Personally identifiable information (PII), financial data, medical information, account credentials, intellectual property: what all these types of sensitive data have in common is that you need tight control over who can access them, whether they belong to you or to your organization. And sure, you might be following best practices, but what about the apps that you or your employees use? With the ever-growing dependence on mobile devices in everyday business and personal activities, and especially with many companies opting for a BYOD policy, it is particularly important to know how those apps might compromise your privacy and your sensitive corporate data.
The stakes have never been higher. During 2024 alone, over 1.7 billion individuals had their personal data compromised—a staggering 312% increase from 419 million in 2023—leading to a total estimated financial loss of 280 billion dollars. As mobile devices become the primary gateway to digital services, they also represent an expanding attack surface for data leakage and breaches.
zLabs, our research team at Zimperium, conducted an extensive analysis of mobile applications to understand the scope and severity of these risks. We looked into 54,648 work apps (9,078 for Android and 45,570 for iOS) from official app stores that our customers found in use in their device fleets. The findings are alarming and highlight the critical need for comprehensive app vetting in enterprise environments.
Data leaks and data breaches happen when an unwanted actor obtains access to sensitive data. Though the two terms are often used interchangeably, a data leak generally refers to sensitive information being unintentionally exposed to the public—whether in transit, at rest, or in use. Unlike data breaches, which typically result from external intrusion attempts, data leaks often stem from negligence, poor security practices, or inadequate data handling within the applications themselves.
Cloud integration has become ubiquitous in mobile app development, with 62% of all analyzed apps using some kind of cloud API or SDK. While cloud services offer scalability and convenience, they also introduce significant risks when improperly implemented:
The consequences of cloud misconfigurations can be devastating. In a recent incident, one of the world’s largest car manufacturers experienced a massive data breach affecting approximately 260,000 customers due to a misconfigured cloud environment. This incident demonstrates how even major corporations with substantial security resources can fall victim to basic cloud security oversights.
Encryption of sensitive data is critical. Unencrypted or poorly encrypted data can be exploited in two ways. In transit: an attacker positioned between the device and the server (through a man-in-the-middle attack, for example) may be able to read the data going to and from the servers. At rest: an attacker may gain read access to a data repository; properly encrypted data, however, is essentially useless to them.
Properly encrypted data is useless to attackers, even when it is intercepted in transit or obtained from cracked cloud storage.
Our research found that 88% of all apps and 43% of the top 100 use one or more cryptographic methods that don't follow best practices. In some cases, we found high-severity cryptography flaws such as:
These vulnerabilities create opportunities for attackers to intercept, decrypt, and exploit sensitive data, potentially leading to unauthorized access to enterprise systems and information.
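To make the at-rest case concrete, here is an added example in Go (not code from Zimperium or the zLabs report) that uses the standard library's AES-256-GCM. It shows what "properly encrypted" buys a defender: a record sealed with a fresh random nonce under a key held outside the data store reveals nothing to someone who obtains read access to the store, identical values stored twice do not produce identical ciphertexts, and a wrong key, a record copied between identities, or any tampering with the stored bytes is rejected rather than decrypted to garbage. The record identifiers, the sample PII value and the helper names Seal, Open and NewKey are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext under key with AES-256-GCM. Each call draws a fresh
// random 96-bit nonce, so the same plaintext stored twice yields different
// ciphertexts. The nonce is stored in front of the ciphertext: it is not
// secret, only unique. The record ID is bound in as associated data, so a
// ciphertext copied from one record into another fails to decrypt.
func Seal(key []byte, id string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or record ID
// makes the authentication check fail and returns an error, never garbage.
func Open(key []byte, id string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(id))
}

// NewKey returns a random 256-bit key. In a real app the key would live in
// the platform keystore (Android Keystore / iOS Keychain), never in source
// code and never next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, _ := NewKey()
	ssn := []byte("123-45-6789") // constructed sample PII, not real data
	a, _ := Seal(key, "cust-1", ssn)
	b, _ := Seal(key, "cust-2", ssn)
	fmt.Println("same plaintext, distinct ciphertexts:", !bytes.Equal(a, b))
	fmt.Println("plaintext visible in stored bytes:", bytes.Contains(a, ssn))

	// Reader with access to the store but no key: decryption fails.
	wrongKey, _ := NewKey()
	_, err := Open(wrongKey, "cust-1", a)
	fmt.Println("wrong key rejected:", err != nil)

	// One byte of the stored record flipped: tampering is detected.
	tampered := append([]byte(nil), a...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, "cust-1", tampered)
	fmt.Println("tampered record rejected:", err != nil)

	// Ciphertext copied into another record: the ID binding rejects it.
	_, err = Open(key, "cust-2", a)
	fmt.Println("copied record rejected:", err != nil)

	// Authorized reader with the key recovers the data.
	pt, _ := Open(key, "cust-1", a)
	fmt.Println("authorized read:", string(pt))
}
```

The two properties a fleet manager should look for when vetting how an app stores data are visible here: authenticated encryption (the tag check turns every tampering or wrong-key case into an error) and key separation (the key is generated and held apart from the repository, so read access to the repository alone yields nothing).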
For all types of organizations, these cloud and cryptographic vulnerabilities create significant risks:
To avoid these risks, a company's mobile device fleet manager needs visibility into app behavior patterns. In particular:
We cannot change the apps, but we can choose which apps we allow in order to keep our data secure.