- Report warns attackers can intercept API calls on iOS devices, and make them appear legitimate
- Traditional security tools fail to protect apps against in-device attacks
- Compromised mobile devices significantly increase the risk of API exploitation
New research from Zimperium has claimed mobile apps are now the primary battleground for API-based attacks, creating serious risks of fraud and data theft for enterprises.
The research shows 1 in 3 Android apps and more than half of iOS apps leak sensitive data, offering attackers direct access to business-critical systems.
Even more worryingly, the report claims three of every 1,000 mobile devices are already infected, with 1 in 5 Android devices encountering malware in the wild.
The scale of mobile API vulnerabilities
Unlike web applications, mobile apps ship API endpoints and calling logic onto untrusted devices, exposing them to potential tampering and reverse-engineering.
This allows attackers to intercept traffic, modify the app, and make malicious API calls appear legitimate.
Traditional defenses such as firewalls, gateways, proxies, and API key validation cannot fully protect against these in-app threats.
“APIs don’t just power mobile apps, they expose them,” said Krishna Vishnubhotla, vice president of product solutions at Zimperium.
“Traditional security tools can’t stop attacks happening inside the app itself. Protecting APIs now requires in-app defenses that secure the client side.”
Client-side tampering is common, as attackers can intercept and alter API calls before they reach backend systems.
Even SSL pinning, designed to prevent man-in-the-middle attacks, has gaps: nearly 1 in 3 Android finance apps and 1 in 5 iOS travel apps remain vulnerable.
Beyond API exposure, many apps mishandle sensitive data on the device itself: Zimperium found that console logging, writing to external storage, and insecure local storage are all common problems.
For example, 6% of the top 100 Android apps write personally identifiable information (PII) to console logs, and 4% write it to external storage accessible by other apps.
Even local storage, although not shared, can become a liability if an attacker gains device access.
The analysis also shows nearly a third (31%) of all apps and 37% of the top 100 send PII to remote servers, often without proper encryption.
Certain apps incorporate SDKs capable of secretly exfiltrating data, recording user interactions, capturing GPS locations, and sending information to external servers.
These hidden activities increase enterprise exposure and show that even apps from official stores can carry major security risks.
“As mobile apps continue to drive business operations and digital experiences, securing APIs from the inside out is critical to preventing fraud, data theft, and service disruption,” added Vishnubhotla.
How to stay safe
- Inspect apps for improper logging of sensitive information to prevent data leaks.
- Verify that local storage of data is encrypted and not accessible by other apps.
- Monitor network traffic to detect apps sending unencrypted personal information.
- Identify and remove malicious SDKs or third-party components embedded in apps.
- Review app permissions to ensure they align with intended functionality.
- Conduct regular audits of app behavior for potential breach vulnerabilities.
- Implement runtime protections to prevent tampering or reverse engineering of apps.
- Use code obfuscation to shield business logic and API endpoints from attackers.
- Validate that API calls come only from legitimate, untampered applications.
- Establish incident response procedures in case a mobile app compromise occurs.
- Use mobile security software that protects against malware and ransomware attacks.
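The first item in the list above, inspecting apps for improper logging of sensitive information, is the easiest one to automate in a release pipeline. As an added example that is not from the report or from Zimperium, the Python below scans Android logcat output (threadtime format) for three PII shapes. The log lines and every value in them are constructed for this illustration, and the classifier (email address, Luhn-checked card number, international phone number) is a deliberately small catalogue rather than a complete PII taxonomy; the Luhn check is there to separate real card numbers from other long digit runs such as order ids.

```python
import re
from dataclasses import dataclass

# Constructed Android logcat sample (threadtime format). The PII values are invented
# for this example and do not come from the report or from any real device.
SAMPLE_LOGCAT = """\
10-02 09:14:01.233  4211  4211 D LoginActivity: signing in user jane.doe@example.com
10-02 09:14:01.410  4211  4230 I OkHttp: --> POST https://api.example.invalid/v1/session
10-02 09:14:01.412  4211  4230 I OkHttp: {"card":"4111 1111 1111 1111","exp":"12/27"}
10-02 09:14:02.001  4211  4211 D Profile: phone=+1 415-555-0142 loaded from cache
10-02 09:14:02.050  4211  4211 V Metrics: screen=Profile duration=812ms
10-02 09:14:02.100  4211  4211 D Order: ref=1234567890123456 is an order id, not a card
"""

# One logcat line: date time PID TID level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s?(?P<msg>.*)$"
)

# Deliberately narrow PII shapes; a production scanner would carry a larger catalogue.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "phone": re.compile(r"\+\d{1,3}[ -]?\d{3}[ -]?\d{3}[ -]?\d{4}"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the finding itself does not re-leak PII."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


@dataclass
class Finding:
    line_no: int
    tag: str
    kind: str
    masked: str


def scan_logcat(text: str) -> list[Finding]:
    """Return one Finding per PII match found in the message part of each logcat line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # not a threadtime line; skip rather than guess at its layout
        tag, msg = m["tag"].strip(), m["msg"]
        for kind, pattern in PII_PATTERNS.items():
            for hit in pattern.finditer(msg):
                value = hit.group(0)
                if kind == "card":
                    digits = re.sub(r"\D", "", value)
                    # Drop digit runs that are not Luhn-valid (order ids, counters, ...)
                    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
                        continue
                    value = digits
                findings.append(Finding(line_no, tag, kind, mask(value)))
    return findings


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f.line_no}: tag {f.tag} logs {f.kind} ({f.masked})")
```

Run against a captured `adb logcat -v threadtime` dump, the output names the log tag (and so the component) that wrote each piece of PII, which is what a reviewer needs to route the fix. Masking the matched value in the finding matters: a scan report that quotes full card numbers or email addresses simply moves the leak from the device log into the build system.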