Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Mobile Code

Training Camp • Cybersecurity Glossary

What is Mobile Code?

Executable code transmitted over a network and run on a remote host (JavaScript, applets, ActiveX, macros); powerful but a major vector for malware delivery.

Glossary > Application & API Security > Mobile Code

Mobile Code — Executable code transmitted over a network and run on a remote host (JavaScript, applets, ActiveX, macros)

Understanding Mobile Code

Mobile code is executable software that is transmitted from a remote source across a network and run on a local or remote system, often with little or no explicit user action. Common examples include JavaScript, Java applets, ActiveX controls, Flash, browser plugins, and document macros. Its mobility makes web and dynamic applications possible, but it is also a major channel for delivering malicious payloads.

Mobile code works by having a host environment, typically a browser, document viewer, or runtime, fetch and execute code supplied by a server. To contain the risk, hosts apply restrictions such as browser sandboxes, the same-origin policy, code signing, and permission prompts, and runtimes like the Java Virtual Machine historically used a security manager to limit what downloaded code could do. The level of trust granted determines how much access the code has to the file system, network, and system resources.

This matters because mobile code lets remote, untrusted parties run code inside a victim's trust boundary. If sandboxing or validation fails, malicious mobile code can install malware, steal data, perform cross-site scripting, or pivot deeper into a network. Because of this, security policies (including U.S. government guidance) categorize mobile code by risk and restrict or block high-risk technologies; defenses include disabling unneeded scripting, enforcing code signing, content filtering, and keeping runtimes patched.

For example, a user visits a compromised website that serves obfuscated JavaScript exploiting an unpatched browser vulnerability. The script, classic mobile code, executes automatically in the browser, escapes the sandbox through the flaw, and downloads a ransomware payload, a drive-by download attack. The same risk appears in a phishing email carrying a Word document whose embedded macro, another form of mobile code, runs on open and fetches malware. In both cases, controls like patching, macro blocking, and script restrictions are what stand between the remote code and full compromise.

Learn More About Mobile Code:

Ready to Get Certified?

Mobile Code is one of the topics you'll master in the CISSP Boot Camp.

CISSP Boot Camp →