AH: We tend to focus on flaws that would really impact the integrity of the data, the information about the individual … and there’s a whole bunch of ways that things can go wrong there.

Traditional things like a man in the middle attack, where developers struggle with how to implement encryption. There’s a couple of big mistakes that they make. One of them is they try to roll their own, which is a very bad idea, and they shouldn’t do that.

The second thing that developers tend to do is they will have test code that makes it easy for them to develop without all those security controls in place. Sometimes they’ll forget to re-enable all of the controls when they go to production, or they simply won’t understand how to do it properly. So there’s a lot of different things that can go wrong.

AH: It’s complicated significantly by the fact that mobile apps contain a lot of third-party code. The challenge folks have is not only did I write my application, but did the third-party library that I’m using properly write in their code and test it? When I make an update and they have a new SDK, is that one secure?

AH: There’s a lot of things that can go wrong:

• Your data not being protected in transit
• Leaving sensitive information on the device
• Configuration issues that will lead to your data being backed up or transmitted
• Leaving too many activities world-readable, world-accessible so that other apps on the phone can extract information

AH: NowSecure found the best way to deal with [mobile app security], coming from our forensics background, is in a very empirical way. You can do a bunch of testing of your code. You can do source code analysis and typically generate a lot of false positives. You spend a lot of time looking at the results. Or, you can simply look at your app in a hostile environment and then find out:

• Am I able to intercept the traffic?
• Do you leave sensitive data on the device?
• Could I do a sequel injection attack against your mobile app?

That empirical approach has allowed us to eliminate almost all false positives, but to also interrogate the application in a hostile environment — which is exactly what you need to do when you secure your app.

NowSecure believes mobile apps and mobile devices can be a more secure way for enterprises and agencies to operate. The important premise to that entire idea is that you make sure to vet your mobile apps ahead of time so when they are actively in a hostile environment, they’re able to thwart that attack.

What we find today is about 85% of the apps out there don’t successfully repel an attack. There’s a long way that the industry has to go. The great news is that we built a lot of tooling to help address that with automation.

Mobile app security is fundamentally about understanding and managing risk across the entire app ecosystem, not just the code itself, but how the app behaves, what data it accesses, and who it shares that data with.

A core focus is identifying exposures such as sensitive data leakage, insecure network communications, and vulnerabilities introduced through third-party libraries or SDKs. Modern mobile apps often rely on hundreds or thousands of external components, making software supply chain risk a critical concern, as even a single compromised dependency can introduce significant enterprise-wide exposure .

NowSecure emphasizes visibility into runtime behavior through both static and dynamic analysis, helping organizations see how apps actually transmit data, including potentially risky connections to external infrastructure or jurisdictions.

Equally important is the context around privacy, permissions, and emerging risks. Excessive or high-risk permissions—such as access to location, camera, or storage—expand the attack surface and increase the likelihood of sensitive data exposure or misuse.

The NowSecure platform also brings attention to newer risk domains like AI usage within apps, where opaque or poorly governed AI features can introduce compliance, regulatory, and data handling concerns.

Overall, the approach is risk-driven and aligned to standards like OWASP MASVS, enabling security teams to prioritize issues across key categories such as storage, networking, and privacy, and make informed decisions about whether an app is safe for enterprise use.

Common mobile app security threats center on data exposure, weak protections, and ecosystem complexity. Many apps suffer from insecure data storage and transmission, along with poor encryption and key management practices that make sensitive information easy to access.

Authentication and authorization flaws can further allow unauthorized access to user accounts and backend systems. Beyond the app’s own code, risks are amplified by extensive use of third-party libraries and SDKs, introducing software supply chain vulnerabilities.

Additional concerns include misconfigured platform features, excessive permissions, and lack of protections against reverse engineering, all of which can expand the attack surface.

Together, these issues highlight the need for comprehensive, standards-based testing and a risk-driven approach to securing mobile apps in inherently untrusted environments.

The top 5 most common threats and vulnerabilities are:

1. Sensitive Data Exposure
2. Weak Encryption & Key Management
3. Insecure Authentication & Authorization
4. Software Supply Chain Vulnerabilities
5. Excessive Permissions & Privacy Risks