New Research Shows Mobile App Security Incidents are Now Widespread
Mobile application teams have long understood that releasing software to devices they do not control introduces security risk. What has changed is how often those risks are materializing, and how directly they are affecting both customers and backend systems.
A new global survey of 1,360 mobile app developers and security leaders, conducted by independent research firm TrendCandy, found that 72% of organizations experienced at least one mobile app security incident in the past year. These incidents are no longer isolated technical events. Sixty-five percent of respondents reported customer churn or app uninstalls as a direct result of mobile app security issues.
The findings point to a growing gap between how mobile apps are built, deployed, and protected — and how they are actually being attacked.
Client-side weakness is driving modern attacks
Mobile apps operate outside traditional enterprise security boundaries. Once an app is released, it runs on devices the organization does not own and cannot fully control. Attackers increasingly take advantage of this reality by targeting the app itself rather than attempting to break operating system (OS) protections.
The survey shows that 63% of organizations were aware of unauthorized modding, cloning, or tampering of their mobile apps within the past 12 months. At the same time, most organizations note increasing exposure to backend and API abuse.
These two trends are closely linked. Attackers reverse engineer mobile apps to understand business logic, extract secrets, or manipulate requests. They then use that knowledge to abuse APIs and backend services in ways that traditional server-side controls often do not detect. Despite this growing risk, fewer than half of respondents said they actively monitor API activity tied to mobile applications.
As a result, many organizations lack the visibility needed to identify attacks early or respond quickly. The research found that fragmented visibility across client and server environments significantly increases time to remediation, compounding both operational and business impact.
Why many teams still rely on incomplete protection
Most development and security teams understand that mobile app security matters. However, the survey reveals a disconnect between that awareness and the protections organizations actually deploy.
Nearly half of respondents still believe that OS protections alone are sufficient to secure mobile apps. Fifty percent believe iOS apps are inherently more secure than Android apps, and 44% say OS-level security is “enough” on its own.
These assumptions persist even as incidents continue to rise. Time-to-market pressure plays a major role. The majority of respondents cited speed as the top barrier to stronger mobile app protection, and 38% believe security slows development. More than half of developers admitted they have shipped code they knew was vulnerable in order to meet deadlines.
Organizational dynamics also contribute. Seventy-two percent of security leaders reported difficulty getting developer buy-in, while nearly three-quarters of developers said skills gaps on their teams are slowing progress. In many organizations, security and development priorities remain misaligned, despite shared responsibility for outcomes.
AI is accelerating delivery, and expanding risk
The rapid adoption of AI-assisted development tools is further reshaping mobile security challenges. According to the survey, 96% of mobile developers now use AI when building apps or SDKs. While these tools accelerate development, they also introduce new uncertainty.
Eighty-one percent of respondents said AI-generated code has introduced new vulnerabilities, and 70% reported that AI-written mobile apps are harder to maintain. More than half of developers said they are unsure how to secure AI-generated code effectively.
This combination of faster releases, less predictable code, and limited security guidance increases reliance on trust assumptions that attackers are quick to exploit.
What teams say they actually want
Despite these challenges, the research shows strong alignment on what organizations need moving forward. The majority of respondents said they prefer security that spans the entire software development lifecycle, rather than isolated tools applied late in the process. Most also said shared dashboards and unified visibility improve collaboration between development and security teams.
Importantly, teams that have adopted multi-layered protection are already seeing results. Ninety-six percent of respondents using multi-layered mobile app protection reported fewer security incidents.
When asked about investment priorities, respondents cited protecting intellectual property, preventing API abuse, defending against reverse engineering, and meeting compliance requirements as their top drivers. These priorities reflect a shift away from perimeter-focused thinking toward client-aware security models.
Multi-layered security without sacrificing speed
The research makes one trend clear: multi-layered, full-lifecycle mobile app protection is quickly becoming the baseline expectation for teams operating at scale.
Effective mobile app security spans the entire development lifecycle and extends into production. It combines automated testing during development with multiple layers of protection applied to every build and every session. These layers typically include code hardening to resist reverse engineering, runtime defenses to detect tampering and dynamic attacks, and app attestation to ensure that only legitimate, untampered apps can access backend services. Continuous threat monitoring completes the picture by providing real-world visibility into how applications can be attacked after release.
Together, these capabilities help organizations close the trust gap created when apps operate outside controlled environments. They also challenge a long-standing assumption that stronger mobile security inevitably slows development. While some teams still worry about performance impact or stability, most respondents expressed a clear preference for automated, SDLC-wide security that integrates cleanly into existing workflows.
Modern mobile security tooling increasingly reflects that expectation. Protections are designed to fit directly into CI/CD pipelines, allowing teams to strengthen defenses without delaying releases or degrading user experience.
Download the full report
Mobile app security incidents represent a routine risk with direct consequences for customer trust, revenue, and backend exposure. The full research report explores these findings in depth and details what effective, scalable mobile security looks like in practice today.
Download "The Rise of Client-Side Risk and the Trust Gap" to access the complete data and insights.



