Collection of Private Data Makes Mobile Apps Fat Target for Hackers
By John P. Mello Jr.
April 9, 2025 5:00 AM PT

Mobile applications are quietly attracting more and more malevolent attention — and for good reason. They contain a trove of private information about their users. In the iOS universe alone, 82.78%, or about 1.55 million apps, track private user data, according to the trends tracker Exploding Topics.

Mobile apps have also proven to be particularly vulnerable attack surfaces for cybercriminals. “Invisible” points of ingress and egress inside mobile apps can be compromised before legacy security tools even detect a breach. Those points include API calls, background syncing, and push notifications.

Satish Swargam, principal security consultant at Black Duck Software, an application security company in Burlington, Mass., explained that it is the mobile user who decides which permissions an app receives. “Most users do not diligently apply the permissions and broadly grant permissions, allowing malicious apps to exploit these invisible points,” he told TechNewsWorld.

What’s more, legacy tools often don’t identify suspicious behavior until it’s too late. AI-powered fraud can bypass multi-factor authentication, exploit memory-related bugs and vulnerabilities, and hijack transactions in real time.

“AI has changed the entire landscape for protecting mobile consumers, mobile transactions, mobile revenue, and mobile experiences. It’s lowered the barrier to creating attacks,” said Tom Tovar, CEO of Appdome, maker of a security and integration platform for mobile developers and enterprise professionals, in Redwood City, Calif.
“I think we’ve seen a real dark renaissance around the use of AI to create attacks, enhance them, amplify them, and levy them against more and more consumers more easily than ever,” he told TechNewsWorld.

“If you’re in the defense business, it’s an amazing time,” he said. “But if you’re just an average everyday consumer, it’s a pretty scary time.”

“AI-powered attacks both in the real world and with mobile apps are making it easier and faster for threat actors to compromise systems,” added Chris Hills, chief security strategist at BeyondTrust, a maker of privileged account management and vulnerability management solutions in Carlsbad, Calif.

“AI trained for malicious purposes can easily scan, discover, expose, and exploit flaws much more quickly than a normal human could ever,” he told TechNewsWorld. “This is why the fight to harness AI for good purposes is so important.”

Mobile App Design Lacks Built-In Security

Mobile apps are tempting targets for threat actors because they’re everywhere and packed with valuable information, said T. Frank Downs, senior director of proactive services at BlueVoyant, an enterprise cybersecurity company in New York City.

“Think about all the personal data your apps have access to — from your location and contacts to your financial details,” he told TechNewsWorld. “With everyone constantly glued to their phones, the potential for data harvesting is enormous. Plus, the mobile app landscape is so diverse, with lots of operating systems and app stores, making it challenging to roll out security measures that fit every scenario.”

In addition, many mobile apps aren’t securely designed. “Apps leak everything attackers need without resistance,” maintained Chris Wingfield, senior vice president for innovations at 360 Privacy, a digital privacy and security services provider in Nashville, Tenn.
“Mobile apps constantly emit soft identifiers such as install IDs, ad SDK metadata, and analytics payloads that expose device location and fingerprinting data,” he told TechNewsWorld. “None of it was designed for security, as it was originally designed for attribution.”

“Threat actors don’t need root access,” he said. “They just need the data exhaust. And mobile applications give it to them quietly, at scale, across millions of sessions. It’s one of the most reliable recon surfaces in use today.”

Tovar maintained that the security model for mobile applications is designed around regulatory compliance, not stopping fraud, account takeovers, or scams. “It’s a perfect place for attackers to spend their time,” he said.

“They’re going to follow the money, and if more people are transacting on unprotected mobile applications, it’s a veritable green field for attackers,” he added.

Security Gaps Leave In-App Activity Exposed

Blackhat hackers are also taking advantage of many organizations’ focus on backend security at the expense of endpoint security.

“Many existing schemes focus on backend analytics or user behavior signals, which don’t detect or stop threats occurring directly on the device or within the app,” explained Kern Smith, vice president of global solutions engineering at Zimperium, a mobile security company headquartered in Dallas. “This leaves gaps for malware, runtime manipulation, and credential theft,” he told TechNewsWorld.

Downs acknowledged that server-side protections and analyzing user activity to catch odd behavior are crucial security measures, but added, “They often miss the mark when it comes to securing the app itself — things like app logic, data storage, and communication can still be vulnerable. This backend-heavy approach can leave some doors wide open for attackers who know how to circumvent traditional defenses.”

That approach also ignores what many malicious actors are really seeking.
“Most protection schemes still assume the threat is credential-based,” Wingfield said. “However, modern targeting can start before an account even exists.”

“Ad SDKs, analytics tools, and attribution networks quietly collect a stream of metadata — IP-based geolocation, device model, OS version, time zone, motion events, and ad IDs,” he explained. “That telemetry leaves the app immediately — unencrypted, unaudited, and often unnoticed,” he noted.

“None of it hits the backend, so traditional fraud tools don’t see it, and behavioral models don’t flag it,” he continued. “Meanwhile, that stream gets stitched together across apps to map movement, infer routines, and cluster identities by place and pattern. The gap isn’t just technical; it’s conceptual. We’ve been protecting credentials while the telemetry is what’s being harvested.”

Server-Side Risks Still Dominate Mobile Threats

Nevertheless, there’s a solid rationale for focusing on backend apps and APIs.

“The mobile app has data for one user. The server side has data for all users,” said Jeff Williams, CTO and co-founder of Contrast Security, a runtime security company in Los Altos, Calif. “While there are some interesting risks on the client side, almost all of the critical risks are on the server side,” he told TechNewsWorld. “The risk is very asymmetric, and most of it falls on the server.”

“Opportunities for direct attacks on a mobile app are pretty limited,” he added. “Generally, attackers don’t listen for connections. They reach out to servers instead.”

Eric Schwake, director of cybersecurity strategy at Salt Security, an API security provider in Palo Alto, Calif., maintained there is a trend toward integrating in-app protection alongside traditional backend security measures.

“This trend arises from the understanding that mobile applications are becoming increasingly susceptible to attacks that circumvent backend defenses and strike directly at the app,” he told TechNewsWorld.
“In-app protection enhances security by reinforcing the app against tampering, reverse engineering, and runtime attacks,” he said. “This method is essential to tackle the changing threat landscape and defend against advanced attacks aimed directly at the app.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.