Abstract: “We’ve got Mobile Device Management, BYOD is not a risk for us!” “Our proxy filters all outbound traffic, no one is getting a shell out ever!” Companies are putting a lot of faith in these security mechanisms to stop the threats of mobile devices. In this talk we put those big claims to the test and look at ways to bypass security restrictions on, and by using, mobile devices. For example, we will see if that MDM that claims it can detect rooting/jailbreaking has ever heard of polymorphic code. And that proxy that stops all outbound traffic unless it's in the Internet Explorer process authenticated against the domain? Why not just send your shell back to an exploited mobile device in the environment and have it pass the shell out via SMS? Code examples of all the techniques used will be demoed live and released as additions to the author’s Smartphone Pentest Framework.