What is Mobile Threat Defense (MTD)?

When technologies are new, it can take a while before everyone agrees on the same language. Mobile security has gone by many names – Gartner goes for Mobile Threat Defense (MTD), IDC calls it Mobile Threat Management (MTM) while others prefer Mobile Threat Prevention (MTP). Regardless of the exact terminology, these solutions are all concerned with the same thing doing the same thing: securing mobile devices.

Importantly, as businesses have equipped employees with the latest devices, there has been a growing need to ensure they are protected from an increasingly sophisticated threat landscape.

In the 2019 Gartner Market Guide for Mobile Threat Defense Solutions it was estimated that 30% of organizations will have MTD in place by 2020, an increase from less than 10% in 2018.. IDC published similar sentiments in its MarketScape for MTM, stating that enterprises are adopting mobile security having decided that EMM and native sandboxing on mobile operating systems (OSs) are not enough to meet overall mobile threat management needs.

What does Mobile Threat Defense protect against?

All mobile security solutions must consider a wide range of attacks designed specifically for mobile. These are attempts by hackers to compromise the device, typically for financial gain or to obtain sensitive corporate and/or personal data.


Mobile malware is growing fast. Malware ranges from relatively benign spam-like apps (adware) and screen-locking nuisances (ransomware) to highly dangerous, advanced threats that extract data from the device, like spyware or trojans.

Mobile Threat Defense solutions scan devices and applications to looks for signs of malicious activity, informing security teams when evidence of malware is discovered. The best solutions will not only identify known malware files, but also discover previously unknown strains, known by researchers as ‘zero-day threats’. One example of a zero day attack is a family of malware named RedDrop, first discovered in 2018. RedDrop is a particularly nasty threat, racking up large SMS costs and stealing all kinds of data from the victim’s phone.

The best mobile security solutions will not only detect when malware has been downloaded and installed, but actively monitor connections to suspicious domains, blocking any attempts to download the malicious files before they even reach the device. The most advanced will also be able to prevent the outbound connections that malware may attempt, preventing the exfiltration of data to attackers.


This threat has been around for decades, but in recent years has shifted to mobile and is now the no.1 mobile threat. iPhone users are 18 times more likely to get phished than they are to download malware.

Phishing is where attackers attempt to trick victims into sharing their personal or corporate data, either through direct manipulation or, more frequently, by getting them to click on illegitimate links to phishing pages. These links are distributed through SMS, social media, WhatsApp and thousands of other apps. The pages shared are extremely convincing and instruct users to enter their credentials, which are then available to the attacker. These pages are designed to look very similar to real brand landing pages – typically appearing to be content from Paypal, Apple or other recognizable names.

Some Mobile Threat Defense solutions are able to provide visibility whenever a user navigates to a known mobile phishing page, and the best ones can block access to phishing links as soon as the victim attempts to access it.

Network attacks

Mobile devices connect to many, many different networks – much more than most laptop or desktop do. This carries with it a number of new risks, such as when users connect to unsecured WiFi hotspots. Research suggests that 12% of all WiFi hotspots that employees connect to are open, and therefore vulnerable. This might be in the local coffee shop, hotel or airport, and can leave devices exposed to a variety of different attacks. In some instances, the network itself is ‘fake’, set up by an attacker physically sat in close proximity to their target.

Mobile Threat Defense solutions protect against network attacks like this by automatically encrypting traffic when connecting to open WiFi networks. More advanced tools will also scan the real-time data communications made with each website and mobile app, identifying instances when data is being transmitted insecurely – a critical issue when that data includes credit card information or corporate data. A surprising number of apps are ‘leaking’ data like this, such as those from international airlines and well-known technology companies. Some mobile security solutions will identify these risks and allow admins to block access to the risky content, eliminating the chance of exposure to what is known as a Man-in-the-Middle (MitM) attack.

How does Mobile Threat Defense reduce risk of attack?

Mobile security solutions do not just protect against active threats – the live, deliberate attacks undertaken by hackers described above. A central part of any enterprise security strategy will be to improve the organization’s security posture, meaning measures are taken to reduce the risk of an attack in the first place. Mobile Threat Defense platforms are designed to highlight vulnerabilities and risks present in a company’s mobile fleet.

Configuration risks

Updates in the mobile world come thick and fast. Apple, Google and other operating systems are updated on a regular basis, and users are encouraged to customize their settings to suit their preferences. For businesses however, this can leave users exposed to unnecessary risks. Some updates to Android or iOS are due to a vulnerability found in the operating system, meaning devices become targets for attackers seeking to exploit them. Mobile Threat Defense solutions highlight out of data OS versions to admins, helping direct them to devices that may be in a needlessly risky state.

Even when devices are fully loaded with the latest updates, they may be configured in a risky way. For example, the settings on the device might be such that third-party applications are allowed to be installed (AKA sideloading), making it much easier for malicious content to be installed upon the device. Mobile security tools provide information on the state of each device, highlighting potential risk areas for security teams to address.

Compliance risks

One of the most common forms of corporate data loss is from careless or ill-natured employees. Rather than an attacker exploiting the device or tricking the victim into sharing data, many users make use of unsanctioned services to perform their work. This might include the use of cloud storage services such as Google Drive or Dropbox, often accessed via the web browser if the EMM policy has blocked installations of the native apps.

The intent may be accidental or harmful, but improper shadow IT policy can facilitate the mismanagement and loss of sensitive company information. Many mobile security solutions give organizations the ability to control access to different services, ensuring data does not end up in the wrong places. The implementation of policies like these can help in compliance efforts with legislation such as GDPR.

Risk assessments

There are all kinds of mobile security risks that businesses should be aware of. As part of GDPR and general good security practice, most organizations will conduct regular audits of their risk profile for mobile. Mobile Threat Defense is used, often in tandem with an Enterprise Mobility Management tool, to inform these projects.

Security leaders will assess a wide variety of components when preparing these audits, including a robust analysis of the permissions levels that mobile apps are requesting on corporate devices, and establishing processes for handling mobile-specific threats within wider enterprise security response processes – such as the integration of MTD with SIEM tools.

Risk assessments might also include usage risks or liability risks beyond GDPR and traditional security, such as reducing the chance of expensive bill shock events or preventing access to gambling or adult websites to limit the likelihood of HR incidents. Many mobile security solutions are designed to aid and support this process, facilitating the enforcement of acceptable usage policies and implementing usage caps.

How does Mobile Threat Defense work?

Securing mobile devices can be more difficult than it first seems, and requires a different approach than for other types of threat defense.

Mobile is fundamentally distinct to desktop, especially when it comes to security. Unlike operating systems like Windows, the main mobile systems Android and iOS offer very few privileges to security vendors. Reduced access to the OS and the device means a reduced ability to see threats.

It’s perhaps because of this that security companies take all kinds of different approaches to protecting devices, with some vendors focusing on the applications installed, rather than the device itself. Modern MTD, however, has converged on two core methods for providing threat defense.

The first is endpoint only, relying on an agent installed on the devices the organization wishes to protect. These can scan the device locally for evidence of threats, and communicate with a cloud intelligence to get the latest updates on new vulnerabilities, and report back information on risk factors present on the device. When an issue is identified, these app-only MTD tools push an alert to the EMM/UEM solution (e.g. MobileIron), which can then take action, such as putting the device into a quarantine state.

This architecture is effective at flagging risks on the device, but is lacking when it comes to taking action – and crucially, provides no insight into online or web-based threats like phishing. The other approach to MTD is to not only utilize an agent installed on each device, but also operate at the network level. Access to the network allows these an MTD to take action too, blocking connections to malicious content and taking preemptive action to prevent attacks, as well as just detecting them. Be careful to assess the architecture of your MTD solution when considering the extent of its capabilities.

How do you deploy a Mobile Threat Defense solution?

Most MTD solutions can be tricky to deploy, relying on employees navigating to the app store to download the latest version. Many encourage end-user downloads through email or SMS campaigns, pointing employees towards links that install the MTD app.

Some MTD vendors have invested in integrations with leading EMM or UEM tools, designed to enable more seamless deployment. These work in a variety of different ways, but will typically make use of push notifications to remind end-users that they are expected to update or install their MTD app, delivered in a streamlined way to improve the employee experience. A number of MTD solutions also have even deeper integrations, offering one or even zero-touch deployment options, silently updating devices with the MTD app and/or profile, without the need for any action on the user at all.

Each MTD solution will offer a different range of deployment options, so again be sure to assess the simplicity of deployment when deciding which platform to adopt.

What does Mobile Threat Defense integrate with?

As explained, a key integration to look for in an MTD solution is how they connect with your EMM or MDM platform. The best integrations offer much more than just a better way to deploy MTD, and many support bidirectional policy functionality too. In short, this means that you can take action on security alerts directly in your EMM console, and similarly use integrated EMM functionality from within your MTD admin portal.

Other extensions available in some MTD solutions include integration with SIEM tools, helping aid the workflow and management of mobile threats into the wider security strategy, or the inclusion in other ecosystems with a similar objective in mind. Examples of these would be the Palo Alto Networks Application Framework or the IBM App Exchange.

How do I decide which MTD solution is right for me?

There is no one perfect mobile threat defense solution for everyone. The tool that is best suited for your organization will depend on the unique nature of your fleet. Which OS do you employ? What is your blend between BYOD and COPE? What kind of access do employees have on their devices? Which EMM do you have?

Scoping out your requirements will help in finding the right MTD solution for you. For a demonstration of Wandera, please get in touch and one of our representatives will be happy to answer your questions and walk you through our technology.

Learn more about Wandera’s Mobile Threat Defense solution