AI doubled developer productivity in 2024—but at what cost? While AI accelerates code development, it still produces errors in 10-30% of cases. Researchers found that over 5% of AI-generated code for commercial models and a staggering 22% from open-source models contained non-existent package names, leading to potential security gaps. Are AI-driven apps moving too fast for security to keep up?
These errors aren’t just minor bugs. They create vulnerabilities that attackers can exploit. While AI speeds up mobile app development, security risks are growing just as fast.
How AI accelerates mobile app development (beyond LLMs)
AI isn’t a glimpse of the future—it’s here, accelerating mobile app development today. While advancements in large language models (LLMs) have fueled recent interest and investment in AI, AI-driven code generation isn’t new; it has been a practical use case for years.
A McKinsey study found that developers using generative AI tools could complete coding tasks up to twice as fast as those working without them. However, the impact varied based on task complexity and developer experience, with AI development providing the biggest efficiency gains for repetitive or well-defined coding tasks while offering less benefit for more complex, high-level problem-solving.
Developers are leveraging both specialized AI coding models, like code infilling tools that act as “auto-complete for code,” and LLM-based foundation models to generate code more efficiently. Beyond allowing teams to build, test, and deploy apps faster than ever before, AI-driven engines also optimize security testing, dependency management, and CI/CD pipelines to improve efficiency across the entire development lifecycle.
According to the 2024 StackOverflow Developer Survey, 76% of developers are currently using or plan to use AI in their development process this year, and 82% of them use AI to write code.
Here are just a few key ways AI is accelerating the app development process:
- Automated code generation: AI development tools can generate functional code snippets, cutting down on manual coding and speeding up development. Developers input requirements, and AI generates the code, allowing them to focus on higher-level tasks, improve productivity, and reduce errors from repetitive coding.
- SDK & library recommendations: AI-driven dependency management platforms analyze project requirements and suggest compatible SDKs and APIs, reducing manual research time. While LLMs can assist in identifying SDKs, developers primarily use specialized AI tools that assess compatibility, security, and performance risks.
- Automated testing & security analysis: AI-driven testing engines run automated security scans, identify vulnerabilities, and optimize functional testing, reducing the need for manual QA.
- CI/CD automation & deployment optimization: AI enhances continuous integration and deployment pipelines by predicting potential failures and automating release workflows, ensuring faster, more stable rollouts.
AI code generation is great for boosting productivity and even improving cybersecurity by speeding up how we detect and fix vulnerabilities. But there’s a catch. Research shows these models can also churn out insecure code, which becomes a big problem if it’s used without careful review.
AI-generated code: the hidden security risks in your mobile apps
AI is accelerating code generation, but speed comes at a cost. Unlike human developers, AI doesn’t inherently understand security best practices, meaning it can introduce vulnerabilities at scale—vulnerabilities that attackers are actively exploiting.
Worse, the burden of securing AI-generated code rests entirely on developers, and without the right security tools in place, businesses risk deploying insecure applications, violating compliance standards, and exposing users to cyber threats. Insecure code often ends up in open-source repositories, feeding into new models and creating a cycle of widespread vulnerabilities.
- 46% of AI-generated programs contain known vulnerabilities listed in MITRE’s 2021 CWE Top 25 Most Dangerous Software Weaknesses (Pearce et al., 2021).
- 48% of AI-generated code samples contained bugs detected by ESBMC, while others couldn’t even be verified due to infinite loops, checker timeouts, or compilation errors.
- 76% of technology workers mistakenly believe AI-generated code is more secure than human-written code, potentially leading to overlooked vulnerabilities and inadequate code reviews (Chen et al., Evaluating Large Language Models Trained on Code).
AI-generated code can pass functionality tests while still containing severe security flaws. In some programming languages, AI-powered code generation models frequently suggest external libraries and packages—but that comes with risks. These external sources may be non-existent (hallucinated by the model), outdated and unpatched, or even outright malicious. Attackers exploit common misspellings in package names and URLs to trick developers into pulling in compromised dependencies, turning what should be a simple interaction into a serious security threat.
Without continuous security testing, organizations may unknowingly deploy vulnerable applications, exposing their users, data, and infrastructure to cyberattacks.
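One defensive check for the hallucinated and typosquatted dependency problem described above is to vet every package name an assistant proposes against a curated index before anything is installed. The script below is an added example and is not code from the original article or from Quokka; the known-package index and the list of proposed names are constructed for illustration and would, in a real pipeline, come from an internal mirror or the project's lockfile. A name that is absent from the index is reported as unknown (a candidate hallucination), and a name within a small edit distance of a known package is reported as a possible typosquat.

```python
"""Vet dependency names proposed by an AI coding assistant before installation.

Added example, not the article's or Quokka's code. KNOWN_PACKAGES and the
proposed names below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a curated allowlist / internal mirror index.
KNOWN_PACKAGES = {"requests", "urllib3", "cryptography", "PyJWT", "flask", "numpy"}


@dataclass
class Finding:
    name: str
    verdict: str               # "ok", "unknown", or "possible-typosquat"
    closest: Optional[str] = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 style normalisation: case-fold and collapse -, _ and . runs."""
    return re.sub(r"[-_.]+", "-", name).lower()


def vet(name: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> Finding:
    """Classify one proposed dependency name against the known index."""
    norm = normalize(name)
    known_norm = {normalize(k): k for k in known}
    if norm in known_norm:
        return Finding(name, "ok", known_norm[norm])
    closest = min(known_norm, key=lambda k: edit_distance(norm, k))
    if edit_distance(norm, closest) <= max_distance:
        # Near miss of a real package: the classic typosquat pattern.
        return Finding(name, "possible-typosquat", known_norm[closest])
    # Not on the index at all: possibly hallucinated, possibly a new package;
    # either way it needs a human before it is installed.
    return Finding(name, "unknown")


def vet_all(names):
    return [vet(n) for n in names]


def gate(names) -> bool:
    """True only when every proposed dependency is already on the allowlist."""
    return all(f.verdict == "ok" for f in vet_all(names))


if __name__ == "__main__":
    # Constructed sample of names an assistant might emit for a new feature.
    proposed = ["requests", "pyjwt", "reqeusts", "cryptograpy", "fast-auth-helper"]
    for finding in vet_all(proposed):
        print(f"{finding.name:20} {finding.verdict:20} {finding.closest or ''}")
    raise SystemExit(0 if gate(proposed) else 1)
```

Running this in CI with a non-zero exit on anything other than "ok" turns the review step the article calls for into an automatic gate rather than something that depends on a developer noticing a one-letter difference.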
AI-generated code is uniquely vulnerable to manipulation
AI-generated code is uniquely vulnerable to hacking, tampering, and manipulation, creating new risks that traditional security measures aren’t designed to handle. Nearly half of the code snippets generated by five AI models were found to contain exploitable vulnerabilities, heightening the risk of cyberattacks. Worse still, attackers are now using AI to create entirely new security threats that traditional tools are ill-equipped to identify. Two major attack types:
- Data poisoning: Attackers manipulate an AI model’s training data, increasing the likelihood that it will generate malicious or vulnerable code. This could lead to AI suggesting compromised SDKs, insecure authentication methods, or vulnerable encryption algorithms.
- Backdoor attacks: A hidden trigger phrase forces the model to produce compromised code on demand, bypassing normal security controls. Even if developers try to remove the backdoor, it can remain hidden and persistent, creating long-term risks.
For example, if an attacker successfully poisons an open-source repository used to train AI models, future AI-generated code could automatically suggest or incorporate those compromised dependencies, affecting thousands of applications before the issue is even detected.
AI’s ripple effect, reshaping supply chain risks
The increasing use of AI-generated code isn’t just changing how software is built—it’s also reshaping the vulnerability landscape in ways that could have long-term downstream impacts on the software supply chain.
What’s coded today becomes the training data for future AI models, creating a feedback loop where vulnerabilities, inefficiencies, and insecure practices risk being reinforced rather than corrected. Supply chain attacks become harder to detect, as insecure code spreads across open-source repositories and enterprise applications.
- Technical debt: AI-generated code also adds to technical debt, often requiring future rewrites, removals, or patches due to security flaws or inefficiencies. As a result, organizations face an increased burden in monitoring, maintenance, and vulnerability management, driving up operational costs and security risks across the supply chain.
- Functionality over security: AI-powered code generation models excel at producing functional code—but security isn’t their strong suit. These models are typically trained to perform well on benchmarks like HumanEval, which measures their ability to generate correct Python code—but doesn’t assess whether that code is secure (Chen et al., Evaluating Large Language Models Trained on Code).
A single unvetted AI-generated code snippet can introduce persistent vulnerabilities across multiple software ecosystems. Attackers can exploit these weaknesses at scale, increasing the urgency for businesses to implement proactive security measures.
AI-generated code in mobile apps: the compliance and business risks
The security risks of AI-generated code extend beyond technical vulnerabilities—they also create regulatory and compliance challenges that organizations can’t afford to ignore.
- Regulatory violations: AI-generated vulnerabilities can put businesses out of compliance with GDPR, CCPA, PCI DSS, and other security frameworks, leading to potential fines and legal liabilities.
- Increased attack surface: AI-assisted development often introduces new dependencies and unverified SDKs, making it easier for attackers to exploit weaknesses in an organization’s mobile apps.
- Higher operational costs: More security flaws mean more patches, more audits, and more maintenance, increasing long-term costs for security teams.
Code generation models are great at creating functional code, but security? Not so much. The catch? A model that produces working code does not check whether that code is secure or free of vulnerabilities.
AI in mobile app development is here—but security can’t be an afterthought
AI is not slowing down—neither are the threats that come with it. AI is not just helping developers build apps faster—it is also helping cybercriminals create and distribute malicious apps more efficiently than ever before. Attackers are leveraging AI to generate malware, automate phishing attacks, and disguise harmful applications in ways that make them harder to detect.
The organizations that integrate automated mobile app security testing today will be the ones ahead of AI-driven vulnerabilities, compliance risks, and evolving attack surfaces.
Here are the major ways AI-generated code can affect your mobile apps and users:
- Sloppy apps: AI-generated code often lacks proper security validation, leading to apps with weak encryption, improper authentication, and exploitable vulnerabilities. Without thorough security testing, these flaws can go undetected until attackers exploit them.
- Malicious apps: Attackers can use AI to create realistic phishing apps, mimic legitimate software to steal credentials, or inject spyware. Even platforms like Google Play Store and Apple’s App Store struggle to keep up. In 2024, over 200 malicious apps were discovered in Google Play, accumulating more than 8 million downloads before being removed.
- Third-party app stores: The rise of alternative app stores, driven by regulations like the Digital Markets Act (DMA), increases the risk of unverified and malicious AI-generated apps entering the ecosystem. These stores may not enforce the same security standards as Apple’s App Store or Google Play, exposing users to Trojans or fraudulent applications.
- Compromised SDKs and dependencies: AI-powered coding assistants often suggest third-party SDKs and libraries without considering security risks. Developers may unknowingly integrate outdated, vulnerable, or even malicious SDKs, creating hidden backdoors that attackers can exploit.
Without automated mobile app security testing, businesses risk deploying applications that contain AI-generated vulnerabilities, insecure dependencies, and exposure to unregulated app marketplaces. Organizations using AI in mobile development must prioritize security testing to ensure their apps remain compliant, resilient, and protected against evolving threats.
Balancing speed with security reduces AI-driven risks for developers
AI-generated code introduces vulnerabilities at scale, making proactive security testing essential for mobile applications. Traditional security reviews cannot keep pace with AI’s rapid development cycles, but integrating automated security testing into your workflow ensures vulnerabilities are identified and mitigated before deployment.
- Comprehensive security testing: Security testing should cover static, dynamic, and interactive analysis (SAST, DAST, and IAST) along with forced path execution to uncover hidden vulnerabilities across the entire application stack. This approach ensures end-to-end security, from AI-generated code to third-party dependencies.
- SBOM for SCA: A Software Bill of Materials (SBOM) integrated with Software Composition Analysis (SCA) validates open-source and third-party components, identifying vulnerabilities in libraries, nested dependencies, and AI-recommended SDKs. This prevents the unintentional use of compromised packages.
- Centralized management & CI/CD integration: Security testing should be frictionless. A single platform for testing, monitoring, and reporting streamlines security operations, while CI/CD pipeline integration via REST API ensures automated security scans without slowing down development cycles.
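The SBOM-for-SCA and CI/CD-integration points above can be combined into a single pipeline gate: read the SBOM the build emits, match each component against an advisory feed, flag components from sources that have not been vetted, and fail the build on any finding. The script below is an added example, not code from the article or from Quokka's products. It assumes a CycloneDX JSON SBOM (the components and Maven package URLs are constructed to look like an Android build), an inline advisory list with placeholder identifiers in place of real advisory IDs, and a simple numeric version comparison.

```python
"""Fail a build when its SBOM lists vulnerable or unvetted components.

Added example, not the article's or Quokka's code. The SBOM, the advisory
feed and the allowed namespaces are constructed for illustration; advisory
IDs are placeholders, not real identifiers.
"""
import json

# Constructed CycloneDX-style SBOM as a build tool might emit it.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "okhttp", "version": "4.9.0",
     "purl": "pkg:maven/com.squareup.okhttp3/okhttp@4.9.0"},
    {"type": "library", "name": "gson", "version": "2.10.1",
     "purl": "pkg:maven/com.google.code.gson/gson@2.10.1"},
    {"type": "library", "name": "ai-suggested-analytics", "version": "0.1.0",
     "purl": "pkg:maven/io.example/ai-suggested-analytics@0.1.0"}
  ]
}"""

# Constructed advisory feed: versions below fixed_in are affected.
ADVISORIES = [
    {"purl_prefix": "pkg:maven/com.squareup.okhttp3/okhttp",
     "fixed_in": "4.9.2", "id": "ADV-PLACEHOLDER-1"},
]

# Constructed allowlist of package namespaces the organisation has vetted.
ALLOWED_NAMESPACES = {
    "pkg:maven/com.squareup.okhttp3/",
    "pkg:maven/com.google.code.gson/",
}


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; a pre-release suffix after '-' is dropped."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("-")[0].split("."))


def components(sbom_text: str) -> list:
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return doc.get("components", [])


def purl_without_version(purl: str) -> str:
    return purl.split("@", 1)[0]


def advisories_for(component: dict) -> list:
    """IDs of advisories whose fixed version is newer than the shipped one."""
    base = purl_without_version(component["purl"])
    return [adv["id"] for adv in ADVISORIES
            if base == adv["purl_prefix"]
            and parse_version(component["version"]) < parse_version(adv["fixed_in"])]


def unvetted(component: dict) -> bool:
    """True when the component comes from a namespace nobody has reviewed."""
    return not any(component["purl"].startswith(ns) for ns in ALLOWED_NAMESPACES)


def evaluate(sbom_text: str) -> list:
    """Return (name, finding_type, detail) tuples; empty means the build is clean."""
    findings = []
    for c in components(sbom_text):
        for adv_id in advisories_for(c):
            findings.append((c["name"], "vulnerable", adv_id))
        if unvetted(c):
            findings.append((c["name"], "unvetted-source", purl_without_version(c["purl"])))
    return findings


def ci_exit_code(sbom_text: str) -> int:
    return 1 if evaluate(sbom_text) else 0


if __name__ == "__main__":
    for name, kind, detail in evaluate(SBOM_JSON):
        print(f"{name}: {kind} ({detail})")
    raise SystemExit(ci_exit_code(SBOM_JSON))
```

The unvetted-source check is what catches an AI-recommended SDK that is not vulnerable in any database simply because nobody has looked at it yet; the advisory match catches the outdated-and-unpatched case. Both run from the SBOM alone, so the gate works in any CI system that can invoke a script after the build step.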
Quokka’s Q-mast delivers static, dynamic, and behavioral analysis to uncover risks in code, libraries, and dependencies. Real-world vulnerabilities are exposed through custom user journey simulations, while built-in compliance with OWASP, GDPR, and NIAP ensures apps meet security standards. With seamless CI/CD integration, Q-mast automates security testing at scale, providing detailed, actionable reports with remediation guidance.
Future Implications: The Need for Ongoing Vigilance
As AI becomes more deeply integrated into app creation, consumers must also remain vigilant about the security of the apps they download and use. Unfortunately, in today’s world of millions of apps that serve millions of purposes with complex Terms and Conditions, it’s nearly impossible for the average person to stay on top of the security or privacy risks. Companies can use Quokka’s Q-scout to vet mobile apps and limit the risk of sloppy or malicious apps on employees’ phones. This ensures that employees aren’t using apps that could compromise the company’s security. Q-scout can help users and IT teams identify and address a range of risks, including malicious and sloppy apps that request unnecessary permissions.
Contact us today to learn how we can help you build apps faster without compromising on security and protect your organization from risky apps on employees’ mobile endpoints.