Apple iOS apps are worse at leaking sensitive data than Android apps, worrying research finds – here’s what you need to know
By Efosa Udinmwen
Copyright techradar
25 September 2025
Half of iOS apps and one-third of Android apps expose sensitive information
Report warns attackers can intercept API calls on iOS devices, and make them appear legitimate
Traditional security tools fail to protect apps against in-device attacks
Compromised mobile devices significantly increase the risk of API exploitation
New research from Zimperium has claimed mobile apps are now the primary battleground for API-based attacks, creating serious risks of fraud and data theft for enterprises.
The research shows 1 in 3 Android apps and more than half of iOS apps leak sensitive data, offering attackers direct access to business-critical systems.
Even more worrying, the report claims three of every 1,000 mobile devices are already infected, with 1 in 5 Android devices encountering malware in the wild.
The scale of mobile API vulnerabilities
Unlike web applications, mobile apps ship API endpoints and calling logic onto untrusted devices, exposing them to potential tampering and reverse-engineering.
This allows attackers to intercept traffic, modify the app, and make malicious API calls appear legitimate.
Traditional defenses such as firewalls, gateways, proxies, and API key validation cannot fully protect against these in-app threats.
“APIs don’t just power mobile apps, they expose them,” said Krishna Vishnubhotla, vice president of product solutions at Zimperium.
“Traditional security tools can’t stop attacks happening inside the app itself. Protecting APIs now requires in-app defenses that secure the client side.”
Client-side tampering is common, as attackers can intercept and alter API calls before they reach backend systems.
Even SSL pinning, designed to prevent man-in-the-middle attacks, has gaps: nearly 1 in 3 Android finance apps and 1 in 5 iOS travel apps remain vulnerable.
Beyond API exposure, many apps mishandle sensitive data on devices: Zimperium found that console logging, external storage, and insecure local storage are common problems.
For example, 6% of the top 100 Android apps write personally identifiable information (PII) to console logs, and 4% write it to external storage accessible by other apps.
Even local storage, although not shared, can become a liability if an attacker gains device access.
The analysis also shows nearly a third (31%) of all apps and 37% of the top 100 send PII to remote servers, often without proper encryption.
Certain apps incorporate SDKs capable of secretly exfiltrating data, recording user interactions, capturing GPS locations, and sending information to external servers.
These hidden activities increase enterprise exposure and show that even apps from official stores can carry major security risks.
“As mobile apps continue to drive business operations and digital experiences, securing APIs from the inside out is critical to preventing fraud, data theft, and service disruption,” added Vishnubhotla.
How to stay safe
Inspect apps for improper logging of sensitive information to prevent data leaks.
Verify that local storage of data is encrypted and not accessible by other apps.
Monitor network traffic to detect apps sending unencrypted personal information.
Identify and remove malicious SDKs or third-party components embedded in apps.
Review app permissions to ensure they align with intended functionality.
Conduct regular audits of app behavior for potential breach vulnerabilities.
Implement runtime protections to prevent tampering or reverse engineering of apps.
Use code obfuscation to shield business logic and API endpoints from attackers.
Validate that API calls come only from legitimate, untampered applications.
Establish incident response procedures in case a mobile app compromise occurs.
Use mobile security software that protects against malware and ransomware attacks.
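As an added example (not from the article or Zimperium's report), the first item on this list can be checked by scanning an app's logcat output for sensitive values during a test run. The sample log lines, tags and patterns below are constructed, the layout assumed is `adb logcat -v threadtime`, and treating bearer tokens as sensitive data is an assumption of this sketch.

```python
import re

# Constructed sample in `adb logcat -v threadtime` layout; not real app output.
SAMPLE_LOGCAT = """\
09-25 10:14:02.113  4121  4121 D CheckoutActivity: user email=jane.doe@example.com
09-25 10:14:02.350  4121  4188 I PaymentClient: charging card 4111 1111 1111 1111
09-25 10:14:02.351  4121  4188 D PaymentClient: order id 1234567890123456 queued
09-25 10:14:03.007  4121  4190 D ApiClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl
09-25 10:14:03.420  4121  4121 I MainActivity: screen rendered in 412 ms
"""

LINE_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+\d+\s+\d+\s+([VDIWEF])\s+([^:]+):\s(.*)$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")    # 13-19 digits, optional separators
BEARER_RE = re.compile(r"Bearer\s+[A-Za-z0-9._~+/-]{16,}=*")

def luhn_ok(digits):
    """Luhn checksum: separates likely card numbers from order ids and counters."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_logcat(text):
    """Return (line_no, level, tag, kind) per hit; the matched value is never echoed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip lines that are not log records
        level, tag, msg = m.group(1), m.group(2).strip(), m.group(3)
        if EMAIL_RE.search(msg):
            findings.append((no, level, tag, "email"))
        if any(luhn_ok(re.sub(r"\D", "", c)) for c in CARD_RE.findall(msg)):
            findings.append((no, level, tag, "card_number"))
        if BEARER_RE.search(msg):
            findings.append((no, level, tag, "bearer_token"))
    return findings

if __name__ == "__main__":
    for no, level, tag, kind in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {no}: {kind} logged at level {level} by tag {tag}")
```

The report names the logging tag rather than the value, so the audit output can be filed in a ticket without repeating the leak.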
Efosa Udinmwen
Freelance Journalist
Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master’s and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com