Cyber Essentials
DashboardSign Out

Lesson 7.3 — Mobile devices, app stores and untrusted software

This lesson explains how mobile devices — smartphones and tablets — are treated under Cyber Essentials, what the scheme requires in terms of software sources and app controls, and how to handle the risks associated with app stores, sideloading and untrusted software on mobile platforms.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • the learner should understand which mobile devices are in scope for Cyber Essentials
  • what controls apply to them
  • how to manage the risk of untrusted software on mobile platforms including through app store controls and MDM policies.

Why This Matters

The Core Rule

Mobile devices are in scope for Cyber Essentials if they access business email, cloud services or any in-scope data. They must meet the same five control areas as other devices.

The main mobile-specific risks are: apps installed from untrusted sources (sideloading), jailbroken or rooted devices, and devices running operating systems that no longer receive security updates.

Which mobile devices are in scope

The test for whether a mobile device is in scope is the same as for any other device:

Does it connect to the in-scope network or access in-scope services?

What Cyber Essentials requires for mobile devices

Mobile devices that are in scope must meet the same five control areas as other devices. In practice, this means:

Firewalls: Mobile operating systems — iOS and Android — include built-in software firewall functionality. Both iOS and Android do not accept unsolicited inbound connections by default. The relevant question is whether this protection is in place and has not been disabled. For most standard configurations, this is already met.

App stores and the risk of untrusted software

One of the most significant mobile-specific risks for Cyber Essentials is the installation of software from untrusted sources.

On iOS, Apple enforces that all apps must come from the App Store (with limited exceptions for enterprise-managed environments). This means the attack surface from app-based malware is significantly reduced, though not eliminated.

Copy This

Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.

Quick Checklist

Before moving on, make sure you can say yes to these:

  • [ ] Under what circumstances is a personal smartphone in scope for Cyber Essentials?
  • [ ] What is sideloading in the context of mobile devices?
  • [ ] Why is a jailbroken or rooted device a problem for Cyber Essentials?
  • [ ] Which of the following is a benefit of using MDM for in-scope mobile devices?
  • [ ] What should an organisation do with an in-scope mobile device that is running an unsupported version of iOS or Android?

Your Action

Do this now — it takes 10–20 minutes.

Check your mobile device policy for app installation. Are users restricted to official app stores? Record the policy position.

Key Takeaway

MDM makes it significantly easier to enforce and evidence mobile device controls.

Your Workbook Activity

Complete: Mobile device controls record

Next Lesson

In the next lesson: BYOD: bring your own device policies and controls

Up next

BYOD

Implement practical BYOD controls that protect organisational data on personally owned devices.