How to remotely access a LAN network (embedded) device without port forwarding?<>
This question is an exact duplicate of:
To use MQTT you will need a broker that is accessible from both inside the network and outside.
So assuming you host your own broker you will need to set up port forwarding to allow access to it from the mobile device. The other option would be host the broker on a cloud service.
Security can be handled by doing MQTT over SSL and using client side certificate authentication so only your client application can connect to broker.