
Mobile App Security Flaws Are Putting Businesses at Risk


A growing number of mobile apps are exposing users—and their employers—to serious cybersecurity threats due to weak security practices. From misconfigured cloud storage to outdated encryption, the risks are widespread and deeply concerning, especially for businesses with employees using personal devices at work.

According to Zimperium’s zLabs, a recent scan of over 17,000 mobile apps downloaded from official Android and iOS app stores revealed significant vulnerabilities. These weren’t obscure or fringe apps either—they’re apps regularly used by employees in corporate settings. And the findings come at a time when data breaches are exploding in scale. The Identity Theft Resource Center reports a staggering 312% increase in compromised personal records, skyrocketing from 419 million in 2023 to 1.7 billion in 2024.

One of the key culprits? Personal smartphones used in the workplace. While convenient, this practice dramatically widens the attack surface for enterprises. Even when employees only install apps from trusted sources like Google Play or the Apple App Store, they may still unknowingly expose sensitive data to attackers.

Researchers uncovered two main categories of app weaknesses: misconfigured cloud storage and flawed encryption.

Let’s start with cloud storage. Zimperium identified 83 Android apps—four of which are among Google Play’s top 100 most downloaded—that use improperly secured cloud buckets. In many cases, these storage locations are openly accessible, allowing anyone on the internet to browse files or even retrieve sensitive data without logging in. Some apps even store AWS credentials in plain sight, which could allow attackers to read or modify cloud-stored data.

In simple terms, it’s like leaving the front door wide open and claiming the house is secure. Boris Cipot, a senior security engineer at Black Duck, warns that these sloppy configurations are a golden opportunity for cybercriminals, who are constantly scanning the web for such vulnerabilities.

Encryption, a cornerstone of secure data handling, isn’t faring much better. Despite being a basic best practice, 92% of apps tested failed to follow proper encryption standards. Alarmingly, 5% of the top 100 most popular apps contained serious cryptographic issues—such as hardcoded encryption keys, outdated algorithms, and insecure random number generators.

These flaws don’t just weaken an app’s defenses—they can completely unravel them. Once a bad actor finds a hardcoded key or exploits a known algorithm flaw, large volumes of data can be instantly compromised. Cipot stresses that such oversights are especially dangerous in a business context, where a single breach could have massive consequences.
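As an added example (not from Zimperium's report or tooling), the sketch below shows how a defender vetting an app could flag the issues named above in decompiled Java source: embedded AWS access key IDs, hardcoded encryption keys, outdated algorithms, and insecure random number generators. The rule set, the choice of which algorithms count as outdated, and the sample source are assumptions made for illustration.

```python
import re

# Illustrative rules (assumptions, not Zimperium's detection logic).
RULES = [
    # AWS access key IDs: long-term (AKIA) or temporary (ASIA) prefix + 16 chars.
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    # A string literal used directly as key material.
    ("hardcoded-crypto-key",
     re.compile(r'new\s+SecretKeySpec\(\s*"[^"]+"\s*\.getBytes')),
    # Algorithms treated as outdated here: DES, 3DES, RC4, MD5, SHA-1, ECB mode.
    ("outdated-algorithm",
     re.compile(r'(?:Cipher|MessageDigest)\.getInstance\(\s*'
                r'"(?:DES|DESede|RC4|MD5|SHA-?1|AES/ECB)\b[^"]*"', re.I)),
    # java.util.Random is predictable; SecureRandom is not matched.
    ("insecure-rng", re.compile(r"\bnew\s+(?:java\.util\.)?Random\s*\(")),
]

# Constructed sample of decompiled source; the key ID is the placeholder
# value used in AWS documentation, not a real credential.
SAMPLE = '''\
String accessKey = "AKIAIOSFODNN7EXAMPLE";
SecretKeySpec k = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
byte[] iv = new byte[16]; new Random().nextBytes(iv);
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
SecureRandom rng = new SecureRandom();
'''


def scan(source: str) -> list[tuple[int, str]]:
    """Return (line number, rule name) for every rule hit.

    Matched text is deliberately not returned, so a report built from
    the findings never echoes a secret.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in scan(SAMPLE):
        print(f"line {lineno}: {name}")
```

Pattern matching of this kind only surfaces candidates for review; keys assembled at runtime or hidden by obfuscation will not match.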

While iOS is often perceived as more secure than Android, that perception doesn’t hold up in this case. Zimperium’s chief scientist Nico Chiaraviglio explains that both platforms suffer from similar security lapses. Whether it’s an iPhone or Android, vulnerabilities are equally prevalent.

And that’s what makes this issue so concerning. Many companies now support, or even encourage, a bring-your-own-device (BYOD) culture. But when employees use apps with hidden security flaws, they can unknowingly put corporate systems, data, and compliance at risk.

The consequences for organizations are severe. Data leaks can result in hefty fines for compliance violations, erosion of customer trust, and reputational damage that’s hard to undo. Add to that the operational disruption and cleanup costs, and the price of weak app security becomes painfully clear.

The takeaway? Businesses need to rethink how they evaluate mobile app usage in the workplace. A slick user interface and strong app store reviews aren’t enough. Behind the scenes, many apps fall short of even the most basic security standards—posing a serious threat not just to users, but to the companies they work for.
