Mobile Device Attack and Penetration

Find out what could happen if your devices fell into the wrong hands.

Mobile Device Attack and Penetration Assessments evaluate the existing deployment of mobile devices to determine their security posture. This assessment is an invasive look at the security of the mobile device itself which simulates loss or theft of the device. SecureState attempts simple device attacks (such as passcode bypass) along with more advanced, targeted attacks such as “Rooting” or “Jailbreaking” the device to achieve a complete compromise.


Mobile devices have been adopted by many enterprises as a must-have business tool. However, as enterprises embrace the business benefits, these devices introduce unique risks to the enterprises. Security controls and processes need to be implemented and assessed just like any other network enabled device connected to an enterprise's network.


SecureState has been on the cutting edge of developing Mobile Device Testing Methodologies for the last several years. SecureState has presented our mobile security research at national security conferences, including SANS and OWASP AppSec DC. Our experience and expertise has led us to follow a very detailed and structured methodology based on exploiting mobile devices from a hacker's mindset.

Approach and Methodology

During a Mobile Device Attack and Penetration, SecureState evaluates the following controls:

  • Basic security controls, such as remote wiping, passcode auto locking, passcode brute force prevention, and enforcement
  • Advanced security requirements, such as Rooting or Jailbreaking preventive controls, secure wireless, and VPN configurations
  • Exploitation of known and unknown mobile device vulnerabilities

Additionally, if a target organization makes use of a Mobile Device Management (MDM) solution, attempts are made to bypass established controls and requirements.

Once a device has been compromised, SecureState attempts to find sensitive or confidential information either stored on the device or being used by applications. Some of the "trophies" that can be retrieved by SecureState upon successful exploitation include:

  • Application Logs and Data
  • Contact Lists and Address Book
  • Email
  • Geolocation Data
  • Keyboard Cache
  • Passwords
  • Photos/Videos
  • Screenshots
  • SMS Messages
Get Started!