53% of organizations. That’s the chunk running at least one mobile device on a critically outdated operating system.
Jamf’s 2025 retrospective—scanning 1.7 million devices from their customer base—drops this bomb right in the lap of enterprise IT. We’re talking iOS and Android fleets, personal BYOD mixes, company-issued gear. The mobile attack surface? It’s ballooning, fragmented, and slipping from security teams’ grasp like sand through fingers.
And here’s the kicker: these aren’t fringe cases. Healthcare pros snapping patient data on the go. Pilots plotting flights via apps. Retail scanning inventory at warp speed. Michael Covington, Jamf’s VP of Portfolio Strategy, nails it:
“Healthcare practitioners make visits and collect sensitive data from their patients; airplane pilots and flight crews use mobile devices in preparing and piloting an aircraft with passengers on board; retail uses mobile devices for point of sale, inventory management, warehousing and more.”
Mobile’s no longer a side hustle. It’s the new desktop—rich data vaults, always-connected stepping stones to corporate networks.
Why Can’t Enterprises Lock Down Mobile?
Outdated OS? Check—53%. Risky Wi-Fi hotspots? 18% of staff plugging in. Jailbreaks? One per 850 devices. Phishing clicks? 8% of all devices, meaning your 100-employee firm has eight potential breaches brewing.
Apps pile on the pain. Jamf probed 135 popular ones as of Dec 31, 2025.
“About 86% of the 135 apps analyzed have known security flaws, with only 14% considered to have minimal risk. This implies that risk is prevalent in the most common business and personal apps used daily, even on the latest versions.”
Multiple vulns per app in spots. But wait—enter Shadow AI. Sneaky, undeclared AI models hitchhiking in third-party apps, sideloading or store-bought. Users oblivious. Sec teams blind. Covington warns:
“I think shadow AI is absolutely a growing risk that needs to be better managed. I think we’re getting more informed as to how it comes into the organization and how widespread the problem might be, but I don’t think we’re even at the start of being able to get this fully under control.”
Picture it: Salesforce access humming silently with unvetted AI, exfiltrating data in the background. Enterprises thought MDM tools like Jamf would tame this. Nope. Control’s evaporating.
My take? This reeks of BlackBerry’s 2010 implosion—corpos dismissed smartphones as toys until iPhone hordes overran them. Bold call: by 2027, unmanaged mobile fleets will trigger breaches rivaling desktop SolarWinds-scale hits. Jamf’s data isn’t hype; it’s a siren, but their customer-only lens (conveniently) spotlights their fix.
The frontline’s fractured. OSes mimic desktops now—file systems, persistent storage. Apps wield god-mode tools. Data caches locally, ripe for snatch-and-grab before network sync. Attackers salivate.
Zero-Clicks and Spyware: Adversaries Dial It Up
Bad actors aren’t poking around. They’re blasting through with elite kit. 2025 spyware parade: Predator, Pegasus, Graphite, Dante, Landfall, Spyrtacus. 2026 adds Coruna, DarkSword. Nation-states birthed ‘em; crooks repurpose for ransomware hauls.
Zero-clicks rule high-value marks—journalists, execs. iOS CVE-2025-43300 (CVSS 10.0): parse a dodgy image, boom, memory corruption. CVE-2025-24201? Same score, code exec via data tweaks.
Android’s bleeding too. CVE-2025-10585 (9.8)—memory rewrites, crashes, RCE. CVE-2025-48543 (8.8)—local priv esc, no extras needed. CVE-2024-53104 (7.8)—out-of-bounds writes for corruption or code.
Patches exist. Vendors pump ‘em out. But users? Snoozing. 53% orgs with ancient OS proves it. Vendors fix CVEs; fleets lag.
Will MDM Save the Day—or Is It Too Late?
Jamf pushes their ecosystem—fair, they’re in the game. But market dynamics scream urgency. Mobile management tools market? $15B now, eyeing $30B by 2030 (Statista vibes). Players like Microsoft Intune, VMware Workspace ONE scramble. Yet adoption gaps yawn wide.
Enterprises expand mobile unchecked. No central control. Shadow AI slips in. Spyware evolves faster than patches deploy.
Here’s the thing: defenses work—if enforced. But BYOD wild west? Forget it. Prediction—regulatory hammers (think GDPR fines on steroids) will force CISO hands by 2028, spiking MDM spend 40%. Jamf’s report? Perfect timing for their pitch, but the stats don’t lie.
Risk’s not theoretical. It’s daily. One phished link per dozen employees. Jailbroken outliers as insider threats. Shadow AI as the ghost in the machine.
So, IT leads—audit now. Enforce updates. Vet apps ruthlessly. Or watch the mobile attack surface swallow your network whole.
🧬 Related Insights
- Read more: CVE-2026-20929: Hackers Hijack Your Certs with DNS CNAME Tricks
- Read more: CrowdStrike’s Falcon Data Security: Taming Data’s Borderless Dash
Frequently Asked Questions
What is the mobile attack surface according to Jamf?
It’s the sprawling, uncontrolled mix of iOS/Android devices in enterprises—1.7M scanned showed 53% outdated OS, 8% phished, Shadow AI lurking.
How risky are mobile apps for businesses?
86% of 135 top apps have known flaws, even latest versions; Shadow AI hides in third-party ones, unknown to users or sec teams.
What spyware targeted mobiles in 2025?
Predator, Pegasus, Graphite, plus zero-click CVEs like 2025-43300 (iOS, 10.0 score) for memory corruption without user action.
