80% of smartphone usage is through mobile apps, which are often highly connected to web services, have payment capabilities, and contain personal data. Personal handsets are granted access to corporate networks and are frequently lost or stolen. These factors and more put mobile at a higher risk from malicious activity than most other computing environments.


Mobile devices are a favorite target for hackers, and the most common route in is through mobile software and apps. Personal and payment data reside in the OS or within individual apps, and this data is usually not secured properly because of the abundant use of clear-text files.


Mobile app developers are constantly rushing to get apps to market, which comes with serious security implications. In addition, users themselves allow exploitation by not taking simple steps such as adding a device password or by downloading software from untrusted sources.

Top attacks include:

Harvesting credentials

Intercepting sensitive data

Diverting revenue

Employing a “shift-left” approach to application security is vitally important in mobile app development. A rush to launch results in poorly planned design and a failure to foresee the use cases that require secure coding. Regular testing from the beginning of the development process is crucial, especially with white-box testing methods such as SAST.



Verizon’s 2020 Mobile Security Index estimates that 43% of organizations sacrificed mobile security in the rush to market. This compromise allowed easy exploitation through a vast array of vulnerabilities. The challenge of securing mobile apps doesn't lie solely in the mobile device source code; it also rests in the client-server systems where data is transmitted back and forth.

When testing mobile application security, the server side is often forgotten. This allows various attacks on users, such as phishing emails. Poor security in data communication between the client and the server can lead to extensively compromised data.

Commonly used attack methods

Improper input/output validation

Listed in the CWE Top 25, improper input/output validation is a common mobile application vulnerability, especially when interacting with servers. When input is not validated, attackers can craft their own input and cause a data breach.

Insecure data protocols

Insecure data protocols are a significant issue for mobile apps, for both storage and transmission. Passwords, payment details, personal information and messages are all at risk.

Session expiration

Session expiration is often poorly implemented or non-existent. After a user signs out of an app, the session identifiers should be invalidated. If they are not, an attacker who obtains those identifiers could use them to impersonate the user and exploit the system.
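As an added illustration of the session-expiry flaw (not code from this page or from Xcalibyte), the following constructed Python server-side store contrasts a sign-out that only clears the client cookie with one that also invalidates the identifier server-side; the store, the user name, the fake clock and the 15-minute idle timeout are all assumptions.

```python
import secrets
import time
# Constructed, hypothetical session store (not Xcalscan's or any real backend's):
# sign-out that clears the client cookie but leaves the server-side identifier live.
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity after which a session expires

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session_id -> {"user": str, "last_seen": float}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # 256-bit random, unguessable identifier
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def resolve(self, sid):
        # Returns the user for a live session, or None if unknown or expired.
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # idle too long: drop it server-side
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout_vulnerable(self, sid):
        # Flawed: only the client forgets the cookie; the server-side entry
        # stays alive, so anyone holding the old identifier is still "logged in".
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout_fixed(self, sid):
        # Correct: invalidate server-side first, then clear the client cookie.
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "session=; Max-Age=0"}

def replay_after_logout(fixed):
    # Sign out, then present the same identifier again; None means rejected.
    store = SessionStore()
    sid = store.login("alice")
    store.logout_fixed(sid) if fixed else store.logout_vulnerable(sid)
    return store.resolve(sid)

def resolve_after_idle(idle_seconds):
    now = [1000.0]  # fake clock so the idle-timeout path can be exercised
    store = SessionStore(clock=lambda: now[0])
    sid = store.login("alice")
    now[0] += idle_seconds
    return store.resolve(sid)
```

A static analyzer that tracks the identifier's data flow can flag the vulnerable variant, since the value created at login is never removed from the store on the sign-out path.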

Xcalibyte’s Solutions

Confirm Validation

Xcalscan identifies where validation and sanitization are missing in both client-side and server-side applications. Guidance is provided to help developers remediate vulnerabilities.

Identify Insecure Data

Xcalscan identifies where cryptographic algorithms should be used, applying rules based on best practice.

Confirm Session Expiry

Xcalscan analyzes code based on data flows across different procedures and can detect when a program fails to invalidate identifiers after session expiry.

In Android app development, Java is the preferred language. Xcalscan’s scanning engine uses a large number of CERT Java rules to address vulnerabilities that are common in Java.


HISENSE – Smart Home Appliances

Juhaolian is a subsidiary of Hisense, known for smart home appliances, electronic equipment and intelligent information systems. Juhaolian is at the heart of Hisense's smart home solutions by providing communication technologies between devices and the cloud.


UISEE – Autonomous Vehicles

UISEE focuses on creating future-oriented mobility and logistics solutions. Using AI, they help reshape how people live in an eco-friendly urban lifestyle through utility, safety and inclusive experiences.


HORIZON – AI Processors

Horizon provides customized solutions in the field of intelligent driving. With their proprietary AI processor and computing platform, Horizon offers external environment perception, in-vehicle multi-modal interaction and high-precision map modeling.
