Unlike web applications, mobile apps ship their API endpoints and calling logic onto untrusted devices. That gives attackers the opportunity to reverse-engineer the code, tamper with or clone the app, intercept and replay traffic, and use compromised or fake devices to make malicious API calls appear legitimate. According to Zimperium, traditional defences such as firewalls, gateways, proxies, and API key checks are designed for perimeter security and cannot adequately protect against these in-app threats.
The scale of mobile API risk
Zimperium's analysis indicates the scale of the risk as follows:
- API exposure inside apps – 1 in 3 Android apps and more than half of iOS apps leak sensitive data.
- Client-side tampering – Attackers use widely available tools to intercept and alter API calls before they reach backend systems.
- Compromised devices – 3 of every 1,000 mobile devices are already compromised, while 1 in 5 Android devices encounters malware in the wild.
- SSL pinning blind spots – Even with pinning, nearly 1 in 3 Android finance apps and 1 in 5 iOS travel apps remain vulnerable to man-in-the-middle attacks.
“APIs don’t just power mobile apps, they expose them,” said Krishna Vishnubhotla, vice president of product solutions at Zimperium. “Traditional security tools can’t stop attacks happening inside the app itself. Protecting APIs now requires in-app defences that secure the client side.”
Closing the gap: New security imperatives
Zimperium recommends two approaches that enterprises must adopt to safeguard mobile apps and APIs:
- API Hardening – Shielding endpoints, tokens, and business logic inside the app through code obfuscation, secure storage, and runtime defences.
- App Attestation – Validating that every API call originates from a genuine, untampered app running on a trusted device—not from an emulator, clone, or compromised environment.
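To make the app-attestation recommendation concrete, here is an added example of what the backend side of such a check can look like. It is not Zimperium's product or code and does not model any specific attestation service; it assumes an attestation service that returns a signed verdict about the app and device (an HMAC with a shared key stands in for the service's signature), a hypothetical app identifier and release-build hash, and an in-memory nonce store. Each rejection path corresponds to one of the threats the article opens with: a replayed token, a request body altered after attestation, a repackaged or cloned binary, a device that failed integrity checks, and a token forged without the service's key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# All values below are constructed for this example. A real deployment obtains the
# verification key from its attestation service and the expected build hash from
# its release pipeline; the app id and hash here are hypothetical.
ATTESTATION_KEY = b"constructed-demo-key-not-for-production"
EXPECTED_APP_ID = "com.example.bank"               # hypothetical app identifier
EXPECTED_CODE_HASH = "sha256:demo-release-build"   # hypothetical hash of the signed release binary
TOKEN_MAX_AGE_SECONDS = 300


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def body_digest(request_body: bytes) -> str:
    """Hash of the API request the token is bound to, so one token cannot be reused for a different call."""
    return hashlib.sha256(request_body).hexdigest()


def issue_token(claims: dict, key: bytes = ATTESTATION_KEY) -> str:
    """Stand-in for the attestation service: sign the verdicts about app and device.
    Real services sign with their own keys; the HMAC only keeps the example self-contained."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)


class AttestationVerifier:
    """Backend gate: an API call is accepted only with a fresh, correctly signed token whose
    verdicts say the call came from the genuine app binary on a device that passed integrity checks."""

    def __init__(self, key: bytes = ATTESTATION_KEY, now=time.time):
        self.key = key
        self.now = now
        self.issued_nonces = set()
        self.consumed_nonces = set()

    def new_nonce(self) -> str:
        """Server-chosen nonce handed to the client before the call; it ties the token to one request."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, token: str, request_body: bytes):
        """Return (accepted, reason). The reason is for server logs; clients should only see a generic rejection."""
        try:
            payload, sig = token.split(".")
            expected = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return False, "bad signature"
            claims = json.loads(_unb64(payload))  # parsed only after the signature is known good
        except (ValueError, json.JSONDecodeError):
            return False, "malformed token"
        if self.now() - float(claims.get("iat", 0)) > TOKEN_MAX_AGE_SECONDS:
            return False, "token expired"
        nonce = claims.get("nonce")
        if nonce not in self.issued_nonces:
            return False, "unknown nonce"
        if nonce in self.consumed_nonces:
            return False, "replayed token"
        if claims.get("body_sha256") != body_digest(request_body):
            return False, "request body does not match attested hash"
        if claims.get("app_id") != EXPECTED_APP_ID:
            return False, "unexpected app identity"
        if claims.get("code_hash") != EXPECTED_CODE_HASH:
            return False, "app binary does not match release build"
        if not claims.get("device_integrity", False):
            return False, "device failed integrity check"
        self.consumed_nonces.add(nonce)  # each nonce accepts exactly one call
        return True, "ok"


def run_demo() -> dict:
    """Exercise the verifier with one legitimate call and the failure modes discussed in the text."""
    v = AttestationVerifier()
    body = b'{"transfer": {"to": "ACME", "amount": 100}}'  # constructed request body

    def token_for(request_body: bytes, key: bytes = ATTESTATION_KEY, **overrides) -> str:
        claims = {
            "app_id": EXPECTED_APP_ID,
            "code_hash": EXPECTED_CODE_HASH,
            "device_integrity": True,
            "nonce": v.new_nonce(),
            "iat": v.now(),
            "body_sha256": body_digest(request_body),
        }
        claims.update(overrides)
        return issue_token(claims, key=key)

    results = {}
    genuine = token_for(body)
    results["genuine"] = v.verify(genuine, body)
    results["replay"] = v.verify(genuine, body)  # the same intercepted token sent a second time
    results["tampered_body"] = v.verify(token_for(body), b'{"transfer": {"to": "ACME", "amount": 9999}}')
    results["repackaged_app"] = v.verify(token_for(body, code_hash="sha256:modified-build"), body)
    results["rooted_or_emulated"] = v.verify(token_for(body, device_integrity=False), body)
    results["forged_signature"] = v.verify(token_for(body, key=b"attacker-has-no-real-key"), body)
    results["stale"] = v.verify(token_for(body, iat=v.now() - 3600), body)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:20s} -> {outcome}")
```

The important design choices are the ones that survive a hostile client: the server picks the nonce, so the client cannot mint fresh-looking tokens on its own; the token is bound to a hash of the request body, so altering the call after attestation invalidates it; and every nonce is consumed on first use, so a captured token cannot be replayed. The checks on app id, build hash and device integrity are only as good as the attestation service's verdicts, which is why that service's key, not anything shipped inside the app, is the root of trust.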
“As mobile apps continue to drive business operations and digital experiences, securing APIs from the inside out is critical to preventing fraud, data theft, and service disruption,” added Vishnubhotla.