Mobile app protection took center stage in a recent webinar, “Mobile Application Security Relay,” hosted by KomodoSec and Verimatrix. The event brought together Alex Dick from Verimatrix and Ellen Shaatiel, a penetration tester at KomodoSec, to share best practices for protecting mobile apps, with a particular focus on Android. The name reflects the relay between the two disciplines the speakers represent: penetration testing, which finds the weaknesses, and real-time protection and monitoring, which defends against them once the app is in users' hands.

Shaatiel opened by explaining why Android poses distinctive protection challenges. As an open-source platform, Android encourages innovation, but the same openness means its internals are fully available to attackers as well as developers, and it is a prime target for them.

“The Android operating system is open source, and everything that you do there and everything that happens there is known to everyone and to attackers as well,” she said. With Android running on more than half of the world’s mobile devices, its reach and the broad permissions apps can obtain (such as drawing over other apps or acting through accessibility services) give attackers plenty of room to operate.

Trojans are the biggest threats to unprotected Android apps

One of the most common threats Android users face today is malware, particularly Trojans: programs that pose as legitimate apps and abuse legitimate Android features, such as screen overlays and accessibility services, to steal sensitive information.

Shaatiel pointed out a tool called Zombinder that attackers use to insert harmful code into seemingly trustworthy apps. She said, “Zombinder is available on the black market, and it’s very easy to use… Trojans are normally disguised as an innocent application or a modded application, and it’s had Trojans put into it.”

Shaatiel continued, “Trojans use overlay attacks to attack banks, to attack other applications like Netflix, to give them your credit card. And obfuscation, again, won’t protect against that. That’s an external application trying to attack your application with an overlay. And the same thing goes for accessibility abuse, where an application takes control of your phone. All of these are just not covered by obfuscation.”

The risks go beyond individual users. Businesses that don’t prioritize app protection risk losing sensitive data and intellectual property.

During the webinar, Shaatiel showed how easy it is to recover critical information, such as API keys and backend URLs, from apps that lack adequate protection. Using JADX, an open-source decompiler that turns an APK’s Dalvik bytecode back into readable Java source, she demonstrated that these values can be read straight out of the decompiled code with minimal effort. For businesses, this kind of exposure is why a strong protection approach is essential.

Shaatiel emphasized, “But attackers don’t just use Trojans to attack users; they also try to attack the company that’s creating the application. Whether that be through the open source nature of these applications, you can decode them and see what’s written inside of them. If there are any secrets or keys inside, you can use them to attack the company, get into their AWS, and do all sorts of stuff.”

Code obfuscation is a must, but it’s not enough

A lot of developers use code obfuscation to try to protect their apps, but Shaatiel pointed out its limitations. “A skilled attacker can still reverse engineer this. And if I wanted to understand what’s going on here, I could do it quite easily.” 

Obfuscation may deter less experienced attackers, but it falls short against skilled ones with good tooling. To illustrate this, Shaatiel presented a weather app she had built specifically for the webinar. Even with its code obfuscated, sensitive data such as API keys remained exposed: renaming classes, methods, and fields hides what a value is called, but the string constant holding the key is still present in the decompiled output for anyone who searches for it.
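To make that demonstration concrete, here is an added example in Python (not code from the webinar, KomodoSec, or Verimatrix): it scans a JADX-style output tree for hard-coded secrets and backend URLs. The files, package names, and keys it writes are constructed placeholders (the AWS value is Amazon’s documented example key, the Google-style key is a fake string of the right shape), and the directory layout assumes the sources/ and resources/ folders that `jadx -d <out> app.apk` produces. The second sample file is the same class with its identifiers renamed, which is where the point of the weather-app demo shows up: the rule that keys on a variable’s name no longer fires, but the rule that keys on the secret’s own format still does.

```python
"""
Added example, not code from the webinar or from KomodoSec or Verimatrix:
scan JADX-decompiled output for hard-coded secrets and backend URLs, and
show that identifier renaming does not hide string constants. The sample
files are constructed here; the keys in them are placeholders.
"""
import re
import tempfile
from pathlib import Path

FAKE_GOOGLE_KEY = "AIza" + "Sy" + "FAKE" * 8 + "0"  # 39 chars, the public Google API key shape
FAKE_AWS_KEY = "AKIAIOSFODNN7EXAMPLE"                # AWS documentation example access key ID

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    # Heuristic: a variable whose NAME says it holds a secret. This is the
    # rule that identifier renaming defeats.
    "secret_by_name": re.compile(r'(?i)\b(api[_-]?key|secret|token)\s*[=:]\s*"([^"]{16,})"'),
    "backend_url": re.compile(r"""https?://[^\s"'<>]+"""),
}
SCAN_SUFFIXES = {".java", ".kt", ".xml", ".json", ".properties"}

# Constructed sample tree. Layout follows `jadx -d <out> app.apk`:
# decompiled classes under sources/, unpacked resources under resources/.
SAMPLE_FILES = {
    "sources/com/example/weather/ApiClient.java": f'''package com.example.weather;

public class ApiClient {{
    private static final String API_KEY = "{FAKE_GOOGLE_KEY}";
    private static final String BASE_URL = "https://api.example-weather.test/v1";
}}
''',
    # The same class after name obfuscation: the names are gone, the strings are not.
    "sources/a/b/c.java": f'''package a.b;

public class c {{
    static final String a = "{FAKE_GOOGLE_KEY}";
    static final String b = "https://api.example-weather.test/v1";
}}
''',
    "resources/res/values/strings.xml": f'''<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Weather</string>
    <string name="upload_key">{FAKE_AWS_KEY}</string>
</resources>
''',
}


def scan_file(path: Path, root: Path) -> list:
    """Run every pattern over every line; report file, line, rule and match."""
    findings = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({
                    "file": path.relative_to(root).as_posix(),
                    "line": lineno,
                    "rule": rule,
                    "match": m.group(0),
                })
    return findings


def scan_tree(root: Path) -> list:
    """Walk a decompiled tree and scan source and resource files."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            findings.extend(scan_file(path, root))
    return findings


def build_sample_tree(root: Path) -> None:
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def hits(findings) -> set:
    """Set of (file, rule) pairs, convenient for comparing the two builds."""
    return {(f["file"], f["rule"]) for f in findings}


def demo() -> list:
    """Build the sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']}  {f['rule']}  {f['match']}")
```

Run against a real tree with `scan_tree(Path("out"))` after `jadx -d out app.apk`. The name-based rule reports the key in ApiClient.java but not in the renamed c.java; the format-based rule reports it in both, which is the practical lesson: obfuscation changes what an attacker has to grep for, not whether the secret is there.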

Her demonstration drove home a crucial point: effective app protection requires a multi-layered approach, not just a single line of defense. “Multi-layered security is required in Android and in iOS. You need security, not just from the device but all the way from your servers and APIs to the device. And you can’t achieve that without testing your applications, without making sure that they’re protected with a lot of layers… you really want to waste someone’s time in every single way possible. But more than that, you want to see that, right?”

Introducing Alex’s presentation, Shaatiel said, “I think what we’ve seen during this webinar so far is how important a unified approach is to the myriad of threats in the market and the vulnerable applications. We need to have a unified approach both from attackers and protectors.”

Verimatrix’s three-pronged approach

Alex Dick introduced Verimatrix’s solution to these challenges: a comprehensive protection strategy built around prevention, detection, and correction.

1. Prevention

Verimatrix goes beyond basic obfuscation with techniques such as code scrambling, control-flow restructuring, and anti-tamper mechanisms.

“The protections we apply are preventative. So we’re hardening the application. We’re making sure that there’s little understanding of how it operates,” Alex explained. These methods make it far more difficult for attackers to reverse-engineer or tamper with apps. Hardening an app can also slow down attackers. “As an attacker, as somebody who’s trying to get at your secrets, getting through this kind of obfuscation is going to take me a lot of time.”

2. Real-time detection

Detecting and addressing threats before they can escalate is a crucial part of mobile app protection. Real-time detection lets developers identify an attack while it is in progress rather than after the damage is done.

Verimatrix provides dashboards that monitor app activity, flag suspicious behavior, and rate each risk by severity. Ranking threats this way lets businesses focus on the most urgent issues and allocate their response effort accordingly.

Developers can quickly spot attacks such as API abuse or network manipulation and stop a potential breach before it escalates. With real-time insight into what is happening in the field, teams can refine their protections as threats change.

3. Correction

Recognizing that no system can be completely hack-proof, Verimatrix places a strong emphasis on limiting the damage if an attack occurs. 

“What we look at there is to add additional layers and measures to protect that,” Alex said. Verimatrix tools give developers the ability to remotely disable compromised apps or block devices showing suspicious activity, which helps to reduce the impact of potential breaches. “We want to make the journey, the job of someone who’s trying to attack it, as difficult as possible to waste as much time as possible on that application.”
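The detection and correction steps described above can be sketched in code. The following is an added example in Python, not the Verimatrix product and not code shown in the webinar: it correlates constructed runtime-integrity events (root, hooking framework, signature mismatch, debugger, intercepting proxy) per device over a short time window, scores them against an assumed severity table, ranks devices so an operator sees the worst first, and exposes a gate a backend could consult before serving a device judged compromised. The event schema, signal names, weights, and thresholds are all assumptions chosen for this illustration.

```python
"""
Added example, not from the webinar and not Verimatrix's or KomodoSec's
code: correlate runtime-integrity signals reported by app instances and
turn them into prioritized detection and correction actions. The event
schema, signal names, weights and thresholds are assumptions; the log
lines are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry, one JSON object per line, as an app's protection
# layer might report it to a backend. Field names are assumed.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T10:00:00Z", "device": "d-1", "signal": "root_detected"}
{"ts": "2024-05-01T10:00:05Z", "device": "d-1", "signal": "hooking_framework_detected", "detail": "frida-agent"}
{"ts": "2024-05-01T10:00:30Z", "device": "d-1", "signal": "signature_mismatch"}
{"ts": "2024-05-01T10:02:00Z", "device": "d-2", "signal": "root_detected"}
{"ts": "2024-05-01T10:03:00Z", "device": "d-3", "signal": "debugger_attached"}
{"ts": "2024-05-01T11:45:00Z", "device": "d-3", "signal": "proxy_detected"}
"""

# Weight per signal (assumed). Tampering with the binary or attaching a
# hooking framework is treated as far more serious than a rooted device on
# its own, which plenty of legitimate users have.
SIGNAL_WEIGHT = {
    "signature_mismatch": 10,         # repackaged or patched APK
    "hooking_framework_detected": 8,  # e.g. Frida or Xposed present
    "debugger_attached": 5,
    "root_detected": 3,
    "proxy_detected": 3,              # traffic routed through an intercepting proxy
    "emulator_detected": 1,
}
WINDOW = timedelta(minutes=15)   # signals this close together are correlated
BLOCK_AT, ALERT_AT = 10, 5       # assumed thresholds on the window score


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def device_score(events: list) -> int:
    """Max summed weight of distinct signals inside any WINDOW-long span."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(events):
        seen = {}
        for e in events[i:]:
            if e["ts"] - start["ts"] > WINDOW:
                break
            seen[e["signal"]] = SIGNAL_WEIGHT.get(e["signal"], 0)
        best = max(best, sum(seen.values()))
    return best


def triage(events: list) -> dict:
    """Score every device and decide monitor / alert / block."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)
    report = {}
    for device, evs in by_device.items():
        score = device_score(evs)
        if score >= BLOCK_AT:
            action = "block"
        elif score >= ALERT_AT:
            action = "alert"
        else:
            action = "monitor"
        report[device] = {
            "score": score,
            "action": action,
            "signals": sorted({e["signal"] for e in evs}),
        }
    return report


def prioritized(report: dict) -> list:
    """(device, action, score) tuples, worst first, for an operator's queue."""
    return sorted(((d, r["action"], r["score"]) for d, r in report.items()),
                  key=lambda t: -t[2])


def is_blocked(device: str, report: dict) -> bool:
    """Gate a backend could check before serving a session: the correction step."""
    return report.get(device, {}).get("action") == "block"


if __name__ == "__main__":
    rep = triage(parse_events(SAMPLE_EVENTS))
    for device, action, score in prioritized(rep):
        print(f"{device}: {action} (score {score}) signals={rep[device]['signals']}")
```

In the sample data d-1 reports root, a hooking framework, and a signature mismatch within thirty seconds and is blocked; d-3 reports a debugger and, more than an hour later, a proxy, so the two never combine and it only raises an alert; d-2 is merely rooted and stays under observation. The window is what keeps a single benign signal from escalating on its own, and the per-device gate is what lets the backend stop serving an instance without waiting for an app update.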

A side-by-side comparison shows how Verimatrix stands out

One of the webinar’s highlights was Shaatiel’s side-by-side comparison of three apps: an unprotected app, an obfuscated app, and one protected by Verimatrix. The differences were dramatic. While the first two left sensitive data wide open, the Verimatrix-protected app presented significant obstacles to an attacker.

By encrypting key information and embedding protection measures directly into binary files, Verimatrix made it exceptionally difficult for hackers to break in without investing enormous amounts of time and resources. “The more layers, the more protections we put in, the more work that has to be applied by the reverse engineers,” Alex said.

But both Shaatiel and Alex emphasized that mobile app security isn’t only about the app itself: it extends to the backend servers, APIs, and every other system the app talks to. “We need encryption; we need secure APIs on our backend and on our servers. We need runtime monitoring to make sure it’s not rooted, to make sure there’s no hooking, and to make sure there’s no tampering,” Alex said. Regular testing and thorough validation are key to catching vulnerabilities before attackers do.

While the webinar focused on Android, iOS wasn’t left out of the conversation. Although Apple’s ecosystem is often regarded as more secure, it’s far from invulnerable. 

Jailbroken iPhones, for instance, can expose users to many of the same threats that rooted Android devices face. For apps handling sensitive data, adopting a multi-layered shielding approach is just as essential on iOS as it is on Android.

The driving need for better mobile app security in high-stakes industries

Certain industries, such as finance, media, and automotive, face even greater risks. These sectors handle extremely sensitive data, which makes them attractive targets for cybercriminals. In addition, regulatory requirements such as PCI DSS, GDPR, and DORA push businesses in these fields to adopt rigorous measures.

For companies in these industries, protection must be a top priority and not a secondary concern. “A breach isn’t just a technical problem—it can result in financial losses, reputational damage, and legal consequences,” Alex noted. Comprehensive protections are essential for safeguarding not only customer data but also the trust and credibility that businesses depend on.

Mobile apps have become central to most people’s lives and livelihoods, and their protection will only become more critical in the years ahead. “A layered approach that combines prevention, detection, and correction offers the best defense against today’s threats and those yet to emerge,” Alex explained. 

By investing in advanced protections, companies can create apps that are ultimately more resilient. “So as a job, I will help the customers understand what the threat is and what is potentially necessary for their application,” Alex explained. “Developers who prioritize these principles can build apps that not only protect users but also stand the test of time.”