mobile 166 infrastructure to support development and implementation of mobile security capabilities, best 167 practices, and security solutions to better protect enterprise information technology (IT). Threats 168 are divided into broad categories, primarily focused upon mobile applications and software, the 169 network stack and associated infrastructure, mobile device and software supply chain, and the 170 greater mobile ecosystem.
Each threat identified is catalogued alongside explanatory and 171 vulnerability information where possible, and alongside applicable mitigation strategies. 172 Background information on mobile systems and their attack surface is provided to assist readers 173 in understanding threats contained within the Mobile Threat Catalogue (MTC). Readers are 174 encouraged to take advantage of resources identified and referenced within the MTC for more 175 detailed information, all of which are also referenced within Appendix C of this document.
Mobile devices pose a unique set of threats to enterprises. Typical enterprise protections, such as 158 isolated enterprise sandboxes and the ability to remote wipe a device, may fail to fully mitigate 159 the security challenges associated with these complex mobile information systems. With this in 160 mind, a set of security controls and countermeasures that address mobile threats in a holistic 161 manner must be identified, necessitating a broader view of the entire mobile security ecosystem. 162 This view must go beyond devices to include, as an example, the cellular networks and cloud 163 infrastructure used to support mobile applications and native mobile services.