1. Third-Party App Stores
    1. To be more secure on your mobile device, do not download software from untrusted sources
    2. Download apps from a legitimate source. If BYOD is in place, use company-approved apps.
  2. Rooting/Jailbreaking
    1. Rooting (Jailbreaking) a mobile device should not be performed for three reasons:
      1. The programs that perform jailbreaking often install malware on the mobile device.
      2. A mobile device with custom firmware (aka a Custom ROM) is more susceptible to root access from other attackers.
      3. Firmware OTA Updates
        1. A rooted mobile device may not receive Over-the-Air (OTA) firmware updates.
  3. Sideloading
    1. Loading third-party apps from a location outside of the official application store for that device.
    2. This can occur:
      1. by direct Internet connection (usually disabled by default)
      2. by connecting to a second mobile device
        1. USB On-the-Go
        2. Bluetooth
      3. by copying apps directly from a microSD card
  4. Carrier Unlocking
    1. SIM (Phone) Cloning Attack:
      1. Version 1 SIM (Subscriber Identity Module) cards had a weak algorithm that allowed an attacker to clone the information on a SIM card and use it themselves.
      2. Version 2 and above SIM cards are much more difficult, if not impossible to clone due to a stronger algorithm.
      3. Users should ensure they are using a Version 2 or later SIM card.
    2. Carrier Unlocking:
      1. The process of unlocking a mobile device from its carrier (service provider). Unlocking the device effectively takes it off the grid, making it difficult to track and manage.
      2. When the SIM is wiped, the International Mobile Subscriber Identity (IMSI) is also lost and cannot be recognized.
      3. However, the smartphone may still be identified by the International Mobile Equipment Identity (IMEI), Electronic Serial Number (ESN), or Mobile Equipment Identifier (MEID), depending on the type and age of the device.
  5. Permissions
    1. Camera Use
    2. SMS/MMS
    3. External Media
    4. Recording Microphone
  6. GPS Tagging
    1. Your security policy should clearly define whether GSM (satellite) services are enabled or disabled on your organization's devices (there are certain pros and cons either way).
    2. Privacy and data security (potential corporate espionage) are the two main concerns, which should be addressed when defining your organization's security policy.
    3. However, if a device is lost or stolen, remote wipe and tracking require GPS.
  7. Wi-Fi Direct/Ad Hoc
    1. Unapproved Ad Hoc networks are a security risk because they present an unsecured backdoor into your secure network.
  8. Tethering
    1. Turn off unnecessary wireless features such as mobile hotspot, tethering, and so on. These features reveal information to potential attackers.
  9. Payment Methods
    1. Wireless Payment methods are an unproven technology. Your information is unsafe for two reasons:
      1. Your payment information can be sniffed by attackers.
      2. The app writers have no standard to which they must adhere, such as the PCI DSS, when you provide them with your information. This technology has advanced faster than the regulations meant to control it.