COMMENTARY: Mobile applications have become essential infrastructure for business operations and customer engagement. As mobile adoption accelerates, privacy risks are expanding faster than many organizations can track and manage.

From dangerous permissions to opaque third-party code, mobile apps are rife with risks that can lead to compliance penalties, reputational harm, and security breaches.

Regulators have raised the stakes considerably. Google recently agreed to a $1.375 billion settlement with the Texas Attorney General, while Healthline reached a $1 billion settlement under the CCPA. With 20 states passing privacy regulations and more pending, regulators are clearly getting serious about data privacy.

Recent research analyzing more than 183,000 mobile applications reveals significant gaps between what apps claim to do with user data and their actual behavior. These disconnects expose organizations to regulatory violations and loss of customer trust at a time when both carry substantial consequences. The most common threat vectors are described below.

Dangerous permissions let hackers access sensitive resources such as storage, SMS, camera, microphone, photos, or precise location. The problem is not simply that these permissions exist, but that many apps request far more access than their core functionality requires. Combined with tracking behaviors, these elevated entitlements create significant opportunities for sensitive data to leak or be exploited by third parties.

For enterprises, this creates governance challenges. End users rarely understand the full scope of access they consent to when agreeing to a mobile app's terms of service, yet enterprises remain accountable when over-permissioned apps mishandle sensitive corporate or personal data on employee or customer devices.
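The permission review described above can be automated against an app's manifest. The following is an added example, not code from the column or from any vendor it discusses: it parses a decoded AndroidManifest.xml, flags the requested permissions that Android classifies as runtime ("dangerous") permissions, and reports which of them are not justified by the app's stated core functionality. The manifest, the app package `com.example.scanner`, and the `JUSTIFIED` set are constructed for the example; real APKs carry a binary manifest that must be decoded first (for instance with apktool) before being fed in.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree's form of android:name

# A subset of the permissions Android classifies as runtime ("dangerous"),
# mapped to the data they expose. Extend as needed for a full audit.
DANGEROUS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.READ_PHONE_STATE": "phone identity",
    "android.permission.READ_CALL_LOG": "call log",
}

# Constructed manifest for a hypothetical barcode-scanner app whose core
# function needs only the camera. Merged SDK manifests often add the rest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scanner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
    <application android:label="Scanner"/>
</manifest>
"""

# Permissions the product team can tie to a user-visible feature (constructed).
JUSTIFIED = {"android.permission.CAMERA"}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every permission the manifest requests, in document order."""
    root = ET.fromstring(manifest_xml)
    wanted = ("uses-permission", "uses-permission-sdk-23")
    return [el.get(NAME_ATTR) for el in root.iter() if el.tag in wanted]


def audit(manifest_xml: str, justified: set[str]) -> dict:
    """Split requested permissions into dangerous and unjustified-dangerous."""
    requested = requested_permissions(manifest_xml)
    dangerous = [p for p in requested if p in DANGEROUS]
    unjustified = [p for p in dangerous if p not in justified]
    return {
        "requested": requested,
        "dangerous": dangerous,
        "unjustified": unjustified,
        # Human-readable view of what the excess permissions expose.
        "exposes": sorted({DANGEROUS[p] for p in unjustified}),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, JUSTIFIED)
    print(f"{len(result['requested'])} permissions requested, "
          f"{len(result['dangerous'])} dangerous, "
          f"{len(result['unjustified'])} not justified by core functionality:")
    for perm in result["unjustified"]:
        print(f"  {perm}  ->  {DANGEROUS[perm]}")
```

Running the audit as part of the build, against the merged manifest rather than the app's own source manifest, is what surfaces permissions an SDK pulled in without anyone on the product team asking for them.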

Like web apps, mobile apps integrate numerous third-party software development kits (SDKs) and APIs to deliver functionality ranging from analytics and payments to advertising and crash reporting. This is common practice: the vast majority of mobile apps are built from third-party components, which often carry data-collection behaviors or vulnerabilities the primary developer may not fully understand or control.

These components often contain hidden data flows – pathways for information collection and sharing that occur beneath the application's surface code. Even if an enterprise tests its own code rigorously, it remains accountable for the behavior of embedded third-party components. Risk assessments that stop at first-party code leave critical gaps that adversaries and regulators can exploit.

Although external components are routinely used to build mobile apps, traditional security testing methods are not designed to identify the privacy risks they introduce. Unless the developer performs dedicated privacy testing, these data leaks may never be discovered.

Artificial intelligence adds another layer of complexity to the mobile app risk landscape. Of 183,000 apps analyzed in 2025, 18.3% use AI functionality. More critically, 3,541 of these apps transmit data to AI endpoints, and some transmissions were observed traveling unencrypted to cloud services.

The risks here are multifaceted. Sensitive data are often intercepted in transit or accessed once stored in AI services. AI models themselves may inadvertently leak training data through adversarial prompts, exposing sensitive information to other users. Furthermore, as AI capabilities expand in consumer and enterprise applications, the potential for unintended data exposure grows proportionally.

AI-powered features require substantial data to function effectively, and the integration points between mobile apps and AI services create new attack surfaces and data exfiltration pathways. With inadequate privacy controls, sensitive business information, user data, and proprietary algorithms are likely to be exposed to unauthorized parties.

Mobile application security testing has traditionally focused on identifying vulnerabilities like insecure data storage or flawed authentication mechanisms. While essential, security testing remains fundamentally different from privacy testing. Static analysis tools can examine code, but miss runtime behaviors. Dynamic testing can identify network traffic, but struggles to correlate data flows with specific SDKs and business logic. This creates systematic blind spots where privacy violations persist undetected across development cycles.
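The blind spot described above, dynamic testing that sees network traffic but cannot tie it to the SDK that produced it, is exactly what privacy testing has to close. The following is an added example, not code from the column or from any testing vendor: it takes flow records as an instrumented test device might export them (request URL, body, and the class that initiated the request), attributes each flow to the app itself or to an embedded SDK by package prefix, and flags the conditions the column names, namely plaintext transport, transmission to an AI endpoint, and personal data leaving through a third-party component. The flow records, the app package prefix `com.example.shop.`, the host inventory in `AI_ENDPOINT_HOSTS`, and the "first two package components identify the SDK" convention are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed for the example: the app's own package prefix and the AI API
# hosts the privacy team has inventoried. Populate both from your own records.
FIRST_PARTY_PREFIX = "com.example.shop."
AI_ENDPOINT_HOSTS = {"inference.ai-vendor.example"}

# Detectors for the personal data types the column singles out.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\+?\d[\d\s-]{8,}\d"),
    "gps_fix": re.compile(r"-?\d{1,2}\.\d{4,},\s*-?\d{1,3}\.\d{4,}"),
}

# Constructed flow records from a hypothetical test run. The "caller" field is
# the class that issued the request, as a hooking framework on the device
# would record it; that attribution is what lets findings be tied to an SDK.
FLOWS = [
    {"url": "https://api.shop.example/v1/cart",
     "caller": "com.example.shop.Checkout",
     "body": '{"cart_id": "c-1", "total": 42.0}'},
    {"url": "http://inference.ai-vendor.example/v1/complete",
     "caller": "com.example.shop.Assistant",
     "body": '{"prompt": "my order for jane.doe@example.com never arrived"}'},
    {"url": "https://telemetry.adsdk.example/collect",
     "caller": "com.adsdk.core.Tracker",
     "body": '{"loc": "37.7749, -122.4194", "adid": "a1b2c3"}'},
    {"url": "https://crash.reporter.example/upload",
     "caller": "com.crashlib.Uploader",
     "body": '{"stack": "NullPointerException", "phone": "+1 415 555 0100"}'},
]


def sdk_of(caller: str) -> str:
    """Attribute a request to the app or to an embedded SDK by package prefix."""
    if caller.startswith(FIRST_PARTY_PREFIX):
        return "first-party"
    # Constructed convention: the first two components name the SDK vendor,
    # e.g. com.adsdk.core.Tracker -> com.adsdk.
    return ".".join(caller.split(".")[:2])


def detect_pii(body: str) -> list[str]:
    """Return the kinds of personal data found in a request body."""
    return [kind for kind, pat in PII_PATTERNS.items() if pat.search(body)]


def analyze(flows: list[dict]) -> list[dict]:
    """Correlate each flow with its SDK and list the privacy issues it raises."""
    findings = []
    for idx, flow in enumerate(flows):
        parts = urlsplit(flow["url"])
        issues = []
        if parts.scheme != "https":
            issues.append("plaintext-transport")
        if parts.hostname in AI_ENDPOINT_HOSTS:
            issues.append("ai-endpoint")
        pii = detect_pii(flow["body"])
        issues.extend(f"pii:{kind}" for kind in pii)
        sdk = sdk_of(flow["caller"])
        if pii and sdk != "first-party":
            issues.append("third-party-pii")   # personal data leaving via an SDK
        if issues:
            findings.append({"flow": idx, "sdk": sdk,
                             "host": parts.hostname, "issues": issues})
    return findings


def by_sdk(findings: list[dict]) -> dict:
    """Roll findings up per SDK, the view a privacy review actually needs."""
    summary: dict[str, set[str]] = {}
    for f in findings:
        summary.setdefault(f["sdk"], set()).update(f["issues"])
    return summary


if __name__ == "__main__":
    results = analyze(FLOWS)
    for f in results:
        print(f"flow {f['flow']} -> {f['host']} [{f['sdk']}]: {', '.join(f['issues'])}")
    for sdk, issues in by_sdk(results).items():
        print(f"{sdk}: {sorted(issues)}")
```

Run against a captured session, the per-SDK roll-up turns "the app sent location somewhere" into "the advertising SDK sent a precise GPS fix to its telemetry host", which is the finding a developer can act on and a regulator will ask about.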

Addressing mobile app privacy requires comprehensive privacy testing that examines the complete lifecycle of data within applications—from collection through transmission to ultimate destination—with particular attention to third-party components.

Organizations must also bridge gaps between development, security, and privacy teams. They can’t treat privacy as an afterthought addressed late in development cycles. Much like with security testing, mobile apps also need specialized privacy testing that catches issues before they reach production.

Clearly, the cost of unaddressed privacy risk has risen fast. Given the highly personal data that resides in mobile apps, the damage goes beyond regulatory fines and litigation: it can very quickly erode customer trust in a way that no settlement can fully repair.

Just ask Neon, which went offline about a week ago – and has stayed that way for now – after a security flaw let anyone access the phone numbers, call recordings, and transcripts of any other user.

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.