CrowdStrike Falcon® for Mobile FAQ
Falcon for Mobile™ expands CrowdStrike’s mission to stop breaches by extending its capabilities to address mobile endpoints. It provides unprecedented visibility into malicious, unwanted or accidental access to sensitive corporate data, while protecting user privacy without impacting device performance.
Falcon for Mobile is based on CrowdStrike’s proven endpoint detection and response (EDR) technology for enterprise endpoints. Leveraging the cloud-native CrowdStrike Falcon® platform, customers can stop breaches on every platform: workstations, servers, cloud and containers — and now, mobile devices.
The CrowdStrike® lightweight agent technology is ideal for mobile devices, while the integrated, cloud-native Falcon platform provides the perfect conduit to manage, administer and hunt for threats. Falcon for Mobile is comprised of two key components:
1. CrowdStrike Android/iOS Apps: These apps behave as “sensors,” providing the CrowdStrike Security Cloud with the visibility and telemetry required to detect malicious behavior on the device. The apps are available in the Apple App Store and Google Play.
2. CrowdStrike Falcon® Platform: Falcon for Mobile provides telemetry from iOS and Android devices to populate the “mobile host” and “mobile detection” dashboards within the Falcon console. In addition, telemetry from traditional endpoints, cloud workloads and mobile devices is presented together to enhance endpoint monitoring and investigations. Expert hunters can search for threats across your enterprise — from mobile devices to the data center.
The ATT&CK for Mobile framework was developed by MITRE, whose unique position as a not-for-profit, government-backed organization allows it to work toward the universal goal of creating a safer cyber environment for all. The ATT&CK for Mobile framework aims to model the tactics and techniques that adversaries use to gain access to and take advantage of mobile devices in order to accomplish their objectives. Each adversarial ATT&CK technique includes a technical description with a prescribed mitigation and countermeasure approach.
MITRE ATT&CK for Mobile levels the playing field for all security teams, letting analysts and red teams see specific trends between attacks and adversary styles.
Most third-party enterprise applications can be protected by Falcon for Mobile. On Android, administrators can select from a list of pre-tested, third-party apps or designate apps in Google Play to validate. The validation process ensures that the app works properly when protected by Falcon for Mobile.
On iOS, the sensor can monitor all apps on supervised devices, or designated corporate apps only on unsupervised devices.
Falcon for Mobile monitors corporate apps (and non-corporate apps if the device is supervised) to provide visibility into malicious or unwanted activity in business-critical mobile apps.
On iOS, network traffic generated by the monitored app is made visible, exposing potential phishing attempts, leaky apps and insider threats. Falcon for Mobile also detects jailbroken and out-of-date devices and will reveal potentially high-risk Wi-Fi and Bluetooth connections.
On Android, the flexible modular app architecture of Falcon for Mobile enables administrators to set the level of monitoring using configuration policies. The baseline setting enables visibility into device health, root detection, malicious app monitoring via Google SafetyNet, and the detection of blocklisted hashes identified by CrowdStrike Intelligence. In addition, administrators can activate the network visibility setting to enable network traffic monitoring for all installed Android apps.
Finally, CrowdStrike’s exclusive app containerization setting provides enhanced monitoring of enterprise apps to further protect sensitive corporate data and intellectual property. Each app shielded by CrowdStrike provides telemetry on network activity, user activity and operating system events. This visibility enables threat hunters to detect phishing attempts, leaky apps, insider threats, and risky device connections and configurations. Falcon for Mobile also provides dedicated data storage (which can be remotely wiped) for each monitored app to protect against malicious access.
A trampoline attack is a technique used in sophisticated targeted attacks on iOS devices. To prevent the detection of a jailbroken phone, an attacker can alter system code so that, instead of executing normally, it “jumps” to the attacker’s malicious code while hiding its own existence. The code modification that makes this “jump” to the attacker’s code is known as a “trampoline.”
The CrowdStrike Falcon® for Mobile iOS app automatically detects and reports the existence of any trampolines in critical system code and marks the device as compromised.
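As an added illustration (not CrowdStrike's detection logic, which this page does not describe), the C sketch below shows one generic way a defender can recognize a trampoline: decode the first ARM64 instruction words of a function and flag an entry that immediately branches away. The names `classify_entry` and `entry_verdict` and the sample instruction words are constructed for this example; legitimate tail-call stubs can also start with a branch, so a real check would compare against known-good code rather than rely on this heuristic alone.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical verdicts for the first instructions of a function. */
enum entry_verdict { ENTRY_CLEAN = 0, ENTRY_DIRECT_BRANCH, ENTRY_REG_BRANCH };

static int is_b(uint32_t i)       { return (i & 0xFC000000u) == 0x14000000u; } /* B imm26         */
static int is_br(uint32_t i)      { return (i & 0xFFFFFC1Fu) == 0xD61F0000u; } /* BR Xn           */
static int is_ldr_lit(uint32_t i) { return (i & 0xFF000000u) == 0x58000000u; } /* LDR Xt, literal */
static int is_adrp(uint32_t i)    { return (i & 0x9F000000u) == 0x90000000u; } /* ADRP Xd, page   */

/* Classify the first n instruction words found at a function's entry point. */
enum entry_verdict classify_entry(const uint32_t *insn, size_t n)
{
    if (n == 0)
        return ENTRY_CLEAN;
    if (is_b(insn[0]))                       /* entry jumps away immediately */
        return ENTRY_DIRECT_BRANCH;
    if (is_ldr_lit(insn[0]) || is_adrp(insn[0])) {
        unsigned rt = insn[0] & 0x1Fu;       /* register that receives the target */
        for (size_t k = 1; k < n && k < 4; k++)
            if (is_br(insn[k]) && ((insn[k] >> 5) & 0x1Fu) == rt)
                return ENTRY_REG_BRANCH;     /* target loaded, then BR through it */
    }
    return ENTRY_CLEAN;
}

/* Constructed sample entries (instruction words, not taken from a real device). */
static const uint32_t normal_prologue[] = { 0xD503237Fu, 0xA9BF7BFDu, 0x910003FDu }; /* pacibsp; stp x29,x30,[sp,#-16]!; mov x29,sp */
static const uint32_t ldr_br_hook[]     = { 0x58000050u, 0xD61F0200u };              /* ldr x16,#8; br x16 */
static const uint32_t adrp_br_hook[]    = { 0x90000010u, 0x91048E10u, 0xD61F0200u }; /* adrp x16; add x16,x16,#0x123; br x16 */
static const uint32_t direct_b_hook[]   = { 0x14000400u };                           /* b +0x1000 */

int main(void)
{
    printf("normal=%d ldr_br=%d adrp_br=%d direct_b=%d\n",
           classify_entry(normal_prologue, 3), classify_entry(ldr_br_hook, 2),
           classify_entry(adrp_br_hook, 3), classify_entry(direct_b_hook, 1));
    return 0;
}
```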
Falcon for Mobile only monitors enterprise apps selected by your organization’s security team. The data collected differs based on device type:
iOS Devices
On iOS devices, Falcon for Mobile monitors and logs the network activity of selected corporate apps (or all apps on supervised devices). In addition to this data, the Falcon for Mobile app gathers basic statistics from the phone such as battery usage, device jailbreaking, names of connected Wi-Fi networks and connected Bluetooth devices. None of the data contains private or personal information, such as text messages, emails, or browsing history.
Android Devices
The corporate apps being monitored by Falcon for Mobile are clearly indicated by a small Falcon icon emblazoned over the app icon. Falcon for Mobile will gather network, operating system and access data for each monitored app. In addition to this data, the Falcon for Mobile app will gather basic statistics from the phone such as battery usage, CPU usage, device rooting, names of connected Wi-Fi networks and connected Bluetooth devices. None of the data contains private or personal information, such as text messages, emails, or browsing history.
The CrowdStrike apps for Android and iOS are extremely high-performance and lightweight with a minimal effect on battery life.
The application battery usage details are available on the system settings screens:
1. On iOS, go to Settings > Battery to find activity and battery usage of the CrowdStrike app.
2. On Android, go to Settings > Device > Battery or Settings > Power > Battery to see a list of all apps and the battery power they're using. On most Android devices, the activity and battery usage of the CrowdStrike app includes total battery usage of all apps monitored by Falcon for Mobile.
Falcon for Mobile supports iOS 15 and later. The CrowdStrike Falcon app supports the most recently released version of iOS plus the previous two versions.
Falcon for Mobile supports Android 9.0 and later.