
Approov Predicted 7 Mobile Cybersecurity Trends for 2025 - Did They Happen?


Here at Approov, we always like to look ahead and try to predict what will happen in mobile cybersecurity in the coming year. Mobile app security is an issue which must be taken seriously, and having some insight into key trends is important in order to be prepared. You can read our predictions for 2025 here. Our predictions for next year are coming shortly.

Other key players often provide their predictions but rarely look at whether these actually occur. Why is that? Perhaps because being proven wrong is embarrassing?

We wanted to do things a little differently so let's see what we predicted for 2025 and compare that with what actually happened. 

In my next blog I will give our actual predictions for next year: 2026.

What We Predicted for 2025 - and Did It Happen?

We made seven predictions for 2025. Here they are; let's break them down.

1. Alternative app stores are so 2024! “Direct to consumer” will be the new trend in 2025

We were a little ahead of ourselves on this one. The EU’s Digital Markets Act (DMA) did force Apple to open iOS to alternative app stores in Europe in early 2025, and Epic, AltStore, and others launched or expanded in the EU, but adoption is still limited by concerns of trust and security … and by resistance from Apple and Google. Direct-to-consumer (D2C) distribution, although possible, has remained niche, and most mainstream consumer apps did not abandon the app stores.

What Happens Next: This trend is only delayed, and there is still an urgent need to evaluate a cross-platform security solution, independent of app stores: one which makes it easy for you to embrace new approaches and platforms.


2. AI Will Continue to be Adopted by Hackers … and Security Teams

This one definitely happened. AI didn’t change the rules of cybersecurity in 2025 — but it definitely had a major impact. 

Attackers used it to lower the bar for API abuse:

  • Tools like LLM-assisted decompilers and Frida script generators made it easier for low-skill attackers to identify mobile app logic, extract hardcoded secrets or tokens, and automate API abuse workflows.
  • Attackers used LLMs to generate natural language API inputs and evade WAFs/bot protection (Why Traditional WAF Rules are Obsolete in 2025), and mobile-focused botnets increasingly mimicked real mobile traffic using AI-tuned emulation.
  • In 2025, AI-generated responses started to be used in smishing and voice phishing. Multiple reports (e.g., ThreatLabz, Mandiant) detailed AI-generated phishing infrastructure and chatbot-based scam flows in mobile apps and SMS campaigns.

Defenders used AI to raise the bar for detection:

What Happens Next: The organizations that successfully defended against the emerging API threats were the ones who didn't trust the client and verified every mobile interaction in real time.


3. 2025 Will Be When API Keys in Mobile Apps Are Properly Secured

OK, we were too optimistic with this one: The GitGuardian 2025 Secrets Sprawl Report found that over 23 million new secrets (including API keys) were leaked on GitHub in 2024–25, and multiple academic papers and reports show that mobile app source code — particularly Android APKs — continues to leak secrets. Google and Apple improved static secret detection during app reviews, but it is still extremely rare for apps to be rejected because of exposed secrets. If I were being generous, I would say that awareness of the issue has grown, but clearly an industry-wide shift toward runtime secrets protection is yet to materialize. The persistence of leaked secrets only compounds the issue.

What Happens Next: There is no longer any reason or excuse to expose keys and secrets in mobile app code. Approov enables just-in-time secret delivery based on app attestation, which eliminates the issue.


4. Cross-Platform Development Will Be The Way Forward For Mobile Apps

Broadly, this was correct. Flutter and React Native both saw strong growth in 2025 and continued dominance as top choices for mobile developers, Flutter in fintech and e-commerce, and React Native in smaller enterprises. Xamarin, now .NET MAUI, maintained a niche in enterprise ecosystems tied to Microsoft. Capacitor, Expo, and Unity also played roles in specific verticals like gaming. However, despite Huawei’s efforts, HarmonyOS remained mostly isolated to China in 2025. Major Western frameworks like Flutter and React Native do not yet offer official support for HarmonyOS as of Q4 2025. HarmonyOS of course remains critical for Chinese mobile app deployments, and we believe adoption in other regions will follow.

What Happens Next: Cross-platform development is now the norm, not the exception. But speed and cost-efficiency must not come at the expense of security. In 2025, the best teams adopted mobile security tools that worked seamlessly across platforms — proving that you don’t have to choose between agility and integrity. 


5. Open Source Scrutiny Will Increase

This one has proven to be very accurate, especially in the mobile and API security ecosystem. This year saw concrete regulatory movement, increased attention to supply chain threats, and a noticeable shift in how organizations think about open source software (OSS) risk in mobile apps:

What Happens Next: Teams started realizing that you can’t fully prevent open source risks — especially in mobile. As a result, runtime protection became more valued, in order to detect tampering or repackaging of apps using vulnerable libraries and to block API access from compromised or modified clients. Open source remains essential — but trusting what you pull from a registry without verifying it is no longer acceptable. You must verify your supply chain, continuously verify the runtime integrity of apps and devices, and validate all your API traffic at run time.


6. Pinning Communications Channels Will Become The Norm

While the need for TLS certificate pinning is better understood and more widely discussed, full adoption of pinning — especially of dynamic pinning — remains inconsistent, particularly across mainstream consumer mobile apps. Despite OWASP MASVS and industry recommendations, many apps — even sensitive ones — do not use TLS pinning. Threat intelligence reports in 2025 confirmed that attackers are still intercepting and replaying mobile API traffic. MitM attacks targeting mobile apps remain common, especially on rooted/jailbroken devices, in public Wi-Fi environments, and via repackaged apps or emulators.

What Happens Next: The real breakthrough here will be the understanding that the biggest “Man-in-the-Middle” threat does not come from insecure Wi-Fi but from the “Man-in-the-Device” (Myths about MitM): MitM tools like mitmproxy, Proxyman, and Frida remain widely used in penetration testing but can also be employed by hackers for automated credential harvesting, session hijacking and API scraping. The argument against pinning was always operational complexity — not lack of value. In 2025, dynamic pinning finally removed that barrier for those who took security seriously. Now, there’s no good excuse to leave your mobile app traffic exposed to MitM attacks.


7. Breach Reporting Requirements Will Require More Attention and Investment

This one was entirely accurate and validated by multiple real-world developments this year, both in regulatory progression and in operational impact for mobile app teams.

Global Breach Disclosure Laws Got Stricter: 

  • The EU NIS2 Directive came into effect in 2025, requiring notification of incidents within 24 hours, and this covers mobile apps involved in finance, health, and utilities.
  • In Japan, the Act on the Protection of Personal Information (APPI) tightened rules around breach notification and cross-border data transfers.
  • In Singapore, PDPA enforcement in 2025 now requires that breaches be reported within 3 days once deemed notifiable.
  • In the USA, PCI DSS 4.0 compliance became mandatory for financial institutions in March 2025 and places explicit emphasis on incident response, logging, and breach communications. Mobile channels must also be monitored and included in breach response planning.

Actual breaches in 2025 demonstrated that teams were struggling to respond:

  • Even when secrets are discovered, rotation in 2025 is still measured in weeks, not hours, so hardcoded keys routinely outlive breaches.
  • For apps without remote policy enforcement or attestation, blocking rogue versions was impossible without a new app release.
  • Organizations without device-level telemetry lacked visibility into which clients were still behaving maliciously post-breach. Recent API-security research and incident-response data suggest that many organizations remain blind to ongoing client-side abuse.

What Happens Next: In 2025, mobile security wasn’t just about prevention — it was about resilience. When a breach happens, you need the ability to rotate secrets, revoke tokens, and block rogue clients in minutes, not days. This must explicitly be part of the breach playbook, including procedures for rotating any secrets, API keys and certificates your app uses, including third-party API keys. All this, of course, without affecting genuine users.


Conclusion

For 2025 we made seven mobile cybersecurity predictions.

As we have discussed in this blog, we were absolutely correct with four:

  • The use of AI by attackers and defenders.
  • The use and impact of cross-platform development tools for mobile apps.
  • The risks of open-source code in mobile apps.
  • The impact of new breach reporting regulations.

We were a little too optimistic about:

  • Widespread deployment of pinning to prevent Man-in-the-Middle attacks.
  • Elimination of API Keys from app code.

And there was one which we simply believe is delayed:

  • Direct to consumer app delivery.

Watch this space for our mobile cybersecurity predictions for 2026! Contact us if you'd like to discuss this or talk to us about any aspect of mobile and API security.