Mobile Threat Catalogue

Attack Surface

The functionality provided by mobile devices has significantly evolved over the past two decades and continues to rapidly advance. When first introduced, mobile devices were basic cellular phones designed to make telephone calls. Although carriers were targeted by malicious actors wanting to make free phone calls, users and their data were rarely the target of criminals. Once modern mobile OSs were introduced over a decade later, the threat landscape drastically changed as users began trusting these devices with large quantities of sensitive personal information. Enterprises also started allowing employees to use mobile devices and applications to access enterprise email, contacts, and calendar functionality. Shortly after the wide scale adoption of modern smartphones, a large upscale in the use and deployment of cloud services occurred. While this reduced costs and simplified operations for businesses, it altered the threat landscape in its own unique way.

The attack surface sections describe primary components of the mobile attack surface: technology stack (mobile device technology stack), communication (mobile and local network protocol stacks), supply chain, and the greater mobile ecosystem.