Like many of you, I was extremely excited when my organization started allowing purchases of iPhones and Android devices. With all the buzz around “the consumerization of IT” and “Bring Your Own Device (BYOD),” it wasn’t long before these devices started becoming a necessity for business rather than simply the coolest new gadget. Syncing my email and calendar was a great start, although I have to admit the electronic leash has become quite long in the past few years. When I was able to make travel reservations, submit expense reports, attend internal web conferences, and review Statements of Work (SoW) and presentations, all without opening my laptop, I became a huge fan. Policy never came to mind, much less a hack-first mentality.
If you’ve read any of my previous articles, then you will realize I come from a hacking background first and foremost. Therefore, when I began to delve into mobile security, I didn’t start with learning best practices or how to develop secure mobile applications. And a corporate policy was definitely the last thing on my mind. I simply wanted to start breaking things. However, as it wouldn’t do to brick a corporate device, I explored the possibility of purchasing an iPhone/iPad/iPod without a data plan to use as a hardware testing platform. This was not only a stroke of genius for learning mobile application security, but it also led to this article. So let’s look at a practical business decision, but, from the get-go, approach it as a hacking exercise.