
VIA Knowledge Hub Podcast

Top three mobile security fails (and how to fix them)

15 Oct 2025

Description

Think Apple and Google are doing deep security reviews of your app? Think again.

While the App Store and Google Play scan for known malware, they completely miss big security gaps like API misconfigurations and vulnerabilities in third-party tools. Mobile app security expert Andrew Hoog breaks down the top “gotcha” moments for mobile developers and the quick, actionable steps your team can take to secure your apps and protect your users.

Top three mobile security fails

* Skipping security reviews. Most teams either skip security reviews or use tools built for web apps. But web app scanners miss a whole range of mobile-specific vulnerabilities.
* Using sketchy third-party SDKs. Andrew estimates 60–70% of vulnerabilities come from free, well-documented SDKs, which are “like catnip” for developers. These can send unencrypted data, use weak keys, or leak user data to foreign entities.
* Ignoring AI risks. You, or the SDKs you rely on, might be using personally identifiable information (PII) in ways that break privacy laws, violate contracts, or erode user trust.

What you can do today

* Get the right tools. Use security tools built for mobile apps. Andrew recommends:
  * Radare (open-source reverse engineering toolkit, binary and static analysis)
  * Frida (open-source dynamic instrumentation toolkit)
  * Both have great documentation to get you started.
* Involve your team and stakeholders. Try NowSecure’s Mobile Application Risk Checker. It reports on sensitive data, privacy declarations, and network connections. Your app might already be listed! Start including mobile app security and privacy risks in your threat intel program.
* Leverage free learning resources. Explore OWASP Mobile Application Security, NowSecure Academy, or tools like Claude for contextual security insights.

About Andrew Hoog

Andrew Hoog is a developer’s go-to security person. He’s been in the trenches of mobile security and forensics for over a decade, building, breaking, and securing apps long before it was cool.

He co-founded NowSecure, wrote two books on mobile forensics and security, and holds three patents in the field. When he’s not deep in code or court (he’s also an expert witness in U.S. Federal Courts), he’s helping shape the future of mobile app security at NowSecure.

Andrew’s mission? Help developers build apps that are not just awesome but are secure by design.

See how VIA’s Zero Trust Fabric delivers military-grade authentication.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit www.viaknowledgehub.com
