The Importance of Mobile Security
The security of mobile devices and applications matters more today than ever — and the threat landscape has shifted noticeably over the past two years. According to the Verizon Mobile Security Index 2025, 85% of organizations report a rise in mobile attacks. At the same time, generative AI has opened an entirely new dimension of risk: in 93% of organizations, employees use genAI tools on their mobile devices — yet only 17% have implemented any controls against AI-assisted attacks. Verizon aptly calls this a "perfect storm" of artificial intelligence and human error.
How the Threats Have Changed
Attackers now treat mobile endpoints as a primary target. Zimperium's 2025 Global Mobile Threat Report shows clearly what that looks like:
- Mishing, not just classic phishing. "Mishing" — phishing tailored to mobile devices — now accounts for roughly a third of all detected threats. Over two-thirds of it is smishing (SMS phishing). Vishing (voice phishing) and smishing rose 28% and 22% year over year, driven by attackers' widespread use of AI tooling.
- New lures. PDF-based phishing has emerged as an effective new way to hide malicious links. AI-generated text, voices, and even deepfakes make these attacks more convincing than ever.
- Outdated systems. Around 50% of mobile devices run on outdated operating system versions — every unpatched gap is an open door.
- Sideloading and the supply chain. Apps from unofficial sources are often repackaged versions of legitimate ones; nearly a quarter of enterprise devices already carry sideloaded apps. In the EU, regulatory change (the Digital Markets Act) has widened this attack surface further, since iOS now permits alternative app stores and sideloading. On top of that come poisoned third-party SDKs hiding deep in the supply chain.
The core message: mobile security is no longer a footnote — it's one of the most important attack surfaces there is.
Standards as a Solid Foundation
To address these threats in a structured way, the OWASP Mobile Application Security project remains the first reference. It has grown considerably in recent years and now comprises:
- the MASVS (Mobile Application Security Verification Standard) as the requirements catalog,
- the MASTG (Mobile Application Security Testing Guide) for carrying the testing out in practice,
- and, newly, the MASWE (Mobile Application Security Weakness Enumeration), which bridges standard and testing guide by systematically listing the typical weaknesses.
The accompanying checklists were last updated in June 2025. Together, these provide a reliable basis for assessing mobile applications and identifying and fixing common vulnerabilities.
Why a Test Catalog Alone Isn't Enough
As valuable as a standard is, simply working through it falls short. Industry-specific experience — in finance or healthcare, for instance — is decisive for spotting the vulnerabilities that matter in that particular environment: regulatory requirements, sensitive data flows, business-critical logic. A generic test finds generic gaps. The expensive vulnerabilities are usually the context-specific ones.
How I Work
At HSEC.Consulting I combine the OWASP test catalog (MASVS/MASTG/MASWE) with experience across different industries — and a current, methodical view of the real threat landscape. Part of what keeps me current is lecturing on mobile security at the USTP in Austria: teaching forces you to track new attack techniques and their countermeasures continuously, and to explain them clearly. So the question isn't only whether your app meets the standards, but whether it's prepared for the attacks that actually occur in your line of business.
If you'd like to know how secure your mobile applications really are, get in touch.
#MobileSecurity #AppSec #CyberSecurity #OWASP #MASVS
