RSAC 2025: Top Mobile App Security Flaws Discussed
May 15, 2025
At the RSA Conference 2025 in San Francisco, NowSecure co-founder Andrew Hoog delivered a sobering reality check: many mobile applications on both the Apple App Store and Google Play suffer from serious security vulnerabilities. This echoes what I and many in the app protection community have been emphasizing for years: app store presence does not guarantee security.
Organizations must take proactive ownership of their mobile app security, as relying solely on app store vetting leaves critical gaps that can put users and data at risk.
Many mobile app developers do not yet grasp that, even though consumers may not yet appreciate the value of a properly protected app, the benefits of strong protection will become increasingly obvious to their organizations as threats grow more damaging.
The top 5 most critical mobile app security risks between 2022 and 2025
In his session titled “525,600 Assessments Later: Top Mobile App Risks Since 2022,” Hoog presented results from more than half a million mobile app security evaluations completed between January 2022 and February 2025. The findings show that widespread and reproducible security vulnerabilities exist in the majority of tested mobile apps.
Here are the five most critical security risks discovered in mobile applications:
Failure to properly protect user privacy
A majority of iOS applications lack the Apple-required purpose strings, which inform users about the use of their personal data, including location. Multiple applications send or store device identifiers through insecure methods that may involve appending the user’s name to the device name.
These practices violate privacy laws such as GDPR and CCPA and expose users to greater risk.
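One concrete pre-release check for the purpose-string gap described above. This is an added example, not NowSecure's tooling or code from the talk; it audits an Info.plist (a constructed sample is embedded inline) for the Apple usage-description keys that the capabilities an app actually uses require, and treats placeholder text as missing.

```python
import plistlib

# Apple purpose-string keys: an app that uses the capability on the left must
# declare the usage-description key on the right in Info.plist (subset shown).
REQUIRED_PURPOSE_STRINGS = {
    "location": "NSLocationWhenInUseUsageDescription",
    "camera": "NSCameraUsageDescription",
    "microphone": "NSMicrophoneUsageDescription",
    "contacts": "NSContactsUsageDescription",
    "photos": "NSPhotoLibraryUsageDescription",
}

# Strings that tell the user nothing about why data is collected; treated as missing.
PLACEHOLDER_VALUES = {"", "todo", "tbd", "placeholder", "this app needs access"}


def audit_purpose_strings(info_plist_bytes: bytes, used_capabilities) -> dict:
    """Return {capability: problem} for every used capability whose purpose
    string is absent or a placeholder. An empty dict means the plist passes."""
    info = plistlib.loads(info_plist_bytes)
    findings = {}
    for cap in used_capabilities:
        key = REQUIRED_PURPOSE_STRINGS[cap]
        value = info.get(key)
        if value is None:
            findings[cap] = f"missing {key}"
        elif str(value).strip().lower() in PLACEHOLDER_VALUES:
            findings[cap] = f"{key} is a placeholder: {value!r}"
    return findings


# Constructed sample Info.plist: location string present, camera string is a
# placeholder, contacts string missing entirely.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>NSLocationWhenInUseUsageDescription</key>
  <string>Used to show nearby stores while the app is open.</string>
  <key>NSCameraUsageDescription</key><string>TODO</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    for cap, problem in audit_purpose_strings(SAMPLE_INFO_PLIST, ["location", "camera", "contacts"]).items():
        print(f"[privacy] {cap}: {problem}")
```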
Misconfigurations that leak sensitive data
Alarmingly common developer errors include hardcoding cryptographic keys and misconfigured broadcast receivers. Nearly 20% of apps contained hardcoded credentials. Certain applications stored usernames and passwords in accessible files, which attackers or even researchers could retrieve.
Vulnerable and untested third-party SDKs
Third-party code amounts to about 60% of the code in an average application but remains largely untested. Three-quarters of apps demonstrated weaknesses from third-party SDKs, and 15% utilized components with known security flaws.
Developers frequently overlook how many transitive dependencies, that is, third-party components nested inside other third-party components, their applications actually pull in.
Outdated or broken encryption
More than 60% of applications protect sensitive information through encryption methods that remain outdated or insecure. Developers often reuse initialization vectors while depending on compromised encryption methods such as Triple DES.
Hoog pointed out the necessity for post-quantum cryptography because current systems use algorithms that have been compromised for two decades.
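The hardcoded-key findings in the misconfiguration section and the weak-cipher and reused-IV findings here are the kind of defect a build-time source check catches before release. The following is an added example, not NowSecure's tooling or code from the talk; it runs a handful of regex rules against javax.crypto call patterns over a constructed Kotlin-style snippet.

```python
import re

# Each rule: (finding id, pattern, description). The patterns target the
# javax.crypto / Android idioms the talk called out; the list is illustrative, not exhaustive.
RULES = [
    ("weak-cipher",
     re.compile(r'Cipher\.getInstance\(\s*"(DES|DESede|RC4|ARCFOUR|Blowfish)[/"]'),
     "legacy cipher (DES/3DES/RC4/Blowfish) selected"),
    ("ecb-mode",
     re.compile(r'Cipher\.getInstance\(\s*"[A-Za-z0-9]+/ECB'),
     "ECB mode leaks plaintext structure"),
    ("static-iv",
     re.compile(r'(?i)(?:\biv\w*\s*=\s*|IvParameterSpec\(\s*)(?:byteArrayOf\(|new byte\[\]|"[^"]*"\.(?:toByteArray|getBytes))'),
     "IV built from a literal, so the same key+IV pair is reused on every encryption"),
    ("hardcoded-secret",
     re.compile(r'(?i)(api[_-]?key|secret|password|passwd|token|private[_-]?key)\s*[:=]\s*"[^"]{8,}"'),
     "credential or key literal embedded in the binary"),
]


def scan_source(text: str):
    """Return a list of (line_no, finding_id, description, stripped line) for every rule hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for fid, pattern, desc in RULES:
            if pattern.search(line):
                findings.append((line_no, fid, desc, line.strip()))
    return findings


# Constructed sample, loosely Kotlin-shaped; not taken from any real app.
SAMPLE_SOURCE = """// constructed sample, loosely Kotlin-shaped
private val API_KEY = "sk_live_0123456789abcdef"
private val IV = byteArrayOf(0, 0, 0, 0, 0, 0, 0, 0)
val cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding")
cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(IV))
val legacy = Cipher.getInstance("AES/ECB/PKCS5Padding")
val ok = Cipher.getInstance("AES/GCM/NoPadding")  // nonce drawn from SecureRandom per call
"""

if __name__ == "__main__":
    for line_no, fid, desc, line in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: [{fid}] {desc}\n    {line}")
```

The last sample line (AES-GCM with a fresh nonce) is the pattern the flagged lines should be migrated to, and it produces no finding.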
Lack of resilience against reverse engineering
More than 75% of applications failed to remove debug symbols from their code, which enables attackers to reverse-engineer and exploit these apps. The use of exposed APIs combined with hardcoded URLs increases security risks.
Takeaway
It’s a common misconception that simply having an app in a major app store guarantees security. In reality, app store presence does not equal protection.
As cybersecurity leaders, we advise organizations to start by thoroughly inventorying their mobile apps and assigning risk levels to each one. This foundational step should be followed by implementing robust frameworks like OWASP MASVS for continuous security testing throughout the app lifecycle.
It’s important to recognize that Apple and Google are not responsible for ensuring the security of every app in their stores; they simply don’t have the incentive or capacity to do so. The responsibility for app security ultimately lies with the developers and the organizations that own these apps.
To truly safeguard users and data, mobile app developers must take ownership of their app security, proactively testing and protecting their applications at every stage. Relying on app store checks alone is not enough; comprehensive, ongoing security measures are essential.
Written by
Jon Samsel
Head of Cybersecurity Business and Global Marketing