Mobile app security - a pen tester’s view

28/11/25 Wavenet
API Security

The real threat to mobile apps isn’t the app, it’s API security.

Chris Watt, an experienced Wavenet penetration tester, discusses mobile security…

Mobile applications have become an integral part of daily life. From social media and e-commerce to banking and smart device management, it’s hard to imagine functioning without them. Today, nearly all apps fall into two ecosystems, Google’s Android or Apple’s iOS, and both rely heavily on APIs to function.

For more than a decade, questions have been raised about mobile app security. This led to the creation of the OWASP Mobile Top 10, a regularly updated list of the most common vulnerabilities found in mobile applications (alongside the better-known OWASP Top 10 for web applications). However, whilst mobile applications themselves often carry some exploitable issues, I believe the biggest concern today is in API security, which underpins nearly every interaction between mobile apps and their servers.

Two layers of mobile app testing

Penetration testing of mobile apps generally examines two areas:

  • Local behaviour: how the app interacts with the device and file system on which it’s installed.
  • Remote behaviour: how the app communicates with its associated API over the internet.

In practice, this structure is not unique to mobile apps. Much like web applications accessed through a browser (e.g. Amazon or online banking), mobile apps rely on servers to provide the data and functionality they need. As a result, you would be hard pressed to find any app installed on any device that did not communicate with one or more APIs. This makes API security a critical part of mobile application testing.

From my experience, and in line with many industry observations, the most severe vulnerabilities uncovered during mobile app penetration tests are rarely tied to the app’s local, on-device behaviour. Instead, they almost always stem from weaknesses in the APIs the app depends on. There are clear reasons why this is the case, which I’ll explore in more detail.

Before we get into those, it’s worth clarifying the attacker’s objective when targeting an app on a device: primarily, it is to steal user data, which can then be exploited in subsequent attacks.

How an attacker targets a mobile app

The primary goal of an attacker is to steal or manipulate data. To do this via the local app, an attacker typically needs to use one of these approaches:

  1. Obtain a physical device that is both unlocked and ideally rooted/jailbroken.
    Or
  2. Develop a malicious app that interacts with the target app and then convince users to install it.

Neither of the two primary attack routes, physical device compromise or malicious app installation, comes without significant difficulty.

The issues attackers face with physical device compromise…

One reason lies in the low probability of an attacker obtaining a lost or stolen device that is both unlocked and rooted/jailbroken. Modern Android and iOS devices strongly encourage security measures such as PINs, patterns, or biometric authentication, with clear warnings during setup about the risks of not enabling them. Even if an attacker were to gain access to such a device, the ideal scenario, extracting user data, becomes more practical only if the device is rooted or jailbroken. Because relatively few devices are in this state, the likelihood of exploiting them as an attack route is reduced further.

The issues attackers face with malicious app installation…

The second route, creating and distributing a malicious app, also presents barriers. It requires at least basic coding skills, and often advanced knowledge of the target app’s internal functionality. The attacker must also find a way to convince users to install the malicious app, often through social engineering. While large-scale campaigns could yield significant amounts of sensitive data (as demonstrated by the number of malicious apps already in circulation), the attack chain is still complex, with multiple points where the effort may outweigh the potential reward.

Exceptions may exist if a vulnerable app exposes data under normal operating conditions, and while this can and does happen, in most scenarios, this form of attack is difficult, making it more likely to occur in targeted or opportunistic contexts rather than at scale.

Why attacking APIs is easier and more rewarding

Intercepting an app’s traffic to its API can also present challenges, but in practice this is generally easier to achieve than exploiting the app directly on a device.

Here’s why APIs frequently present a much more attractive target:

  • Familiar attack surface: API traffic is, the majority of the time, just web traffic, and attackers have decades of experience exploiting web applications.
  • Broader impact: compromising an API can expose data for many users at once, rather than relying on access to individual devices.
  • Different pathways: mobile apps often use slightly different API endpoints or communication methods than a website equivalent, creating unique vulnerabilities that may not exist within the associated web application.

This highlights why API security is, arguably, the greater concern for mobile applications today.

Attacking API’s still has its caveats

Intercepting and manipulating API traffic isn’t always straightforward. Security controls such as SSL pinning can raise the barrier to entry. However, compared to the challenges of obtaining physical possession of a user’s device in a suitable state, or distributing malicious apps, APIs remain the easier, and often far more impactful attack vector. Strong API security measures can mitigate these risks.

Conclusion

Mobile apps are everywhere, but their greatest security risk, more often than not generally lies not in the apps themselves, but in the APIs they depend on. A compromised API is a single gateway to user data, business logic, and critical systems, making it one of the most important assets to defend. Leveraging experts like us ensures these critical connections remain secure, giving both businesses and users peace of mind.

Need some help?

We provide comprehensive mobile security and API protection services, helping you identify and address vulnerabilities before attackers can exploit them. We’re CHECK and CREST approved, with our specialists holding some of the most recognised certifications in the industry, including CREST and cyber scheme certifications . We can help with:

  • API penetration testing: simulating attacks to uncover weaknesses in API endpoints, authentication, and data handling.
  • Secure connectivity solutions: ensuring data transmitted between apps and APIs is encrypted and protected from interception.
  • Continuous monitoring: detecting unusual API activity or potential breaches in real time, reducing response time to threats.
  • Compliance and best practices guidance: helping organisations meet industry standards and regulatory requirements for mobile security.

By partnering with us, you can protect the critical bridge between your mobile apps and the servers they rely on, reducing the risk of large-scale data exposure and strengthening overall security posture. Emphasising API security ensures your mobile apps remain safe from the most common and impactful threats.

Chris Watt PictureChris Watt, Penetration Testing Service Delivery Lead

Chris Watt has been in the Penetration Testing arena for 13 years, specialising in web application and API security for most of that time. For the last few years, he has been steadily branching out into other types of security, including advanced infrastructure and mobile app testing.

Ready to test your mobile security?

Talk to us More on penetration testing

Cyber Security, Penetration Testing, CyberGuard, Blogs

Latest blogs

See all posts
accountancy
The impact of technology in accountancy

Neil Hall, leading strategy consultant at Wavenet, provides timely advice to accountancy firms, to help solve their top technology challenges.

Read more
Hands above a laptop keyboard pointing to a rising digital-growth icon emerging from a strategic growth plan page beside the laptop.
The CEOs guide to strategic growth

From industry insight to impact: winning moves for 2026 2026 is not a typical planning cycle, it is a structural shift. AI is becoming a core drive or enterprise value1, cyber risk now sits firmly on the board agenda, and regulatory pressure is reshaping how organisations scale and compete. The leaders pulling ahead are those who move fast, secure their digital core, and align technology with growth.

Read more
azure-cloud
Managed Azure Services: Why your business needs them for growth and efficiency

As more organisations move their workloads to the cloud, Managed Azure Services have become essential. They provide expert support for your Azure environment, helping businesses reduce costs, strengthen security, and focus on what matters most - growth and innovation. What are Managed Azure Services? Managed Azure Services refer to the professional administration, optimisation, and monitoring of Microsoft Azure cloud resources. A managed service provider (MSP) handles critical tasks such as: Cost and resource optimisation Security and threat protection Compliance management (GDPR, ISO, HIPAA) 24/7 monitoring and issue resolution Technical support and cloud governance This allows businesses, including SMBs to access enterprise-grade cloud expertise without hiring specialist in‑house teams. Why businesses choose Azure expert managed services providers Companies partner with Azure experts because of the specialised skills, cost benefits, and strategic guidance they bring. Key reasons include: Deep technical expertise in Azure architecture, automation, and security Reduced costs vs. maintaining a full internal IT team Predictable monthly pricing for easier budgeting Tailored cloud strategies aligned to business goals Proactive monitoring to prevent downtime For growing businesses, especially in competitive regions like Daisy and the surrounding areas, working with a certified Azure MSP ensures your cloud environment is optimised from day one. Cost optimisation and predictable IT spending One of the biggest advantages of Managed Azure Services is the ability to control and reduce cloud costs. Providers offer: Continuous resource monitoring Automated scaling Regular cost reporting Elimination of unused or oversized resources With fixed or tiered pricing models, organisations benefit from predictable IT spending and improved ROI. Enhanced security and compliance Security remains a top concern for any business operating in the cloud. An Azure managed services provider ensures: Advanced threat detection & protection Automated updates and patching 24/7 security monitoring Compliance with standards like GDPR, ISO 27001, and HIPAA Regular vulnerability assessments This is particularly important for regulated industries and UK businesses handling sensitive customer data. 24/7 support, monitoring & incident response Managed Azure services provide: Real-time performance insights Immediate alerting Rapid incident response Proactive issue prevention This results in higher uptime, fewer disruptions, and smoother operations. Scalability, flexibility & future-proofing Azure’s cloud platform is built for scale — and managed services make that scalability seamless. Benefits: Automatic resource scaling Flexible capacity for seasonal or unpredictable workloads Access to the latest Azure features and innovations Support for long‑term digital transformation This helps businesses remain agile and competitive in a fast‑moving digital marketplace. Improved operational efficiency through automation Azure enables automation for: Backups Updates Deployments Monitoring Disaster recovery Automating routine tasks reduces human error, increases productivity, and accelerates project timelines. Access to the latest technology & expert guidance Working with an Azure expert ensures your business always has access to: Cutting-edge cloud technology Best‑practice architecture Strategic cloud roadmaps Ongoing staff training This combination empowers your team and boosts overall digital capabilities. Business continuity, disaster recovery & high availability Azure Managed Services include: Custom disaster recovery plans High-availability architectures Geo-redundant backups Fast recovery times (RTO/RPO) This ensures your business remains operational — even in the event of outages or cyber incidents. Strategic value: Innovation, agility & digital transformation Managed Azure Services support: Rapid deployment of new solutions Process modernisation Cloud-native innovation Agility to respond to market changes This makes them a key driver for long‑term growth. Unlock the full potential of Azure Managed Azure Services give businesses the tools to operate more efficiently, securely, and cost-effectively. With expert support, by partnering with Wavenet, your organisation can: Reduce cloud costs Strengthen security Improve performance Enhance scalability Accelerate digital transformation

Read more
cyber security Q&A
Cyber security in action: key questions and expert insights

What keeps security leaders awake at night? This Q&A answers the most common and most critical cyber security questions raised in our Cyber Security in Action webinar. It delivers clear, expert advice on preventing the attacks that cause the greatest disruption, helping organisations turn complexity into confident, informed action.

Read more
checkout till
3 ways retailers can reduce downtime with retail connectivity

Downtime is more than a technical inconvenience in retail. When systems go offline, sales stop, queues build, staff become frustrated, and customers lose confidence in the brand. From card payments failing at the till to stock systems not updating in real time, even short periods of disruption can have an outsized impact on revenue and customer experience.

Read more