Think about the apps on your phone right now. Your banking app, your work email, the food delivery app: each one is talking to a server somewhere, sending and receiving data through APIs, the underlying interfaces that let apps communicate with those servers.
And here's the problem - hackers have determined that the APIs of mobile apps, when left visible and exploitable, can be a goldmine. Security outfit Zimperium has released a new report that reveals the scale of the problem:
- Nearly 50% of mobile apps contain hardcoded secrets like API keys embedded directly in the code
- 1 in 3 Android apps leak sensitive data
- More than half of iOS apps leak sensitive data
- 1 in 400 Android devices is rooted (with security restrictions removed) and 1 in 2,500 iOS devices is jailbroken, opening the door for attacks
- 3 out of every 1,000 mobile devices are already compromised.
These are alarming statistics, and Zimperium's research also found that a large share of apps (24% of Android apps and 60% of iOS apps) have no protection against reverse engineering.
API Breaches Look Worse
Amidst this, research firm Gartner claims that the typical API breach leaks at least ten times more data than a standard security breach. One of the most high-profile examples of this problem occurred in January 2023 when wireless network provider T-Mobile discovered it had suffered a major data breach affecting 37 million customer accounts.
In that T-Mobile breach, hackers exploited a vulnerable API to steal personal information including names, billing addresses, email addresses, phone numbers, dates of birth, and account details.
It took months for T-Mobile to recognise what the hackers had been doing and shut down their access. The incident was particularly concerning because the API vulnerability allowed the hackers to scoop up customer data without proper authentication.
Necessary but not Sufficient
The message for app developers is clear—securing APIs at the network perimeter remains necessary, but it is not sufficient. Sometimes, the app itself increases the attack surface, and its secrets need to be properly hidden. Information like API keys, tokens, or passwords can be used to unlock potentially vast amounts of sensitive information, so they should not be put directly into an app's code.
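One practical check that follows from this is to scan an app's source, resources and decompiled output for secrets before it ships. The scanner below is an added example written for this article; it is not Zimperium's tooling or code from any project named here. It combines two signals: well-known credential shapes (the public prefix patterns of AWS access key IDs and Google API keys) and high-entropy string values assigned to names that suggest a key, token or password. The sample files it scans are constructed, and every value in them is made up.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample files standing in for the output of a decompiler or an
# asset dump; every value below is made up and is not a real credential.
SAMPLE_FILES = {
    "ApiClient.kt": (
        "class ApiClient {\n"
        '    private val baseUrl = "https://api.example.com/v1"\n'
        '    private val apiKey = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q"\n'
        "    private val timeoutMs = 3000\n"
        "}\n"
    ),
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">Sample</string>\n'
        '    <string name="aws_access_key">AKIAABCDEFGHIJKLMNOP</string>\n'
        '    <string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
        "</resources>\n"
    ),
    "Config.swift": (
        'let environment = "production"\n'
        'let sessionToken = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhcHAifQ.c2lnbmF0dXJl"\n'
    ),
}

# Public shapes of two widely used credential types (a shape, not a secret).
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
}
ASSIGNMENT = re.compile(r'(\w+)\s*[=:]\s*"([^"]+)"')   # Kotlin/Java/Swift assignments
XML_STRING = re.compile(r'name="(\w+)">([^<]+)<')      # Android strings.xml entries
SENSITIVE_NAME = re.compile(r"key|secret|token|passw|pwd", re.IGNORECASE)
MIN_LENGTH = 16     # shorter strings are rarely machine-generated secrets
MIN_ENTROPY = 3.5   # bits per character; prose and URLs sit well below this


@dataclass
class Finding:
    path: str
    line: int
    name: str
    kind: str
    preview: str   # first characters only, so the report never re-leaks the value


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for a string of one repeated character."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(name: str, value: str):
    """Return a finding kind, or None when the name/value pair looks benign."""
    for kind, pattern in KNOWN_FORMATS.items():
        if pattern.fullmatch(value):
            return kind
    if (SENSITIVE_NAME.search(name) and len(value) >= MIN_LENGTH
            and shannon_entropy(value) >= MIN_ENTROPY):
        return "high_entropy_secret"
    return None


def scan_files(files):
    """Scan {path: text} and return findings in file/line order."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, value in ASSIGNMENT.findall(line) + XML_STRING.findall(line):
                kind = classify(name, value)
                if kind:
                    findings.append(Finding(path, lineno, name, kind, value[:4] + "..."))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} in '{f.name}' ({f.preview})")
```

Run against the constructed files it reports four findings: the Google-style key in `ApiClient.kt`, the AWS key ID and its high-entropy secret in `strings.xml`, and the token in `Config.swift`, while leaving the base URL and the `production` string alone. The entropy threshold is the part to tune: too low and it flags every long URL, too high and it misses short-alphabet secrets, so in practice this kind of scan runs in CI alongside a review of how the app fetches credentials at runtime.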
The sensitive parts of an app, like its passwords and details of how it talks to its servers via the API, need to be appropriately protected so they cannot fall under the control of malicious hackers. Code can be scrambled or obfuscated to make it harder to read, keys can be stored securely, and runtime defences can notice if someone is trying to reverse engineer or tamper with an API interaction.
Further, apps should need to prove that they are the genuine article every time they talk to their servers. That way, a server can reject requests from a fake version of the app or one running on a hacked phone. Securing APIs isn't just about protecting servers; it's also about protecting the apps that use them.
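The server-side half of that idea, as an added example that is not from the article or from any vendor named in it: an API gateway refuses a request unless it carries a fresh attestation token that is correctly signed, names a trusted app identifier, reports a clean device verdict, is bound to the request body, and has not been seen before. The key, the app identifier `com.example.banking`, and the request bodies are constructed placeholders. The token is modelled as an HMAC over a JSON payload so the whole exchange runs offline; a production deployment would verify a verdict from a platform service such as Google's Play Integrity API or Apple's App Attest instead of a shared HMAC key, but the checks the gateway applies are the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values: the key is shared between the attestation service
# and the API gateway; it is a placeholder, not anything used by a real app.
ATTESTATION_KEY = b"constructed-demo-attestation-key"
TRUSTED_APPS = {"com.example.banking"}   # hypothetical package id
MAX_TOKEN_AGE = 120                       # seconds a token stays acceptable
CLOCK_SKEW = 5                            # seconds of tolerated clock drift


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id, integrity, body, key=ATTESTATION_KEY, now=None, nonce=None):
    """Model of what an attestation service hands a genuine app for one request.

    `integrity` is the device verdict ("ok" or "rooted"); `body` is the request
    the token is bound to, so a captured token is useless for any other call.
    """
    now = time.time() if now is None else now
    payload = {
        "app": app_id,
        "integrity": integrity,
        "iat": int(now),
        "nonce": nonce or secrets.token_hex(8),
        "req": hashlib.sha256(body).hexdigest(),
    }
    encoded = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, encoded.encode(), hashlib.sha256).digest()
    return f"{encoded}.{_b64(sig)}"


class ApiGateway:
    """Runs before any API handler sees the request; returns (accepted, reason)."""

    def __init__(self, key=ATTESTATION_KEY):
        self.key = key
        self.seen_nonces = set()   # a shared cache with a TTL in a real deployment

    def check(self, token, body, now=None):
        now = time.time() if now is None else now
        try:
            encoded, sig = token.split(".")
            expected = hmac.new(self.key, encoded.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return False, "bad signature"
            payload = json.loads(_unb64(encoded))
        except ValueError:            # covers bad base64, bad JSON, wrong field count
            return False, "malformed token"
        if payload.get("app") not in TRUSTED_APPS:
            return False, "unknown app"
        if payload.get("integrity") != "ok":
            return False, "device integrity failed"
        iat = payload.get("iat", 0)
        if not (now - MAX_TOKEN_AGE <= iat <= now + CLOCK_SKEW):
            return False, "stale token"
        if payload.get("req") != hashlib.sha256(body).hexdigest():
            return False, "token not bound to this request"
        nonce = payload.get("nonce")
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """Constructed exchange: one genuine request, then six that must be refused."""
    gw = ApiGateway()
    t = 1_700_000_000                     # fixed clock so the run is deterministic
    body = b'{"account":"1234","action":"balance"}'
    other = b'{"account":"9999","action":"transfer"}'
    app = "com.example.banking"
    genuine = issue_token(app, "ok", body, now=t, nonce="n1")
    return {
        "genuine": gw.check(genuine, body, now=t + 5),
        "replay": gw.check(genuine, body, now=t + 6),
        "rooted": gw.check(issue_token(app, "rooted", body, now=t, nonce="n2"), body, now=t),
        "repackaged": gw.check(issue_token(app + ".mod", "ok", body, now=t, nonce="n3"), body, now=t),
        "forged": gw.check(issue_token(app, "ok", body, key=b"guessed-key", now=t, nonce="n4"), body, now=t),
        "stale": gw.check(issue_token(app, "ok", body, now=t - 600, nonce="n5"), body, now=t),
        "rebound": gw.check(issue_token(app, "ok", body, now=t, nonce="n6"), other, now=t),
    }


if __name__ == "__main__":
    for scenario, (accepted, reason) in demo().items():
        print(f"{scenario:>10}: {'accept' if accepted else 'reject'} ({reason})")
```

Only the first scenario is accepted; each of the others fails on exactly one of the checks, which is why the order matters: signature first (nothing in an unverified payload can be trusted), then app identity and device verdict, then freshness, request binding and replay. Binding the token to a hash of the request body is what makes a stolen token worthless for a different call, and the nonce cache is what stops the same call being submitted twice.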
With nearly half of mobile apps leaking secrets, a third of Android apps exposing sensitive data, and attackers actively exploiting vulnerabilities, the question is not whether mobile apps are being targeted. They already are. The question is whether the security strategy of the firms developing the apps your business relies upon has recognised the threat and acted upon it.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.