Key Takeaways:
- Quokka’s data shows that mobile app vulnerabilities are widespread
- Known issues like weak cryptography still dominate app risk
- Third-party dependencies drive hidden, high-severity exposure
Mobile apps have quietly become one of the largest and least understood attack surfaces in the enterprise. They handle authentication, move sensitive data, and connect directly into corporate systems. Most organizations assume that apps from official stores meet a baseline level of security. The data says otherwise.
In our latest mobile security research, based on analysis of over 150,000 mobile applications, we found that fundamental security issues are not edge cases. They are the norm.
How widespread are mobile application security vulnerabilities?
These aren’t edge cases concentrated in sketchy apps from obscure developers. They’re widespread and present across categories and platforms. Some numbers that highlight this include:
- 94.3% of Android apps transmit data over unencrypted HTTP
- 50+ apps contain hardcoded AWS credentials
- Critical CVEs in third-party components were found in 11% of Android apps and 13% of iOS apps
Old vulnerabilities, still shipping in mobile apps
Unencrypted HTTP traffic is a beginner-level security concern, yet it appears in the overwhelming majority of mobile apps we analyzed. Cryptographic failures are similarly widespread. Broken cipher modes, hardcoded encryption keys, and weak algorithms that were retired years ago continue to appear in apps that handle authentication, payments, and health data. In some cases, apps were found using cryptographic configurations that have been explicitly prohibited in security guidance for over a decade.
The dependency problem runs deep
One of the most striking findings in this year’s security analysis came from examining third-party dependencies. When we generated Software Bills of Materials (SBOMs) for each app, we found that 65% of Android apps contain high-severity CVEs — and some of the vulnerabilities in active use were first disclosed in 2009.
The iOS picture is different but not better. Critical CVE exposure in iOS apps is concentrated in far more recent disclosures, with thousands of apps containing vulnerabilities first identified in 2023 and 2024. Speed of adoption cuts both ways: newer apps can also carry newer unpatched flaws.
When “low prevalence” still means catastrophe
Some of the most alarming findings weren’t the most common ones. We identified more than 50 mobile apps with hardcoded AWS credentials embedded directly in their compiled binaries. The prevalence is low. The potential impact is not.
A hardcoded cloud credential exposed in a mobile app isn’t a theoretical security risk. An attacker could gain access to production databases, customer data, and in the most extreme cases, root-level access to an organization’s entire cloud infrastructure. One app with this problem is one too many.
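As an added example that is not from Quokka's report or tooling, the following Python check runs the three finding classes discussed above (cleartext HTTP, retired cryptography, hardcoded AWS access keys) over a constructed set of strings of the kind a static analyzer extracts from a decompiled Android app. The sample strings, the `.invalid` hostnames, and the AWS documentation placeholder key ID are assumptions for illustration, not findings from the report.

```python
import re
from collections import defaultdict

# Constructed sample input: string constants and a manifest fragment of the kind a
# static analyzer pulls out of a decompiled Android app. Not data from any real app.
SAMPLE_STRINGS = [
    "http://api.example-app.invalid/v1/login",
    "https://api.example-app.invalid/v1/profile",
    "AES/ECB/PKCS5Padding",
    "AES/GCM/NoPadding",
    "DES/CBC/PKCS5Padding",
    "MD5",
    "AKIAIOSFODNN7EXAMPLE",  # AWS's documented placeholder access key ID
    "com.example.app.MainActivity",
]
SAMPLE_MANIFEST = '<application android:usesCleartextTraffic="true">'

CLEARTEXT_URL = re.compile(r"^http://", re.IGNORECASE)
CLEARTEXT_POLICY = re.compile(r'android:usesCleartextTraffic\s*=\s*"true"')
# JCE transformation strings naming retired algorithms, or any cipher run in ECB mode.
WEAK_CIPHER = re.compile(r"^(?:DES|DESede|RC2|RC4|ARCFOUR)(?:/|$)|/ECB/", re.IGNORECASE)
WEAK_DIGEST = re.compile(r"^MD5$", re.IGNORECASE)
# Long-term AWS access key IDs start with AKIA followed by 16 uppercase alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def scan_strings(strings, manifest=""):
    """Return {finding_class: [evidence, ...]} for one app's extracted strings."""
    findings = defaultdict(list)
    if CLEARTEXT_POLICY.search(manifest):
        findings["cleartext_traffic_allowed"].append('usesCleartextTraffic="true"')
    for s in (x.strip() for x in strings):
        if CLEARTEXT_URL.search(s):
            findings["cleartext_http_url"].append(s)
        if WEAK_CIPHER.search(s) or WEAK_DIGEST.search(s):
            findings["weak_cryptography"].append(s)
        if AWS_ACCESS_KEY_ID.search(s):
            # The key ID is not itself secret, but one shipped in a binary usually
            # travels with its secret key: treat as a credential leak and rotate.
            findings["hardcoded_aws_credential"].append(s)
    return dict(findings)

def severity(findings):
    """Worst finding wins: a rare hardcoded cloud credential outranks a common cleartext URL."""
    if "hardcoded_aws_credential" in findings:
        return "critical"
    if "weak_cryptography" in findings:
        return "high"
    return "medium" if findings else "none"
```

Running `scan_strings(SAMPLE_STRINGS, SAMPLE_MANIFEST)` on the constructed input reports one cleartext URL, the cleartext-traffic manifest flag, three weak-cryptography strings and one access key ID, and `severity` rates the app critical on the strength of that single credential.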
Why these mobile app security problems persist
Our full report goes deeper on the structural reasons these mobile app vulnerabilities persist year over year, including the role of developer education, legacy code accumulation, and the limits of app store review processes. The findings point to specific, actionable changes that both development teams and enterprise security organizations can make now.
Read the full 2026 report
The complete analysis covers major vulnerabilities, platform-by-platform breakdowns, SBOM findings, and a detailed mobile application security best practices guide for developers and enterprise security teams. Download the full report.