In 2025, most of us are reliant on our mobile devices for everything from communication to transportation and commerce. But the applications that are powering these functions are leaving users open to risk…
It is no secret that many of us would be helpless without our mobile devices. Similarly, our mobile devices would be helpless without APIs. APIs are what allow mobile applications to communicate with one another, and send and receive requests between platforms, such as between your phone and the mobile application's cloud platform.
If these APIs aren’t secure, the information you are putting into your mobile applications, which can include location data, banking details, and other PII, isn’t secure either.
A recent report from Zimperium revealed that mobile applications often fail to follow best practices around authentication and authorization, which leads to critical vulnerabilities for the user.
A secure application should use tokens that stand in for the user’s login credentials, rather than granting direct access through the login itself. Best practices around authentication such as session-based authentication and header-based authentication can also help ensure that only authenticated users gain access.
Session-based authentication tracks an authenticated user’s activity in a server-side session, identified by a unique session ID that references the stored information about that user. The session ID is kept in a cookie that is sent with each request, and each server receiving a request can check that the session ID belongs to the authenticated user.
Header-based authentication uses HTTP headers to authenticate the user on a separate server externally, sometimes a web gateway or proxy server.
However, some developers hard-code an API key into the app as a shortcut, meaning every user of the app presents the same token. This is a bad practice when it comes to cybersecurity, because if one user is compromised, they effectively all are: the key cannot be revoked for one client without revoking it for everyone. Even AI coding assistants will generally refuse to hardcode API keys, as they have been built to avoid it for security reasons.
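To make the contrast concrete, here is an added toy backend in Python (not code from the Zimperium report or from FireTail) that puts the shared hardcoded-key check beside a per-user session store of the kind described above; the key value, TTL and user names are constructed placeholders.

```python
import hmac
import secrets

# --- The anti-pattern: one key baked into the app build, shared by every install ---
HARDCODED_API_KEY = "app-build-key-0001"  # constructed placeholder, not a real key


def authorize_with_shared_key(presented_key: str) -> bool:
    """Every client presents the same key, so the server cannot tell users apart.
    If one device leaks the key, the only remedy is to rotate the constant and
    ship a new build, which breaks every legitimate client at once."""
    return hmac.compare_digest(presented_key, HARDCODED_API_KEY)


# --- The recommended pattern: a per-user session ID issued after login ---
SESSION_TTL_SECONDS = 15 * 60  # assumed lifetime for this example


class SessionStore:
    """Server-side session table: session_id -> (user_id, expires_at)."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, float]] = {}

    def login(self, user_id: str, now: float) -> str:
        """Issue a random, unguessable session ID; the app keeps this ID (in a
        cookie or an HTTP header) instead of the user's credentials."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (user_id, now + SESSION_TTL_SECONDS)
        return session_id

    def authenticate(self, session_id: str, now: float):
        """Return the user bound to this session, or None if unknown or expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[session_id]  # expired sessions are dropped
            return None
        return user_id

    def revoke(self, session_id: str) -> None:
        """Revoking one session cuts off one compromised device, nobody else."""
        self._sessions.pop(session_id, None)


def demo() -> tuple:
    """One compromised user is revoked; another user's session keeps working
    until its TTL lapses. Returns (alice_after_revoke, bob_now, bob_after_ttl)."""
    store, t0 = SessionStore(), 1_700_000_000.0
    alice, bob = store.login("alice", t0), store.login("bob", t0)
    store.revoke(alice)
    return (store.authenticate(alice, t0 + 1), store.authenticate(bob, t0 + 1),
            store.authenticate(bob, t0 + SESSION_TTL_SECONDS + 1))
```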
As we see in the tables below from the Zimperium report, both Android and iOS applications have a whole host of vulnerabilities; however, Android seems to be significantly worse, particularly with regard to hardcoded API keys.
The numbers are staggering: between 5 and 9 percent of Android applications use hardcoded API keys. The percentage is highest, at an alarming 8.7%, for lifestyle apps, which include journaling, meditation, planning apps, and some social media.
For iOS applications, this number is slightly lower, between 1.6% and 3.6%. However, when you consider the sheer number of applications and installations out there, this is still too high.
In addition to the applications that use hardcoded API keys, there are many other glaring vulnerabilities brought to light in the Zimperium report.
For example, large percentages of Android applications and smaller but still significant percentages of iOS applications are still using vulnerable encryption algorithms.
And on the whole, both iOS and Android applications have a startlingly large percentage that leak sensitive data.
For iOS, the biggest culprits are travel applications, of which around 59% (more than half) leak sensitive data, and financial applications follow closely behind at 54%. This is even more worrying considering the types of PII these apps handle.
For Android, entertainment apps such as social media have the highest percentage of data leakage at around 42.8%, close to half, with travel and lifestyle apps close behind.
Overall, our mobile applications are not nearly as secure as we would hope, especially given how reliant most of us are on these apps day to day. Many of them still use outdated practices such as hardcoded API keys, which can compromise authentication for many users at once. In 2025, it is a travesty that these applications have not addressed these critical vulnerabilities. Individual users have little control over their data, and the average consumer is not adequately prepared for a PII breach.
The best things we can do in this current cyber landscape are…
If you want to take control of your organization’s cybersecurity posture, see how FireTail can help you today. Schedule a demo or join our free tier to learn more.