A significant share of mobile applications are exposing sensitive information through insecure APIs, leaving users and businesses vulnerable to attack.
The 2025 Zimperium Global Mobile Threat Report, published today, revealed that one in three Android apps and more than half of iOS apps leak data that can be exploited.
Nearly half of all apps still contain hardcoded secrets such as API keys, which allow attackers to reverse-engineer and misuse them once the apps are published.
Mobile Apps as a Growing Attack Surface
The report found that client-side weaknesses are fueling new avenues for abuse. Attackers can tamper with apps, intercept traffic and exploit compromised devices to bypass defenses.
Additional key findings include:
-
1 in 400 Android devices is rooted, and 1 in 2500 iOS devices is jailbroken
-
3 in every 1000 mobile devices are already compromised
-
1 in 5 Android devices encounters malware in the wild
-
Nearly 1 in 3 Android finance apps and 1 in 5 iOS travel apps remain open to man-in-the-middle attacks, despite SSL pinning
“Mobile apps don’t just consume APIs—they expose them,” the report stated.
“Without visibility into the app and device making the call, attackers can […] map and manipulate api behavior by modifying app code […] extract secrets and tokens by reverse engineering the app [and] exploit device-level controls to simulate real usage.”
Read more on API security risks: 99% of Organizations Report API-Related Security Issues
Perimeter Defenses Aren’t Enough
Traditional tools, such as firewalls, API gateways and web application firewalls, can block certain threats at the perimeter, but they cannot determine if traffic is originating from a genuine app or a tampered clone. This blind spot allows attackers to spoof identity, location and device identifiers, making malicious API calls look legitimate.
“From a security perspective, we need to ensure that mobile devices have basic protections, not just for the organization, but also for the users themselves,” Randolph Barr, CISO at Cequence Security, said.
“At a minimum, this means ensuring a screen lock is enabled, updates are applied in a timely manner and that devices are not rooted or jailbroken.”
Closing the Gaps
Zimperium’s report emphasized that protecting APIs must start within the mobile app itself. It highlighted two essential approaches:
-
API hardening: Protecting endpoints, tokens and business logic with obfuscation, secure storage and runtime defenses
-
App attestation: Validating that every API call comes from a genuine, untampered app running in a trusted environment
“Today, we are facing a concerning reality: many enterprise mobile apps still lack basic protections such as code obfuscation, secure storage and updated third-party libraries,” explained Vishrut Iyengar, senior solutions manager at Black Duck.
“These weaknesses remain exploitable even in managed enterprise environments.”
David Matalon, CEO at Venn, echoed Iyengar’s views: “The traditional perimeter is gone, and the Bring-Your-Own-Device reality for remote workers requires a shift in strategy: from securing the device to securing the work itself.”
