Falcon for Mobile FAQ

Falcon for Mobile™ expands CrowdStrike’s mission to stop breaches by extending its capabilities to address mobile endpoints. It provides unprecedented visibility into malicious, unwanted or accidental access to sensitive corporate data, while protecting user privacy without impacting device performance.

Falcon for Mobile is based on CrowdStrike’s proven endpoint detection and response (EDR) technology for enterprise endpoints. Leveraging the cloud-native CrowdStrike Falcon® platform, customers can stop breaches on every platform: workstations, servers, cloud and containers — and now, mobile devices.

Falcon for Mobile is built using “privacy-by-design” principles to enable users to confidently adopt the solution, without fear that their personal data will be monitored. Falcon for Mobile focuses on customer-designated, corporate apps with no monitoring of personal applications on the device, such as text messaging, email, photos or browsing history.

The CrowdStrike® lightweight agent technology is ideal for mobile devices, while the integrated, cloud-native Falcon platform provides the perfect conduit to manage, administer and hunt for threats. Falcon for Mobile is comprised of two key components:

1. CrowdStrike Android/iOS Apps: These apps behave as “sensors,” providing the Falcon Platform with the visibility and telemetry required to detect malicious behavior on the device. The apps are available in the Apple App Store and Google Play

2. CrowdStrike Falcon Platform: Falcon for Mobile provides telemetry from iOS and Android devices to populate the “mobile host” and “mobile detection” dashboards within the Falcon platform. In addition, telemetry from both traditional endpoints and mobile devices is presented together to enhance endpoint monitoring and investigations. Expert hunters can search for threats across your enterprise — from mobile devices to the data center.

Falcon for Mobile auto-detects numerous adversary tactics and techniques on iOS and Android devices. All detections are mapped to the MITRE ATT&CK™ for Mobile framework including tactics and techniques such as: bad device settings, exploited OS vulnerabilities, downgrading to insecure protocols, modification of OS kernel or boot partitions, bypass app monitoring, delivery of malicious apps via authorized app store (and via other means) and more. In addition, Falcon for Mobile will detect blacklisted hashes, domains and IP addresses with integration with CrowdStrike Threat Intelligence.

The ATT&CK for Mobile framework was developed by MITRE, whose unique position as a not-for-profit, government-backed organization allows it to work toward the universal goal of creating a safer cyber environment for all. The ATT&CK for Mobile framework aims to model adversarial tactics and techniques that are used to gain access and take advantage of mobile devices in order to accomplish their objectives. Each adversarial ATT&CK technique includes a technical description with a prescribed mitigation and countermeasure approach.

MITRE ATT&CK for Mobile levels the playing field for all security teams, letting analysts and red teams see specific trends between attacks and adversary styles.

No. MDM/UEM solutions provide device management capabilities to remotely control, track and encrypt devices and enforce policies (e.g., wipe or lock the device if lost or stolen). Falcon for Mobile leverages these capabilities to install and manage apps on iOS and Android devices. On iOS, an MDM/EUM solution is required.

Most third-party enterprise applications can be protected by Falcon for Mobile. On Android, administrators can select from a list of pre-tested, third-party apps or designate apps in Google Play to validate. The validation process ensures that the app works properly when protected by Falcon for Mobile. On iOS, apps must be managed by an MDM/UEM, must have network connectivity and must not require a dedicated VPN. Apps developed by Apple are not supported.

Falcon for Mobile monitors corporate apps to provide visibility into malicious or unwanted activity in business-critical mobile apps.

On iOS, network traffic generated by the monitored app is made visible, exposing potential phishing attempts, leaky apps and insider threats. Falcon for Mobile also detects jailbroken and out-of-date devices and will reveal potentially high-risk WiFi and Bluetooth connections.

On Android, the flexible modular app architecture of Falcon for Mobile enables administrators to set the level of monitoring using configuration policies. The baseline setting enables visibility into device health, root detection, malicious app monitoring via Google SafetyNet, and the detection of blocklisted hashes identified by CrowdStrike Intelligence. In addition, administrators can activate the network visibility setting to enable network traffic monitoring for all installed Android apps.

Finally, CrowdStrike’s exclusive app containerization setting provides enhanced monitoring of enterprise apps to further protect sensitive corporate data and intellectual property. Each app shielded by CrowdStrike provides telemetry on network activity, user activity and operating system events. This visibility enables threat hunters to detect phishing attempts, leaky apps, insider threats, and risky device connections and configurations. Falcon for Mobile also provides dedicated data storage (which can be remotely wiped) for each monitored app to protect against malicious access.

Yes, the CrowdStrike Falcon cloud architecture enables proactive threat hunting at an unprecedented scale. Threat hunting increases an organization’s protection against attackers and plays a critical role in early detection of attacks and adversaries. Mobile telemetry is searchable, enabling security teams to hunt across data collected for up to 90 days and returning query results within seconds.

A trampoline attack is a technique used in sophisticated targeted attacks on iOS devices. In order to prevent the detection of a jailbroken phone, an attacker can alter the behavior of system code, and instead of executing normally, it will instead “jump” to the attacker’s malicious code, while hiding its own existence. This code modification that makes a “jump” to the attacker’s code is known as a “trampoline.”

CrowdStrike Falcon for iOS automatically detects and reports the existence of any trampolines in critical system code and marks the device as compromised.

Falcon for Mobile only monitors enterprise apps selected by your organization’s security team. The data collected differs based on device type:

iOS Devices

On iOS devices, Falcon for Mobile monitors and logs the network activity of selected corporate apps. In addition to this data, basic statistics from the phone such as battery usage, device jailbreaking, names of connected WIFI networks and connected Bluetooth devices. None of the data contains private or personal information, such as text messages, emails, or browsing history.

Android Devices

The corporate apps being monitored by Falcon for Mobile are clearly indicated by a small Falcon icon emblazoned over the app icon. Falcon for Mobile will gather network, operating system and access data for each monitored app. In addition to this data, the Falcon for Mobile app will gather basic statistics from the phone such as battery usage, CPU usage, device rooting, names of connected WI FI networks and connected Bluetooth devices. None of the data contains private or personal information, such as text messages, emails, or browsing history.

The CrowdStrike apps for Android and iOS are extremely high-performance and lightweight with a minimal effect on battery life.

The application battery usage details are available on the system settings screens:

1. On iOS, go to Settings > Battery to find activity and battery usage of the CrowdStrike app.

2. On Android, go to Settings > Device > Battery or Settings > Power > Battery to see a list of all apps and the battery power they're using. On most Android devices, the activity and battery usage of the CrowdStrike app includes total battery usage of all apps monitored by Falcon for Mobile.

The CrowdStrike app has been designed to limit cellular data use. It will primarily communicate to the Falcon platform through Wi-Fi (when available). The CrowdStrike app will not use the cellular data plan when the phone is roaming or if there’s low disk space, low battery or low bandwidth.

Yes, the CrowdStrike app will buffer data when not connected to the internet and will upload the data to the Falcon platform at the first opportunity.

All the telemetry data collected from mobile devices can be kept for up to 90 days.

Falcon for Mobile supports iOS (12 or higher) and Android devices (version 8.0 and higher).

Falcon for Mobile is licensed on a subscription basis per mobile device. Introductory pricing starts at $37.82 per device, per year for 5-299 mobile devices, billed annually. For more information please contact us, schedule a demo, or request a quote.