Announcement: NowSecure Launches AI-Navigator

NowSecure AI-Navigator finds mobile app risks that hide behind the login.

The Third-Party Mobile App Risk Hidden Inside Your Approved Apps

Posted by Amy Schurr, Content Marketing Director
Amy Schurr is content marketing director for NowSecure. A former B2B journalist, she has spent her career covering technology and how it enables organizations.

When Frederick County, Maryland, reviewed a mobile app used by its fire and rescue team, it passed every traditional check. The app connected to an ultrasound device, looked legitimate and had been approved.

Binary-level analysis told a different story: the app was exposing protected health information, violating HIPAA in ways that no privacy label, MDM policy or manual review would have surfaced. The county was facing potential regulatory penalties for an app they had vetted.

This is the core problem with how most enterprises manage third-party mobile app risk today. Approval processes exist. Tools are in place. But those tools are reading what apps claim to do, not what they actually do. The gap between those two things is where real risk lives.

Frederick County Information Security Lead Rich Campbell described it this way:
“We needed a repeatable and defensible way to make app approval decisions, especially given the scale of requests we receive. NowSecure helped us resolve a significant issue where an ultrasound device application used by our fire and rescue team was found to expose PHI data — a risk that could have led to millions in HIPAA penalties.”

NowSecure recently announced Mobile App Risk Intelligence (MARI) to address this growing governance gap — read the full announcement.

Why Does Your Security Stack Miss Third-Party Mobile App Risk?

Security and mobility teams often rely on existing tools to manage third-party mobile app risk, but those tools were built for different problems.

App store privacy labels depend on vendor self-disclosure, which rarely reflects how apps actually behave at runtime. Mobile Device Management (MDM) — software that enforces policies on employee devices — and Unified Endpoint Management (UEM) platforms extend that control across all device types. Both enforce device-level policy, but they don’t inspect what apps are doing under the hood — what code they execute, what servers they connect to or what data they transmit to high-risk jurisdictions.

Mobile Threat Defense (MTD), a category of tools that monitor devices for active threats, adds value by detecting threats after deployment, but it doesn’t answer the critical question upfront: should this app be trusted in the enterprise at all? It tells you when a fire has started. It doesn’t tell you that the app you’re about to install is made of gasoline.

Even manual reviews fall short. Mobile apps update frequently, and each update can introduce new SDKs, endpoints or data flows that weren’t present in the original review.

The problem isn’t that these tools are bad at what they do. It’s that they’re all working from the same limited input: whatever the app or its vendor decided to tell you. Privacy labels are self-reported. In a world of complex third-party SDKs and AI-driven code, vendors often don’t even know what their own apps are doing. 

MDM enforces device policy, not app behavior. Manual reviews depend on documentation that may be incomplete, outdated or wrong. The compiled binary doesn’t care what the vendor disclosed. It just runs. And when you analyze it directly, you find things — connections to undisclosed endpoints, embedded SDKs with their own data flows, AI components handling sensitive information — that would never surface any other way.

The risk itself isn’t new. What’s changed is the ability to systematically see and measure it.

What Does Effective Third-Party Mobile App Risk Management Require?

To manage third-party mobile app risk effectively, organizations need more than isolated tools — they need a complete, scalable approach grounded in real evidence. The exposure pattern is consistent across sectors. Healthcare, financial services and retail all face the same gap between what apps disclose and what they actually do.

First, every finding must include business context. It’s not enough to know that an app connects to an external server. Security teams need to understand what data is being transmitted, where it’s going and what regulatory or compliance exposure that creates.

Second, visibility has to extend across the full risk surface. Mobile app risk doesn’t live in one place — it appears in network connections to untrusted endpoints, in third-party SDKs with vulnerable dependencies, in permissions that grant excessive device access, and increasingly in AI or LLM components processing sensitive data without disclosure.

Third, risk prioritization must scale. Large enterprises can’t manually triage thousands of findings across dozens, hundreds or even thousands of apps. They need severity-based prioritization grounded in evidence, along with policies that automatically enforce decisions across their app portfolio.

Finally, teams need visibility at the portfolio level, not just the individual app level. When apps connect across multiple regions and embed dozens of components, understanding risk requires the ability to identify patterns. For instance, organizations should know which apps connect to high-risk jurisdictions or introduce compliance exposure across business units.

4 Pillars of Effective Third-Party Mobile App Risk Management

How Does Binary-Level Mobile App Analysis Work?

Most security tools observe apps from the outside — monitoring network traffic, enforcing device policies, or checking app store metadata. Binary-level analysis works differently. It examines the compiled app code directly, running the app on real iOS and Android devices to observe what it actually does: what data it collects, where it sends it, which third-party components it activates and what those components do in turn.

NowSecure Mobile App Risk Intelligence (MARI) combines static, dynamic, interactive and API security testing techniques against the binaries. This means findings reflect observed behavior, not vendor disclosure. 

This approach surfaces the evidence security teams need to make informed decisions:

  • Actual data collection and transmission behavior
  • External endpoints and geographic data flows
  • Third-party SDKs and hidden dependencies
  • AI and LLM components, including those not disclosed by vendors

Because MARI operates before deployment, it enables teams to approve or block apps before they ever reach employee devices. This shifts mobile app risk management from reactive to proactive.

How Does NowSecure MARI Surface Mobile App Risk?

What sets this approach apart is not just visibility but actionable insight.

Every finding includes clear, plain-language business impact alongside technical evidence and CVSS (Common Vulnerability Scoring System) scoring, the industry-standard 0-10 severity scale. This allows security teams to communicate risk effectively to executives, auditors, and compliance stakeholders without additional translation.

MARI also provides comprehensive visibility across the mobile app risk surface:

  • Maps external endpoints with geographic context
  • Identifies connections to high-risk jurisdictions
  • Catalogs embedded SDKs and libraries
  • Detects permissions and tracking domains that may introduce privacy or compliance concerns
  • Identifies hidden AI components, ensuring your sensitive data isn’t being fed into a third-party’s training model without your knowledge

To support governance at scale, teams can define policies that automatically flag or block apps based on specific criteria, such as the use of certain SDKs or connections to restricted regions.

Finally, MARI delivers interactive, portfolio-level insights. Instead of static reports, teams can explore data flows, compare risk across apps and prioritize remediation based on severity. This improves mobile app risk management across the enterprise.
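The four requirements laid out earlier (business context on every finding, coverage of the full risk surface, severity-based prioritization and a portfolio-level view) and the policy-driven flag-or-block step described above are easier to reason about in code. The following is an added example written for this page; it is not NowSecure code and does not use MARI's real data model. It assumes a constructed `AppReport` record shape, a `Policy` made of restricted regions, blocked SDK identifiers and CVSS thresholds, and three sample apps whose hostnames use reserved example domains and whose restricted country code is the unassigned ISO code ZZ. The severity bands are the CVSS v3.x qualitative scale (None 0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Endpoint:
    host: str
    country: str  # ISO 3166-1 alpha-2 code of the server's location

@dataclass
class Finding:
    title: str
    cvss: float  # CVSS base score on the 0-10 scale
    business_impact: str  # plain-language context for executives and auditors

@dataclass
class AppReport:
    """Assumed shape of one app's binary-analysis output; not MARI's real schema."""
    name: str
    business_unit: str
    endpoints: List[Endpoint] = field(default_factory=list)
    sdks: List[str] = field(default_factory=list)
    undisclosed_ai: List[str] = field(default_factory=list)  # AI/LLM parts absent from vendor docs
    findings: List[Finding] = field(default_factory=list)

@dataclass
class Policy:
    restricted_regions: Set[str]  # country codes app data may not reach
    blocked_sdks: Set[str]        # SDK identifiers that are never acceptable
    block_at: str = "Critical"    # CVSS band that blocks an app outright
    flag_at: str = "High"         # CVSS band that sends an app to manual review

SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]

def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the CVSS v3.x qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"

def evaluate(app: AppReport, policy: Policy) -> Dict:
    """Decide approve/flag/block for one app and list the evidence behind it."""
    verdicts = []  # (level, reason) pairs; the strongest level wins
    for ep in app.endpoints:
        if ep.country in policy.restricted_regions:
            verdicts.append(("block", f"connects to {ep.host} in restricted region {ep.country}"))
    for sdk in app.sdks:
        if sdk in policy.blocked_sdks:
            verdicts.append(("block", f"embeds blocked SDK {sdk}"))
    for component in app.undisclosed_ai:
        verdicts.append(("flag", f"undisclosed AI component {component}"))
    # Highest-severity findings first so reviewers see the worst problem at the top.
    for finding in sorted(app.findings, key=lambda f: f.cvss, reverse=True):
        band = cvss_severity(finding.cvss)
        rank = SEVERITY_ORDER.index(band)
        text = f"{band} ({finding.cvss}): {finding.title} - {finding.business_impact}"
        if rank >= SEVERITY_ORDER.index(policy.block_at):
            verdicts.append(("block", text))
        elif rank >= SEVERITY_ORDER.index(policy.flag_at):
            verdicts.append(("flag", text))
    decision = "block" if any(lvl == "block" for lvl, _ in verdicts) else ("flag" if verdicts else "approve")
    return {"app": app.name, "decision": decision, "reasons": [r for _, r in verdicts],
            "max_cvss": max((f.cvss for f in app.findings), default=0.0)}

def portfolio_summary(reports: List[AppReport], policy: Policy) -> Dict:
    """Roll per-app decisions up to business units and list restricted-region apps."""
    by_unit: Dict[str, Dict[str, int]] = {}
    restricted = []
    for app in reports:
        counts = by_unit.setdefault(app.business_unit, {"approve": 0, "flag": 0, "block": 0})
        counts[evaluate(app, policy)["decision"]] += 1
        if any(ep.country in policy.restricted_regions for ep in app.endpoints):
            restricted.append(app.name)
    return {"by_business_unit": by_unit, "restricted_region_apps": restricted}

# Constructed sample portfolio. "ZZ" is a user-assigned ISO 3166 code standing in for
# whatever jurisdictions an organisation restricts; hosts use reserved example domains.
SAMPLE_POLICY = Policy(restricted_regions={"ZZ"}, blocked_sdks={"example-tracker-sdk"})
SAMPLE_REPORTS = [
    AppReport("field-imaging-companion", "Fire & Rescue", sdks=["imaging-core"],
              endpoints=[Endpoint("telemetry.example.net", "ZZ")],
              findings=[Finding("Patient images uploaded over plain HTTP", 8.2,
                                "PHI leaves the device unencrypted; HIPAA exposure")]),
    AppReport("expense-tracker", "Finance", endpoints=[Endpoint("api.example.com", "US")],
              undisclosed_ai=["receipt-ocr-llm"],
              findings=[Finding("Receipt text sent to a third-party LLM", 5.3,
                                "Financial records processed by an undisclosed AI service")]),
    AppReport("shift-scheduler", "Fire & Rescue", endpoints=[Endpoint("sched.example.org", "US")],
              findings=[Finding("Verbose logging of usernames", 2.1, "Low-sensitivity data in device logs")]),
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        print(evaluate(report, SAMPLE_POLICY))
    print(portfolio_summary(SAMPLE_REPORTS, SAMPLE_POLICY))
```

Run as a script it prints one decision record per sample app and the business-unit rollup: the imaging app is blocked because of its restricted-region endpoint, the expense app is flagged for an undisclosed AI component, and the scheduler is approved. Every reason string carries the evidence and the business impact together, which is what lets a reviewer or auditor read the decision without a separate translation step.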

Closing the Third-Party Mobile App Risk Gap

The Frederick County finding wasn’t the result of a sophisticated attack. It was the result of an approved app doing something no one had verified it wasn’t doing. That is the more common failure mode: not a breach, but an approved app doing something no one thought to check.

Binary-level analysis doesn’t eliminate mobile app risk. It makes the risk visible before it becomes a liability. For organizations managing dozens or hundreds of third-party apps across a workforce, the shift from assumption to evidence is the difference between a defensible program and an exposure waiting to be discovered.

Common Questions About Third-Party Mobile App Risk

What is third-party mobile app risk?

Third-party mobile app risk refers to the security, privacy and compliance exposures introduced by apps an organization didn’t build but allows on employee devices. These apps may collect sensitive data, connect to external servers or embed components that operate without enterprise oversight.

How is binary-level analysis different from MDM or MTD?

MDM enforces device policies but doesn’t inspect what an app actually does. MTD detects threats after an app is deployed. Binary-level analysis examines the compiled app code before deployment to reveal actual data flows, network connections and third-party SDK dependencies — answering whether an app should be trusted at all.

What does NowSecure MARI detect that other tools miss?

MARI surfaces hidden data collection behavior, connections to high-risk geographic endpoints, embedded AI and LLM components not disclosed by vendors and third-party SDK vulnerabilities — all by analyzing the compiled app binary on real devices rather than relying on vendor self-reporting.

What are the compliance risks of unvetted mobile apps?

Unvetted apps can expose regulated data including PHI, PII and financial records to unauthorized third parties. This creates potential violations of HIPAA, GDPR and other regulations, with penalties that can reach into the millions. The Frederick County (Md.) case in this article illustrates a real-world example involving PHI exposure.

How often should enterprises review third-party mobile apps?

Mobile apps update frequently, and each update can introduce new SDKs, endpoints or data flows. A continuous or policy-automated review process is more effective than periodic manual audits, which quickly become outdated.

See What Your Mobile Apps Are Actually Doing

NowSecure MARI helps organizations identify hidden data flows, third-party risks and compliance exposure before apps reach employee devices. Request a MARI demo to assess third-party mobile app risk in your environment.