The apps aren’t alright. Or at least that is the word amongst security execs at the RSAC 2025 Conference who believe there are fundamental issues and mistakes being made by mobile app developers when it comes to security best practices.
NowSecure Co-founder Andrew Hoog presented “525,600 Assessments Later: Top Mobile App Risks Since 2022” at the conference in San Francisco on Wednesday, revealing a litany of common issues in apps from the official Apple and Google Play app stores. Several of the top issues affect more than 75% of the apps tested, revealing the extent of the issue.
“People think mobile apps are being tested – they’re not,” Hoog stated, saying that the belief that apps from public app stores have been sufficiently vetted for security is a “myth.”
The more than half a million assessments were conducted by Hoog and the NowSecure team between January 2022 and February 2025.
The apps were assessed for violations of the
OWASP Mobile Application Security Verification Standard (OWASP MASVS), which is the industry standard for mobile app security, adopted by the National Institute of Standards and Technology (NIST), Google Android and several other standardization, certification and governmental institutions.
Here were the top five issues uncovered by these assessments:
5. Insufficient resilience against static analysis
“Understanding the internals of an app is typically the first step towards tampering with it,” states the description for OWASP MASVS standard MASVS-RESILIENCE-3.
The NowSecure team discovered that many applications lack sufficient resilience against static analysis and reverse engineering, due to problems such as failure to strip debug symbols, API information and hardcoded URLs from their code.
Hoog noted that it’s “very easy” for attackers to install an application’s code, and debug symbols in particular can be used to help de-obfuscate code and reveal details such as class names, function names and global variables.
Overall, nearly three-quarters of the tested apps left debug symbols in their code, 87% had API discovery issues and 68% exposed hardcoded URLs.
In a real-world example of the potential consequences of app reverse engineering, the My Security Account app was recently the subject of a
CISA Industrial Control Systems (ICS) advisory due to an exposed API that could reveal information about others users via a
broken object level authorization (BOLA) exploit, Hoog explained.
Similar security flaws can also aid cybersecurity researchers in “flipping the tables on the attacker,” such as in the example of
SparkCat mobile malware that was spread through fake AI, Web3 and food delivery apps in the Apple and Google app stores. Kaspersky researchers discovered that debug symbols left in the fake apps’ code revealed the attacker’s home directory paths.
4. Outdated and insecure encryption methods
More than 60% of the apps encrypted sensitive data, such as passwords and keys, using cryptography methods that were insecure or outdated, NowSecure found.
About a third reused initialization vectors for encryption and 20% used hardcoded static values for cryptography, making decryption easy for attackers, Hoog said. These flaws fall under the OWASP standard MASVS-CRYPTO-1.
NowSecure
found that the DeepSeek iOS app, which was the most downloaded app in the Apple App Store for several days in late January 2025, contained many cryptography flaws, including the use of outdated Triple DES encryption, hardcoded encryption keeps and reuse of initialization vectors.
Hoog said organizations should not only be keeping their cryptography methods up-to-date, but be looking ahead and considering the use of post-quantum cryptography (PQC) to protect sensitive app data from future attacks.
“We have people using algorithms that have been broken for 10 or 15 or 20 years. What we really need to be having people think about is what’s going to protect us 15 or 20 years into the future,” Hoog said.
3. Untested and vulnerable third-party SDKs
Hoog estimated, based on NowSecure’s research, that about 60% of code in apps comes from third-party sources other than the app developer.
Typical mobile app tests use static source code analysis to look for security flaws, but when developers lack access to the source code of the third-party software develop kits (SDKs) they use, “the majority of the code that we see in mobile apps isn't tested at all,” Hoog said.
About 84% of apps tested by NowSecure were flagged for potential weaknesses due to use of third-party SDKs or frameworks. Additionally, 15% contained third-party components with known vulnerabilities, failing OWASP standard MASVS-CODE-3.
Hoog noted many of these flaws, like one in an outdated version of libpng found in 13% of the tested apps, come from transitive dependencies, where a third-party component contains another third-party component, and so on.
Potentially dangerous SDKs can quickly proliferate through the mobile app supply chain, as seen with the suspicious
Pushwoosh SDK in 2022 and other Android or iOS SDKs.
2. Misconfigurations leak sensitive data
One of the most prevalent security flaws noted in the presentation was the failure to protect context registered broadcast receivers, a violation of OWASP standard MASVS-PLATFORM-1. This issue falls under the broader category of security misconfigurations, or “common mistakes that developers make,” as Hoog describes it.
Hardcoded cryptographic keys, found in nearly 20% of apps, were highlighted as having an especially high risk to leak sensitive data. Hardcoded API keys for AI services such as OpenAI and Anthropic, while only seen in about 1 out of 1,000 apps, were also noted to be a growing problem.
In a recent case, CISA released an
ICS medical advisory for the Qardio Heart Health app, which had a property list (plist) file containing usernames and passwords for the app’s backend services hardcoded into the app.
1. Failure to properly protect user privacy
Privacy continues to be a serious mobile app security concern, with countless free apps relying on extensive data collection in order to remain profitable. Hoog’s team found more than 75% of iOS apps were missing purpose strings that inform the user when protected resources like location are being accessed, despite requirements from Apple to include these strings.
Another major problem is the insecure storage and transmission over the internet of device identifiers, which many developers may not consider to be sensitive personal information. However, particularly on iOS, device identifiers commonly include user’s names — “Andrew Hoog’s iPad,” for example.
”What people don’t realize is based on how your user has configured their device, you may be inadvertently collecting things that would trigger under GDPR, CCPA and anything of that sort,” Hoog explained.
Overall, NowSecure found potentially sensitive information in HTTP cache databases on about 40% of apps, and HTTP requests in network traffic on nearly 1 out of every 10 apps. These issues fall under OWASP standard MASVS-PRIVACY.
A real-world example of the potential consequences of insecure user data collection and storage practices is the
Gravy Analytics breach of January 2025, which put the data of users of dozens of popular apps such as Tinder, Candy Crush and MyFitnessPal at risk.
How to get a hold on your mobile app attack surface
With all of these mobile app weaknesses coming to light, Hoog urged organizations to inventory all if the apps they use and create, and begin categorizing them by risk level based on the amount and types of sensitive data involved.
Hoog open-sourced a tool on GitHub called
export-intune-apps that can help with the inventory process, and the open source tool
MobSF by Ajin Abraham was also highlighted as a way to gain extensive information about each app, which will aid in security assessments.
Once their apps have been categorized by risk level, organizations can use OWASP MASVS as a guide for what kind of security testing should be conducted for each category.
As apps are continuously updated, organizations should establish a workflow to regularly test and ensure no new concerns arise from new versions.
“Apple and Google aren’t incentivized to do this level of testing. They need to make sure there isn’t malware, and there isn’t egregious breaking of their rules,” Hoog concluded. “If you come up with a technique to continually test your mobile apps, you’re going to significantly reduce the overall security and privacy risk at your organization.”
(Updated on 6/09/2025: An update to this article removes the name of a vendor who disputes an assertion made by Andrew Hoog, co-founder and board member of NowSecure, alleging that a previous version of its product was unsafe.) 
