
Top Mobile App Vulnerabilities in 2026: What We Find in Every Pen Test

Hardcoded secrets, cleartext traffic, weak crypto, exported components. These are the mobile app vulnerabilities we find most often and how to fix them.

By Mark Sullivan, Apr 9, 2026

In the mobile application penetration tests we have performed for organizations across healthcare, financial services, retail, and technology, certain vulnerabilities show up over and over again. These are not obscure edge cases. They are common, exploitable, and present in apps that their owners believed were secure. Here are the mobile app vulnerabilities we find most frequently using our CyberOne MobileAssess platform and what you can do about each one.

Hardcoded Secrets in the Application Binary

This is the single most common finding in our mobile assessments. Developers embed API keys, authentication tokens, AWS credentials, Firebase configuration secrets, and sometimes database connection strings directly in the source code. They assume the compiled binary hides these values. It does not.

MobileAssess decompiles every APK and IPA to source code and scans for credential patterns across every file. In a typical assessment, we find between 3 and 15 hardcoded secrets. Some of these give attackers direct access to backend infrastructure, cloud storage buckets, or third-party services billed to your account.

The fix is to never store secrets in client-side code. Use secure backend APIs to broker access to sensitive services, store runtime configuration in secure server-side endpoints, and use platform-provided secure storage (Android Keystore, iOS Keychain) for any tokens that must persist on the device.

Cleartext HTTP Traffic

Despite years of industry push toward HTTPS everywhere, we still find mobile apps that send data over unencrypted HTTP connections. Sometimes it is the main API communication. More often it is a secondary endpoint, an analytics call, an image loading URL, or a third-party SDK that defaults to HTTP.

On Android, the Network Security Configuration can globally block cleartext traffic, but many apps set cleartextTrafficPermitted=true in their manifest for development convenience and never change it for production. Our platform flags this immediately along with every HTTP URL found in the application code.

Any data sent over HTTP can be intercepted by anyone on the same network. On public Wi-Fi, in coffee shops, airports, or hotels, this means credentials, personal data, and session tokens are visible to attackers running basic packet capture tools.

Weak or Deprecated Cryptography

Mobile apps frequently use cryptographic algorithms that were considered secure a decade ago but have known weaknesses today. We regularly find DES and 3DES encryption (broken), RC4 stream cipher (broken), MD5 and SHA-1 hashing for security purposes (collision attacks demonstrated), AES in ECB mode (leaks data patterns), and AES-CBC with PKCS padding (vulnerable to padding oracle attacks).

The most dangerous variant is when apps use these weak algorithms to protect authentication tokens or encrypt sensitive data at rest. An attacker who extracts the encrypted data from the device can often decrypt it using well-documented attacks.

MobileAssess checks for all deprecated algorithms and weak cryptographic patterns, including hardcoded encryption keys that render even strong algorithms useless. The fix is to use AES-256-GCM for encryption, SHA-256 or SHA-3 for hashing, and proper key management through platform keystores.
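The two findings above, hardcoded secrets and weak algorithm selection, are both found by scanning decompiled source for known patterns. The scanner below is an added illustration written for this article, not MobileAssess code; the Java sample it runs over is constructed, and the secret values in it are placeholders in the documented AWS and Google key formats.

```python
import re

# Constructed sample of decompiled Java source; not taken from any real app.
SAMPLE_SOURCE = """
public class ApiClient {
    static final String AWS_KEY = "AKIAEXAMPLEEXAMPLE01";
    static final String MAPS_KEY = "AIzaEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE";
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    Cipher d = Cipher.getInstance("DES/CBC/PKCS5Padding");
    MessageDigest md = MessageDigest.getInstance("MD5");
    MessageDigest ok = MessageDigest.getInstance("SHA-256");
    Cipher safe = Cipher.getInstance("AES/GCM/NoPadding");
}
"""

# Credential formats with a fixed prefix and length (AWS access key IDs, Google API keys).
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}(?![0-9A-Z])"),
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
}

# JCA algorithm strings the article lists as weak, as they appear in Cipher/MessageDigest calls.
WEAK_CRYPTO_PATTERNS = {
    "DES/3DES cipher": re.compile(r'Cipher\.getInstance\("(?:DES|DESede)[/"]'),
    "RC4 cipher": re.compile(r'Cipher\.getInstance\("(?:RC4|ARCFOUR)'),
    "AES in ECB mode": re.compile(r'Cipher\.getInstance\("AES/ECB'),
    "AES-CBC with PKCS padding": re.compile(r'Cipher\.getInstance\("AES/CBC/PKCS[57]Padding'),
    "MD5 or SHA-1 digest": re.compile(r'MessageDigest\.getInstance\("(?:MD5|SHA-?1)"'),
}

def scan_source(text):
    """Return (line_no, category, label, evidence) tuples; secrets are masked in the evidence."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                # Report only the prefix and last two characters so the report itself is not a leak.
                masked = match.group(0)[:4] + "..." + match.group(0)[-2:]
                findings.append((line_no, "secret", label, masked))
        for label, pattern in WEAK_CRYPTO_PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, "weak-crypto", label, line.strip()))
    return findings

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

The SHA-256 and AES-GCM lines in the sample produce no findings, which is the behaviour the remediation advice above relies on.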

Exported Components on Android

Android applications are built from components: activities (screens), services (background processes), broadcast receivers (event handlers), and content providers (data access). Each component can be exported, meaning other apps on the device can interact with it.

We frequently find apps that export sensitive components without requiring any permissions. This means a malicious app installed on the same device can launch internal screens that should be private, trigger background services, send crafted broadcasts, or read data from content providers. In one assessment, an exported activity allowed bypassing the login screen entirely by launching an internal admin activity directly.

MobileAssess scans the Android manifest for every exported component and flags those that lack permission protection. The fix is straightforward: set android:exported=false for any component that does not need to be accessible to other apps, and require specific permissions for those that do.
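The manifest check described above, written as an added example for this article rather than MobileAssess's own logic. The manifest it parses is constructed, with invented package, component and permission names; the check treats a component as exported when android:exported is true or, on older targets, when the attribute is absent but an intent-filter is present, and it excludes the launcher activity, which must be exported.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")
# Constructed AndroidManifest.xml; package, component and permission names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".PushReceiver" android:exported="true" android:permission="com.example.bank.PUSH"/>
    <provider android:name=".RecordsProvider" android:exported="true" android:readPermission="com.example.bank.READ"/>
  </application>
</manifest>
"""

def android_attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def is_exported(elem):
    explicit = android_attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # Legacy default: no attribute but an intent-filter means exported (Android 12+ rejects this).
    return elem.find("intent-filter") is not None

def is_launcher(elem):
    return any(android_attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in elem.iter("category"))

def unprotected_exports(manifest_xml):
    """Return (tag, name) for exported components any app can reach without holding a permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for elem in root.iter(tag):
            if not is_exported(elem) or is_launcher(elem):
                continue
            if not any(android_attr(elem, p) for p in PERMISSION_ATTRS):
                findings.append((tag, android_attr(elem, "name")))
    return findings
```

On the sample, the admin activity and the implicitly exported sync service are flagged, while the permission-protected receiver and provider are not.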

Missing Certificate Pinning

Certificate pinning is a defense against traffic interception attacks where an attacker installs a rogue certificate on the device (through corporate MDM, compromised Wi-Fi, or social engineering) and intercepts all HTTPS traffic. With pinning, the app only trusts specific certificates and rejects the rogue one.

Most apps we test do not implement certificate pinning at all. Those that do often implement it incorrectly, pinning only the leaf certificate (which rotates) instead of the intermediate CA, or implementing it in a way that can be bypassed with common tools like Frida or Objection.

For apps handling financial transactions, patient data, or authentication credentials, certificate pinning should be considered essential. The implementation varies by platform, but both Android and iOS provide native APIs for it.
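On Android both of the network findings above, permitted cleartext traffic and missing or fragile pinning, live in the same file, the Network Security Configuration. The example below is added for this article and is not MobileAssess code: it shows a weak configuration beside a hardened one and a small audit over both; the domain is illustrative and the pin values are placeholders, not real SPKI hashes.

```python
import xml.etree.ElementTree as ET
# Constructed network_security_config.xml with the two weaknesses described above;
# the pin values are placeholders, not real SPKI hashes.
WEAK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set>
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
</network-security-config>
"""

# Hardened version: cleartext off everywhere, intermediate CA pin plus a backup pin, expiry set.
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
</network-security-config>
"""

def audit_nsc(xml_text):
    """Return a list of human-readable findings for a Network Security Configuration."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    # Without an explicit "false", cleartext stays allowed for apps targeting API < 28.
    if base is None or base.get("cleartextTrafficPermitted", "").lower() != "false":
        findings.append("base-config does not disable cleartext traffic")
    for dc in root.findall("domain-config"):
        domains = ", ".join(d.text.strip() for d in dc.findall("domain"))
        if dc.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(f"{domains}: cleartext traffic explicitly permitted")
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(f"{domains}: no pin-set, certificate pinning not enforced")
            continue
        if len(pin_set.findall("pin")) < 2:
            findings.append(f"{domains}: single pin, no backup pin for key rotation")
        if pin_set.get("expiration") is None:
            findings.append(f"{domains}: pin-set never expires, a stale pin locks users out")
    return findings
```

The file is activated from the manifest with android:networkSecurityConfig; a pin that does not match the intermediate CA actually serving the domain will break connectivity, so verify pins against the live chain before shipping.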

Excessive Permissions

Mobile apps request permissions during installation or at runtime. Many apps request far more permissions than they need, either because developers copied boilerplate code or because a third-party SDK requires them. We regularly see apps requesting camera access, precise location, contacts, phone state, and external storage access when the core functionality does not require any of these.

Each unnecessary permission expands the attack surface. If a vulnerability in the app allows code execution, the attacker inherits every permission the app holds. MobileAssess audits every requested permission against the OWASP MASVS principle of least privilege and classifies dangerous permissions with risk-specific impact statements.

Insufficient Root and Jailbreak Detection

Apps that handle sensitive data should detect when they are running on a compromised device. Rooted Android devices and jailbroken iPhones have weakened security boundaries that allow other apps (or the user) to inspect and modify your app's data and behavior.

We find that most apps either have no root/jailbreak detection at all, or implement basic checks that are trivially bypassed with tools like Magisk Hide or Liberty Lite. While no detection is foolproof, layered checks that verify multiple indicators (system properties, installed packages, file system modifications, and binary integrity) make bypass significantly harder.

What This Means for Your Organization

If your business has a mobile app, there is a strong chance it has several of these vulnerabilities. The good news is that all of them are fixable, and most fixes are straightforward once you know the issues exist.

The approach we recommend is a baseline assessment using MobileAssess combined with manual expert testing, followed by a remediation cycle where your development team addresses findings by severity, and then a retest to verify the fixes work. For organizations that ship updates regularly, our continuous testing engagements catch regressions and new vulnerabilities as they are introduced.

These mobile vulnerabilities do not exist in isolation. They connect to your broader security posture including your network infrastructure, compliance requirements, and dark web exposure. A comprehensive approach covers all attack surfaces.

Ready to find out what is hiding in your mobile app? Contact our team or call 512-518-4408 to schedule a MobileAssess engagement.


Mark Sullivan

Innovation Network Design

With nearly a decade in cybersecurity and IT infrastructure, our team delivers expert insights to help businesses in McKinney, Dallas, and across DFW make informed security decisions. Have a question? Get in touch.
