Security News

Cybersecurity news aggregator

Source: SC Media

Ring the alarm! Your IT security program has a mobile-app gap

  • What: Discussion on the growing importance of securing mobile applications in enterprise environments.
  • Impact: Relevant to IT security teams managing mobile ecosystems.

Application security, DevSecOps, Endpoint/Device Security, AI/ML

Ring the alarm! Your IT security program has a mobile-app gap

April 23, 2026
By Paul Wagenseil

In a recent CRA podcast, NowSecure CEO Alan Snyder and host Adrian Sanabria discussed a critical shift in enterprise security: mobile applications are now central both to user engagement and to organizational risk. As mobile internet usage surpasses "traditional" desktop web-browser access, security strategies need to adjust to the characteristics and vulnerabilities specific to mobile ecosystems.

We are growing ever more reliant on mobile apps, yet even seasoned security teams and software developers may not appreciate the complexity of their security risks. That calls for continuous, specialized protection around mobile application development, and for acknowledging that mobile apps are the only way many customers reach online services.

"If your users trend younger, you're going to be 80%, 90% mobile," said Snyder. "If you don't interact with them on mobile, you may lose them as a customer demographic."

Mobile first, desktop last

This is a fundamental change in how online services are delivered and consumed. For hundreds of millions of people worldwide, mobile devices serve as both the primary personal and the primary business endpoint, often handling sensitive data such as financial information, geolocation, and communications.

Despite their importance, however, mobile apps are often poorly secured. Many fail to meet even basic security thresholds, with average security scores falling below acceptable standards.

"The state of mobile-app security, unfortunately, is really poor," said Snyder. "We do a scale of one to 100 and we look at hundreds of thousands of apps, across millions of versions of those apps. The average score is below 50."

A major contributor to this problem is the heavy reliance on third-party components.
"Your average mobile app is 70% somebody else's code," said Snyder. "I've seen it as high as 90, and we've seen it as low as 50, but it's, on average, it's about 70% somebody else's code."

Much of that external 70% is SDKs for analytics, advertising, and other external services, and those are also the parts the app's developer controls least. Because these components are compiled into the app and inherit its permissions, they can access, and potentially misuse, any sensitive data on the device that the app itself can reach, importing vulnerabilities that originate outside the app creator's direct control.

Can you hear me?

There is also limited visibility. Many organizations lack a clear inventory of the components in their mobile apps, which makes it difficult to assess exposure or respond to emerging threats. The rapid pace of updates intensifies this: mobile apps change frequently, introducing new code and dependencies that may not have been fully vetted. Security therefore cannot be treated as a one-time assessment; it must be an ongoing process.

"I don't let my apps auto-update," said Snyder. "I want to know what they're doing."

"Your average app updates once a month. Your high-frequency apps, they're updating every couple of days," he added. "That's a lot of change. And that means it's a new app. It needs to be retested. You just don't know what changed."

To address these challenges, Snyder and Sanabria advocated a risk-based approach to mobile-app security. Organizations should prioritize apps by their business impact and the sensitivity of the data they handle, whether the apps are first-party or third-party. Continuous monitoring and validation are key, because static analysis alone is insufficient: security testing tools designed for desktop or server applications are useful to a point, but they often miss the full scope of mobile-specific vulnerabilities.

"They'll get you 30% of the way there. They will not get you all the way there," Snyder said.
"To get all the way there, you need mobile-specific tooling, and our view is you absolutely need to see that data in motion, because data in your mobile app is moving to lots of different endpoints, whether it be advertising, whether it be crash analytics, whether it be all those third-party SDKs, and all of them have all the full rights and access of that app."

Learning from its mistakes

The conversation also explored the emerging role of AI in mobile development and security. AI can accelerate app creation, but it often introduces new vulnerabilities, for the simple reason that there is no clear reference for what a secure mobile app looks like.

"There is no training data on what a secure mobile app looks like," said Snyder. "I don't know why we would expect that AI could magically build a secure mobile app."

Nevertheless, Snyder tried exactly that, vibe-coding a mobile app in about five hours, as he described in a recent NowSecure blog post. He then ran the app through NowSecure's own security-testing tools, and it failed badly.

"Atrocious. Terrible. Data in transit was open, 25 out of 100," he said.

Then he tried something else.

"I then took the NowSecure analysis, and I'm like, 'All right, you built the app. You fix the app,'" Snyder said. "I dropped it in and said, 'Go fix it yourself.' And it crushed it. … I didn't have to iterate back and forth. It was brilliant. It was so fun to watch it learn."

Encouragingly, then, AI can also assist in remediation when it is fed detailed security analysis, pointing toward more automated and adaptive security practices.

Mobile app security is no longer optional; it is a foundational requirement for modern enterprises. Organizations must adopt continuous, mobile-specific security strategies, maintain visibility into app components, and manage third-party risk proactively.

"Just get started with knowing what you have," recommended Snyder.
"What apps do you have that you're putting sensitive data in — your organization has an obligation to protect those, whether they're first or third party — just start with that asset inventory and the risk, and then follow that program to understand how do you manage and mitigate that risk?"

"Not all apps are created equal," he added. "You'll see that when you look at the business impact. But they're not the same as web apps. You cannot treat them the same."

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom's Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
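The inventory-first advice above, together with the earlier point that a frequently updated app "needs to be retested" because "you just don't know what changed", can be operationalized as a diff over a per-release component inventory. The following is an added example, not NowSecure's or SC Media's code; the two releases, the vendor labels and the high-risk permission list are constructed for illustration, and the third-party share is a count-based proxy rather than a measurement of code size.

```python
"""Diff the component inventory of two releases of a mobile app and decide
how much security testing to rerun.

Added example, not NowSecure's or SC Media's code. Both releases, the vendor
labels and the high-risk permission list are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str     # artifact coordinate, e.g. a Gradle group:artifact or a CocoaPod
    version: str
    vendor: str   # "first-party" or the SDK vendor (assumed label)


# Permissions whose addition forces a full retest (assumed list).
HIGH_RISK_PERMISSIONS = {
    "ACCESS_FINE_LOCATION", "READ_CONTACTS", "READ_SMS", "RECORD_AUDIO", "CAMERA",
}

# Constructed sample: two consecutive releases of a hypothetical retail app.
RELEASE_A = {
    "components": [
        Component("com.example.shop:core", "3.4.0", "first-party"),
        Component("com.example.shop:checkout", "3.4.0", "first-party"),
        Component("com.adnet:sdk", "9.1.2", "AdNet"),
        Component("com.crashly:reporter", "2.0.0", "Crashly"),
    ],
    "permissions": {"INTERNET", "ACCESS_COARSE_LOCATION"},
}
RELEASE_B = {
    "components": [
        Component("com.example.shop:core", "3.5.0", "first-party"),
        Component("com.example.shop:checkout", "3.5.0", "first-party"),
        Component("com.adnet:sdk", "9.2.0", "AdNet"),
        Component("com.crashly:reporter", "2.0.0", "Crashly"),
        Component("com.geoping:locator", "1.0.0", "GeoPing"),   # new SDK
    ],
    "permissions": {"INTERNET", "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"},
}


def third_party_share(components):
    """Fraction of components not written in-house. A count-based proxy for
    the "N% somebody else's code" figure; bytes or classes per component
    would be more precise."""
    if not components:
        return 0.0
    foreign = sum(1 for c in components if c.vendor != "first-party")
    return foreign / len(components)


def diff_inventory(old, new):
    """Return (added, removed, upgraded) component names between two releases."""
    old_by = {c.name: c for c in old["components"]}
    new_by = {c.name: c for c in new["components"]}
    added = sorted(set(new_by) - set(old_by))
    removed = sorted(set(old_by) - set(new_by))
    upgraded = sorted(n for n in old_by.keys() & new_by.keys()
                      if old_by[n].version != new_by[n].version)
    return added, removed, upgraded


def retest_scope(old, new):
    """Decide how much of the last assessment to rerun for the new release.

    "full"     - a new third-party component or a high-risk permission appeared
    "targeted" - only version bumps, removals, first-party additions or
                 low-risk permission changes
    "none"     - components and permissions are unchanged
    """
    added, removed, upgraded = diff_inventory(old, new)
    new_perms = new["permissions"] - old["permissions"]
    new_by = {c.name: c for c in new["components"]}
    new_third_party = [n for n in added if new_by[n].vendor != "first-party"]
    if new_third_party or (new_perms & HIGH_RISK_PERMISSIONS):
        return "full"
    if added or removed or upgraded or new_perms:
        return "targeted"
    return "none"


if __name__ == "__main__":
    added, removed, upgraded = diff_inventory(RELEASE_A, RELEASE_B)
    print(f"third-party share: {third_party_share(RELEASE_B['components']):.0%}")
    print(f"added={added} removed={removed} upgraded={upgraded}")
    print("retest scope:", retest_scope(RELEASE_A, RELEASE_B))
```

Run against the constructed releases, the new GeoPing SDK plus the added fine-location permission yields a "full" retest, while a release that only bumps an already-known SDK's version yields "targeted". The real input would be the dependency lock file or an SBOM generated at build time for each release, which is what makes the inventory Snyder asks for reproducible rather than a one-off spreadsheet.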
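Snyder's "data in motion" point, that every advertising, crash-analytics or other SDK sends data out with the full rights of the host app, is checked in practice by routing the instrumented app's traffic through an intercepting proxy and classifying each flow by destination and payload. The following added example (not NowSecure's or SC Media's code) does that classification over a constructed set of captured flows; the first-party domain suffix, the SDK attribution of each flow and the sensitive field names are assumptions for illustration.

```python
"""Classify captured mobile-app network flows by destination and payload.

Added example, not NowSecure's or SC Media's code. The flows below are
constructed to resemble what an intercepting proxy records from an
instrumented app; the first-party domain suffix and the sensitive field
names are assumptions for illustration.
"""
from urllib.parse import parse_qs, urlparse

FIRST_PARTY_SUFFIXES = ("example-bank.com",)                                          # assumed
SENSITIVE_FIELDS = {"lat", "lon", "email", "phone", "advertising_id", "account_id"}  # assumed
SEVERITY_RANK = {"high": 0, "medium": 1}

# Constructed captures: originating SDK, request URL, decoded body fields.
FLOWS = [
    {"sdk": "first-party", "url": "https://api.example-bank.com/v2/balance",
     "body": {"account_id": "1234567", "session": "opaque-token"}},
    {"sdk": "AdNet", "url": "https://track.adnet.example/collect",
     "body": {"advertising_id": "c0ffee00-0000-4000-8000-000000000001",
              "lat": "51.50", "lon": "-0.12"}},
    {"sdk": "Crashly",
     "url": "http://ingest.crashly.example/report?email=alice%40example.com",
     "body": {"stack": "NullPointerException at CheckoutActivity"}},
    {"sdk": "first-party", "url": "https://cdn.example-bank.com/logo.png", "body": {}},
]


def is_first_party(host):
    """True for the organisation's own domain and its subdomains."""
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def classify(flow):
    """Describe one flow: where it goes, whether it is cleartext, and which
    sensitive fields it carries in the body or in the URL query string."""
    u = urlparse(flow["url"])
    host = u.hostname or ""
    query_fields = set(parse_qs(u.query))
    body_fields = set(flow["body"])
    return {
        "host": host,
        "third_party": not is_first_party(host),
        "plaintext": u.scheme == "http",
        "sensitive_fields": sorted((query_fields | body_fields) & SENSITIVE_FIELDS),
        "sensitive_in_url": sorted(query_fields & SENSITIVE_FIELDS),
    }


def findings(flows):
    """Turn the captures into prioritized findings, highest severity first.
    Within one severity the capture order is preserved (sorted is stable)."""
    out = []
    for f in flows:
        c = classify(f)
        where = f"{f['sdk']} -> {c['host']}"
        if c["plaintext"]:
            out.append(("high" if c["sensitive_fields"] else "medium", where, "cleartext HTTP"))
        if c["third_party"] and c["sensitive_fields"]:
            out.append(("high", where,
                        "third-party endpoint receives " + ",".join(c["sensitive_fields"])))
        if c["sensitive_in_url"]:
            out.append(("medium", where,
                        "sensitive fields in URL query string (ends up in server and proxy logs)"))
    return sorted(out, key=lambda x: SEVERITY_RANK[x[0]])


if __name__ == "__main__":
    for sev, where, what in findings(FLOWS):
        print(f"[{sev}] {where}: {what}")
```

On the constructed captures the first-party balance call raises nothing, while the ad SDK is flagged for shipping the advertising identifier and location to a third-party host and the crash reporter is flagged three times: cleartext transport, a third-party recipient of the user's e-mail address, and that address sitting in a query string. Attributing a flow to the SDK that produced it (the `sdk` field here) is the part a plain proxy capture does not give you; it needs instrumentation inside the app, which is the gap Snyder describes between desktop-oriented tooling and mobile-specific testing.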
