Your smartphone is one of the most powerful business intelligence tools ever created. The problem? That intelligence flows in both directions.
Mobile device security has long been framed around a familiar set of questions. Is the device encrypted? Does it have antivirus software installed? Has the operating system been patched? These are sensible questions. But they address only part of the threat.
In 2025, the Financial Times reported something that should concern every business leader in the UK. US military personnel and contractors were allegedly targeted in a suspected phone-tracking campaign, not through malware or device compromise, but through mobile roaming infrastructure and commercially available advertising data. The reported objective was not necessarily to infect a device. It was to follow the data the device was already producing.
This is the reality of mobile device security in 2026: protecting the handset from intrusion is necessary but no longer sufficient. The information your phone produces simply by existing, connecting to networks, and running applications can potentially reveal where your people are, what they are doing, and who they are meeting, without a single line of malicious code ever touching the device.
Mobile device security defined: Mobile device security refers to the policies, controls, and technologies an organisation uses to protect smartphones, tablets, and mobile endpoints from threats, data loss, and unauthorised access. In 2026, this includes protecting not just the device itself, but the continuous stream of location, network, identity, and behavioural data that devices generate simply through normal operation.
This article explains the threat, why it extends well beyond military contexts, and what UK business leaders can do to reduce their organisation’s exposure.
The Digital Exhaust Your Devices Are Already Producing
Every smartphone creates a continuous stream of data simply by operating normally. Location information from GPS and cell towers. Advertising identifiers unique to each device. Mobile network activity, including which towers and roaming networks the device has connected to. Application data from the dozens of apps running in the background. Wi-Fi connection history. Device telemetry.
Individually, these data points may appear unremarkable. Combined and analysed, they can build a detailed picture of a person’s movements, routines, and behaviour. This is what security researchers call digital exhaust: the residual data trail that mobile devices leave simply by existing in the world.
The FT’s reporting specifically cited two mechanisms used in the alleged tracking campaign. The first was SS7 signalling requests, attempts to query mobile roaming infrastructure to locate specific handsets as they connected to networks abroad. The second was commercially available advertising databases, where phone location tracking data tied to persistent device identifiers is routinely bought and sold.
What Is SS7 and Why Does It Matter for Mobile Device Security?
SS7 (Signalling System No. 7) is part of the global telecommunications signalling infrastructure that allows mobile networks to communicate with one another. It is the technology that enables your phone to make and receive calls when you travel abroad, and it has been part of the global telecoms architecture since the 1970s.
The SS7 vulnerability has been known to security researchers for over a decade. Because the protocol was designed in an era before modern threat actors existed, it lacks robust authentication mechanisms. An attacker with access to SS7 signalling infrastructure can, in principle, query the location of any mobile device connected to the global network, intercept voice calls, or redirect SMS messages, all without the target device being aware.
The UK’s National Cyber Security Centre recognises SS7-based threats in its guidance for organisations. NCSC mobile device guidance recommends that organisations consider the risks of voice and SMS communications for sensitive discussions, particularly for personnel travelling in higher-risk regions.
Is Your Organisation's Mobile Footprint Exposing More Than You Realise?
Transputec works with IT leaders and security teams across the UK to assess mobile device security posture, identify digital exposure risks, and put practical, proportionate controls in place.
Get a Strategic ConsultationThe Role of Advertising Data in Location Intelligence
The second mechanism cited in the FT investigation is less widely understood outside the marketing and adtech industries: the commercial advertising data ecosystem.
Every time a user opens an application that serves adverts, their device’s advertising identifier, along with their approximate location, is transmitted to advertising exchanges. This data is bought and sold by data brokers, aggregated, and made available to businesses for audience targeting and analytics. The same ecosystem that helps a retailer target adverts at customers near a competitor’s store can, when accessed by threat actors or sold through less scrupulous data brokers, become a source of location intelligence.
Precise location data, tied to a persistent device identifier and accumulated over weeks or months, can reveal patterns of movement that are commercially sensitive. A senior executive repeatedly visiting the same building in an unfamiliar city. A legal team travelling between a headquarters, a data centre, and a prospective acquisition target. A pharmaceutical executive attending undisclosed meetings in the weeks before a major announcement. None of these require device compromise. The mobile data privacy risks are already being generated by normal device operation.
The UK’s Information Commissioner’s Office has raised concerns about the granularity of location data traded within the adtech ecosystem. ICO UK GDPR guidance makes clear that organisations processing location data must consider the potential harm to individuals, a principle that applies equally to the data brokers operating within this ecosystem.
Why Mobile Security Threats for Business Go Beyond the Military
It would be easy to read reports of SS7 tracking and advertising data exploitation and conclude that these are problems for governments and intelligence agencies. That conclusion would be too comfortable.
Consider the scenarios that apply directly to UK businesses:
- Mergers and acquisitions: Senior leaders conducting due diligence on confidential targets travel repeatedly to locations that could reveal a deal to a well-resourced competitor.
- Legal and regulatory work: Legal teams handling sensitive transactions or disputes use personal and corporate devices on public networks across multiple jurisdictions.
- Supplier and partner relationships: Employees visiting critical infrastructure sites, manufacturing facilities, or partner data centres generate location data that signals operational dependencies.
- Executive travel: C-suite movements, particularly across borders or to unusual locations, can signal strategic intent to sophisticated threat actors who combine multiple data sources.
Location is context. And context has value. One data point may reveal very little. A pattern of data points across weeks can tell a story that your organisation would strongly prefer remained private. This is why mobile security threats for business need to be taken seriously at board level, not just by IT teams.
You can read more about Transputec’s approach to identifying hidden risks in our blog on hidden technology risks inside modern businesses.
Corporate Mobile Security: Questions Every Board Should Be Asking
Modern corporate mobile security programmes need to move beyond the traditional device-centric model. The corporate perimeter has effectively disappeared. Your people are travelling, connecting through hotel and airport networks, using cloud applications, and carrying personal and corporate devices that generate data continuously. The attack surface travels with them.
Boards and security leaders should be asking practical questions:
- Which mobile devices have access to sensitive business information, and are appropriate controls in place?
- Do high-risk employees, senior executives, M&A teams, and legal and compliance functions, receive additional security guidance when travelling?
- Are unnecessary applications and permissions reviewed and restricted on corporate devices?
- Do we understand the potential exposure created by third-party applications and data brokers that aggregate phone location tracking data?
- Can our security team detect unusual mobile activity outside traditional office infrastructure?
- Are we treating the digital behaviour of senior and high-risk personnel as part of our threat model?
These questions reflect a shift in how mature organisations think about corporate mobile security: from a technology question to a risk management question that belongs on the agenda alongside traditional cybersecurity topics.
What Practical Steps Can Organisations Take?
Improving your organisation’s mobile device security posture does not require a complete technology overhaul. Many of the most effective steps involve policy, configuration, and awareness.
- Mobile Device Management (MDM): Implementing MDM for corporate endpoints gives security teams visibility and control over devices accessing business systems, enabling remote wipe, application management, and compliance enforcement.
- Application permission reviews: Auditing the permissions requested by applications on corporate devices, particularly access to location, contacts, and microphone, and removing applications that do not meet security standards.
- Travel security briefings: Providing specific guidance to high-risk personnel before international travel, including advice on device hygiene, network usage, and the risks of location data exposure.
- Advertising identifier management: Resetting or limiting advertising identifiers on corporate devices, and considering mobile threat defence solutions that identify anomalous data transmission.
- Continuous monitoring: Extending security monitoring to cover mobile endpoints and remote activity, not just traffic on the corporate network. Today’s threats do not operate between 9am and 5pm.
Transputec’s cybersecurity services include mobile device security assessments, endpoint management, and continuous monitoring that extend beyond the corporate perimeter. Our managed security services team works with UK organisations to identify exposure, build appropriate controls, and monitor for threats across all environments.
Conclusion
The question your security team should be answering is not solely whether an attacker can break into your systems. The more pressing question in 2026 is what an attacker could learn about your organisation without breaking into anything at all.
Mobile device security is no longer simply about protecting the handset from malware. It is about understanding and managing the continuous stream of data that mobile devices produce: where that data goes, who has access to it, and what it reveals about your people and your operations.
The organisations that will be most resilient are not necessarily those with the largest security toolsets. They will be the organisations that understand their digital exposure and can identify unusual behaviour quickly, wherever it occurs.
Transputec works with IT leaders and boards across the UK to build security programmes that account for the real threat landscape of 2026. If you have not yet assessed your mobile security posture in this context, get in touch with our security team today.
FAQs
What is mobile device security?
Mobile device security refers to the policies, technologies, and controls that protect smartphones, tablets, and other mobile endpoints from threats, unauthorised access, and data exposure. It covers device encryption, application controls, network security policies, and the management of data generated passively by devices through normal operation. Transputec’s cybersecurity services include mobile device security assessments tailored to your organisation’s specific risk profile and sector.
Can phones be tracked without being hacked?
Yes. Mobile devices generate continuous streams of location and network data simply through normal operation. SS7 signalling infrastructure can be queried to locate a device connected to roaming networks, and commercially available advertising databases contain location data tied to persistent device identifiers. Neither method requires the target device to be compromised with malware. This is why mobile device security in 2026 must address passive data exposure as well as active device intrusion.
What is an SS7 vulnerability and how does it affect businesses?
SS7 (Signalling System No. 7) is the global telecommunications signalling protocol that enables mobile networks to communicate. Because it was designed decades ago without modern authentication mechanisms, it can be exploited to intercept calls, redirect SMS messages, and locate mobile devices globally. Businesses with senior personnel travelling internationally, or those in sectors handling sensitive information, should consider the SS7 vulnerability as part of their mobile security risk assessment. Transputec’s managed security services can help organisations assess and address this exposure.
What are the biggest mobile security threats for business in 2026?
The most significant mobile security threats for business in 2026 include device compromise through malicious applications, exposure through unsecured public Wi-Fi networks, SS7-based location tracking through roaming infrastructure, data leakage via commercial advertising ecosystems, and poorly governed application permissions that expose sensitive data. Senior executives, legal teams, and personnel involved in sensitive transactions or site visits are at elevated risk. Transputec’s cybersecurity team works with UK organisations to identify and address these risks.
How can businesses strengthen their corporate mobile security posture?
Effective corporate mobile security requires a combination of device management, policy, and continuous monitoring. Organisations should implement Mobile Device Management (MDM) for corporate endpoints, conduct regular application permission reviews, provide travel security briefings for high-risk personnel, consider the exposure created by advertising identifiers and data brokers, and extend security monitoring to cover mobile endpoints and remote activity. Transputec helps UK businesses assess and strengthen their mobile security posture through our managed security services and cybersecurity advisory.



