iOS apps leak more sensitive data than Android apps, new research shows

New research from Zimperium shows mobile apps are now a main target for data breaches. More than half of iOS apps leak sensitive information, while one-third of Android apps do the same. This includes personal details like names, emails, and other identifiers. The study highlights that attackers can intercept API calls and make them appear legitimate.

iOS apps were thought to be safer, but the findings suggest otherwise. Enterprises relying on mobile apps for work face serious risks. The combination of personal and business data on phones increases the stakes. Security tools like firewalls and gateways cannot fully protect against these in-device threats, which makes in-app security a priority.

How APIs can create vulnerabilities

Mobile apps make their API calls directly from the device, where attackers can tamper with them. Hackers can intercept traffic, modify requests, and make malicious calls look authentic. Traditional protections like SSL or API key checks are not enough to stop these attacks. Zimperium’s Krishna Vishnubhotla explains that in-app defenses are now required to secure the client side.

For example, nearly one-third of Android finance apps and one-fifth of iOS travel apps remain vulnerable. Client-side tampering can give attackers access to sensitive systems without leaving obvious traces. Companies need to assume that devices are not fully trusted and design apps with strong in-app security controls.
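One in-app control of the kind this section describes is request integrity signing, shown here as an added example; it is not code from Zimperium or from any app in the report. The client binds method, path, a hash of the body, a timestamp and a fresh nonce into one HMAC; the server rejects a request whose signature no longer matches (the body was modified in transit), whose timestamp is outside a short window, or whose nonce it has already seen (a replay). The key, header names and endpoint are constructed for the example. The caveat a reviewer would raise: a key that ships as a constant in the app binary can be extracted from a compromised device, so this detects tampering and replay but does not by itself prove the call came from an unmodified app; that is the gap the in-app defenses the article calls for are meant to close.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. A real app would obtain a per-installation key from the
# backend after enrolment rather than shipping one constant in the binary.
DEMO_KEY = b"example-per-install-key-not-for-production"

# Header names are assumptions for this example.
HEADER_TS, HEADER_NONCE, HEADER_SIG = "X-Timestamp", "X-Nonce", "X-Signature"


def canonical_request(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> bytes:
    """Bind everything the server acts on into one string, so changing any part breaks the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, now=None) -> dict:
    """Client side: produce the integrity headers for one request."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)  # fresh per request; lets the server detect replays
    mac = hmac.new(key, canonical_request(method, path, body, timestamp, nonce), hashlib.sha256)
    return {HEADER_TS: str(timestamp), HEADER_NONCE: nonce, HEADER_SIG: mac.hexdigest()}


class RequestVerifier:
    """Server side: check window, then MAC, then nonce; remember the nonce for the skew window."""

    def __init__(self, key: bytes, max_skew: int = 300):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> time after which it can be forgotten

    def verify(self, method: str, path: str, body: bytes, headers: dict, now=None):
        now = int(time.time() if now is None else now)
        # Forget nonces whose timestamps could no longer pass the window check anyway.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        try:
            ts = int(headers[HEADER_TS])
            nonce = headers[HEADER_NONCE]
            sig = headers[HEADER_SIG]
        except (KeyError, ValueError):
            return False, "missing or malformed integrity headers"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"
        expected = hmac.new(self.key, canonical_request(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "signature mismatch (request tampered or wrong key)"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = now + self.max_skew
        return True, "ok"


def demo() -> dict:
    """Run the four cases a reviewer would want to see; returns {case: (accepted, reason)}."""
    verifier = RequestVerifier(DEMO_KEY)
    body = json.dumps({"account": "1234", "amount": 10}).encode()
    headers = sign_request(DEMO_KEY, "POST", "/v1/transfer", body, now=1_700_000_000)
    results = {}
    # Body changed in transit while the original headers are kept: MAC no longer matches.
    tampered = json.dumps({"account": "1234", "amount": 10000}).encode()
    results["tampered"] = verifier.verify("POST", "/v1/transfer", tampered, headers, now=1_700_000_005)
    # Untouched request inside the skew window: accepted, nonce recorded.
    results["legit"] = verifier.verify("POST", "/v1/transfer", body, headers, now=1_700_000_005)
    # Same request sent again: rejected by the nonce cache.
    results["replay"] = verifier.verify("POST", "/v1/transfer", body, headers, now=1_700_000_010)
    # Same request far outside the window: rejected before any MAC work is done.
    results["stale"] = verifier.verify("POST", "/v1/transfer", body, headers, now=1_700_001_000)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:9s} accepted={ok} reason={reason}")
```

The order of checks matters for the nonce cache: the timestamp window is enforced first so the cache only has to remember nonces for `max_skew` seconds, and the MAC is checked before the nonce so an attacker cannot poison the cache with unsigned nonces.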

Storage issues

Beyond APIs, apps often mishandle sensitive data locally. Zimperium found that console logging, insecure local storage, and use of external storage are widespread problems. Six percent of the top 100 Android apps write personally identifiable information to console logs, and four percent write it to external storage accessible by other apps. Even private local storage can become a liability if the device is compromised.

These practices leave data exposed to hackers who gain access to the device, increasing the risk of identity theft and corporate data loss. Security teams must audit apps to ensure sensitive information is stored safely and not easily accessible.
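The audit the paragraph asks for can be partly automated. The following is an added example, not code from Zimperium or from any vendor tool: it parses Android logcat lines (constructed for the example, not captured from a real app), runs a set of detectors for the kinds of identifiers the report says end up in logs (card numbers checked with Luhn, JWT-shaped tokens, e-mail addresses, phone numbers), and reports which log tags leak them. The same `redact` routine doubles as the hardened form: a `safe_log` helper that strips those values before the message reaches any sink, which is the fix for the console-logging finding.

```python
import re
from collections import Counter

# Constructed sample of Android logcat "threadtime" output for this example; it is
# not taken from any real app or from the Zimperium report.
SAMPLE_LOGCAT = """\
09-14 10:02:11.120  4123  4123 D LoginActivity: user=alice.smith@example.com logged in
09-14 10:02:11.131  4123  4123 I SessionMgr: token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.abc123 stored
09-14 10:02:11.140  4123  4123 V NetClient: GET /v1/profile 200 OK
09-14 10:02:12.002  4123  4150 D PaymentView: card 4111 1111 1111 1111 exp 12/27 saved
09-14 10:02:12.010  4123  4150 D ProfileSync: phone=+1 415 555 0123 synced
09-14 10:02:12.025  4123  4150 I Analytics: screen_view name=Home
"""

# One logcat line: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s?(?P<msg>.*)$"
)

# Detectors run in this order, and each match is redacted before the next detector
# runs, so a card number is not reported a second time as a phone number.
DETECTORS = [
    ("card_number", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),  # 13-19 digits, spaces/dashes allowed
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),  # "eyJ" is base64url of '{"'
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("phone", re.compile(r"\+?\d[\d ()-]{8,}\d")),
]


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum over the digits of candidate; keeps order numbers and ids out of card matches."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(message: str):
    """Return (redacted_message, categories_found) for one log message."""
    found = []
    for name, pattern in DETECTORS:
        def replace(m):
            if name == "card_number" and not luhn_valid(m.group(0)):
                return m.group(0)  # a digit run that fails Luhn is left for later detectors
            found.append(name)
            return f"[REDACTED:{name}]"
        message = pattern.sub(replace, message)
    return message, found


def audit_logcat(text: str):
    """Scan logcat text. Returns ([(tag, categories)] for leaking lines, Counter of categories)."""
    findings = []
    counts = Counter()
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if not m:
            continue
        _, categories = redact(m.group("msg"))
        if categories:
            findings.append((m.group("tag"), categories))
            counts.update(categories)
    return findings, counts


def safe_log(tag: str, message: str) -> str:
    """Hardened form: redact before the message reaches any sink (console, file, crash reporter)."""
    redacted, _ = redact(message)
    return f"{tag}: {redacted}"


if __name__ == "__main__":
    findings, counts = audit_logcat(SAMPLE_LOGCAT)
    for tag, categories in findings:
        print(f"{tag}: leaks {', '.join(categories)}")
    print(dict(counts))
```

Run against a real capture (`adb logcat -v threadtime` piped to a file), the tags in the findings point straight at the classes whose logging calls need to be removed or routed through the redacting helper; the same detectors can be run over files an app writes to external storage, the other leak the report quantifies.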

What about actual malware and infected devices?

The report also notes that three in every 1,000 mobile devices are already infected, and one in five Android devices encounters malware in the wild. Infected devices increase the chance of API exploitation and unauthorized access. This shows that mobile platforms cannot rely solely on OS-level security. Users often download legitimate apps that have hidden vulnerabilities or outdated security practices.

Combining insecure apps with malware-infected devices creates a perfect storm for data breaches. Organizations should implement device management policies and encourage regular updates to reduce exposure. Awareness of the threat landscape is key for both personal and corporate devices.

What can developers do?

Protecting mobile apps now requires both technical and operational measures. Developers should secure client-side API calls, use proper encryption, and avoid logging sensitive data in consoles or external storage. Enterprises need to monitor devices, enforce updates, and apply mobile threat defense tools. Users should be cautious about app permissions and avoid installing unnecessary apps.

The study makes it clear that mobile apps are a critical security concern. iOS may appear secure, but its apps leak sensitive data at high rates. Combining secure coding, device hygiene, and awareness is the only way to reduce risk and prevent sensitive information from falling into the wrong hands.