Security Exec Track: Secure the Pocket: Defending Mobile Devices and Apps in a Spyware-Driven World


Session Description

This session explores the evolving mobile threat landscape in 2025, highlighting how devices and applications have become primary targets for sophisticated adversaries. Using the infamous Pegasus spyware attack on Jeff Bezos via WhatsApp as a case study, we’ll demonstrate how the intersection of insecure devices and vulnerable apps creates the perfect storm for compromise.

Session Summary

  • Mobile devices are critical for workforce productivity but receive disproportionately low security investment.

  • Half of enterprise mobile devices run outdated OS versions, exposing them to known vulnerabilities.

  • Mobile phishing attacks are 50% more effective than desktop phishing, increasing the risk of credential theft.

  • Advanced spyware like Pegasus targets high-profile individuals via zero-click exploits, compromising cameras, microphones, and data.

  • Continuous pentesting-as-a-service modernizes mobile app security, enabling faster vulnerability detection and remediation.

  • MDM, MTD, ZTNA, and mobile forensics combine to provide a comprehensive, mobile-native security framework.

  • Classifying apps by business impact and maintaining an accurate app inventory are foundational steps in mobile app risk management.

Session Transcript


Hello everyone. My name is Adam Boon. I work on our security strategy here at Jamf. So yes, I obviously work for Jamf. Jamf are the leaders in Apple; that's what we're best known for. However, over the past 5 to 10 years we've really been investing in innovative mobile security solutions and bolstering what we can do when it comes to mobile device management and security. So today we are trusted by the likes of NATO, SAP, HSBC and Nike to provide security for their mobile devices. On a personal level, what I try to do is break down complex ideas for different audiences. So whether that's deeply technical or completely non-technical, or as I try to explain to my 5-year-old son what I do, I tell people stories, and often those stories are about how to defend against bad guys. So that is my intention for today's session. Hopefully we're going to understand a little bit more about the mobile threat landscape and how we can best defend and protect our mobile devices: secure the pocket, as the title alludes to. So this is an introduction, if you like, to the partnership of NowSecure and Jamf. I'm going to spend the next 20 to 30 minutes or so just providing some background and context to this partnership. Now, if an attacker wants to compromise your business, it's likely they'll attack the infrastructure or other parts of the wider network. If they want to compromise an individual, they will always go after the mobile device. Let's dive into that and understand a bit more about why that might be. So, taking a step back, these statistics really underscore the critical role that mobile devices now play in the modern workplace. And one of the stats that really calls out to me is the one at the bottom right: 80% of IT executives believe that their employees cannot do their jobs effectively without a mobile device. I personally travel quite a lot with my job.
It's very rare these days that I actually have to get my laptop out of the bag. I can do most of what I need to do from a mobile device, which is obviously great from a productivity point of view. And the other stat on the screen: 34% of employees who regularly use their mobile devices for work tasks saw an increase in their efficiency and productivity. So we know that a lot of mobile devices are now in the enterprise, around about 60% according to Microsoft, yet only 10%, give or take, of the average security budget is actually focused on providing some form of protection for mobile devices. So it's a huge gap, and a growing one. Now, mobile devices are prime targets, right, because we use them all the time, we access so much sensitive data from them, and generally security awareness is quite low. So a recent study found that at any given point half of mobile devices within an organization are running an outdated OS. I'll come on to later the importance, if you like, of keeping devices on that latest version of OS, but it is kind of security 101. Diving into that a little bit further, from our own customer data we found that in 2024 39% of organizations had devices with known vulnerabilities. So this is not just an outdated OS. This is actually a known vulnerability within an operating system or an application which is present on these devices. And just some other stats that kind of highlight this mobile blind spot. So phishing attacks are 50% more effective on a mobile device than on a Windows device. So if you think about it, if a user receives an identical phishing message, one sent via email, one sent via SMS, they're twice as likely to click on the SMS. Once they then get taken to a mobile phishing screen, the screen size is smaller, it's a lot harder to spot, and they're twice as likely to give away those credentials. And then lastly, spyware loves mobile.
So again, I'll do a little bit more of a deeper dive on spyware later on, but if you think about it, it's the one device that we always have on us. If I'm an attacker and I'm investing millions in trying to spy on an individual, that is the device that that individual carries with them at any given point. And in fact, I guarantee most of us sitting on this session here will be able to get their mobile device within arm's distance, right? You keep it with you at all times. But obviously, like I said, spyware does love mobile for that very reason. So, I guess looking at some of the latest trends, a bit of research that I'm finding interesting from the wider market. So, early this year, Google released their threat intelligence report looking at 2024, focused on zero-day exploitation. Now, in 2024 they actually saw mobile zero-day vulnerabilities drop from 17 to 9. Two of those were on iOS, seven on Android. Of the Android vulnerabilities, what was interesting was that three of those seven zero-day exploits were found in third-party components. Now, third-party components are likely to be perceived as lucrative targets for exploit development since they can enable an attacker to compromise many different makes and models of devices across the Android ecosystem. But for 2025 already, Apple have actually patched five actively exploited zero-day vulnerabilities since the beginning of this year, including two that were in iOS 18.4.1, which was released just 2 weeks after iOS 18.4, which in itself had over 60 different vulnerabilities, although they weren't necessarily zero-day exploits as was found in 18.4.1. So obviously it's great that Apple can identify and fix these vulnerabilities, but the trend is there, right? Already this year we're seeing attackers finding these exploits and actively exploiting them. So this is not just researchers discovering vulnerabilities and alerting Apple to this.
This is actual actively exploited exploits that have been confirmed. Similar numbers for Android. So far this year, there have been 169 total vulnerabilities that were addressed by Android, and of those, four were actively exploited zero-day vulnerabilities that have been patched. So, like I said, very important that we keep devices on the latest version of OS. But also quite interesting to see that shift already this year in terms of attackers targeting mobile devices and finding different ways they can do so. Some further interesting bits of media coverage that I found that kind of support that argument as well. A mobile security company found that in scans of 18,000 devices there were 11 new Pegasus infections. So again, we'll touch a little bit more on what Pegasus is and the implications of that if you don't know. But what was interesting about this report was that those infections were primarily on devices used by business executives. So it potentially indicates a broader threat landscape than what was previously understood, because as is evident by the bottom clipping (appreciate the text is quite small there), there was a 2023 report from the European Parliament which revealed that at least 14 EU countries have acquired or used Pegasus spyware. So these are countries such as Poland, Hungary, Spain, Greece. So typically when we talk about these types of advanced spyware attacks on mobile, it's often government-type organizations that are at the center of this. So again, it still is the case that we see those in the higher-profile industries being targeted with these more advanced spyware attacks. But in 2025 in general, we are seeing an increase in lower-profile but still damaging mobile attacks such as phishing, sideloading and application data usage. So where in reality can these risks come from?
These could come from attackers looking to exploit vulnerabilities within an outdated OS. So like I mentioned earlier, it's incredibly important that we keep devices on that latest version of OS, because that is what attackers are often looking to exploit. When we find evidence of attacks, it's often the case that the device was not up to date. Now we know it's a challenge keeping those devices up to date, but it's just the reality. Then we also see examples where attackers are trying to trick users into downloading rogue profiles onto the device, or third-party applications. We're seeing an increase in social engineering type attacks. So whether that is SMS phishing attacks or, increasingly, QR code phishing attacks, which again are either taking a user to a site to give away credentials or in some cases with QR codes actually getting them to directly install profiles onto a device, which, if a user is not particularly tech savvy, can be quite an effective social engineering attack for the attacker. And then we have applications which are not necessarily providing adequate protection or data authentication. Again, we'll touch a bit more on that later on. And as I mentioned, there is also mobile spyware, which is very rare but often does involve attackers exploiting several of these threat sources, both with applications and on the device side. So let's look at some examples of mobile spyware. This is obviously the exciting stuff, the kind of James Bond style stories that we hear about, but probably the most high-profile example was supposedly the Saudi prince compromising Jeff Bezos' phone with Pegasus. And again, I'll talk a little bit more about how this was done in a second. But yes, obviously this gained a lot of attention at the time. We've also seen examples, like I mentioned, in parliament and government organizations.
This particular one was an Egyptian member of parliament who announced that they were running for the upcoming presidential election in Egypt. They suddenly started to get suspicious activity on their mobile device, and actually their device was infected via a zero-click exploit where they weren't able to do anything. The attackers had put something within the Vodafone network within Egypt that was specifically targeting that individual's device phone number. As soon as the device connected to the Vodafone network, it was redirected to a site which installed the spyware, the malware, and then redirected back within a matter of milliseconds. So there was nothing the individual could have done to stop that. At Jamf, we've also found evidence of different types of techniques attackers are using to install spyware onto high-profile individuals' devices. I mentioned earlier the European Union putting out press releases or reports on member states using spyware. The actual Polish prime minister actively came out and said the previous regime were using spyware against opposition within the country. Again, some more examples here. We saw a couple of years ago Apple fixed some software vulnerabilities that were supposedly used to compromise Russian individuals. We found the UK had government officials infected with Pegasus, including at the time the Prime Minister Boris Johnson, which I'm sure for those of you that are across UK politics probably won't be too surprising, but there are a number of examples of this, and unfortunately there are more. If you are interested, you can do your own research in terms of mobile spyware and the latest and greatest stories there. Now one particular story that again came to attention recently was NSO Group, who are the developers of Pegasus, versus WhatsApp.
So there's a legal dispute that's ultimately happening here. So what actually happened? Back in 2019 WhatsApp filed a lawsuit against the Israeli cyber intelligence firm NSO Group, and they alleged that NSO exploited a vulnerability in WhatsApp's video calling feature to install the Pegasus spyware on approximately 1,400 users' devices across 20 countries. So as I mentioned, Jeff Bezos was probably the most high-profile here. Now this spyware allowed unauthorized access to the users' messages, microphones, camera and other sensitive data. And as I mentioned, the targets included high-profile business leaders, but also journalists, human rights activists, politicians, etc. Now, WhatsApp claimed that NSO Group not only developed the spyware but also actively operated it. So that actually contradicted NSO's assertion that it was merely supplying the technology to government clients. So, what was the outcome? In December 2024, a US court ruled in WhatsApp's favor, and in May of this year, so just the other week, a federal jury ordered NSO Group to pay $1.68 million in damages. So this was the first time a commercial spyware vendor was held legally accountable in a US court. So again, an interesting story. Why is this relevant? I mean, the reaction should be that this wasn't theoretical, right? This happened. It was a vulnerability within one application and then suddenly even world leaders are compromised. So it really does show why app security matters just as device security matters, and if ultimately you rely on mobile applications, you must know what's under the hood. And critically, it also proves that attackers don't always need access to your network or the operating system: the app itself can be the entry point. So here's an example done by our Threat Labs team of what a compromise could look like from an attacker's point of view.
Now I must state this is a video that was done in a controlled environment on a device that is outdated and also has been tampered with. The purpose of this demonstration is just to showcase the intention often behind an attacker's goal for these types of attacks. When it comes to spyware, like I mentioned, this is the device you have on you at any given point. So, if I have access to the device camera and microphone, I can potentially listen in to very sensitive or valuable information to an attacker. So that could be board meetings you're going into, personal conversations. Ultimately, when we see these types of spyware attacks, this is largely what an attacker is trying to get access to: camera and microphone, remotely. And typically the life cycle is they identify a target, they try to deliver the exploit, which is often a zero-click exploit. It can be delivered silently via, like we see in WhatsApp, potentially Safari via malicious links, or another web browser. They're then using these zero-day vulnerabilities to gain root or kernel level access to bypass potential security layers. And then once they're on there, they're trying to access the microphone, the camera, potential messages or location tracking for the individual. Very, very rare. Like I said, this is a controlled demo, but hopefully it illustrates the point of what an attacker who is investing millions into these types of attacks is trying to achieve. Now, the good news: Apple and Android are responding to this growing threat, growing attacks, if you like. So, there's obviously a lot of great features that we know about that are built into iOS in particular. We know the app sandbox. We know iOS enforces very strict security built into the hardware. You've got the Secure Enclave. There's a lot of other great features within iOS that offer security off the bat.
They've also invested in Lockdown Mode, which is a high-security mode designed for users who are at risk of targeted attacks. So its intention is to drastically reduce the device's attack surface by limiting certain features and functionality, and Android also has similar security features available. So they are responding, which is great, but as you'll see there is a little bit more that's needed to ultimately make mobile deployment secure and successful. So we don't really need to reinvent the wheel here, right? Both Apple and Android give us great native controls. The challenge that businesses find is actually then deploying them at scale with visibility and without ruining the user experience that people expect, and that's where we come in. So with the different scenarios that you could face, right, there is a danger in taking the easy option, and ultimately the first option is to get the device enrolled into MDM. Maybe you already have a subscription to a basic endpoint security tool for mobile. And I don't mean basic in that it might be a very advanced security tool that's running on your other endpoints like your Windows endpoints, but their mobile functionality from a security point of view is quite limited and basic. So you enroll the device into MDM, you maybe deploy your endpoint security solution that you've been running on Windows to your mobile devices, but that's about it. You have quite limited app visibility and control over the applications. And as we've mentioned already, the risk here is that attackers will look to exploit vulnerabilities within applications. There could potentially be data leakage if users are downloading apps from unofficial app stores that don't go through the same vetting process that official app stores bring in. Or that endpoint security tool that you've deployed onto the device may not perform as well on a mobile operating system.
For example, Microsoft Defender works brilliantly on Windows. For mobile devices, it doesn't really offer insight into the application risks, the vulnerability management within mobile OSes, or malware detection or protection on iOS devices. So that is the kind of danger, as I mentioned, of taking that easy option. Then you might want to say, actually, let's start with the apps. An app-first approach is good, but again let's not forget the basics. So if you are vetting all the applications that users have installed, you've got the app store locked down, they can only download apps from trusted app stores and they're managed via MDM, great, but what is the risk? So, as I mentioned, these built-in security features are only effective if they are configured correctly and automatically patched. So you want to make sure that you're leveraging the native security features built into mobile OSes and automating them as best as you can. Applications are just one of the vectors attackers look to exploit. So I mentioned earlier outdated operating systems or social engineering techniques. User behavior will introduce risks if it's not monitored correctly. And here's an example of a well-known phishing type attack on screen. So that is why we're really excited about this partnership. We believe that this is the most effective mobile security that you can get on the market today. So how does Jamf help you get there? We have different capabilities on the mobile device. We offer mobile device management functionality, including management of BYOD devices. We have MTD, which is a mobile threat defense solution. So this is a purpose-built security solution for mobile operating systems.
So, this is protecting you against cyber threats such as a user clicking on a phishing link or scanning a QR code, as well as highlighting any vulnerabilities: not just an outdated OS but actually that they're running on an OS that is attributed to known vulnerabilities, or there are applications on that user's device which are insecure or again could be exploited. We also have built-in ZTNA functionality, which is all about setting up a mobile-first VPN. You can set up dynamic split tunnels for business applications. You can ensure that only devices that meet certain criteria are actually allowed to access company data. So brilliant to kind of round off all of the security functionality when it comes to then allowing users to access applications. And then we also have a mobile forensics tool, which is a really unique solution on the market that allows you to analyze a lot of deep-level data from a mobile device, the system level, kernel level, and then understand if a device potentially has been compromised, or look for potential weak spots within the device ecosystem that could be compromised in the future. And everything that we offer, like I said, is purpose-built for that mobile experience. So user experience is not impacted, and it's super easy to deploy from an admin experience. A lot of great functionality that we can offer via this. So as a quick overview, we're not just securing the device, we're also making sure that the experience, be it the onboarding, the access to applications, compliance and insight into mobile devices, that everything is mobile native, everything is unified, very easy to manage and run. So from my point of view, we are super excited about the potential that this partnership can bring. I personally can't wait to see it realized. I really hope that you've enjoyed my session today. And thank you for your time.
Hi, I'm Michael Krueger and I'm here to talk to you about traditional pen testing versus pen testing as a service. Standalone pen testing is our traditional application of pen testing for mobile apps. Experts conduct rigorous security testing against the application, provide a final report and then ultimately remediation consultation. However, there is a problem with that. In this example, there may be an application that has three major releases throughout the year as well as a number of minor releases, and we're conducting an annual pen test as well. The annual pen test in March, as you can see, may catch one of four bugs throughout the year. However, those other three bugs may introduce vulnerabilities that may not be caught until the following annual pen test if they're not uncovered during other rigorous testing. How do we fix this sort of application? Well, that's where we bring in pen testing as a service. Pen testing as a service modernizes the pen testing approach by utilizing SDLC integrations to reduce developer friction by uploading binaries directly into a software-as-a-service platform. It allows you to dynamically request pen tests on demand from experts, go through that typical expert-led pen testing cycle, export reports on demand, but also feed that report information back into a more continuous monitoring program. It can also conduct retesting. But as we ingest into the continuous monitoring, continuous testing program, we start this continuous cycle of uploading new releases for assessment, automated assessments occurring throughout the year, constant reporting and notification out to vulnerability management and bug tracking systems, and of course that remediation consultation, all happening in a continuous application. As you can see here, we've now taken that annual pen test.
We've introduced another, more prescriptive pen test throughout the year, but we've also introduced this concept of a continuous monitoring, continuous testing program so that those bugs throughout the year can be addressed in a much more reduced time frame. Finally, I'll leave you with some benefits of PTaaS. Continuous testing really does ensure that new releases don't go untested for long periods of time. It reduces that developer friction by enabling binaries and results to be provided directly via CI/CD. Ideally, it's an application of progressive testing for your mobile app risk management program. It reduces cost by allowing flexibility in the frequency and the types of continuous testing. And finally, it allows trend analysis and a view of all of your assessments, despite their type, in a single platform to get an overall view of your entire mobile portfolio.

[Applause] [Music]

Hello and welcome to your MARMM minute. I'm Alan Snyder and today we're going to talk about the first step in the MARMM program. We're going to talk about how you classify apps and put them into business impact tiers. The business impact tier is super simple. It's basically saying how important is this app to my business and what is the impact to my business if there is a cybersecurity incident, be that a data breach, be that a vulnerability, privacy issue, operational disruption, all sorts of things that can cause harm to the business. So let's dive right in and let's take a look at some of the characteristics that we recommend. Now what's important to understand about what we're going through here is that each company is going to come up with what is appropriate for them. We've created a best practice document to help you define these and serve as a template, but based on your threat model and based on your operations organization, it's probably going to vary a little bit. But you need to look at things like sensitive information.
Does it have PII, health information, financial transactions? Does it have your brand on it? Is it the primary path to business? Does it collect geolocation data? Maybe it has access to contacts and microphone and camera. So, it's collecting information that you have an obligation to protect. How many connections and endpoints does it have? In essence, where could that data that it's collecting be distributed to, with or maybe without your knowledge? All of these things factor in to how much of an impact, and therefore how much of a risk, it is to your business. So this has been the MARMM minute, super quick, but hopefully it helps you put together a better program.

[Music]

Hello and welcome to the MARMM minute. I'm Alan Snyder and today we're going to talk about the second step in the MARMM program. It is basically asset inventory. It's understanding the mobile apps that are in your environment that need to be secured and protected. It comes in a couple of different groups. The first is relatively straightforward to understand, a little bit harder to identify: that is all the mobile apps that you or a vendor develops on your behalf. It typically is going to have a brand, usually going to be in a public app store, maybe in your internal enterprise app store. The second category is apps that are approved for use. So this is one that you didn't develop, but a third-party vendor developed with their brand, but you're putting your intellectual property or PII or other such information that needs to be protected in it. So, think of things like maybe Slack or some other messaging platform like Teams, that you didn't build but you're using. It's super sensitive. Those are typically going to be in your MDM, and they are approved-for-use apps that get pushed out to new employees. The third category is going to be BYOD. And this really depends on your security posture about how important it is to protect, but those are your big categories there to go and find.
