
Security Can Accelerate the Race for Better Mobile App UX

Michael Olechna
Guardsquare

Last year, the typical person on Earth spent more than 500 hours using mobile applications (a year-over-year increase of 5.8%) with an average of 26 different apps used per month (+9.2% YoY). These steady increases are evidence of an ongoing shift in consumer preference toward "mobile-first" experiences. For example, smartphones are now involved in nearly half of all retail purchases, and 75% of banking customers prefer mobile applications over online account access.

In response to the increasing demand for new mobile applications and advanced capabilities, developers have been prioritizing time-to-market, application performance, and user experience (UX) at the expense of security. A recent Enterprise Strategy Group survey of mobile app developers and security professionals uncovered that only 38% of organizations currently analyze their mobile applications for vulnerabilities on a weekly basis, while nearly 20% have a gap of a quarter or more between vulnerability tests.

To further accelerate delivery pipelines, more than half of organizations are already using AI coding agents in production, with another 78% planning to deploy them soon. But AI-generated code notoriously falls short in terms of technical debt, quality concerns, and maintainability issues — all of which can impact both user experience and mobile app security. Stanford research shows that AI-assisted coders are 80% more likely to write less secure code than coders without generative AI assistance.

Common security gaps across the mobile application software development lifecycle (SDLC) include:

  • Inconsistent or infrequent use of mobile application security testing (MAST)
  • Trusting default mobile device/OS protections post-release as sufficient protection
  • Using simple, single-layer code protection tools (i.e., wrappers)
  • Leaving APIs and application backends exposed
  • Waiting for a security incident instead of proactively analyzing real-time threats and regularly updating code

Security Is Part of the Mobile App User Experience

With everyday mobile apps (e.g., social media, maps, browsers, entertainment), most people don't give security a second thought. However, many users are concerned about tasks such as making retail purchases, managing finances, or accessing sensitive information (like personal medical records or confidential work communications). Unfortunately, those aren't the only kinds of mobile apps that need to be secured. For example, a recent modified version of the TikTok social video app included malware (dubbed "SparkKitty") that spied on users in search of credentials for cryptocurrency wallets.

Building and retaining user trust requires continuous and effective security throughout the useful life of a mobile app, because mobile apps are increasingly attractive targets for attackers. Research into more than 156,000 iOS apps revealed over 815,000 hardcoded secrets, including thousands that are highly sensitive and could lead directly to breaches or data leaks. The number of detected Android-based malware samples increased by more than a quarter (27%) from Q4 2024 to Q1 2025.

Traditionally, the limitations of many mobile application security solutions have forced developers to "pick their poison" — trying (and often failing) to find a sweet spot between two different negative outcomes for their users: 

  • Security obstructs app functionality: the protections in place are not seamlessly integrated, which disrupts ease of use and/or degrades application performance for users.
  • Security proves to be ineffective: the protections fail to prevent an unwanted event, such as credential exposure, data leakage, unauthorized account access, fraud, compliance violations, or malware attacks.

Mobile app and SDK developers need to serve the needs of user experience, application performance, and security, without compromising on any one area. With the right tools and approach, security can help accelerate CI/CD pipelines and improve mobile application performance.

From "Unsafe at Any Speed" to "F1" Performance

Mobile app development is a bit like Formula One auto racing — the faster the engine goes, the better all the other systems need to be to keep everyone safe. Security isn't just about braking, but also steering, visibility, telemetry, and physical infrastructure within the chassis to protect the driver when unexpected incidents occur. It's a multi-layered system designed to work in lockstep with all the other parts of the machine, as well as the operator.

Effectively securing your mobile applications and SDKs creates a better user experience. Ultimately, the goal of mobile app security should be to protect both the intended functionality and the user's experience, without any tradeoffs.

In fact, some key performance metrics (e.g., crash rate, app start time, page load time) can be negatively impacted without rigorous and regular security testing throughout the development process. App publishers also need strong code protections post-release to prevent malicious tampering or unauthorized modifications that alter the designer's original UX (which ultimately degrade how the app was intended to operate).

Purpose-Built Mobile App Security in Your Pipeline

The pressure to accelerate development cycles isn't going away. Neither are the shiny new GenAI development tools that frequently introduce code flaws, open-source vulnerabilities, and even maliciously poisoned LLM content.

More than ever, developers need effective and practical security tools — ones that operate within this rapidly evolving reality by integrating into CI/CD pipelines at speed. They also need security that's purpose-built for the unique nature of mobile applications, not solutions adapted from web application security or generic mobile device management. This should include:

  • Relentless testing, at speed. Automated testing (MAST) that seamlessly integrates into CI/CD pipelines helps eliminate exposure to attacks that would disrupt normal mobile app operation. Combine these automated scans with thorough manual penetration tests before each release. Effective testing also helps identify potential compliance issues that can erode customer trust. Some testing tools can even help developers directly improve application performance by identifying unused code and libraries that increase application size and bog down efficient operation.
  • Multi-layered performance protection. Multi-layered code hardening (obfuscation and encryption techniques) plus runtime application self-protection (RASP) can protect apps from malicious tampering or unauthorized feature modifications that can disrupt optimized performance. RASP also offers dynamic defenses against targeted attacks to prevent mobile app downtime.
  • Cover your backend. Application attestation verifies that only your genuine app can access your APIs, while at the same time blocking clones, bots, and other unauthorized clients from exploiting backend logic or causing service disruptions. An effective app attestation solution should also prevent false positives that block genuine users from accessing their accounts.
  • Visibility helps avoid disruptions. Threat monitoring can provide real-time visibility into the application's attack surface to manage suspicious users and respond to potential security issues. In addition, it should provide actionable analytics that inform optimizations for both security and performance in version updates and future app releases.
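
To make the "cover your backend" point concrete, here is an added example (not code from the article, from Guardsquare, or from any vendor's product) of the server-side half of app attestation. It assumes a simplified scheme: an attestation service that has already inspected the running app issues a short-lived token consisting of base64url-encoded JSON claims plus an HMAC-SHA256 signature under a key it shares with the backend. The backend checks the signature, the expected app identifier, the verdict, the token lifetime, and a per-token nonce so a captured token cannot be replayed by a bot or clone. The app identifier, key, claim names and the clock-skew tolerance are all assumptions for illustration; the skew tolerance is there for the false-positive concern the bullet raises, so a genuine user whose device clock is slightly off is not locked out.

```python
"""Server-side verification of an app-attestation token (added example).

Assumed, simplified scheme (not any vendor's wire format): the attestation
service signs JSON claims with HMAC-SHA256 under a key shared with the backend,
and the token is base64url(claims) + "." + base64url(signature).
"""
import base64
import hashlib
import hmac
import json
import time

ATTEST_KEY = b"demo-shared-key-do-not-use"   # constructed demo key; load from a secrets manager in practice
EXPECTED_APP_ID = "com.example.bank"         # hypothetical app identifier
TOKEN_LIFETIME_S = 300                       # short lifetime limits the replay window
CLOCK_SKEW_S = 60                            # tolerance so slightly-off device clocks don't block genuine users


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes = ATTEST_KEY) -> str:
    """Stand-in for the attestation service; used here only to build test input."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64u(body) + "." + _b64u(sig)


class AttestationVerifier:
    def __init__(self, key: bytes = ATTEST_KEY, app_id: str = EXPECTED_APP_ID):
        self.key = key
        self.app_id = app_id
        self._seen_nonces = {}  # nonce -> expiry time, for replay detection

    def verify(self, token: str, now=None):
        """Return (accepted, reason). Every rejection carries a reason for threat-monitoring logs."""
        now = time.time() if now is None else now
        self._purge(now)
        try:
            body_b64, sig_b64 = token.split(".")
            body = _b64u_decode(body_b64)
            sig = _b64u_decode(sig_b64)
        except ValueError:                      # wrong segment count or bad base64
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad_signature"       # forged or tampered token
        try:
            claims = json.loads(body)
        except json.JSONDecodeError:
            return False, "malformed"
        if claims.get("app_id") != self.app_id:
            return False, "wrong_app"           # clone or repackaged app
        if claims.get("verdict") != "genuine":
            return False, "not_genuine"         # attestation service flagged the client
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)):
            return False, "malformed"
        if iat > now + CLOCK_SKEW_S:
            return False, "issued_in_future"
        if now > iat + TOKEN_LIFETIME_S + CLOCK_SKEW_S:
            return False, "expired"
        nonce = claims.get("nonce")
        if not isinstance(nonce, str) or not nonce:
            return False, "malformed"
        if nonce in self._seen_nonces:
            return False, "replay"              # same token presented twice
        self._seen_nonces[nonce] = iat + TOKEN_LIFETIME_S + CLOCK_SKEW_S
        return True, "ok"

    def _purge(self, now):
        # Forget nonces whose tokens can no longer validate, so the replay cache stays bounded.
        for n in [n for n, exp in self._seen_nonces.items() if exp < now]:
            del self._seen_nonces[n]


def run_demo() -> dict:
    """Constructed scenarios: one genuine request, then the failure modes the backend must catch."""
    v = AttestationVerifier()
    t0 = 1_700_000_000
    good = issue_token({"app_id": EXPECTED_APP_ID, "verdict": "genuine", "iat": t0, "nonce": "n1"})
    clone = issue_token({"app_id": "com.example.bank.clone", "verdict": "genuine", "iat": t0, "nonce": "n2"})
    forged = issue_token({"app_id": EXPECTED_APP_ID, "verdict": "genuine", "iat": t0, "nonce": "n3"}, key=b"guessed-key")
    stale = issue_token({"app_id": EXPECTED_APP_ID, "verdict": "genuine", "iat": t0 - 3600, "nonce": "n4"})
    skewed = issue_token({"app_id": EXPECTED_APP_ID, "verdict": "genuine", "iat": t0 + 30, "nonce": "n5"})  # device clock 30 s ahead
    return {
        "genuine": v.verify(good, now=t0 + 5),
        "replay": v.verify(good, now=t0 + 10),
        "clone": v.verify(clone, now=t0 + 5),
        "forged": v.verify(forged, now=t0 + 5),
        "stale": v.verify(stale, now=t0 + 5),
        "skewed_but_genuine": v.verify(skewed, now=t0 + 5),
        "garbage": v.verify("not-a-token", now=t0 + 5),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:20s} -> {result}")
```

The rejection reasons are deliberately distinct so the threat-monitoring side (the next bullet) can tell clones, forgeries and replays apart in its analytics, and the skew window is what keeps a genuine but mis-clocked device from becoming a false positive.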

Proactively integrating security across the mobile app SDLC offers a value-added benefit for users: peace of mind that the application has been thoroughly tested in development and remains comprehensively protected against attacks in the wild. It helps mobile app developers establish an environment that supports zero trust principles by tightly integrating security into development and operations workflows (also known as DevSecOps).

Test, Protect and Monitor — for the Win

Security shouldn't be a detour or a delay en route for mobile application and SDK developers. With purpose-built tools for testing, protection, and monitoring, mobile application security can become both an accelerator and a navigator that helps you build better, faster, and safer without any compromises.

Michael Olechna is Product Marketing Manager at Guardsquare

