92% of Mobile Apps Found to Use Insecure Cryptographic Methods

A new analysis of over 17,000 enterprise mobile apps has revealed critical security flaws that could put millions of users and companies at risk.
According to a new report from Zimperium, "Your Apps are Leaking: The Hidden Data Risks on your Phone," these vulnerabilities include misconfigured cloud storage, hardcoded credentials and outdated cryptographic practices.
The report shows that mobile apps, particularly those used in business environments, are leaking sensitive information at an alarming rate.
In particular, the researchers analyzed 17,333 mobile work applications from official app stores (6037 for Android and 11,626 for iOS), uncovering serious security issues in both Android and iOS ecosystems.
Among their most concerning findings:
- 83 Android apps were found to use unprotected or misconfigured cloud storage
- 10 Android apps contained exposed credentials to Amazon Web Services (AWS)
- 92% of all analyzed apps used weak or flawed cryptographic methods
- 5 of the top 100 apps had high-severity cryptographic flaws, such as hardcoded keys and outdated algorithms
These vulnerabilities can expose data in transit and at rest, leaving companies open to unauthorized access, data manipulation or extortion without a traditional ransomware attack.
“Misconfiguration in cloud storage and exposed credentials is the same as leaving the front door open and saying the house is safe,” said Boris Cipot, senior security engineer at Black Duck.
“This is an open invitation for attackers to steal data simply by exploiting sloppy security configurations.”
The Cost of Oversight
The growing dependence on mobile devices in enterprise settings, especially in bring-your-own-device (BYOD) environments, has also significantly increased the attack surface for cybercriminals.
In 2024 alone, data breaches impacted more than 1.7 billion people, resulting in an estimated $280bn in financial losses.
Cloud integration, while essential for scalability, introduces risks when cloud APIs and SDKs are not securely implemented.
Some apps ranked in the top 100 on the Google Play Store had storage directories exposed to the public, making them vulnerable to ongoing scans from malicious actors.
Cryptographic weaknesses compound the threat. The use of outdated algorithms like MD2 and insecure random number generators means that even encrypted data may not be safe.
“Cryptography is the foundation of secure communication and data storage,” Cipot added.
“If flawed cryptographic algorithms are used, or no protection is applied, then this is a highly alarming state.”
A Path Forward for Enterprises
To address these risks, Zimperium recommended enterprises take the following steps:
- Identify and resolve misconfigured cloud storage settings
- Detect and rotate exposed credentials and API keys
- Validate cryptographic methods and avoid outdated or insecure algorithms
- Monitor third-party SDKs for known vulnerabilities
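As an added illustration of the credential and cryptography checks in this list (not code from Zimperium's report or tooling), the sketch below scans decompiled or checked-in Java source for AWS access key IDs, weak digests, non-cryptographic random number generators and string-literal keys. The file paths and sample source are constructed, and the digest rule goes beyond the MD2 case named in the article to cover MD4, MD5 and SHA-1 as well.

```python
import re

# Rule name -> pattern. MD2 and insecure RNGs are named in the article; the
# other weak digests are an added generalization (assumption of this example).
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "weak-digest": re.compile(
        r'MessageDigest\.getInstance\(\s*"(?:MD2|MD4|MD5|SHA-?1)"', re.I),
    "insecure-rng": re.compile(
        r"\bnew\s+(?:java\.util\.)?Random\s*\(|\bMath\.random\s*\("),
    "hardcoded-key": re.compile(r'new\s+SecretKeySpec\(\s*"[^"]+"\.getBytes'),
}

def scan(files):
    """Return sorted (path, line_no, rule) findings for a {path: source} map.

    The matched text is deliberately left out of the findings so that the
    report itself does not become another copy of the secret.
    """
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append((path, line_no, rule))
    return sorted(findings)

# Constructed sample input. The key ID is the placeholder used in AWS
# documentation, not a real credential.
SAMPLE = {
    "app/src/Uploader.java": (
        'String id = "AKIAIOSFODNN7EXAMPLE";\n'
        'MessageDigest md = MessageDigest.getInstance("MD2");\n'
    ),
    "app/src/Token.java": (
        "long nonce = new Random().nextLong();\n"
        'Key k = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");\n'
        "SecureRandom rng = new SecureRandom();\n"
        'MessageDigest ok = MessageDigest.getInstance("SHA-256");\n'
    ),
}

if __name__ == "__main__":
    for path, line_no, rule in scan(SAMPLE):
        print(f"{path}:{line_no}: {rule}")
```

Any credential this kind of scan finds should be treated as exposed and rotated, since removing it from the source does not remove it from builds that have already shipped.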
“Cloud adoption has unlocked massive potential for organizations,” said Rom Carmel, co-founder and CEO of Apono.
“[But] to stay resilient in today’s dynamic threat landscape […] security teams must adopt a defense-in-depth strategy: eliminate standing access, enforce least privilege and limit what compromised identities can actually do.”