Friday, April 3, 2026

Mobile Device Security Gaps That Put Corporate Data at Risk

Corporate email on personal phones. Slack notifications on tablets. CRM access from airport lounges. The modern workforce expects to reach company systems from any device, anywhere. Businesses have largely obliged, often without thinking through the security implications.

Bring-your-own-device (BYOD) policies give employees flexibility but create headaches for security teams. Personal devices run different operating systems, carry different patch levels, and connect through networks that the organisation cannot control. A single compromised phone can become a gateway into corporate systems.

Where the Risks Live

Mobile applications that access corporate APIs often store authentication tokens locally. If a device lacks encryption or runs an outdated operating system, an attacker with physical access or malware can extract those tokens and impersonate the user remotely. Applications that cache sensitive data offline compound the problem.

Public Wi-Fi networks remain a genuine threat despite widespread awareness. Man-in-the-middle attacks against devices that do not enforce certificate pinning can intercept credentials and session tokens. Even encrypted connections offer limited protection when the attacker's device sits between the user and the access point and the app accepts the certificate the attacker presents instead of rejecting it.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “Mobile applications rarely receive the same security testing as their web counterparts. We regularly find mobile apps that store API keys in plain text, communicate with backend services over unencrypted channels, or fail to validate server certificates. These weaknesses give attackers a direct route to corporate data through a device the organisation does not fully control.”


Extending Testing to Mobile

Organisations that conduct web application penetration testing should extend the scope to cover mobile API endpoints and the mobile applications themselves. Testing mobile apps involves examining local storage practices, network communication security, authentication token handling, and business logic that differs from the web interface.

Practical Controls

Deploy mobile device management (MDM) to enforce encryption, minimum OS versions, and remote wipe capabilities. Require a separate managed container for corporate applications on personal devices. Block access from devices that fail compliance checks.

Work with a penetration testing company that tests mobile applications alongside web and API assessments. Fragmented testing misses the attack paths that span multiple platforms. A joined-up approach gives you a complete picture of your mobile risk exposure.

The situation worsens when employees leave the organisation. Personal devices that once connected to corporate systems may still hold cached credentials, downloaded files, and authentication tokens. Without remote wipe capabilities, that data persists on devices the organisation no longer controls or can even locate.

Certificate pinning on mobile applications prevents man-in-the-middle interception even on compromised networks. Applications without pinning trust any certificate that chains to a CA the device trusts, meaning an attacker with a rogue access point and a certificate the device accepts as valid can intercept and modify all traffic between the app and your servers.
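To show what "pinning" adds on top of ordinary certificate validation, here is an added Go example (not code from the article or from Aardwolf Security) of a TLS client that computes SPKI pins, the same base64(SHA-256(SubjectPublicKeyInfo)) format Android's network security config uses, and refuses any verified chain that does not contain a pinned key. The function names, the server name api.example.test and the byte strings standing in for public keys are all constructed for this illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin format used by
// Android's network security config; pinning the key survives cert renewals.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins is a tls.Config.VerifyPeerCertificate callback; Go runs it only after
// normal CA validation, so a cert from a rogue CA installed on the device still fails.
func verifyPins(pins []string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, chain := range chains {
			for _, cert := range chain { // leaf first, then intermediates and root
				for _, p := range pins {
					if spkiPin(cert) == p {
						return nil // a pinned key anchors this chain
					}
				}
			}
		}
		return errors.New("tls: no pinned public key in verified chain")
	}
}

// pinnedConfig is the client TLS config a mobile-style API client would use; ship
// at least two pins (current key plus a backup) so key rotation cannot brick apps.
func pinnedConfig(serverName string, pins []string) *tls.Config {
	return &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: verifyPins(pins)}
}

func main() {
	// Constructed stand-ins: the pin check reads only RawSubjectPublicKeyInfo.
	legit := &x509.Certificate{RawSubjectPublicKeyInfo: []byte("legit-server-key")}
	rogue := &x509.Certificate{RawSubjectPublicKeyInfo: []byte("rogue-ap-key")}
	cfg := pinnedConfig("api.example.test", []string{spkiPin(legit)})
	fmt.Println("legit:", cfg.VerifyPeerCertificate(nil, [][]*x509.Certificate{{legit}}))
	fmt.Println("rogue:", cfg.VerifyPeerCertificate(nil, [][]*x509.Certificate{{rogue}}))
}
```

The rogue chain is rejected even though, in a real handshake, Go would already have accepted it against the device's CA store; that extra rejection is exactly the protection the paragraph above describes.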

Regularly review which applications have access to corporate data on mobile devices. Revoke OAuth tokens and API permissions for applications that staff no longer use. Stale application permissions create persistent access channels that outlast the original business justification for granting them.

Mobile security cannot be an afterthought. If your staff access corporate data on their phones, those phones are part of your attack surface. Treat them accordingly.
