Mobile Software is a Diligence risk vector. It looks at a mobile device's operating system (OS) and browser and compares them with the latest currently available OS and browser versions to determine whether they are supported or out of date. Download the endpoint OS-browser versions (ver. 19-JUL-2025) list.
Mobile devices are smartphones and tablets in a company's network that access the Internet. Outgoing communications from mobile devices include metadata about the device's operating system, device description, browser version, and description of applications (endpoint data).
Risks
Newer versions of operating systems and web browsers typically fix stability issues, bugs, and vulnerabilities that existed in older versions. Bad actors frequently exploit known bugs in older software versions to steal information or run malicious software. The use of unsupported operating systems and browsers is correlated with the presence of a high number of malware infections and an increased likelihood of breach.
- If there are unsupported mobile devices in an organization's network, there is a greater risk of:
  - System failure (vendor devices are not being maintained).
  - Disruption of business continuity.
  - Attackers being able to use unpatched vulnerabilities to gain system access.
- Connecting a personal device to a corporate network infrastructure adds a potential attack surface through which a threat actor could gain access to company data and sensitive information.
Grading
See how the Mobile Software risk vector is graded in more detail.
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
This default grade does not have a negative impact on the rating. It is equivalent to a perfect grade.
Either:
- There are no findings.
- The number of observed devices falls below a minimum threshold. To avoid sudden fluctuations, the risk vector is reassigned an A to F grade when the number of observed devices has stayed above the threshold for 65 days.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 65 Days
Weight
The Mobile Software risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.
Weight: 1%
Remediation
Resources
Recommendations
- Search and identify unsupported mobile software and then update the software to the latest version.
- Set up auto-update methods for critical mobile software.
- Insufficient information prevents Bitsight from identifying unsupported software. The use of mobile device management (MDM) systems is recommended, along with human processes that ensure systems in the organization are patched and the software is up to date.
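One way to carry out the first recommendation above, as an added example rather than Bitsight's own detection logic: parse the OS and browser versions that mobile devices expose in outgoing User-Agent headers (the endpoint data described at the top of the page) and compare them with a supported-versions floor. The version floors, the proxy log format and the log lines are constructed for illustration; a real check would load the vendor's published OS-browser list instead of the hard-coded floors.

```python
import re

# Constructed version floors for this example (not Bitsight's published list).
MIN_SUPPORTED = {"iOS": (17, 0), "Android": (13, 0), "Chrome Mobile": (126, 0), "Mobile Safari": (17, 0)}

# Each pattern captures the major and (optional) minor version from a User-Agent.
UA_PATTERNS = {
    "iOS": re.compile(r"(?:iPhone|CPU) OS (\d+)_(\d+)"),
    "Android": re.compile(r"Android (\d+)(?:\.(\d+))?"),
    "Chrome Mobile": re.compile(r"Chrome/(\d+)\.(\d+)\S* Mobile"),
    "Mobile Safari": re.compile(r"Version/(\d+)\.(\d+)(?=.* Mobile/.*Safari)"),
}

# Constructed proxy log lines: timestamp, client IP, quoted User-Agent.
SAMPLE_LOG = """\
2025-07-21T09:01:02Z 10.0.5.21 "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
2025-07-21T09:01:07Z 10.0.5.33 "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.64 Mobile Safari/537.36"
2025-07-21T09:02:11Z 10.0.5.40 "Mozilla/5.0 (Linux; Android 11; SM-G991B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.154 Mobile Safari/537.36"
"""

LOG_LINE = re.compile(r'^(\S+) (\S+) "(.*)"$')


def extract_components(user_agent):
    """Return {component: (major, minor)} for each recognised OS/browser in the UA."""
    found = {}
    for name, pattern in UA_PATTERNS.items():
        m = pattern.search(user_agent)
        if m:
            minor = int(m.group(2)) if m.group(2) is not None else 0
            found[name] = (int(m.group(1)), minor)
    return found


def unsupported_components(user_agent):
    """List (component, observed, floor) for components below the supported floor."""
    return [(n, v, MIN_SUPPORTED[n]) for n, v in extract_components(user_agent).items()
            if v < MIN_SUPPORTED[n]]


def scan_log(text):
    """One finding per log line whose device reports an unsupported OS or browser."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client_ip, ua = m.groups()
        bad = unsupported_components(ua)
        if bad:
            findings.append({"time": ts, "client": client_ip, "unsupported": bad})
    return findings
```

Findings list the client address and each out-of-date component with the observed and required versions, which is the data an MDM or patching process needs to act on.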
Rescan Base Duration
The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., when a new Diligence finding is observed or an existing finding has been remediated.
Automated Scan Duration: Not Applicable
User-Requested Rescan Duration: Not Applicable
This risk vector is not assessed using automated scans. Instead, our internal records are updated weekly based on data received from our partners. Learn more about how this risk vector is observed.
Finding Behavior
The behavior of findings based on remediation:
Remediated: There's a grace period of 28 days for validating and updating software packages.
- July 21, 2025: OS & browsers list 19-JUL-2025 version.
- July 15, 2025: OS & browsers list 10-JUL-2025 version.
- July 8, 2025: OS & browsers list 03-JUL-2025 version.