Every smartphone in the world today is a potential spy, equipped with more than 18 sensors such as GPS, accelerometer, gyroscope and microphone that can be weaponized by cyberattackers who take advantage of poorly secured mobile apps.
With more than 7.2 billion smartphones in use and 255 billion app downloads in 2023 alone, the global mobile attack surface has expanded to unprecedented levels. Unlike traditional endpoints, mobile apps open up dozens of additional entry points ranging from insecure in-app browsers to vulnerable third-party software development kits (SDKs) buried deep inside code.
Ahead of his RSA Conference 2025 session, NowSecure Cofounder Andrew Hoog revealed startling insights from more than half a million mobile application security assessments. His findings uncovered an abundance of security and privacy weaknesses that put businesses, governments and individuals at risk and demand immediate attention.
Dark Reading reported on Hoog’s analysis which found nearly one in five mobile apps had hardcoded encryption keys, nearly one in six had software components with known vulnerabilities and nearly two-thirds of apps used broken or weak encryption.
Why Mobile Apps Pose Unique Security and Privacy Challenges
Mobile apps introduce a different and more complex security paradigm than traditional web applications. Unlike web apps, where servers and browsers are largely under enterprise control, mobile apps run on end-user devices that organizations don’t own or control and cannot easily monitor.
Both Android and iOS impose strict platform restrictions that make it tough to observe what’s happening under the hood. Adding to the complexity, mobile OSes are updated every year with major changes to core frameworks. Many apps are built with third-party SDKs that can harbor hidden vulnerabilities. In addition, newer languages like Swift and Kotlin have less support from security tools.
The Myth of Mobile App Store Security
Many developers — and even some security teams — mistakenly believe that submitting an app for publication in the Apple App Store or Google Play guarantees a thorough security and privacy review. It does not.
In reality, neither Apple nor Google rigorously tests for vulnerabilities. App stores primarily focus on user experience, policy compliance and malware detection — not comprehensive security assurance. This misconception leaves gaps between what organizations assume about app safety and the hidden risks actually present.
As highlighted in Hoog’s RSA Conference 2025 talk, this false sense of security is particularly dangerous because it leaves enterprises blind to third-party mobile application security risk. Most organizations focus only on the apps they build and ignore the hundreds or thousands of third-party apps their users install — many of which have access to sensitive corporate data. Without dedicated mobile app vetting independent of the app stores, organizations are susceptible to supply-chain risks stemming from the mobile apps their employees use.
The Biggest Mobile App Security Risks Found Across 500,000+ Assessments
The many factors outlined above all contribute to mobile app security, privacy and compliance risks for organizations — gaps that attackers can freely exploit. Many defenders remain at a disadvantage due to limited tools and visibility and lack of mobile application risk management programs.
Hoog’s assessment of more than 525,000 mobile apps between January 2022 and February 2025 reveals several common problems that he anecdotally illustrated with real-world examples. Each of these issues fails to meet one or more requirements of the OWASP Mobile Application Security Verification Standard (OWASP MASVS), an industry-standard set of security requirements.
1. Privacy Issues (OWASP MASVS-PRIVACY)
Apps often improperly store sensitive identifiers — like device fingerprints that may include real user names — and log them insecurely, violating privacy laws like GDPR, CCPA and COPPA.
- Missing Privacy Manifests: Apple and Google now require privacy attestations, and apps lacking them face blocked updates or removals, severely impacting business continuity.
2. Security Misconfigurations (OWASP MASVS-PLATFORM-1)
Apps often misuse platform security features, such as hardcoding cryptographic keys into the app binary or misconfiguring broadcast receivers, leaving them open to hijacking and data theft.
- Qardio Health iOS App: A hardcoded cryptographic key flaw was discovered in the Qardio Health app, resulting in a CVE that exposed user data to interception risks.
- Unnamed App: NowSecure research discovered an app that leaked an OpenAI API key.
3. Untested Third-Party SDKs (OWASP MASVS-CODE-3)
Many apps rely heavily on third-party SDKs. More than 15% were found to include components with known vulnerabilities. Many are untested or lack assigned CVEs, making detection even more difficult.
- Pushwoosh SDK: Originally claiming to be U.S.-based, Pushwoosh was found to be a Russian company operating a major supply chain risk. Fake executive profiles were also uncovered.
- SourMint SDK: The malicious SourMint SDK was used to build a large-scale data exfiltration operation hidden inside consumer-facing apps. It harvested sensitive user information without consent.
4. Encryption Flaws (OWASP MASVS-CRYPTO-1)
Nearly two-thirds of apps assessed used broken or weak encryption, including outdated cryptographic algorithms, leaving the data they protect open to interception.
- DeepSeek iOS App: NowSecure researchers found multiple encryption and privacy flaws in the DeepSeek app, including use of outdated cryptography.
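As an added example covering both the hardcoded-key findings in section 2 and the weak-encryption findings here (this is not NowSecure's tooling or code from the post), the following Python script runs regex and entropy checks over a decompiled Android source fragment. The sample source, the API key value and the rule names are constructed for illustration.

```python
import math
import re
from collections import Counter
# Regexes for the two finding classes discussed above: secrets baked into the app
# (MASVS-PLATFORM-1) and weak cryptography (MASVS-CRYPTO-1). Constructed for this example.
SECRET_PATTERNS = {
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
WEAK_CRYPTO_PATTERNS = {
    "aes_ecb_mode": re.compile(r'"AES/ECB(?:/[^"]*)?"'),
    "md5_or_sha1_digest": re.compile(r'MessageDigest\.getInstance\("(?:MD5|SHA-?1)"\)'),
    "key_or_iv_from_literal": re.compile(r'(?:SecretKeySpec|IvParameterSpec)\(\s*"[^"]+"\.getBytes\('),
}
# Long string literals made of key-like characters; entropy separates keys from words.
STRING_LITERAL = re.compile(r'"([A-Za-z0-9+/=_-]{24,})"')

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above prose or identifiers."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def scan_source(text: str, entropy_threshold: float = 4.0) -> list:
    """Return (category, rule, line_number) for each hit in a decompiled source file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(("hardcoded_secret", rule, line_no))
        for rule, pattern in WEAK_CRYPTO_PATTERNS.items():
            if pattern.search(line):
                findings.append(("weak_crypto", rule, line_no))
        # Keys with no recognisable prefix still show up as high-entropy literals.
        for literal in STRING_LITERAL.findall(line):
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append(("hardcoded_secret", "high_entropy_literal", line_no))
    return findings

# Constructed sample: a decompiled Java fragment showing the defects the post describes.
SAMPLE_SOURCE = """\
public class Crypto {
    static final String API_KEY = "sk-EXAMPLEexampleEXAMPLE1234567890abcd";
    static byte[] enc(byte[] d) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec("0123456789abcdef".getBytes(), "AES"));
        return c.doFinal(d);
    }
    static byte[] h(byte[] s) throws Exception { return MessageDigest.getInstance("MD5").digest(s); }
}
"""
```

Running `scan_source(SAMPLE_SOURCE)` flags the API key on line 2 twice (by prefix and by entropy), ECB mode on line 4, the literal AES key on line 5 and MD5 on line 8.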
5. Reconnaissance (OWASP MASVS-RESILIENCE-3)
Many mobile apps fail to strip debug symbols from production builds, exposing sensitive metadata like class names, function names and variables. This makes it significantly easier for attackers to reverse engineer apps and identify vulnerabilities.
- My Security Account: CISA issued an advisory about the My Security Account app after finding that debug information exposed critical details attackers could exploit.
- SparkCat: The SparkCat malware uses Optical Character Recognition (OCR) to steal cryptocurrency and wallet data.
Action Plan: How to Reduce Mobile App Risk
In his presentation, Hoog outlined several actionable steps that security leaders and enterprise mobility managers can take to protect their organizations from common mobile application security and privacy risks.
Starting now:
- Inventory all mobile apps your organization builds, uses, or distributes. Use tools to quickly generate and enrich your app inventory.
- Categorize apps into groups based on business impact and risk profiles such as “No Sensitive Data,” “Handles PII,” or “Flagship App” to prioritize security efforts where they matter most.
Within three months:
- Align app testing to the OWASP MASVS framework to ensure comprehensive coverage of security and privacy controls.
- Implement dynamic mobile application security testing through open-source tools or commercial software like NowSecure Platform to detect runtime vulnerabilities missed by static assessments.
Within six months:
- Automate mobile DevSecOps testing in your development pipelines to assess every new release.
- Integrate mobile security findings into your enterprise risk dashboards for full visibility and executive reporting.
Build a Strong Mobile App Risk Management Program
Mobile apps introduce significant security and privacy risks that cannot be addressed through traditional approaches. Organizations must implement mobile app risk management programs to guard against reputational and operational risks that arise from security and privacy issues.
NowSecure Platform provides continuous automated mobile app security and privacy testing for the apps your organization develops, and NowSecure Academy helps upskill developers in secure coding practices.
NowSecure Mobile App Risk Intelligence offers third-party mobile app risk assessment. Contact us to learn how these solutions can strengthen resilience, reduce regulatory exposure and better guard against mobile threats that jeopardize your business.