Quokka Research Finds Widespread Mobile App Security Failures Across Android and iOS
Analysis of 150,000 apps reveals persistent vulnerabilities exposing enterprises to data theft, account compromise, and infrastructure risk
SAN JOSE, CA / ACCESS Newswire / April 28, 2026 / Quokka, a leader in mobile app risk and security, today released new research analyzing more than 150,000 mobile applications, revealing that widespread, well-understood security vulnerabilities continue to expose enterprises to significant risk across both Android and iOS ecosystems.
The report, The State of Mobile App Security 2026, finds that foundational security weaknesses are pervasive, creating exploitable pathways for attackers to intercept sensitive data, access enterprise systems, and compromise infrastructure.
Among the most surprising findings:
HTTP URLs were found in 94.3% of Android apps and 61.7% of iOS apps, exposing data in transit;
Unencrypted sockets were present in 89.1% of Android apps, creating direct network-level exposure;
Hardcoded cryptographic keys in 47.8% of Android apps and 17.6% of iOS apps, putting all users at risk if extracted;
Hardcoded AWS credentials were identified in 50+ apps; and
Critical CVEs in third-party components impact 11% of Android apps and 13% of iOS apps. The analysis also found high-severity CVEs in 65% of Android and 14% of iOS apps.
While these vulnerabilities are well documented and largely preventable, Quokka’s analysis shows they persist at scale. Unencrypted communication is a clear example. Although encryption in transit is a basic security control, unencrypted HTTP traffic remains widespread across mobile applications, leaving sensitive data exposed in transit.
Among the most severe findings were more than 50 mobile apps containing hardcoded AWS credentials embedded directly in their compiled binaries. These exposures create a direct path for attackers to access production databases, sensitive customer data, and, in extreme cases, gain root-level control over cloud infrastructure. Even a single instance of this type of vulnerability represents an unacceptable level of exposure.
Beyond individual vulnerabilities, the report points to systemic risk in the mobile software supply chain. Quokka’s analysis shows that a significant percentage of apps contain critical and high-severity vulnerabilities in third-party components, many of which have remained unpatched for years. The persistence of these vulnerabilities reflects gaps in how security is integrated into development and procurement processes.
“This research shows that two strategic steps need to be taken. First, organizations need to incorporate more security testing earlier in the app development process to prevent risks from reaching customers,” said Nikolaos Kiourtis, Chief Technology Officer at Quokka. “Second, enterprise security teams should not implicitly trust mobile apps, even when sourced from official marketplaces. Organizations need visibility into how apps behave, what data they access, and where that data is transmitted. Without that visibility, mobile apps remain a massive attack vector for the modern enterprise environment.”
Quokka’s The State of Mobile App Security 2026 report provides detailed analysis of these vulnerabilities and outlines practical steps organizations can take to reduce risk and improve mobile security posture.
About Quokka
Quokka is a global leader in mobile security, trusted by Fortune 500 companies and government agencies to protect against mobile threats. With a history of innovation and collaboration with the U.S. Federal Government, Quokka has been recognized by Gartner, NVTC, and Global InfoSec for advancing mobile app security. The company combines deep research expertise with proven technology to help organizations safeguard their mobile ecosystems with confidence. To learn more, please visit www.quokka.io.
Media Contact
Sarah Hawley
Mockingbird Communications
+1 480-292-4640
sarah@mockingbirdcomms.com
SOURCE: Quokka