Real-World Android App Security: Trends That Shouldn’t Be Ignored

We looked back at a sample of 25,000 Android app analyses and highlighted the most prevalent mobile app security issues discovered, ranging from inadvertent disclosures of personal information to supply chain vulnerabilities.


TL;DR – Key Takeaways

  • We looked at a sample of 25,000 top Android apps
  • 14.79% of apps exhibited at least one high-impact issue
  • Over 50% of apps use libraries with known high-severity CVEs


Before we move into the new year and analyze our findings from 2025, we’re taking a look back at a sample of 25,000 top Android apps across a variety of app categories, drawing on a curated sample representing trends in the ecosystem from 2020 to 2024. While we’re only presenting Android app data in this analysis, iOS apps show the same general practices. We will be publishing further research, including iOS apps, in the near future.

How the Analysis was Performed

We analyzed 25,000 Android apps using Quokka’s mobile app risk intelligence. Each analysis included:

  • Pattern- and flow-based security analysis
  • Misconfiguration detection
  • Behavior analysis, including PII exposure and data leakages
  • Supply chain and dependency analysis

Top Data Exposure and App Logic Risks

Of the 25,000 apps analyzed, 14.79% contained at least one high-impact issue. We’ve highlighted the most prevalent mobile app security issues discovered, ranging from inadvertent disclosure of personal information to dangerous deserialization practices that could enable attackers to execute arbitrary code. 

Finding type                                   Apps affected   Percent of apps affected
Possible PII exposure                                  1,544                      6.18%
SharedPreferences misuse from external input             839                      3.36%
Unsafe intent extras                                     797                      3.19%
Possible plaintext crypto leakage                        796                      3.18%
Insecure deserialization                                 475                      1.90%
Possible credential leakage                              367                      1.47%

We also broke down the results by app-store category, calling out the categories with more than 300 analyzed apps and the highest percentage of apps containing at least one security finding. 

Category              Apps with at least one finding   Percent of apps in that category
Medical                                          154                             38.60%
Communication                                    263                             37.36%
Business                                         388                             35.76%
Tools                                          1,198                             32.82%
Books and Reference                              133                             32.76%
Productivity                                     422                             32.61%
Finance                                          481                             23.35%

Possible PII (Personally Identifiable Information) exposure

  • Definition: Data that can identify a person leaves the app’s trust boundaries. 
  • Impact: Privacy violations, compliance exposure, targeted abuse. Mobile applications handling more sensitive data carry higher risks. Medical or financial apps present an understandably richer target. Of the 399 medical apps we analyzed, 26 (6.52%) were flagged for this. Of the 2,060 finance apps analyzed, 106 (5.15%) were flagged.

External control of SharedPreferences

  • Definition: External input (a deep-link parameter, an intent extra, a server response) is used, without validation, as the key or the value written to SharedPreferences.
  • Impact: Hijacking of app behavior or configuration. Because many apps keep server URLs, feature flags and session state in SharedPreferences, letting an outside party choose a key or value can redirect traffic, disable checks or corrupt state.
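The pattern behind this finding, and one way to close it, as an added example (this is not Quokka's code, and the Activity, preference keys and deep-link format are hypothetical):

```java
// Added example (not Quokka's code). A deep link such as
//   myapp://settings?key=api_base_url&value=https://attacker.example
// is delivered to this Activity by any app or web page on the device. The
// vulnerable handler lets the sender choose both the preference key and its
// value; the hardened one accepts only allowlisted keys with validated values.
import android.app.Activity;
import android.content.SharedPreferences;
import android.net.Uri;
import android.os.Bundle;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Predicate;

public class SettingsDeepLinkActivity extends Activity {

    // VULNERABLE: attacker-controlled key and value written straight to prefs.
    // If the app later reads "api_base_url" from here, its traffic is redirected.
    void applyDeepLinkUnsafe(Uri link, SharedPreferences prefs) {
        String key = link.getQueryParameter("key");
        String value = link.getQueryParameter("value");
        prefs.edit().putString(key, value).apply();
    }

    // Hypothetical allowlist: the only keys a deep link may set, each with a
    // validator. Security-relevant settings (server URLs, auth state, flags that
    // disable checks) are deliberately absent, so a link can never name them.
    private static final Map<String, Predicate<String>> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("theme", v -> "light".equals(v) || "dark".equals(v));
        ALLOWED.put("feed_page_size", v -> v.matches("[1-9][0-9]?")); // 1..99
    }

    // HARDENED: unknown key, missing value or failed validation -> link ignored.
    boolean applyDeepLinkSafe(Uri link, SharedPreferences prefs) {
        String key = link.getQueryParameter("key");
        String value = link.getQueryParameter("value");
        if (key == null || value == null) return false;
        Predicate<String> valid = ALLOWED.get(key);
        if (valid == null || !valid.test(value)) return false;
        prefs.edit().putString(key, value).apply();
        return true;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri link = getIntent().getData();
        if (link != null) {
            applyDeepLinkSafe(link, getSharedPreferences("settings", MODE_PRIVATE));
        }
    }
}
```

The allowlist is the important part: a validator per key means the external party can only ever pick among values the app already considers safe, and keys that matter for security are simply not reachable from the link at all.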

Unsafe Intent extras

  • Definition: External input (extras, a data URI, or a whole Intent passed as an extra) is used to set the fields or extras of an Intent the app then sends.
  • Impact: Privilege confusion (for example, intent redirection into components that are not exported), data tampering, or triggering unintended component behavior.
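The most common instance of this finding is intent redirection: an exported Activity takes an Intent out of its own extras and launches it, lending the caller the app's identity. The following is an added example (not Quokka's code; the Activity name and the "next" extra are hypothetical) showing that pattern and a forwarding check that keeps the sender from gaining anything it could not do on its own:

```java
// Added example (not Quokka's code). ShareRouterActivity is exported and
// accepts a nested Intent in the hypothetical "next" extra.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import android.os.Bundle;

public class ShareRouterActivity extends Activity {

    // VULNERABLE: whatever Intent the caller packed into "next" is started with
    // this app's identity, so a non-exported internal Activity (or a content:
    // URI this app holds a grant for) becomes reachable by any app on the device.
    void forwardUnsafe(Intent incoming) {
        Intent next = incoming.getParcelableExtra("next");
        if (next != null) {
            startActivity(next);
        }
    }

    // HARDENED: forward only when the target (a) resolves, (b) lives in this
    // package, (c) is itself exported, and (d) carries no URI permission grants.
    // The explicit ComponentName pins the launch to the component we just checked.
    boolean forwardSafe(Intent incoming) {
        Intent next = incoming.getParcelableExtra("next");
        if (next == null) return false;

        ResolveInfo ri = getPackageManager().resolveActivity(next, 0);
        if (ri == null || ri.activityInfo == null) return false;
        if (!getPackageName().equals(ri.activityInfo.packageName)) return false;
        if (!ri.activityInfo.exported) return false;

        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        next.setComponent(new ComponentName(ri.activityInfo.packageName, ri.activityInfo.name));
        startActivity(next);
        return true;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        forwardSafe(getIntent());
        finish();
    }
}
```

If the feature does not genuinely need an arbitrary nested Intent, the stronger fix is to drop the extra entirely and build an explicit Intent from a small set of allowlisted actions; the check above is for the cases where forwarding is required.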

Possible plaintext crypto leakage

  • Definition: Plaintext data is logged or transmitted without encryption.
  • Impact: Possible interception and recovery.

Insecure deserialization

  • Definition: The app uses untrusted data to deserialize objects, allowing an attacker to manipulate objects and inject malicious code or data.
  • Impact: Arbitrary code execution and denial of service attacks.
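An added example (not Quokka's code) of the vulnerable call and one hardening that works on every Android API level: an ObjectInputStream subclass that rejects any class name not on an explicit allowlist before an instance is created. SyncState and the allowlist entries are hypothetical.

```java
// Added example (not Quokka's code). readUnsafe() is the pattern the finding
// describes; AllowlistObjectInputStream checks each class descriptor in the
// stream before the class is loaded or any object is instantiated.
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class SafeDeserializer {

    // Hypothetical model object the app legitimately expects in the stream.
    public static final class SyncState implements Serializable {
        private static final long serialVersionUID = 1L;
        public final long cursor;
        public SyncState(long cursor) { this.cursor = cursor; }
    }

    // VULNERABLE: ObjectInputStream instantiates whatever class the bytes name,
    // so whoever controls the bytes (an intent extra, a file, a network reply)
    // picks the classes, and with them any gadget chain on the classpath.
    static Object readUnsafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Only these class names may appear in the stream. Array types need their
    // own entries (e.g. "[J"); everything else is rejected in resolveClass().
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            SyncState.class.getName(), "java.lang.Long", "java.lang.Number"));

    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            throw new InvalidClassException("dynamic proxies are not permitted in this stream");
        }
    }

    // HARDENED: allowlisted stream plus a type check on the top-level result.
    static SyncState readSafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(untrusted), ALLOWED)) {
            Object o = in.readObject();
            if (!(o instanceof SyncState)) {
                throw new InvalidClassException("unexpected top-level type: " + o.getClass().getName());
            }
            return (SyncState) o;
        }
    }
}
```

Two caveats for Android specifically. First, Bundle unparceling deserializes Serializable extras before your code runs, so the allowlist above cannot protect an exported component that accepts a Serializable extra from an untrusted sender; prefer primitives or a schema-validated text format for cross-app data. Second, where the data format is under your control, replacing Java serialization altogether removes the class of bug rather than filtering it.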

Possible credential leakage

  • Definition: Secrets, such as tokens or passwords, can be exposed through outputs like logs or files. 
  • Impact: Possible account takeover and sensitive/PII leakage. 

Top Supply Chain Risks: High and Critical CVE Exposure

Finding type                                Apps affected   Percent of apps affected
Embedded library with a High-Severity CVE          12,916                     51.82%
Embedded library with a Critical CVE                4,380                     17.57%

More than half of the apps ship at least one library with a known High-severity CVE, and roughly one in six ships a library with a Critical one. A vulnerability that is already public, documented and often accompanied by proof-of-concept code is the cheapest entry point an attacker can ask for, which is why dependency inventory and remediation need to be a routine part of every release rather than an occasional audit.

Embedded library with a High-Severity CVE

  • Definition: The app includes a third-party library that has a known high-severity vulnerability. High-severity CVEs have a CVSS score between 7.0 and 8.9.
  • Impact: Compromise of user privacy, data integrity, or authentication flows. While exploitation may require certain conditions, attackers frequently target apps with unpatched dependencies because the entry point is already documented and understood.

Embedded library with a Critical CVE

  • Definition: The app contains a third-party component affected by a critical-severity vulnerability. Critical-severity CVEs have a CVSS score between 9.0 and 10.0. 10.0 is the highest possible score.
  • Impact: High likelihood of exploitation, including full device or account compromise. A Critical dependency creates a direct pathway for attackers, and patching or upgrading the affected library should be considered urgent.

Why These Patterns Persist

These issues are rarely exotic. They usually trace back to:

  • Fast development cycles and a focus on features that deprioritizes security
  • Third-party SDKs or libraries intended to save time that unintentionally introduce risk
  • A complex mobile ecosystem with multiple platforms, OS versions, and device variations that need to be accounted for

Best Practices for Reducing Mobile App Risk

1. Lock Down Network Security

  • Enforce TLS certificate validation
  • Fail-closed on verification errors
  • Use certificate pinning where justified
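The declarative route on Android is a Network Security Config with a pin-set; when pinning has to be done in code, the version below is an added example (not Quokka's code, pin values are placeholders) that keeps the platform's chain validation, adds SPKI pinning on top, and fails closed. It also shows the trust-everything TrustManager that the "enforce TLS certificate validation" advice is aimed at.

```java
// Added example (not Quokka's code). TRUST_EVERYTHING is the anti-pattern;
// pinned() is one hardening: the platform trust manager validates the chain
// first, then the chain must contain a pinned SubjectPublicKeyInfo hash, and
// any failure throws. The pin strings are placeholders.
import android.util.Base64;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTls {

    // VULNERABLE: both checks return without inspecting the chain, so any
    // certificate is accepted. Usually paired with a HostnameVerifier that
    // returns true, which removes the last obstacle for an on-path attacker.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Base64(SHA-256(SubjectPublicKeyInfo)), the same form as <pin digest="SHA-256">
    // in Android's Network Security Config. Hypothetical values; always ship a
    // backup pin for a key you control but have not deployed yet.
    static final Set<String> PINS = new HashSet<>(Arrays.asList(
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
            "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="));

    // The platform's own trust manager: system roots and the OS's chain rules.
    static X509TrustManager platformDefault() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    static String spkiSha256(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        return Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    // HARDENED: delegate first (normal PKI validation), then require a pin match.
    static X509TrustManager pinned(final X509TrustManager delegate, final Set<String> pins) {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkServerTrusted(chain, authType);
                for (X509Certificate cert : chain) {
                    try {
                        if (pins.contains(spkiSha256(cert))) return;
                    } catch (NoSuchAlgorithmException e) {
                        throw new CertificateException(e);
                    }
                }
                throw new CertificateException("no pinned public key in certificate chain");
            }
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        };
    }

    static HttpsURLConnection open(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinned(platformDefault(), PINS) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default HostnameVerifier; never replace it with (host, session) -> true.
        return conn;
    }
}
```

One caveat: the chain handed to checkServerTrusted is the chain the server sent, not necessarily the chain the platform validated. On Android, android.net.http.X509TrustManagerExtensions.checkServerTrusted(chain, authType, host) returns the validated chain and is the better thing to pin against; the Network Security Config pin-set handles this for you, which is one reason to prefer it when it fits.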

2. Stop Silent Data Leaks

  • Remove verbose logging before release
  • Encrypt sensitive data at rest
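The "possible plaintext crypto leakage" and "possible credential leakage" findings above are, in practice, mostly log statements that carry tokens, passwords or request bodies. An added example (not Quokka's code; com.example.app is a hypothetical package) of a logging wrapper that is compiled out of release builds and redacts common secret shapes even in debug builds:

```java
// Added example (not Quokka's code). SafeLog is a drop-in for android.util.Log
// that (1) is disabled in release builds via the Gradle-generated
// BuildConfig.DEBUG flag and (2) redacts bearer tokens, credential-like query
// parameters, JSON credential fields and cookie headers before anything is
// written. com.example.app is a hypothetical package.
import android.util.Log;
import com.example.app.BuildConfig;
import java.util.regex.Pattern;

public final class SafeLog {
    private SafeLog() { }

    private static final boolean ENABLED = BuildConfig.DEBUG;

    private static final Pattern BEARER =
            Pattern.compile("(?i)(Bearer\\s+)[A-Za-z0-9\\-._~+/]+=*");
    private static final Pattern QUERY_SECRET =
            Pattern.compile("(?i)([?&](?:token|access_token|refresh_token|password|api_key|secret)=)[^&\\s]+");
    private static final Pattern JSON_SECRET =
            Pattern.compile("(?i)(\"(?:password|token|access_token|refresh_token|secret)\"\\s*:\\s*\")[^\"]*(\")");
    private static final Pattern COOKIE =
            Pattern.compile("(?i)((?:Set-)?Cookie:\\s*)[^\\r\\n]+");

    // Pure function, so it can be unit-tested on the JVM without an Android device.
    public static String redact(String message) {
        if (message == null) return null;
        String out = BEARER.matcher(message).replaceAll("$1[REDACTED]");
        out = QUERY_SECRET.matcher(out).replaceAll("$1[REDACTED]");
        out = JSON_SECRET.matcher(out).replaceAll("$1[REDACTED]$2");
        out = COOKIE.matcher(out).replaceAll("$1[REDACTED]");
        return out;
    }

    // Verbose/debug output: gone entirely from release builds.
    public static void d(String tag, String message) {
        if (ENABLED) Log.d(tag, redact(message));
    }

    // Warnings may stay in release builds, but still never carry secrets.
    public static void w(String tag, String message, Throwable t) {
        Log.w(tag, redact(message), t);
    }

    // VULNERABLE (the pattern behind both findings):
    //   Log.d("net", "POST /login " + body + " Authorization: " + authHeader);
    // HARDENED:
    //   SafeLog.d("net", "POST /login " + body + " Authorization: " + authHeader);
    // The bearer token and any "password" field in the JSON body are replaced
    // with [REDACTED] in debug builds, and nothing is logged in release builds.
}
```

Redaction by regex is a safety net, not a guarantee; the primary control is still the BuildConfig.DEBUG gate plus an R8 rule such as -assumenosideeffects on android.util.Log's debug and verbose methods, so that the calls are removed from the release binary rather than merely skipped at runtime. A binary-level scan of the release build, as described in this report, is the check that the stripping actually happened.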

3. Treat Dependencies as Code

  • Generate binary-level SBOMs
  • Patch High and Critical CVEs before shipment

4. Use Context-Aware Protections

  • Add runtime protections and device attestation for flows like payments or account recovery.

5. Scan / Test Before Releasing

  • Re-scan each candidate build before publishing

How Quokka Helps Protect Against Mobile App Risks

We take the exact package your users install, regardless of in-app or run-time obfuscations, and look at how it behaves in the wild, which is why transport mistakes, noisy logs, risky interprocess communication, and similar slip-ups show up clearly instead of hiding behind build scripts.

For Apps You Publish

Designed for app development, Q-mast embeds security directly into your workflow to identify security, privacy, and compliance risks before the mobile app is released. With a design tailored for DevSecOps workflows, Q-mast supports continuous, automated security testing that aligns with tools like Jenkins, GitLab, and GitHub. 

Q-mast capabilities: 

  • Automated scanning in minutes, no source code needed
  • Analysis of compiled app binary, regardless of in-app or run-time obfuscations
  • Precise SBOM generation and analysis for vulnerability reporting to specific library version, including embedded libraries
  • Comprehensive static (SAST), dynamic (DAST), interactive (IAST) and forced-path execution app analysis
  • Malicious behavior profiling, including app collusion
  • Checks against privacy & security standards: NIAP, NIST, MASVS

For Apps Your Employees Use

Across your MDM-managed fleet, Q-scout looks at the mobile apps used and flags risky behavior before it becomes an incident. It provides evidence needed to confidently approve or block apps, ensuring compliance, safeguarding privacy, and protecting organizational assets from mobile threats. 

Get Started with Quokka

Submit a Demo Request to get a full analysis and personalized demo of Quokka.


FAQs

Q1. Why focus on compiled binaries instead of source code?
The compiled binaries reflect what’s actually shipped to users — not what’s intended in source code. This exposes risks hidden by dependency injection, highly-dynamic code, build scripts, misconfigurations, or outdated nested libraries that static source reviews miss.

Q2. What’s the biggest takeaway from analyzing 25,000 Android apps?
Over half contained at least one vulnerable library, and roughly 15% had risky behaviors like data leakage or unsafe configurations — showing how common these flaws are across everyday apps, not just fringe cases.

Q3. How can organizations reduce recurring mobile app risks?
Adopt continuous security testing in the CI/CD pipeline with tools like Q-mast, generate version-precise SBOMs, patch CVEs before release, and rescan every candidate build. These practices catch silent regressions and dependency drift before users are exposed.

To prevent employees from using risky mobile apps, companies can use Quokka’s Q-scout to vet mobile apps and detect threats before they reach the device. Q-scout seamlessly integrates with MDMs, giving security teams real-time visibility into the mobile apps installed across MDM-managed devices. App inventories are automatically ingested into Q-scout and continuously updated, allowing each app to be analyzed for security and privacy risks as soon as it is added, updated, or removed. This ensures that administrators always have an up-to-date, actionable view of mobile app exposure without manual effort.
