Mobile app security - a pen tester’s view

28/11/25 Wavenet
API Security

The real threat to mobile apps isn’t the app, it’s API security.

Chris Watt, an experienced Wavenet penetration tester, discusses mobile security…

Mobile applications have become an integral part of daily life. From social media and e-commerce to banking and smart device management, it’s hard to imagine functioning without them. Today, nearly all apps fall into two ecosystems, Google’s Android or Apple’s iOS, and both rely heavily on APIs to function.

For more than a decade, questions have been raised about mobile app security. This led to the creation of the OWASP Mobile Top 10, a regularly updated list of the most common vulnerabilities found in mobile applications (alongside the better-known OWASP Top 10 for web applications). However, whilst mobile applications themselves often carry some exploitable issues, I believe the biggest concern today is in API security, which underpins nearly every interaction between mobile apps and their servers.

Two layers of mobile app testing

Penetration testing of mobile apps generally examines two areas:

  • Local behaviour: how the app interacts with the device and file system on which it’s installed.
  • Remote behaviour: how the app communicates with its associated API over the internet.

In practice, this structure is not unique to mobile apps. Much like web applications accessed through a browser (e.g. Amazon or online banking), mobile apps rely on servers to provide the data and functionality they need. As a result, you would be hard pressed to find any app installed on any device that did not communicate with one or more APIs. This makes API security a critical part of mobile application testing.

From my experience, and in line with many industry observations, the most severe vulnerabilities uncovered during mobile app penetration tests are rarely tied to the app’s local, on-device behaviour. Instead, they almost always stem from weaknesses in the APIs the app depends on. There are clear reasons why this is the case, which I’ll explore in more detail.

Before we get into those, it’s worth clarifying the attacker’s objective when targeting an app on a device: primarily, it is to steal user data, which can then be exploited in subsequent attacks.

How an attacker targets a mobile app

The primary goal of an attacker is to steal or manipulate data. To do this via the local app, an attacker typically needs to use one of these approaches:

  1. Obtain a physical device that is both unlocked and ideally rooted/jailbroken.
    Or
  2. Develop a malicious app that interacts with the target app and then convince users to install it.

Neither of the two primary attack routes, physical device compromise or malicious app installation, comes without significant difficulty.

The issues attackers face with physical device compromise…

One reason lies in the low probability of an attacker obtaining a lost or stolen device that is both unlocked and rooted/jailbroken. Modern Android and iOS devices strongly encourage security measures such as PINs, patterns, or biometric authentication, with clear warnings during setup about the risks of not enabling them. Even if an attacker were to gain access to such a device, the ideal scenario, extracting user data, becomes more practical only if the device is rooted or jailbroken. Because relatively few devices are in this state, the likelihood of exploiting them as an attack route is reduced further.

The issues attackers face with malicious app installation…

The second route, creating and distributing a malicious app, also presents barriers. It requires at least basic coding skills, and often advanced knowledge of the target app’s internal functionality. The attacker must also find a way to convince users to install the malicious app, often through social engineering. While large-scale campaigns could yield significant amounts of sensitive data (as demonstrated by the number of malicious apps already in circulation), the attack chain is still complex, with multiple points where the effort may outweigh the potential reward.

Exceptions may exist if a vulnerable app exposes data under normal operating conditions, and while this can and does happen, in most scenarios, this form of attack is difficult, making it more likely to occur in targeted or opportunistic contexts rather than at scale.

Why attacking APIs is easier and more rewarding

Intercepting an app’s traffic to its API can also present challenges, but in practice this is generally easier to achieve than exploiting the app directly on a device.

Here’s why APIs frequently present a much more attractive target:

  • Familiar attack surface: API traffic is, the majority of the time, just web traffic, and attackers have decades of experience exploiting web applications.
  • Broader impact: compromising an API can expose data for many users at once, rather than relying on access to individual devices.
  • Different pathways: mobile apps often use slightly different API endpoints or communication methods than a website equivalent, creating unique vulnerabilities that may not exist within the associated web application.

This highlights why API security is, arguably, the greater concern for mobile applications today.

Attacking API’s still has its caveats

Intercepting and manipulating API traffic isn’t always straightforward. Security controls such as SSL pinning can raise the barrier to entry. However, compared to the challenges of obtaining physical possession of a user’s device in a suitable state, or distributing malicious apps, APIs remain the easier, and often far more impactful attack vector. Strong API security measures can mitigate these risks.

Conclusion

Mobile apps are everywhere, but their greatest security risk, more often than not generally lies not in the apps themselves, but in the APIs they depend on. A compromised API is a single gateway to user data, business logic, and critical systems, making it one of the most important assets to defend. Leveraging experts like us ensures these critical connections remain secure, giving both businesses and users peace of mind.

Need some help?

We provide comprehensive mobile security and API protection services, helping you identify and address vulnerabilities before attackers can exploit them. We’re CHECK and CREST approved, with our specialists holding some of the most recognised certifications in the industry, including CREST and cyber scheme certifications . We can help with:

  • API penetration testing: simulating attacks to uncover weaknesses in API endpoints, authentication, and data handling.
  • Secure connectivity solutions: ensuring data transmitted between apps and APIs is encrypted and protected from interception.
  • Continuous monitoring: detecting unusual API activity or potential breaches in real time, reducing response time to threats.
  • Compliance and best practices guidance: helping organisations meet industry standards and regulatory requirements for mobile security.

By partnering with us, you can protect the critical bridge between your mobile apps and the servers they rely on, reducing the risk of large-scale data exposure and strengthening overall security posture. Emphasising API security ensures your mobile apps remain safe from the most common and impactful threats.

Chris Watt PictureChris Watt, Penetration Testing Service Delivery Lead

Chris Watt has been in the Penetration Testing arena for 13 years, specialising in web application and API security for most of that time. For the last few years, he has been steadily branching out into other types of security, including advanced infrastructure and mobile app testing.

Ready to test your mobile security?

Talk to us More on penetration testing

Cyber Security, Penetration Testing, CyberGuard, Blogs

Latest blogs

See all posts
ai-security
How AI‑powered cyber attacks are evolving in 2026 - and how to defend against them

Artificial intelligence has redefined the cyber threat landscape. What once required coordinated teams of skilled attackers can now be executed at machine speed, with AI automating everything from reconnaissance to exploitation. In 2026, UK businesses face a level of cyber risk that is faster, more adaptive, and harder to detect than at any time in the past decade.

Read more
Placeholder thumbnail
The NHS leader’s CAF & DSPT checklist: cyber resilience, compliance, and assurance in 2026

For NHS Trust leaders, meeting the demands of cyber security assurance has never been more urgent. With the Data Security and Protection Toolkit (DSPT) now aligned to the Cyber Assessment Framework (CAF), NHS organisations now need to demonstrate not only whether controls are in place, but how effective they are in practice.

Read more
online banking
Why financial services firms need advanced connectivity & security in 2026

The UK financial services sector entered 2026 as one of the most digitally advanced industries in the world. Mobile banking dominates customer interactions, neobanks (a bank that only operates online and has no network of physical locations) continue to disrupt traditional models, and AI is rapidly expanding across fraud prevention, analytics, and customer experience. But with rapid digital acceleration comes increased cyber risk, regulatory pressure, and infrastructure demands. Financial institutions now require advanced connectivity and robust security to stay operational, competitive, and compliant.

Read more
msp it
Top 10 questions to ask before choosing an MSP in the UK (2026)

Choosing a Managed Service Provider (MSP) is one of the most important technology decisions a UK business will make in 2026. With MSPs now responsible for cyber security, cloud management, remote working, data protection, and everyday IT operations, selecting the wrong partner can create major business, financial, and regulatory risks.

Read more
windows-11
Understanding Windows 10 Extended Security Updates (ESU) - what your business needs to know in 2026

As of 14 October 2025, Microsoft officially ended free security updates for Windows 10. Organisations that continue operating Windows 10 devices today - in 2026 - are now doing so in a post‑support environment, relying either on paid Extended Security Updates (ESU) or accepting increasing cyber risk. Windows updates are the backbone of endpoint security, identifying new vulnerabilities and closing them before attackers exploit them. Since the end of support deadline passed, unpatched vulnerabilities accumulate quickly, creating growing exposure across any estate still running Windows 10. Continuing with Windows 10 in 2026 can lead to: Higher cyber‑attack risk, particularly ransomware Compliance issues (Cyber Essentials, ISO 27001, GDPR, FCA/financial sector requirements) Reduced software compatibility with modern applications and security tools Increased helpdesk overhead due to outdated hardware and OS issues For organisations, this is no longer preparation for a future deadline - it’s about reducing risk now and completing the transition to a modern, supported operating system. Your organisation’s options in 2026 Businesses now have three strategic pathways depending on their hardware, budget cycle, and deployment readiness. 1. Upgrade existing compatible devices to Windows 11 If your current hardware meets Microsoft’s requirements, upgrading remains the fastest and most cost‑effective way to move away from Windows 10 ESU dependency. Benefits include: Ongoing security updates Modern protection (TPM 2.0, enhanced kernel security, improved identity protection) Support for AI‑powered features and future Microsoft roadmaps Lower risk and long‑term stability If your business has Windows 10 machines still capable of upgrading, this should be the first route explored. 2. Refresh your estate with Windows 11‑ready devices Many Windows 10 machines still in use in 2026 are now five to eight years old, and often: Fall below modern security standards Cause productivity bottlenecks Increase support tickets Consume disproportionate IT resources A structured hardware refresh offers: Predictable lifecycle management Improved reliability and performance Standardisation across departments Compatibility with modern security and MDM tooling Wavenet supports staged refresh programmes aligned with fiscal planning, ensuring minimal business disruption. 3. Continue using Windows 10 with Extended Security Updates (ESU) Microsoft’s Windows 10 ESU programme is still available, but it is: Paid per device, per year Increasing in cost each year (designed to encourage migration) Security‑only - no features or performance improvements A temporary safety net, not a long‑term strategy ESU is most appropriate when: Line‑of‑business applications are not yet Windows 11 certified You need additional time for a phased rollout Budget cycles are delaying upgrades or refresh Remote / operational environments require longer transition periods Most organisations still using ESU in 2026 should plan to exit it within the next 12–24 months. Assessing your Windows 11 readiness in 2026 At this stage, businesses need more than a simple device‑level compatibility check. A comprehensive analysis includes: Hardware readiness across the estate Application and vendor compatibility Driver and firmware validation Intune / MDM alignment Security baselines and policy impacts User profile and data considerations Deployment sequencing and pilot planning Wavenet offers full readiness assessments to provide a clear view of which devices can be upgraded, which require replacement, and where ESU may remain temporarily necessary. Why 2026 is a critical year for migration With the end of support now behind us, delaying migration further increases: Security exposure Operational risk Compliance penalties ESU costs End‑user frustration from aging hardware A well‑structured migration programme delivers: A secure, modernised endpoint environment Lower long‑term support cost Improved employee experience Better alignment with Microsoft’s cloud and security roadmap Many organisations are now accelerating migration to remove the remaining Windows 10 footprint entirely. How Wavenet supports your Windows 11 journey Wavenet provides end‑to‑end Windows 11 migration services, including: Estate discovery & readiness assessment Hardware lifecycle planning and procurement Application compatibility testing Managed upgrade or Autopilot deployment Configuration, security baselines, and Intune alignment ESU planning (where absolutely necessary) Phased rollouts with minimal disruption Whether you’re upgrading compatible devices, refreshing your estate, or transitioning off ESU entirely, Wavenet ensures a smooth, secure, and controlled migration.

Read more