As someone leading a mobile cybersecurity team, I’ve seen far too many apps offer only the illusion of security. Most defenses are surface-level—meant to look reassuring rather than truly protect.
The average user assumes a password or biometric prompt means their data is safe. But those visible safeguards are just the outer layer of the onion. Peel that back, and it becomes clear: we’re living in an era of deceptive confidence. Unless we confront that illusion and begin building for the war happening at the code level, brands with apps are effectively leaving the front door wide open.
Let me explain.
When backend security isn’t enough
The Marks & Spencer cyberattack in the UK is a warning worth heeding. The company ran enterprise-grade backend infrastructure, yet attackers still got in, through weaknesses in third-party services and social engineering. The breach halted operations, exposed customer details and wiped hundreds of millions off the company's value.
And M&S is far from alone.
This kind of breach exposes a hard truth: backend defenses do little once attackers come in through the application layer. Applications have become a primary target, particularly in fintech, healthcare and government, and application-layer defenses have not kept pace with the threat.
Surface-level security creates a false sense of safety
Ask the average user what makes a mobile app secure, and you’ll hear familiar answers: passwords, encryption, maybe multi-factor authentication. These visible security features provide a comforting sense of safety—but they only guard the front door.
Once someone—whether user or attacker—is inside the app, that sense of protection often disappears. The reality is that most app defenses don’t go any further.
This is where the illusion becomes dangerous. Many apps still lack runtime protection: they cannot tell when they are being reverse-engineered, cloned or tampered with, and most do not even notice when they are running on a compromised device such as a rooted or jailbroken phone. Attackers know this. They have adapted their tactics to exploit these blind spots because they know your app is not watching. One caveat a defender should keep in mind: a check that runs on the device can be patched out by whoever controls that device, so such signals are strongest when the backend corroborates them before serving sensitive operations.
Reliance on app store review and regulatory standards leads organizations to believe they are secure when they are merely compliant. Passing store review or meeting a compliance checklist does not make an app secure. Compliance is not security. Visibility is.
You can’t secure what you can’t see
The security model built for networks, data centers and backend systems does not fit mobile. Mobile apps run outside the corporate perimeter, on personal devices you do not control, over networks you cannot trust. The result is a fragmented, unpredictable attack surface that traditional security tooling cannot readily see.
Developers are pushed toward fast release cycles and smooth user experiences, and security often comes last. Apps ship with hardcoded secrets such as API keys, tokens and encryption keys. Debug logging writes sensitive data to device logs. Third-party SDKs bring supply chain risk. The list goes on. Anything compiled into the app should be assumed readable by anyone who downloads it: an attacker can unpack the package and recover such values without ever running it.
The applications we trust most are often the ones we understand least.
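A concrete way to find the hardcoded secrets described above, added here as an example and not part of the original article or any vendor's product: a small scanner over decoded app resources that matches known key formats directly and gates generic "api_key = value" assignments on Shannon entropy so low-entropy placeholders do not fire. The sample resources, the regexes and the entropy threshold are constructed for the example; the AWS access key ID is the public placeholder from AWS's own documentation, not a live credential.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Provider-specific key formats carry a fixed prefix and length, so they are matched
# directly. The generic rule catches "api_key = <value>" style assignments and is then
# gated on entropy so placeholders such as "aaaaaaaa" do not fire. (Patterns are
# illustrative assumptions for this example, not an exhaustive rule set.)
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Za-z0-9])AKIA[0-9A-Z]{16}(?![A-Za-z0-9])"),
    "google_api_key": re.compile(r"(?<![A-Za-z0-9_\-])AIza[0-9A-Za-z_\-]{35}(?![A-Za-z0-9_\-])"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\w*\s*[:=]\s*[\"']?([A-Za-z0-9_\-/+=]{16,})"
    ),
}
MIN_ENTROPY_BITS = 3.0  # per-character Shannon entropy; hex tops out at 4.0, base64 at 6.0


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    line_no: int
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str) -> list[Finding]:
    """Scan decoded resource/config text line by line and return likely secrets."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                ent = shannon_entropy(value)
                # Only the generic rule needs the entropy gate; the prefixed formats
                # are specific enough on their own.
                if kind == "generic_assignment" and ent < MIN_ENTROPY_BITS:
                    continue
                findings.append(Finding(kind, value, line_no, round(ent, 2)))
    return findings


# Constructed sample: a decoded strings.xml followed by a bundled properties file.
# The last line is a deliberate low-entropy placeholder that the entropy gate drops.
SAMPLE_RESOURCES = """\
<!-- constructed sample: decoded res/values/strings.xml plus a bundled config -->
<string name="app_name">DemoBank</string>
<string name="token_hint">Enter the one-time token from your authenticator</string>
<string name="maps_key">AIzaSyDEXAMPLEKEY0123456789abcdefghijkl</string>
# assets/config.properties
aws.accessKeyId=AKIAIOSFODNN7EXAMPLE
aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
BACKEND_API_KEY=8f3a9c2e1b7d4f6a0e5c3b9d7a1f2e4c
SESSION_TOKEN=aaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_RESOURCES):
        print(f"line {f.line_no}: {f.kind} ({f.entropy} bits/char): {f.value}")
```

Run it against the output of an APK decoder or an unzipped IPA rather than source, since that is what an attacker sees. The entropy gate trades recall for precision: a real key that happens to be low-entropy slips through, so treat the generic rule as a triage aid and review every match on a release build.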
Your app doesn’t care what you’re doing—but it should
Modern security must move beyond verifying who has access. It is no longer enough to ask who is in the app; we must also ask what they are doing. Cybercriminals have become experts at masquerading as legitimate users with stolen credentials and hijacked sessions, which lets them carry out malicious activity undetected.
To close this gap, behavioral visibility is essential. Understanding how an app is actually used in the field, through runtime insight into sessions, devices and request patterns, exposes threats such as credential stuffing, device tampering, bot-driven automation and user impersonation. That is where the real battle is fought: not at login, but during live app interactions.
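To make "behavioral visibility" concrete, here is an added example (not from the article, and not any product's implementation) of three detectors a backend could run over runtime events reported by the app: credential stuffing (one device cycling through many usernames with mostly failed logins in a short window), session hijack (one session token seen from two device fingerprints) and bot automation (inter-request timing too regular for a person). The event schema, the thresholds and the sample events are assumptions constructed for the example.

```python
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    """One runtime event reported by the app (schema assumed for this example)."""
    ts: float                  # seconds
    device_id: str             # app-side device fingerprint / install id
    session_id: Optional[str]  # None before login
    user: Optional[str]
    action: str                # "login" or an in-app action
    ok: bool                   # did the action succeed


# Thresholds are illustrative assumptions, not tuned production values.
STUFFING_WINDOW_S = 60        # look at login attempts within this many seconds
STUFFING_MIN_USERS = 5        # distinct usernames from one device in the window
STUFFING_MAX_SUCCESS = 0.2    # at most this fraction of attempts succeed
BOT_MIN_REQUESTS = 8          # need enough samples to judge timing
BOT_MAX_GAP_STDEV_S = 0.05    # near-constant gaps between requests => scripted


def detect_credential_stuffing(events: list[Event]) -> list[tuple[str, str]]:
    """Flag devices that try many usernames with a low success rate in a short window."""
    logins: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.action == "login":
            logins[e.device_id].append(e)
    alerts = []
    for device, evs in logins.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the window fits in STUFFING_WINDOW_S
            while evs[end].ts - evs[start].ts > STUFFING_WINDOW_S:
                start += 1
            window = evs[start:end + 1]
            users = {e.user for e in window}
            success = sum(1 for e in window if e.ok) / len(window)
            if len(users) >= STUFFING_MIN_USERS and success <= STUFFING_MAX_SUCCESS:
                alerts.append(("credential_stuffing", device))
                break
    return alerts


def detect_session_hijack(events: list[Event]) -> list[tuple[str, str]]:
    """Flag session tokens used from more than one device fingerprint."""
    devices: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.session_id:
            devices[e.session_id].add(e.device_id)
    return [("session_hijack", sid) for sid, devs in devices.items() if len(devs) > 1]


def detect_automation(events: list[Event]) -> list[tuple[str, str]]:
    """Flag devices whose inter-request gaps are too regular to be a person tapping."""
    times: dict[str, list[float]] = defaultdict(list)
    for e in events:
        times[e.device_id].append(e.ts)
    alerts = []
    for device, ts in times.items():
        if len(ts) < BOT_MIN_REQUESTS:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if statistics.pstdev(gaps) <= BOT_MAX_GAP_STDEV_S:
            alerts.append(("automation", device))
    return alerts


def detect_all(events: list[Event]) -> list[tuple[str, str]]:
    return sorted(detect_credential_stuffing(events)
                  + detect_session_hijack(events)
                  + detect_automation(events))


# Constructed sample: one attacker rotating usernames, one hijacked session, one scripted client.
SAMPLE_EVENTS = (
    [Event(t, "dev-A", None, u, "login", ok)
     for t, u, ok in [(0.0, "u1", False), (2.1, "u2", False), (3.7, "u3", True),
                      (7.2, "u4", False), (9.9, "u5", False), (12.4, "u6", False)]]
    + [Event(100.0, "dev-B", "s-alice", "alice", "login", True),
       Event(105.3, "dev-B", "s-alice", "alice", "balance", True),
       Event(130.8, "dev-B", "s-alice", "alice", "statement", True),
       Event(140.0, "dev-C", "s-alice", "alice", "transfer", True)]   # same token, new device
    + [Event(200.0 + i * 0.5, "dev-D", "s-bob", "bob", "balance", True) for i in range(10)]
)

if __name__ == "__main__":
    for kind, subject in detect_all(SAMPLE_EVENTS):
        print(f"{kind}: {subject}")
```

Note that every one of these signals depends on the app reporting a device fingerprint and session identifier honestly; the point of the example is that the decision is made server-side, where an attacker who has patched the client cannot simply switch the check off.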
Too many apps stop protecting once a user is inside. They give the illusion of security while overlooking ongoing threats. That illusion is dangerous.
Your apps are lying to you. It’s time to start listening to what they’re actually doing and build a security posture that sees through the deception.
Written by
Jon Samsel
Head of Cybersecurity Business and Global Marketing
Commentary
Your Apps Are Lying to You