The State of Mobile App Security 2022
Osterman Research Report

Findings Reveal Both the Increased Importance of Mobile Apps and the Relative Lack of Focus on Runtime App and Data Protection
Mobile apps have become key tools for businesses to serve customers, earn revenue, and enable remote work by employees. Over the last two years, mobile apps have become critical to success for the majority of businesses.
In this report, we present the findings of a survey into the state of mobile app security in 2022, encompassing survey respondents from across the United States and the United Kingdom. The survey and white paper were commissioned by Approov.

A 30-minute webinar on July 26 will reveal additional findings.
Download a Full Copy of the Report and Watch a Video Summary of the Findings
Key Takeaways from the report:
- Three out of four respondents report that mobile apps are now “essential” or “absolutely core” to their success: This is three times higher than two years ago.
- Secure development practices are essential but offer only partial protection: They do not eliminate the threat of run-time attacks against mobile apps and APIs.
- Run-time attacks against APIs that render mobile apps non-functional prove costly to 75% of organizations: Attacks include data theft via API abuse, fake account creation, and credit fraud, among others.
- Organizations lack visibility into run-time threats against mobile apps and APIs: 60% of organizations report that they do not have visibility into run-time threats against mobile apps and APIs.
- Reducing threats arising from hardcoded API keys is a priority: With about half of mobile apps storing API keys as hardcoded secrets, the use of more than 30 third-party APIs per mobile app creates a significant run-time threat space. 55% of respondents place high priority on removing the need to store API keys and other hardcoded secrets in mobile apps.
- Organizations prioritize accelerating time-to-market for new features over security: One half of respondents report that, for competitive reasons, their organizations may ship apps with known insecurities, and two fifths of respondents report that their organization’s security processes for both third-party and in-house developers are weak and insufficient.