Mobile & IoT Security
MDM, mobile app vulnerabilities, IoT protocols, firmware analysis, embedded systems security.
What is Mobile & IoT Security?
Mobile and IoT security addresses the unique challenges of securing billions of connected devices — from smartphones and tablets to smart home sensors, medical devices, industrial IoT gateways, and connected vehicles. These devices expand the attack surface dramatically, often running constrained operating systems with limited patching capabilities, communicating over wireless protocols with varying security properties, and collecting sensitive data in environments where physical access by adversaries is common.
Mobile security encompasses securing both the devices themselves (via Mobile Device Management/MDM solutions, OS-level controls, and hardware security features) and the applications that run on them. Mobile app vulnerabilities — insecure data storage, improper certificate validation, hardcoded credentials, and insecure inter-process communication — are cataloged by the OWASP Mobile Top 10 and tested using frameworks like the OWASP Mobile Application Security Testing Guide (MASTG).
IoT security introduces additional complexity with resource-constrained devices that may lack the processing power for strong encryption, use proprietary protocols (Zigbee, Z-Wave, BLE, MQTT, CoAP), ship with default credentials, and have firmware that is rarely updated. The EU Cyber Resilience Act and NIST IoT guidelines are driving manufacturers toward security by design, but the installed base of insecure IoT devices remains enormous.
Why it matters
Mobile devices and IoT endpoints are the fastest-growing attack surface in enterprise and consumer environments. Their proliferation, diverse protocols, and often-weak security create systemic risk that traditional perimeter defenses cannot address.
Mobile and IoT security extends traditional endpoint security to device categories with fundamentally different constraints — limited compute, wireless communication, physical exposure, and long deployment lifetimes. It connects to network security, application security, and firmware analysis disciplines.
People shaping this field
Researchers and practitioners worth following in this space.
Security researcher, IoT and hardware hacker
Mobile security researcher and author of Penetration Testing
Founder of Red Balloon Security, embedded device security researcher
Curated resources
Authoritative sources we ground Mobile & IoT Security questions in — frameworks, research, guides, and tools.
OWASP Mobile Application Security (MAS)
MASVS (the verification standard) and MASTG (the testing guide), together the primary mobile security testing reference. MASVS defines the L1 and L2 verification levels.
NIST SP 800-183 — Networks of Things
Primitives for IoT: sensor, aggregator, communication channel, eUtility, decision trigger. Framework for thinking about IoT security architectures.
ETSI EN 303 645 — IoT Baseline Security
13 provisions for consumer IoT security. No default passwords, vulnerability disclosure policy, secure update mechanisms. The emerging regulatory baseline for IoT.
NIST IR 8259 — IoT Device Cybersecurity Capability Baseline
Foundational capabilities IoT manufacturers should provide: device identification, configuration, data protection, logical access, software update, cybersecurity state awareness. The baseline US regulators cite.
OWASP Internet of Things Project
OWASP IoT Top 10 (weak passwords, insecure network services, etc.) plus testing guides. The IoT analog to the OWASP Top 10 for web apps.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Core coverage
GIAC Assessing Wireless Networks
GIAC Mobile Device Security Analyst
Offensive Security Wireless Professional