Estimates show the number of people who had personal data compromised increased by 312% from 2023 to 2024.
Zimperium’s zLabs researchers examined 17,333 Android and iOS mobile apps obtained from the official app stores and being used by the firm’s own enterprise customers’ employees. This follows an estimated increase of 312% in the number of individuals who had personal data compromised in 2024: from 419 million in 2023 to 1.7 billion in 2024 (figures from the Identity Theft Resource Center (ITRC).
With personal mobile phones increasingly being used within business environments, these numbers are likely to grow, and the consequent threat to business systems will increase.
The two most common app weaknesses discovered by the researchers include misconfigured use of cloud storage, and use of poor cryptography.
From the mobile apps examined, 83 Android apps (4 from within Google Play Store’s top 100 popularity list) were found to use unprotected or misconfigured cloud storage. In some of the stores the file indexes are world viewable, and in others the content can be accessed without credentials. Since criminals are continuously scanning the internet for such unprotected repositories, this is a serious threat to the data they contain.
Ten Android apps expose credentials to AWS cloud services – allowing attackers to read data and possibly write false data into the store.
“Misconfiguration in cloud storage and exposed credentials is the same as leaving the front door open and saying the house is safe,” comments Boris Cipot, senior security engineer at Black Duck. “This is an open invitation for attackers to steal data simply by exploiting sloppy security configurations or application security.”
Encryption is the most common and effective method of protecting data; but only if it is done properly. “It is the foundation of secure communication and data storage,” comments Cipot. However, the researchers found that 92% of all the apps it tested do not follow best practices – and 5% of the top 100% contain high severity cryptography flaws. These flaws include hardcoded keys, outdated algorithms, and insecure random number generators.
“This is alarming,” adds Cipot. “The presence of hardcoded keys and outdated algorithms are especially dangerous as they can be the reason for exposed high-volume data to be compromised.”
While iOS is often thought to be more secure than Android, especially with apps obtained from Apple’s App Store, Nico Chiaraviglio, chief scientist at Zimperium, comments that this is not necessarily so in these areas. “We see similar issues on both platforms.”
This all results in a huge problem for companies. Staff efficiency is welcomed, and it is impossible to fully prevent people using their mobile phones at work. The practice is growing and is likely to increase. Even when staff obey their own good practices and only install apps from the official Android and Apple app stores, they may well be inadvertently and unknowingly introducing vulnerabilities to both their own personal and the company’s wider confidential data.
The potential risks to enterprises include data exposure, compliance violations, reputational damage, and resultant financial costs.
Related: Android Update Patches Two Exploited Vulnerabilities
Related: North Korean Hackers Distributed Android Spyware via Google Play
Related: Apple Patches First Exploited iOS Zero-Day of 2025
Related: New iOS Security Feature Reboots Devices to Protect User Data: Reports
