Risks to software supply chains from mobile applications are increasing, largely due to a lack of deep visibility into the software's codebase, a new study has found.
Zimperium researchers noted in the 2025 Global Mobile Threat Report that more than 60% of top Android and iOS third-party components, or software development kits (SDKs), are shipped as precompiled binary packages, often with partial or missing software bills of materials (SBOMs).
Even when source code exists, the researchers said, developers commonly test open-source versions but deploy the compiled binaries for speed, leaving what ships and runs unchecked. This allows attackers to poison the mobile supply chain with malicious or tampered components, bypassing traditional static testing and software composition analysis (SCA) tools, the report explained.
Without deeper binary analysis, the puzzle that is modern software becomes an ideal target for exploitation. Learn more about risk from third-party mobile development — and how to get on top of it.
The lack of visibility is key
The report explained that third-party libraries and frameworks are extensively used in mobile app development, and development teams frequently choose proprietary, precompiled binaries for critical functionality, such as authentication, payments, and encryption, because they offer enterprise-grade support and faster integration.
However, it continued, these binaries often come with limited source code and dependency visibility, making it difficult to assess their behavior or security posture. This lack of transparency introduces silent vulnerabilities that traditional security tools struggle to detect, creating a blind spot in the mobile app supply chain that attackers can exploit.
Traditional CI/CD workflows often rely on source code scanning and SCA tools, which cannot assess the runtime behavior of third-party libraries when access to the source code is not available, the report noted. This lack of visibility becomes even more dangerous considering that 90% of the codebases include components that are more than 10 versions behind the latest release.
Most proprietary, closed-source components are responsible for critical functions, such as authentication or payments, so the impact of security failures here can be costly. "Enterprises are becoming more and more reliant on mobile apps to perform basic business operations," the researchers wrote. "They are used for supply chain management, reporting, office functions, expense management, and HR, to name a few categories. With the ubiquity of apps in an enterprise rising, so does the risk they pose to the enterprise’s data."
Eric Schwake, director of cybersecurity strategy at Salt Security, said threat actors find mobile apps appealing for a number of reasons.
"These apps often manage sensitive user data, such as financial details, personal information, and authentication credentials, which are commonly accessed and transmitted via APIs. Their ubiquitous presence on personal devices makes them prime targets for large-scale cyberattacks."
—Eric Schwake
Schwake said that design and development flaws, along with insecure API practices and inconsistent security measures, result in vulnerabilities that can be exploited.
Need for continuous software vetting
The mobile threat report noted that security, risk, and compliance teams often lack visibility into the risks posed by mobile apps, especially when relying solely upon release notes or vendor documentation. Adam Brown, a managing consultant with Black Duck Software, said software producers and organizations that rely on mobile devices must understand the risk of the software architecture and code implementation on these devices and take action.
"Otherwise, the weaknesses introduced at that stage result in vulnerabilities and therefore breaches."
—Adam Brown
Brown said that organizations are making compliance progress. "According to the Building Security in Maturity Model [BSIMM] 15, there has been a 22% rise in the number of organizations creating SBOMs for deployed software and a 67% increase in organizations performing software composition analysis on code repositories," he said.
BSIMM participants are also protecting the code they publish to improve regulatory compliance, Brown said. "The security activity 'protect code integrity' increased by roughly 20% from BSIMM14 to BSIMM15, and 'use code protection' increased by about 45%."
The report called for continuous application vetting to reduce risk in the mobile domain. Without the insights provided by continuous app vetting, critical changes in privacy, communications, and compliance behavior can go unnoticed.
In cases where the risk stems from a third-party supply chain dependency, even the software vendor may be unaware, so the change appears in neither the documentation nor the SBOM, the report noted. As an example, the report's researchers analyzed a new version of an iOS business messaging app and found that camera and microphone functionality had been added two months after the previous version was released. The version history in the app store, however, listed only the word “improvements.”
The report's researchers also found finance- and productivity-related Android software with millions of downloads mistakenly shipped with the debug flag enabled in production, leaving them vulnerable to runtime attacks, code inspection, and unauthorized data access.
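The two findings above (undocumented camera and microphone access added in an update, and a debuggable build shipped to production) are exactly the kind of change a continuous vetting step should catch. The following script is an added example, not code from the Zimperium report or from ReversingLabs: it diffs the decoded AndroidManifest.xml of two releases, flags newly requested permissions, and refuses a build that sets android:debuggable. The manifests and the SENSITIVE permission set are constructed for illustration.

```python
"""Vet an app update by diffing its decoded AndroidManifest.xml against the
previous release. Added example, not the report's or RL's own tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions whose first appearance in an update deserves review (illustrative set).
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION"}

# Constructed sample manifests, modelled on the messaging-app case in the text.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.biz.messenger" android:versionCode="41">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Messenger"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.biz.messenger" android:versionCode="42">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Messenger" android:debuggable="true"/>
</manifest>"""


def permissions(manifest_xml: str) -> set:
    """Return the set of permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def is_debuggable(manifest_xml: str) -> bool:
    """True if <application android:debuggable="true"> is set; never acceptable in production."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(f"{{{ANDROID_NS}}}debuggable") == "true"


def vet_update(old_xml: str, new_xml: str) -> dict:
    """Compare two releases: list new permissions, flag sensitive ones and debuggable builds."""
    added = permissions(new_xml) - permissions(old_xml)
    debuggable = is_debuggable(new_xml)
    return {
        "added_permissions": sorted(added),
        "new_sensitive": sorted(added & SENSITIVE),
        "debuggable": debuggable,
        "needs_review": bool(added & SENSITIVE) or debuggable,
    }


if __name__ == "__main__":
    print(vet_update(OLD_MANIFEST, NEW_MANIFEST))
```

On a real pipeline the manifests would come from the shipped APK (decoded with apktool or aapt) rather than from source, so that what is vetted is what actually runs.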
"The story these statistics tell us is about the importance of vetting third-party applications, not just as a precaution but as a strategic imperative for enterprises. Without proper security and privacy assessment measures for mobile applications, the risk for sensitive data leakage, whether intentional or accidental, can directly impact organizational integrity, customer trust, and regulatory compliance."
—2025 Global Mobile Threat Report
Shift to a third-party risk management strategy
Today, mobile devices themselves have become a critical point of vulnerability, the report noted. As attackers increasingly target the underlying mobile environment to bypass software-level defenses, ensuring that an app is running untampered on a secure, uncompromised device is no longer optional. Outdated operating systems, rooted or jailbroken devices, application toolkits to manipulate software, and malware infections all create blind spots that traditional application security testing (AST) tools cannot mitigate alone.
Jason Soroko, senior vice president of product at Sectigo, said that one of the reasons some people like to root their Android device or jailbreak their iOS device is to have the ability to sideload applications.
"Sideloading bypasses the official app store’s rigorous vetting process, leaving devices exposed to malware, unauthorized code, and other security risks. With Apple now forced in Europe to allow sideloading, the safety net of curated applications is eroded, increasing the potential for compromised apps and systemic vulnerabilities that attackers can exploit to access sensitive data and undermine device integrity."
—Jason Soroko
The report urged organizations to adopt a risk-based approach to third-party mobile security, countering attackers who exploit vulnerable devices, poorly protected apps, and blind spots in third-party supply chains to reach sensitive data and systems.
Aspects of such an approach can include:
- Treating device-level risks such as mishing (mobile-targeted phishing), outdated operating systems, and sideloaded apps as integral to mobile endpoint security outcomes
- Continuously vetting third-party apps on employee devices to evaluate their actual behavior, beyond stated functionality, with every update, ensuring they don’t become hidden threats to the enterprise
- Making sure in-house applications are thoroughly assessed prior to release, so that they follow best practices, meet industry standards, and demonstrate protection against expected benchmarks
- Embedding security throughout the mobile app development lifecycle, not just at the code level, and assessing applications for compliance to these requirements prior to release
- Shifting from reactive controls to proactive visibility, including binary analysis, runtime protection, and device attestation
The 2025 Global Mobile Threat Report researchers wrote:
"Mobile security is no longer optional or peripheral. It is now a strategic pillar of enterprise risk management."
Going beyond traditional testing is essential
Managing third-party risk is critical today — and that requires retooling. The 2025 version of Verizon's Data Breach Investigations Report (DBIR) for the first time has a strong call to focus risk attention on the unprecedented rise in breaches stemming from third-party organizations.
Saša Zdjelar, chief trust officer at ReversingLabs, said the new DBIR highlights the need for a better approach to software supply chain security. He said enterprises needed to employ binary analysis and reproducible builds to complement traditional application security testing tools such as static and dynamic application security testing (SAST and DAST) and software composition analysis (SCA).
The Enduring Security Framework, a public/private working group led by the National Security Agency (NSA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), has called for the use of binary analysis and reproducible builds to identify and manage risk. These more modern tools produce actionable threat information about the software and services deployed within IT environments: the presence of active malware, evidence of software tampering, the absence of application hardening, and exposed secrets. This strategy makes security teams more proactive in their efforts to mitigate risk.
In contrast, SAST and DAST at many organizations typically apply only to a small subset of internally developed systems and applications. Zdjelar said the recommended use of binary analysis and reproducible builds marked a significant step forward in ensuring better software supply chain security.
"Our ability to analyze binaries is key to understanding risk in third-party software."
—Saša Zdjelar