Mobile apps are leaking your data—and most users don’t even know it

Published 17 Apr 2025

In a year marked by record-setting data breaches, new research has uncovered just how much of the risk is hiding in plain sight—on your smartphone.

According to cybersecurity firm Zimperium, more than 1.7 billion people had their personal data compromised in 2024 alone. That’s a 312% spike from 2023, amounting to a jaw-dropping $280 billion in estimated financial losses. The culprit? A widespread and largely invisible threat: insecure mobile apps.

Their new report, Your Apps Are Leaking: The Hidden Data Risks on Your Phone, dives deep into the vulnerabilities baked into thousands of popular work apps—many used daily in corporate environments.

    Alarming Findings from Inside the App Stores

    Zimperium’s zLabs team analyzed over 54,000 mobile applications—including both iOS and Android—and what they found is enough to make any IT manager lose sleep.

    Among the key findings:

    • 62% of apps analyzed rely on cloud services, which, while convenient, often lack proper security.

    • 103 Android apps were using unprotected or misconfigured cloud storage—including 4 apps ranked in the Play Store’s top 1000.

    • 10 apps were found to contain exposed AWS cloud credentials, which could allow hackers to read, delete, or even ransom data.

    • 88% of all apps, and 43% of the top 100, used cryptographic methods that don’t follow best practices—a glaring weakness in their security foundations.

    These issues leave sensitive data exposed not just to casual snoopers, but to sophisticated cybercriminals looking to steal information for identity theft, blackmail, or targeted attacks.

    The Real-World Impact: From Cloud Gaps to Crypto Flaws

    The fallout from these vulnerabilities isn’t just theoretical. In one high-profile example, a major car manufacturer leaked data on 260,000 customers due to a single misconfigured cloud setting.

    Even more concerning, the report highlights that many apps still rely on outdated or flawed encryption practices, including:

    • Hardcoded cryptographic keys

    • Insecure random number generators

    • Use of obsolete algorithms like MD2

    These weaknesses allow attackers to bypass protections meant to shield data both in transit and at rest, exposing businesses to legal, financial, and reputational risks.

    Why Businesses Should Be Paying Attention

    For companies using a Bring Your Own Device (BYOD) policy, the risks multiply. Employees might install apps that appear harmless but are riddled with vulnerabilities. Once inside a device connected to the corporate network, a weak app can become a hacker’s backdoor into sensitive files, systems, or customer data.

    The average cost of a breach? $4.88 million. And two of the most common causes are the very issues flagged in the report: compromised credentials and cloud misconfigurations.

    What Can Be Done

    Zimperium’s advice is clear: “We cannot change the apps, but we can choose which apps we allow to ensure our data’s security.”

    Companies must adopt better mobile app governance by:

    • Monitoring for misconfigured cloud storage and exposed API keys

    • Vetting cryptographic practices and rejecting apps using outdated methods

    • Evaluating third-party SDKs for embedded risks
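One way to automate the first two vetting steps above, as an added example that is not from Zimperium's report or tooling: a Python check that scans decompiled Java source for exposed AWS access key IDs, hardcoded keys, insecure random number generators and obsolete digests, and rejects the app on any finding. The rule names, function names and sample app are assumptions constructed for illustration, and the digest rule goes beyond the MD2 named in the report to also flag MD5 and SHA-1.

```python
import re

# Heuristic rules for Java/Kotlin source recovered by decompiling an app.
# Rule names are this example's own; a match is a lead to review, not proof.
RULES = [
    # AWS access key IDs: 20 chars, prefix AKIA (long-term) or ASIA (temporary).
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    # Obsolete digests requested through the JCA MessageDigest API.
    ("obsolete-digest",
     re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD2|MD5|SHA-?1)"', re.I)),
    # Key material built from a string literal compiled into the app.
    ("hardcoded-key", re.compile(r'new\s+SecretKeySpec\(\s*"[^"]+"\s*\.getBytes\(')),
    # java.util.Random is predictable; SecureRandom is the CSPRNG to expect.
    ("insecure-random", re.compile(r"new\s+(?:java\.util\.)?Random\s*\(")),
]

def scan_source(path, text):
    """Return (path, line number, rule id) for every rule hit in one file."""
    return [(path, lineno, rule_id)
            for lineno, line in enumerate(text.splitlines(), 1)
            for rule_id, pattern in RULES
            if pattern.search(line)]

def vet_app(sources):
    """sources maps file path -> source text; any finding rejects the app."""
    findings = [hit for path in sorted(sources)
                for hit in scan_source(path, sources[path])]
    return ("reject" if findings else "allow"), findings

# Constructed sample input: the key ID, key string and paths are made up.
SAMPLE_APP = {
    "com/example/Sync.java": '''\
String accessKey = "AKIAEXAMPLEEXAMPLE00";
MessageDigest md = MessageDigest.getInstance("MD2");
SecretKeySpec k = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
byte[] iv = new byte[16]; new Random().nextBytes(iv);
''',
    "com/example/Safe.java": '''\
MessageDigest md = MessageDigest.getInstance("SHA-256");
new SecureRandom().nextBytes(iv);
''',
}

if __name__ == "__main__":
    verdict, findings = vet_app(SAMPLE_APP)
    print(verdict)
    for path, lineno, rule_id in findings:
        print(f"{path}:{lineno}: {rule_id}")
```

The findings carry only the file, line and rule, so the vetting report itself never copies a matched credential or key.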

    The message is simple but urgent: Your phone might be leaking data you thought was safe—and until organizations get serious about mobile app security, the damage will keep spreading.