While mobile apps have become the preferred way businesses and customers choose to interact, communicate, and transact, the adoption of mobile app protection remains surprisingly low worldwide. No matter the industry or country, most apps are not shielded from attacks, leaving customers to assume they are downloading secure, frequently tested apps when they are not. This is not only frightening; it’s irresponsible and totally preventable.

Verimatrix’s internal data, combined with survey and roundtable findings gathered from our research partner, ISMG, unearthed several critical challenges that organizations face in securing their apps, along with potential actions that can be deployed to improve their application security posture. 

Let’s delve into some of these insights, exploring some of the key issues and discussing what can be done to enhance mobile app security, and by doing so, safeguard millions of unwitting consumers.

What we uncovered

1. An uptick in app usage and increasing attack signals

Mobile popularity has expanded the attack surface for companies that publish apps. In 2024 alone, we have seen a dramatic increase in branded attack kits available on the dark web, specifically targeting some of the world’s top brands. 

These kits, which are easily accessible and affordable even to low-skilled attackers, pose a serious threat to firms that rely heavily on mobile apps to drive their business. Verimatrix’s AI tools have also seen a steady increase in app vulnerability signals, ranging from known CVEs to novel attack techniques.

The popularity and increased usage of mobile apps, the easy access to powerful attack tools, and the uptick in threat signals underscore the need for businesses to adopt a more proactive approach to cybersecurity. 

At the ISMG roundtable, cybersecurity experts from the healthcare and banking sectors highlighted how the increasing volume of cyber threats at the mobile endpoint is becoming a topic of growing concern. The discussions emphasized the importance of understanding and mitigating the risks associated with mobile apps, especially those running on unmanaged consumer devices. Yet, despite this awareness, many organizations remain slow to implement comprehensive app security measures.

2. Lack of threat detection and response for apps

Despite the heightened threat landscape, only a small fraction of organizations are utilizing advanced app security tools, such as monitoring of their connected app ecosystems. These solutions are crucial for quickly identifying new threats and mitigating vulnerabilities before they can be exploited. 

However, the survey revealed a substantial gap in the deployment of these layered security measures. Even more surprisingly, many participants did not know if they were performing regular penetration testing on their apps—an essential requirement in regulated industries like financial services and healthcare.

Why the shortfalls? Many CISOs and app developers we spoke to cited challenges integrating app security practices into their current software development lifecycle. Most recognized the need for security to be embedded at every stage of app development—from initial design to deployment—but few were doing it. 

On the topic of generative AI (GAI) in software development, tools like GitHub Copilot were cited as a way to accelerate app development, but also as a source of new security challenges. There was a general concern that reliance on GAI for code generation, particularly among less experienced developers, could result in vulnerabilities going undetected, especially those in the open source libraries the generated code depends on.

3. Limited security budgets and staffing resources

One of the most significant barriers to implementing robust app security measures is the limitation of budgets and resources. Some organizations struggle to allocate sufficient funds and qualified cybersecurity personnel to adequately protect mobile apps. 

Our ISMG survey and roundtable highlighted how these financial constraints are often used as a convenient excuse for not implementing app protection. However, the cost of not deploying security can be far greater, particularly if consumer PII is compromised. The potential brand damage and financial loss can be significant, not to mention regulatory fines and customer churn.

4. Challenges in app visibility

A significant challenge in app security is the issue of visibility, particularly for organizations that do not develop their mobile apps in-house. 

Our survey revealed that only about 50% of organizations develop their apps internally, with the rest relying on third-party vendors. This reliance on external developers can lead to significant gaps in protection: even when a vendor has been asked to secure the app, the organization often has no visibility into the vendor’s security practices and no way to verify that the work was done.

ISMG roundtable participants discussed the challenges of managing third-party risk and ensuring that their app development and publishing ecosystems were secure. The lack of insight into outsourced app development can leave businesses vulnerable to security blind spots. 

This is particularly concerning given the increasing complexity of app ecosystems, where interconnected systems and third-party supply chain libraries can introduce unseen vulnerabilities. 

Compounding this, mobile apps developed in-house did not always fall under the security purview of internal security teams—some actually fell under marketing or product. When app security did fall under the responsibility of internal security teams, it was often overshadowed by 20 other “more pressing” security needs, such as WAF, MDR, and XDR.

5. AI-driven threats and equal countermeasures

As artificial intelligence continues to grow in popularity and usage, cybercriminals are exploring ways to increase the speed and scale of their attacks. These AI-aided techniques could pose new levels of cyber risk that are difficult to anticipate and defend against, making them particularly concerning for mobile apps.

The security experts we spoke to discussed their fears of AI being used to exploit weaknesses in app code, bypass conventional security protocols, and even mimic legitimate user behavior to evade detection. AI-enabled defenses were cited as critical to combating AI threats, along with continuous monitoring and threat detection.

6. Lack of C-level priority

One of our most surprising and concerning findings was the lack of priority given to mobile app security at the C-level. In many organizations, other security issues take precedence, leaving app security underfunded and under-managed. 

This should be considered a dangerous oversight, especially considering that for many brands, mobile apps are a critical component of their business strategy. Application security may need to be elevated to a strategic priority within app-centric organizations. 

Integrating security into the app development process, such as by adopting a DevSecOps approach, could ensure that cybersecurity is not an afterthought. 

Another way to ensure apps get the C-level attention they need is accountability. With mobile app security often falling through the cracks due to a lack of clear ownership, organizations should establish clear lines of responsibility and ownership for app security.

7. Balancing security and usability

A key theme that emerged from the ISMG roundtable was the challenge of implementing stringent security measures without compromising the customer experience. This is particularly important in the context of mobile apps, where a poor user experience, such as a slow app load time, could negatively impact a customer’s perception of the brand. 

Poor word-of-mouth can be avoided when users are satisfied with how easy the app is to use and how it functions over time.

Implementing app protections without degrading the app’s usability was cited as the ideal balance. For example, multi-factor authentication can enhance security, but it must be user-friendly and should not introduce unnecessary friction.

Another example is ease of deployment. Since apps are updated on a regular basis, zero-code solutions can be ideal for app developers to adopt: the protective wrapper is applied to each new release as a step in a security-aware CI/CD pipeline, rather than being re-integrated by hand every time.

8. Disconnect between perception and independent testing

A revealing aspect of our surveys and conversations with security practitioners was the disconnect between how organizations perceive the security of their own apps and the reality revealed by independent testing. 

While most respondents rated their own apps as moderately or highly secure, only a small percentage believed that other apps in the wild were secure. Independent studies suggest that over 90% of published apps are unprotected, indicating a significant gap between perception and reality.

This disconnect may point to a broader issue of overconfidence and complacency in app security. Many app-centric businesses believe that because they have not yet experienced a major attack against their apps, they are immune from harm. 

However, as our discussions revealed, an app that has not been attacked yet is not necessarily safe. The best security is proactive rather than reactive, and organizations should regularly test and validate their cybersecurity measures to ensure they are effective.

What it takes to power through

The low adoption of mobile app protection across industries and geographies is a cause for concern, particularly as cyber threats continue to evolve and escalate rapidly. Insights gleaned from both Verimatrix and ISMG highlight the need for businesses to take a more proactive approach to mobile app security before it’s too late.

App safety tips:

The path forward means taking action instead of watching from a distance. Improving your app protection posture doesn’t require a comprehensive security program from the outset. Businesses just need to start. Put one tip into practice. Then try another. And another.