VIA Knowledge Hub Podcast
Top three mobile security fails (and how to fix them)

With Andrew Hoog, Co-founder of NowSecure

Think Apple and Google are doing deep security reviews of your app? Think again.

While the App Store and Google Play scan for known malware, they completely miss big security gaps like API misconfigurations and vulnerabilities in third-party tools. Mobile app security expert Andrew Hoog breaks down the top “gotcha” moments for mobile developers and the quick, actionable steps your team can take to secure your apps and protect your users.

Top three mobile security fails

  1. Skipping security reviews. Most teams either skip security reviews or use tools built for web apps. But web app scanners miss a whole range of mobile-specific vulnerabilities.

  2. Using sketchy third-party SDKs. Andrew estimates 60–70% of vulnerabilities come from free, well-documented SDKs, which are “like catnip” for developers. These can send unencrypted data, use weak keys, or leak user data to foreign entities.

  3. Ignoring AI risks. You, or the SDKs you rely on, might be using personally identifiable information (PII) in ways that break privacy laws, violate contracts, or erode user trust.

What you can do today

  1. Get the right tools. Use security tools built for mobile apps. Andrew recommends:

    • Radare (open-source reverse engineering toolkit, binary and static analysis)

    • Frida (open-source dynamic instrumentation toolkit)

    • Both have great documentation to get you started.

  2. Involve your team and stakeholders. Try NowSecure’s Mobile Application Risk Checker. It reports on sensitive data, privacy declarations, and network connections. Your app might already be listed! Start including mobile app security and privacy risks in your threat intel program.

  3. Leverage free learning resources. Explore OWASP Mobile Application Security, NowSecure Academy, or tools like Claude for contextual security insights.

About Andrew Hoog

Andrew Hoog is a developer’s go-to security person. He’s been in the trenches of mobile security and forensics for over a decade, building, breaking, and securing apps long before it was cool.

He co-founded NowSecure, wrote two books on mobile forensics and security, and holds three patents in the field. When he’s not deep in code or court (he’s also an expert witness in U.S. Federal Courts), he’s helping shape the future of mobile app security at NowSecure.

Andrew’s mission? Help developers build apps that are not just awesome but are secure by design.

