It's rarely in scope - but if I do wireless assessments when any mobiles are fair game, I always gain credentials through an Evil Access Point.
1. Setup Evil AP in center of client's establishment
2. Client's mobile phones connect to Evil AP (because there is always a handful of people that use their WIFI in McDonalds)
3. Capture credentials
The vulnerbility in this case is the mobile devices trusting random wireless access points. The client is informed that policy should be implemented so that users of company equipment are not allowed to connect to non-approved wireless hot spots.