A new Sept. 18 report from Zimperium highlights that once APIs are embedded into app code, they become visible and exploitable, turning every app into a potential attack surface.Zimperium’s researchers found that nearly half of mobile apps still contain hardcoded secrets written directly into an app's source code, such as API keys, making them significant security risks.The researchers also found that 24% of Android and 60% of Apple iOS apps have no protection from reverse engineering. And 1 in 3 Android apps and more than half of iOS apps leak sensitive data.“Mobile devices increasingly function as both endpoints and development environments, so they’ve become a primary vector for attackers,” said Vishrut Iyengar, senior solutions manager at Black Duck. “Today, we are facing a concerning reality: many enterprise mobile apps still lack basic protections, such as code obfuscation, secure storage, and updated third-party libraries. These weaknesses remain exploitable even in managed enterprise environments.”Iyengar said security teams should no longer treat mobile as an isolated or secondary concern. Teams must test mobile apps continuously, on real devices, and incorporated into a broader application security strategy. Iyengar said this strategy should cover proprietary code, third-party SDKs, and open-source components to ensure complete risk coverage and application security without compromise.David Matalon, chief executive officer at Venn, said today’s risks go well beyond just mobile. Matalon said as more employees work remotely from home offices or while traveling, they’re not only using personal phones, they’re also using personal laptops, often over unsecured networks.“The traditional perimeter is gone, and the BYOD reality for remote workers requires a shift in strategy: from securing the device to securing the work itself,” said Matalon. “Today’s technology enables organizations to isolate and protect work from any personal use on the same computer, even if the network or device is compromised. It’s time to stop asking ‘if’ work data and apps will be exposed on a personal device, and start planning for when it happens.”Darren Guccione, co-founder and CEO at Keeper Security, added that for mobile devices, deploying real-time mobile threat detection and ensuring devices and applications are updated with the latest security patches can proactively defend against threats.“Strong encryption and automated patch management can further protect devices,” said Guccione. “MDM tools that enforce compliance and restrict data access based on device health ensure a well-rounded mobile security strategy that goes beyond relying on OS updates alone.”
Application security, Identity, Endpoint/Device Security

Nearly half of mobile apps contain hardcoded secrets

(Adobe Stock)

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



