APIs, the invisible engines powering modern mobile apps, are fast becoming one of the biggest security liabilities in enterprise technology.
That’s the warning from Zimperium’s 2025 Global Mobile Threat Report, which describes mobile applications as an “attack surface hiding in plain sight.”
The report shows just how exposed most apps really are. Nearly half still contain hardcoded secrets like API keys. A third of Android apps (and more than half of iOS apps) leak sensitive data.
Even more worrying, 24% of Android and 60% of iOS apps lack protection against reverse engineering, making it easy for attackers to extract tokens, map API endpoints, and manipulate traffic.
The risks are amplified on compromised devices: one in 400 Android phones is rooted, and one in 2,500 iOS devices is jailbroken. That gives bad actors full control to tamper with apps, intercept communications, and automate fraud.
Finance and travel apps, in particular, remain dangerously exposed, with one in three Android finance apps and one in five iOS travel apps still vulnerable to man-in-the-middle attacks.
Traditional API security measures (gateways, proxies, and firewalls) were built for perimeter defense. But as Zimperium notes, they fall short in untrusted mobile environments where adversaries operate directly on the client side.
Tools like Frida and Xposed allow traffic manipulation before it even leaves the device. Meanwhile, SSL pinning, while designed to prevent man-in-the-middle attacks, also hampers visibility for API gateways.
Protecting APIs only at the perimeter is not enough, the report warns.
The solution, it says, is to extend protection into the app itself: hardening APIs against reverse engineering and requiring every request to prove it comes from a genuine, uncompromised app and device.
That means combining runtime defenses, code obfuscation, and secure key storage with app attestation, so backends can block traffic from clones, emulators, and compromised devices.
Schema validation alone, the report stresses, cannot defend against business logic abuses such as price manipulation or unauthorized access.
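As an added illustration (not code from the Zimperium report or any vendor's product), the sketch below shows the two backend-side points above: each request must carry an attestation token that is bound to the request body and asserts an intact device and genuine app, and the price is recomputed from the server's own catalog because schema validation alone accepts a well-formed but tampered request. The token format, the shared HMAC secret and the catalog are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumptions (constructed for this example): a shared secret issued by the attestation
# service, and a server-side price catalog in cents. A real attestation service would
# use asymmetric signatures and hardware-backed device claims; the checks are the same.
ATTEST_SECRET = b"demo-shared-secret"
CATALOG = {"sku-100": 4999}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(claims: dict) -> str:
    """Mint a token the way an attestation service would (assumed format: payload.signature)."""
    payload = b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ATTEST_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def make_demo_token(body: bytes, now: float, device="intact", app="genuine") -> str:
    """Constructed client side: token valid 60 s, bound to the exact request body."""
    return issue_token({"exp": now + 60, "device": device, "app": app,
                        "body_sha256": hashlib.sha256(body).hexdigest()})

def verify_token(token: str, body: bytes, now: float) -> tuple[bool, str]:
    """Reject malformed, forged, expired, unattested, or replayed-onto-other-body tokens."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(ATTEST_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["exp"] < now:
        return False, "expired"
    if claims["device"] != "intact" or claims["app"] != "genuine":
        return False, "device or app not attested"
    if claims["body_sha256"] != hashlib.sha256(body).hexdigest():
        return False, "token not bound to this request"
    return True, "ok"

def handle_checkout(token: str, body: bytes, now: float) -> tuple[int, str]:
    ok, reason = verify_token(token, body, now)
    if not ok:
        return 403, reason
    req = json.loads(body)
    # Schema check: shape is valid even when the client also sends a tampered "price".
    if not (isinstance(req.get("sku"), str) and isinstance(req.get("qty"), int) and req["qty"] > 0):
        return 400, "schema"
    if req["sku"] not in CATALOG:
        return 404, "unknown sku"
    if "price" in req and req["price"] != CATALOG[req["sku"]]:
        return 409, "price mismatch"          # business-logic check the schema cannot express
    return 200, f"charged {CATALOG[req['sku']] * req['qty']}"   # never trust a client price
```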
Protection for Users, Too
Randolph Barr, Chief Information Security Officer at Cequence Security, says that, from a security perspective, mobile devices need basic protections, not just for the organization but also for the users themselves.
“At a minimum, this means ensuring a screen lock is enabled, updates are applied in a timely manner, and that devices are not rooted (Android) or jailbroken (iOS). The real challenge is perception as users often see Mobile Device Management (MDM) as invasive, and executives sometimes see it as an unnecessary cost or a productivity hindrance.”
Reframe MDM as a Protective Measure
The way forward is communication, Barr adds. “Security leaders need to reframe MDM as a protective measure that benefits everyone. For employees, that means emphasizing that MDM helps safeguard their personal data as much as company data, and clarifying that it does not equate to ‘spying.’ For executives, the message should be tied to business risk and accountability: unmanaged devices increase the likelihood of breaches, regulatory fines, and reputational harm.”
Additionally, he says MDM and BYOD programs will increasingly need to integrate AI-driven app vetting and behavioral analysis into their security stack.
These corporate tools can do what the app stores won’t:
- Perform enhanced due diligence on installed apps by leveraging AI to analyze metadata, behavior, and network traffic
- Enforce ownership transparency checks by using AI to map developer identities and flag hidden ties
- Monitor data flow and storage behavior on the device, identifying apps that may exfiltrate data
- Apply real-time app behavior analysis to detect threats post-installation
- Provide continuous monitoring and re-evaluation of app risk as threat landscapes evolve
While MDM and BYOD controls are not a silver bullet, incorporating AI into these solutions can strengthen a layered security approach, raising the bar for attackers and reducing organizational risk, even when app stores fall short, Barr says.
“Furthermore, security leaders must build resilience while enabling innovation. They need to communicate the value of controls like AI-enhanced MDM not just as risk mitigation, but as enablers of secure digital agility. If Apple and Google won’t prioritize user protection through better enforcement, enterprises will have to fill that gap themselves with smarter, adaptive tools that protect both data and business continuity.”
Lacking Basic Protections
Vishrut Iyengar, Senior Solutions Manager at Black Duck, says that because mobile devices increasingly function as both endpoints and development environments, they have become a primary vector for attackers. “Today, we are facing a concerning reality: many enterprise mobile apps still lack basic protections such as code obfuscation, secure storage, and updated third-party libraries. These weaknesses remain exploitable even in managed enterprise environments.
“Security teams should no longer treat mobile as an isolated or secondary concern. Mobile apps must be tested continuously, on real devices, and incorporated into a broader application security strategy. This strategy should cover proprietary code, third-party SDKs, and open-source components to ensure complete risk coverage and application security without compromise.”
Securing the Work Itself
David Matalon, CEO at Venn, says that as more employees work remotely from home offices or while traveling, they’re not only using personal phones but also personal laptops, often over unsecured networks. The traditional perimeter is gone, and the Bring-Your-Own-Device (BYOD) reality for remote workers requires a shift in strategy: from securing the device to securing the work itself.
“Today’s technology enables organizations to isolate and protect work from any personal use on the same computer, even if the network or device is compromised. It’s time to stop asking ‘if’ work data and apps will be exposed on a personal device, and start planning for when it happens.”
Strong Encryption, Automated Patch Management
Darren Guccione, CEO and Co-Founder at Keeper Security, adds that for mobile devices, deploying real-time mobile threat detection and keeping devices and applications updated with the latest security patches can proactively defend against threats. “Strong encryption and automated patch management can further protect devices. MDM solutions that enforce compliance and restrict data access based on device health ensure a well-rounded mobile security strategy that goes beyond relying on OS updates alone.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.