Chapter 34: Mobile and IoT Security¶
Overview¶
Mobile devices and the Internet of Things (IoT) have expanded the attack surface into every pocket and every room. With over 15 billion IoT devices deployed globally and every employee carrying a powerful computer with corporate access, mobile and IoT security has become a critical security domain. This chapter covers mobile platform security architectures (iOS and Android), mobile threat landscape, Mobile Device Management (MDM) and Unified Endpoint Management (UEM), IoT security architecture, OT/IoT convergence threats, and practical hardening for both device categories.
Learning Objectives¶
By the end of this chapter, students SHALL be able to:
- Describe the security architectures of iOS and Android and their strengths/limitations
- Assess mobile application security using OWASP Mobile Security Testing Guide (MSTG)
- Design and operate a Mobile Device Management program
- Identify IoT security risks and apply the ENISA IoT security framework
- Analyze IoT network traffic for anomalous behavior
- Implement network segmentation strategies for IoT device management
Prerequisites¶
- Basic understanding of operating system security concepts
- Chapter 31 (Network Security Architecture) for segmentation context
- Chapter 29 (Vulnerability Management) for firmware vulnerability context
Why This Matters
In 2016, Mirai botnet infected 300,000+ IoT devices (cameras, routers, DVRs) using default credentials and launched the largest DDoS attack ever recorded — taking down Dyn DNS and making Twitter, Netflix, and Reddit unreachable for hours. In 2021, Verkada security cameras were breached — attackers accessed live video from hospitals, jails, Tesla factories, and police stations. A pacemaker manufacturer's cardiac devices were found to have 8,000+ vulnerabilities — remotely exploitable. A hospital's infusion pump could be remotely commanded to deliver a lethal drug dose. Mobile and IoT security is not theoretical — it has direct physical consequences.
34.1 Mobile Platform Security¶
34.1.1 iOS Security Architecture¶
iOS SECURITY LAYERS:
Hardware Security:
├── Secure Enclave Processor (SEP) — isolated co-processor
│ ├── Stores: Biometric templates (Touch ID, Face ID)
│ ├── Stores: Device encryption keys, passcode
│ └── Processes: Touch ID/Face ID verification (never leaves SEP)
├── Unique Device ID (ECID) — hardware burned identifier
├── Hardware UID (Unique ID) — per-chip unique key, inaccessible to software
└── Secure Boot chain: iBoot → iOS kernel (each stage signed by Apple)
Software Security:
├── App Sandbox: Each app isolated in own container
├── Mandatory code signing: All apps must be signed by Apple-trusted cert
├── App Store review: Vetting before distribution
├── Permission model: Explicit user consent for each capability
├── Pointer Authentication Codes (PAC): Prevents code pointer exploitation
└── Memory safety: Swift enforced memory safety
Data Protection:
├── Filesystem encryption: Every file encrypted with per-file key
├── Data Protection classes: NSFileProtectionComplete (locked when screen off)
├── Keychain: Encrypted credential storage
└── Full disk encryption: Active even when device is off
Updates:
└── 5-6 years of security updates; 0-day patches within hours/days
34.1.2 Android Security Architecture¶
ANDROID SECURITY ARCHITECTURE:
Process Isolation:
├── Each app runs as unique Linux user (UID)
├── App Sandbox: DAC + SELinux enforced isolation
└── Inter-app communication only via explicit Intents
Hardware Abstraction:
├── TEE (Trusted Execution Environment) — ARM TrustZone
│ ├── StrongBox Keymaster (Pixel, Samsung) — dedicated security chip
│ └── Key material never leaves TEE
├── Verified Boot — cryptographic integrity of boot chain
└── Android Verified Boot (AVB) — prevents rollback attacks
Application Security:
├── Play Protect: ML-based malware scanning
├── Permission model: Runtime permissions (user can revoke)
├── Network Security Config: Force HTTPS in apps
└── SafetyNet / Play Integrity API: Device attestation for apps
Fragmentation Challenges:
├── 3+ Android versions widely deployed simultaneously
├── OEM modification introduces vulnerabilities
├── Some devices: 1-2 year security update support only
├── Enterprise: Android Enterprise Recommended (AER) for reliable support
└── Solution: Enforce MDM enrollment; block outdated OS versions
34.2 Mobile Threat Landscape¶
34.2.1 Mobile Attack Vectors¶
| Attack Vector | iOS | Android | Mitigation |
|---|---|---|---|
| Phishing via SMS (Smishing) | Vulnerable | Vulnerable | Security awareness + URL filtering |
| Malicious apps | Rare (App Store review) | More common (sideloading) | MDM: disable sideloading, Play Protect |
| Zero-click exploits | High-value targets (Pegasus) | NSO Group / others | Keep iOS/Android updated; avoid jailbreak |
| Insecure Wi-Fi (MITM) | Vulnerable | Vulnerable | Always-on VPN via MDM; certificate pinning |
| Jailbreak/Root | Jailbroken iOS compromised | Rooted Android | MDM: block jailbroken devices |
| Physical theft | Encrypted + Activation Lock | Encrypted + FRP | Strong passcode; remote wipe |
| Stalkerware | Rare | Common | MDM policies; MDM anomaly detection |
| Supply chain (malicious SDK) | Possible | Possible (more common) | App vetting; code signing; SAST on mobile apps |
34.2.2 NSO Group Pegasus — Advanced Mobile Spyware¶
Pegasus is the most sophisticated mobile spyware ever documented:
PEGASUS CAPABILITIES:
├── Zero-click delivery: No user interaction required
│ - iMessage, FaceTime, WhatsApp zero-click vulnerabilities
│ - Delivered via malicious GIF, PDF, or message
├── Persistence: Survives reboots (kernel-level implant)
├── Capabilities:
│ ├── Read all messages (iMessage, WhatsApp, Signal, Telegram, email)
│ ├── Camera: Activate front/back camera silently
│ ├── Microphone: Record ambient audio
│ ├── Location: Real-time GPS tracking
│ ├── Call log: All calls, contacts
│ └── Password stealing: Keylogging
├── Anti-forensics: Self-destructs if can't reach C2
└── Cost: ~$650,000 for 10 targets (nation-state pricing)
Detection (Amnesty International's MVT tool):
pip3 install mvt
mvt-ios check-backup --iocs pegasus.stix2 --output ./results ~/Library/Application\ Support/MobileSync/Backup/
34.3 Mobile Device Management¶
34.3.1 MDM Architecture¶
graph TB
subgraph "MDM Console"
MDM[MDM Server\nMicrosoft Intune\nJamf\nVMware Workspace ONE]
end
subgraph "Enrollment"
DEP[Apple DEP / ABM\nAuto-Enrollment]
AE[Android Enterprise\nZero-Touch Enrollment]
BYOD[BYOD\nUser-Initiated Enrollment]
end
subgraph "Managed Devices"
IOS[iOS Devices\nCompany-Owned]
AND[Android Devices\nEnterprise Profile]
BY[BYOD Devices\nPersonal Profile / Container]
end
MDM --> IOS
MDM --> AND
MDM --> BY
DEP --> IOS
AE --> AND
BYOD --> BY
IOS --> COMP[Compliance Check\nOS Version\nPasscode\nEncryption\nJailbreak Detection]
AND --> COMP
BY --> COMP
COMP -->|Non-compliant| BLOCK[Block Corporate Access\nConditional Access]34.3.2 MDM Policy Baseline¶
<!-- Microsoft Intune Compliance Policy — iOS Minimum -->
<CompliancePolicy>
<Platform>iOS/iPadOS</Platform>
<Settings>
<MinimumOSVersion>17.0</MinimumOSVersion> <!-- Latest major version -->
<RequirePasscode>true</RequirePasscode>
<MinimumPasscodeLength>6</MinimumPasscodeLength>
<MaxPasscodeAgeDays>90</MaxPasscodeAgeDays>
<PasscodeRequiresAlphanumeric>true</PasscodeRequiresAlphanumeric>
<PreviousPasscodeBlockCount>5</PreviousPasscodeBlockCount>
<MaximumMinutesAfterScreenLock>5</MaximumMinutesAfterScreenLock>
<DeviceEncryption>required</DeviceEncryption>
<JailbreakDetection>block</JailbreakDetection>
<BlockRooted>true</BlockRooted>
</Settings>
<ConditionalAccess>
<BlockNonCompliantDevices>true</BlockNonCompliantDevices>
<GracePeriodDays>3</GracePeriodDays> <!-- Allow 3 days to become compliant -->
</ConditionalAccess>
</CompliancePolicy>
34.3.3 BYOD Container Strategy¶
For personal devices (BYOD), the container model separates corporate data from personal:
ANDROID ENTERPRISE WORK PROFILE:
├── Work Profile: Managed by organization
│ ├── Corporate email, calendar, contacts
│ ├── Corporate apps with DLP policies
│ └── IT can wipe ONLY work profile data
├── Personal Profile: Employee-owned
│ ├── Personal apps, photos, data
│ └── IT cannot access or wipe personal data
└── Visual separation: Work apps have badged icon
iOS MANAGED OPEN-IN:
├── Corporate documents can only be opened in managed apps
├── Personal → Corporate: Blocked (paste restrictions)
├── Corporate → Personal: Blocked (managed app constraint)
└── Remote wipe: Only managed data/apps removed
Privacy Protection (CRITICAL for legal compliance):
├── MDM inventory: device model, OS version, compliance status
├── MDM CANNOT see: personal apps, messages, photos, location
└── This separation is legally required in EU (GDPR) and many US states
34.4 Mobile Application Security Testing¶
34.4.1 OWASP Mobile Top 10 (2024)¶
| Rank | Category | Example Vulnerability |
|---|---|---|
| M1 | Improper Credential Usage | Hardcoded API keys in app binary |
| M2 | Inadequate Supply Chain Security | Malicious SDK included in app |
| M3 | Insecure Authentication/Authorization | PIN bypass via API manipulation |
| M4 | Insufficient Input/Output Validation | SQL injection in offline SQLite |
| M5 | Insecure Communication | HTTP used for sensitive data |
| M6 | Inadequate Privacy Controls | PII logged to device logs |
| M7 | Insufficient Binary Protections | No obfuscation; easy reverse engineering |
| M8 | Security Misconfiguration | Backup allowed for sensitive data |
| M9 | Insecure Data Storage | Credentials in UserDefaults/SharedPreferences |
| M10 | Insufficient Cryptography | ECB mode, weak keys |
34.4.2 Mobile Security Testing Tools¶
# MobSF (Mobile Security Framework) — automated static + dynamic analysis
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
# Upload APK or IPA via web interface
# Frida — dynamic instrumentation (iOS + Android)
# Requires jailbroken iOS or rooted Android
pip3 install frida-tools
# Intercept specific API calls
frida -U -l intercept_crypto.js com.targetapp.example
# Certificate pinning bypass (for testing)
frida -U -l universal-ssl-pinning-bypass.js -f com.targetapp.example
# Android static analysis
apktool d app.apk -o decompiled/
jadx -d jadx_output app.apk # Decompile to Java
# Find hardcoded secrets
grep -r "password\|secret\|api_key\|token" decompiled/ --include="*.smali"
strings app.apk | grep -iE "https?://|password|Bearer|secret"
34.5 IoT Security¶
34.5.1 IoT Attack Surface¶
graph TB
subgraph "IoT Attack Surface"
D[IoT Device] --> HW[Hardware Interface\nJTAG, UART Debug Ports]
D --> FW[Firmware\nExtractable via UART/JTAG]
D --> APP[Mobile App\nAPI Keys, Auth Bypass]
D --> NET[Network Interface\nUnencrypted Protocols]
D --> CLOUD[Cloud Backend\nAPI Vulnerabilities]
D --> UPDT[Update Mechanism\nFirmware Tampering]
end
style HW fill:#f4a261,color:#000
style NET fill:#e63946,color:#fff
style CLOUD fill:#e63946,color:#fff34.5.2 OWASP IoT Top 10¶
| Rank | Vulnerability | Prevalence |
|---|---|---|
| I1 | Weak/Hardcoded/Guessable Passwords | Extremely common |
| I2 | Insecure Network Services | Very common |
| I3 | Insecure Ecosystem Interfaces | Common |
| I4 | Lack of Secure Update Mechanism | Common |
| I5 | Use of Insecure/Outdated Components | Very common |
| I6 | Insufficient Privacy Protection | Common |
| I7 | Insecure Data Transfer and Storage | Common |
| I8 | Lack of Device Management | Very common |
| I9 | Insecure Default Settings | Extremely common |
| I10 | Lack of Physical Hardening | Common |
34.5.3 IoT Network Segmentation¶
IoT NETWORK ARCHITECTURE:
1. Dedicated IoT VLAN (mandatory)
- NEVER put IoT devices on corporate LAN
- Rationale: IoT devices are often compromised (weak security, no patches)
2. Firewall Rules (default deny):
IoT VLAN → Internet: Allow ONLY specific required services
IoT VLAN → Corporate LAN: DENY (with very specific exceptions)
Corporate LAN → IoT VLAN: Allow management IPs only
IoT → IoT: DENY (prevent lateral movement within IoT segment)
3. DNS Resolution:
- Separate DNS resolver for IoT VLAN
- Protective DNS enabled
- Log all DNS queries
4. Network Monitoring:
- Passive monitoring (Claroty, Nozomi, Cisco Cyber Vision)
- Alert on: new devices, port scans, unusual protocols, large data transfers
Example Network Policy (Cisco ASA):
access-list IoT_ACL extended permit tcp IoT_VLAN host cloud-api.vendor.com eq 443
access-list IoT_ACL extended permit udp IoT_VLAN host 8.8.8.8 eq 53
access-list IoT_ACL extended deny ip IoT_VLAN CORPORATE_LAN log
access-list IoT_ACL extended deny ip IoT_VLAN IoT_VLAN log
access-list IoT_ACL extended deny ip any any log
34.5.4 IoT Firmware Analysis¶
# Extract and analyze IoT firmware
# Binwalk — firmware extraction
binwalk -e firmware.bin # Extract filesystem
binwalk -A firmware.bin # Analyze architecture
# Firmwalker — search extracted firmware for credentials/config
./firmwalker.sh /path/to/extracted_fs /output_dir
# Searches for: passwords, private keys, configuration files, URL patterns
# Emulate firmware with QEMU (for dynamic analysis)
# After extraction, mount filesystem:
sudo mount -o loop rootfs.squashfs /mnt/rootfs
# Set up QEMU chroot environment
cp $(which qemu-mipsel-static) /mnt/rootfs/usr/bin/
chroot /mnt/rootfs /bin/sh
# Check for default credentials
# Common hardcoded credentials locations:
grep -r "admin\|password\|1234\|root" /path/to/extracted_fs/etc/
strings /path/to/extracted_fs/usr/sbin/httpd | grep -iE "password|secret|admin"
34.6 IoT Security Frameworks¶
34.6.1 ETSI EN 303 645 — Consumer IoT Standard¶
The European Telecommunications Standards Institute (ETSI) published the world's first global IoT security standard in 2020, adopted as UK PSTI Act 2024:
ETSI EN 303 645 REQUIREMENTS:
1. No Universal Default Passwords
- Each device must have unique default password
- Or: Require user to set password before activation
2. Implement Vulnerability Disclosure Policy
- Publish security contact; respond within 6 months
3. Keep Software Updated
- Support update mechanism; notify users; update automatically if possible
4. Securely Store Credentials and Security-Sensitive Data
- No hardcoded credentials; secure storage
5. Communicate Securely
- Encrypted communications (TLS 1.2+)
6. Minimize Exposed Attack Surfaces
- Only necessary ports open; disable unused features
7. Ensure Software Integrity
- Verify firmware using cryptographic signatures
8. Ensure Personal Data is Secure
- GDPR compliance; data minimization
9. Make Systems Resilient to Outages
- Handle network disruption gracefully
10. Examine System Telemetry Data
- Anomaly detection; security-relevant telemetry
34.7 Benchmark Controls¶
| Control ID | Title | Requirement |
|---|---|---|
| Nexus SecOps-MOB-01 | MDM Enrollment | 100% of corporate devices enrolled in MDM; compliance enforced |
| Nexus SecOps-MOB-02 | Mobile Application Management | BYOD container deployment; DLP policies on managed apps |
| Nexus SecOps-MOB-03 | OS Update Enforcement | Devices on OS versions >12 months old blocked from corporate access |
| Nexus SecOps-MOB-04 | IoT Network Segmentation | All IoT devices on dedicated VLAN; default-deny firewall policy |
| Nexus SecOps-MOB-05 | IoT Inventory | Complete inventory of all IoT devices; automatic discovery enabled |
| Nexus SecOps-MOB-06 | IoT Default Credential Remediation | No IoT devices using manufacturer default credentials |
Exam Prep & Certifications¶
Relevant Certifications
The topics in this chapter align with the following certifications:
Key Terms¶
Android Enterprise — A set of Google security APIs and management capabilities for deploying Android in enterprise environments, including work profiles, fully managed devices, and dedicated devices.
Firmware — The embedded software that controls an IoT or hardware device, stored in non-volatile memory. Often lacks security features and is rarely updated in deployed devices.
MDM (Mobile Device Management) — Software enabling IT to enroll, configure, secure, and manage mobile devices across an organization's fleet.
Mirai — An IoT botnet malware (2016) that infected devices using default credentials, creating a massive botnet used for DDoS attacks. Source code release led to hundreds of variants.
Pegasus — Advanced mobile spyware from NSO Group, sold to nation-states, capable of zero-click exploitation of iOS and Android.
TEE (Trusted Execution Environment) — An isolated execution environment within a processor (ARM TrustZone) that provides higher security for sensitive operations such as key storage and biometric verification.
Zero-Click Exploit — An attack that compromises a device without requiring any user action — no clicking links, no opening files.