惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tailwind CSS Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
The Cloudflare Blog
J
Java Code Geeks
大猫的无限游戏
大猫的无限游戏
雷峰网
雷峰网
WordPress大学
WordPress大学
Jina AI
Jina AI
IT之家
IT之家
Hugging Face - Blog
Hugging Face - Blog
博客园 - 聂微东
有赞技术团队
有赞技术团队
V
Vulnerabilities – Threatpost
博客园 - 司徒正美
L
Lohrmann on Cybersecurity
P
Privacy International News Feed
S
SegmentFault 最新的问题
C
Cisco Blogs
V
V2EX
博客园 - 三生石上(FineUI控件)
Apple Machine Learning Research
Apple Machine Learning Research
I
Intezer
人人都是产品经理
人人都是产品经理
博客园_首页
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Cyberwarzone
Cyberwarzone
Know Your Adversary
Know Your Adversary
酷 壳 – CoolShell
酷 壳 – CoolShell
Security Latest
Security Latest
V
Visual Studio Blog
S
Schneier on Security
宝玉的分享
宝玉的分享
博客园 - 【当耐特】
腾讯CDC
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - Franky
Last Week in AI
Last Week in AI
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
K
Kaspersky official blog
T
The Exploit Database - CXSecurity.com
G
GRAHAM CLULEY
量子位
S
Securelist
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tenable Blog
阮一峰的网络日志
阮一峰的网络日志
博客园 - 叶小钗
T
Troy Hunt's Blog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Mobile App Security Audit Playbook: What US Enterprise CTOs Need to Check Before Launch 2026
Mohammed Ali · 2026-04-26 · via DEV Community

This piece was written for enterprise technology leaders and originally published on the Wednesday Solutions mobile development blog. Wednesday is a mobile development staffing agency that helps US mid-market enterprises ship reliable iOS, Android, and cross-platform apps — with AI-augmented workflows built in.

Eight audit categories, what to check in each, what failure looks like, and what to do when you find a problem two weeks before launch.


73% of enterprise mobile apps fail at least one security audit category before launch, according to NowSecure's 2024 Mobile Security Report. The most common failures are not exotic zero-days - they are basic hygiene problems: sensitive data stored in plaintext, API keys hardcoded in the app binary, and third-party SDKs accessing device data with no one tracking what they collect. This playbook covers the eight categories a CTO needs to check before any major mobile release, what a failure looks like in each, and what to do if you find something critical two weeks before the launch date.

Key findings
73% of enterprise mobile apps fail at least one security audit category before launch (NowSecure, 2024).
Hardcoded API keys in app binaries are the most exploitable single-point failure - anyone who downloads the app can extract them.
A professional penetration test runs $15,000-$50,000. Running one only at initial launch misses every vulnerability introduced by subsequent changes.
Below: the full eight-category audit, what to check in each, and how to handle a late-breaking finding.

Data storage security

What to check: Any data the app writes to the device must be assessed for sensitivity and encryption status. The audit categories are local database files (SQLite, Core Data, Room), shared preferences or NSUserDefaults, temporary files and caches, and clipboard access.

How to check it: On iOS, use a jailbroken device or a tool like iMazing to browse the app's Documents and Library directories. On Android, use Android Debug Bridge to pull the app's data directory. Look for any file containing tokens, credentials, PII, or financial data that is not encrypted. Check NSUserDefaults on iOS and SharedPreferences on Android specifically - developers frequently store session tokens there because it is convenient, and neither is encrypted by default.

What failure looks like: A session token or bearer credential stored as plaintext in SharedPreferences. A SQLite database containing user transaction history with no encryption layer. A temporary file created during a PDF export that persists after the export completes.

The fix: Sensitive data on device belongs in the platform keychain (iOS Keychain, Android Keystore). Temporary files must be purged after the operation that created them. Local databases containing PII require file-level encryption using a key derived from the user's credentials.

Network security

What to check: Every network call the app makes should use TLS 1.2 at minimum, with TLS 1.3 preferred for any call carrying credentials or financial data. Certificate pinning should be active for calls to your own backend. The audit should map every outbound domain the app connects to.

How to check it: Run a TLS intercept proxy (mitmproxy or Charles) on a device with the app installed. Watch the network log for any unencrypted HTTP calls. Check the TLS version on every HTTPS connection. Attempt to swap the app's expected certificate with a self-signed certificate - if the app accepts it, certificate pinning is either not implemented or misconfigured.

What failure looks like: Any call over HTTP rather than HTTPS. A TLS 1.0 or 1.1 connection to a legacy backend. A certificate pinning check that fails open (accepts any valid certificate) rather than failing closed (refuses the connection). An analytics SDK making calls to a domain you did not know the app was connecting to.

The fix: Enforce HTTPS with App Transport Security on iOS and Network Security Configuration on Android. Set minimum TLS version to 1.2 in your network library configuration. Implement certificate pinning for your primary API domains using public key pinning rather than certificate pinning, so that certificate rotation does not require an app update.

Authentication and session management

What to check: Session token generation, token storage, token expiry, biometric authentication implementation, and what happens when a token is revoked server-side.

How to check it: Capture a valid session token using a network proxy. Log out, then replay the captured token against the API - if the server accepts it, session invalidation is not working. Check the token expiry: short-lived tokens (under four hours) with refresh token rotation are the target. Test biometric authentication by asking: if biometric fails, what is the fallback, and does that fallback inherit the same security posture?

What failure looks like: A session token that remains valid after logout. Tokens that never expire. A biometric fallback that downgrades to a four-digit PIN when the backend requires full credentials. Session tokens stored in a location accessible without device unlock.

The fix: Server-side session invalidation on every logout event. Tokens expire in four hours with a refresh flow requiring active session validation. Biometric authentication should unlock a key in the device's secure enclave, not bypass server-side authentication. Store session tokens in the platform keychain, never in application storage.

API security

What to check: Whether API keys are embedded in the app binary, whether API endpoints validate the caller's identity on every request, and whether the app exposes more API surface area than it needs.

How to check it: Decompile the app binary using a tool like apktool (Android) or class-dump (iOS). Search the output for strings matching common API key patterns: long alphanumeric strings, strings labeled "key", "secret", "token", or "api". Check whether requests to your backend include both a session token and a per-request signature. Test API endpoints directly, bypassing the app, to see whether they enforce authentication independent of the app client.

What failure looks like: A Google Maps API key, Stripe publishable key, or internal service key embedded as a string constant in the app binary. API endpoints that trust the app client to enforce authorization rather than doing it server-side. An admin endpoint reachable from the app with a standard user session.

The fix: API keys belong in a server-side proxy call, not in the app binary. If a key must live on the device, it should be delivered at runtime via an authenticated call, not compiled in. Backend endpoints must validate authorization on every request, independent of the client.

Third-party SDK audit

What to check: Every SDK in the app must be mapped to what device data it accesses, what it sends off-device, and what the privacy policy of its vendor says about data use. The most common risks are analytics SDKs with broad device permissions and advertising SDKs that collect device identifiers.

How to check it: Pull the dependency manifest (Podfile.lock for iOS, build.gradle for Android). For each SDK, check the vendor's privacy documentation against what permissions the SDK declares in its manifest. Use a tool like Exodus Privacy or NowSecure to scan the app for tracker SDKs. Cross-reference SDK permissions against your app's declared privacy policy - any data an SDK collects that your policy does not disclose is a compliance problem.

What failure looks like: An analytics SDK with permission to read the contact list that your privacy policy does not mention. An advertising SDK from a third-party ad network that your team integrated six months ago and no one audited. An SDK that is no longer maintained and carries a known CVE.

The fix: Maintain a dependency inventory with the last audit date for each SDK. Every SDK upgrade triggers a re-audit of its permissions. Remove SDKs that are no longer needed. For SDKs that require broad permissions, assess whether the functionality can be replaced with a more targeted library.

App Store binary analysis

What to check: What can be extracted from the app binary by someone who downloaded it from the App Store. The goal is to understand what an attacker with the app on their device can learn about your architecture.

How to check it: Download your own app from the App Store. Unpack the IPA or APK. Run strings extraction on the binary to find hardcoded values. Use a decompiler to assess whether the business logic is readable. On Android, check whether ProGuard or R8 obfuscation is active. On iOS, check whether the binary includes debug symbols that should have been stripped.

What failure looks like: Internal API endpoint URLs visible in the binary. Error messages that expose server architecture details ("PostgreSQL connection failed at 10.0.1.45"). Debug build artifacts in the release binary. A decompiled Android app where class names are fully readable, exposing the data model.

The fix: Strip debug symbols before release. Enable obfuscation on Android. Treat any URL or configuration value in the binary as potentially public. Remove all error messages that reference internal infrastructure. Run binary analysis as part of every release pipeline, not as a one-time audit.

MDM policy compliance

What to check: If the app is distributed through a Mobile Device Management system (for internal enterprise apps) or is expected to run on MDM-enrolled devices (for B2B apps), the app must behave correctly under MDM policy constraints.

How to check it: Enroll a test device in your MDM platform (Jamf, Intune, VMware Workspace ONE). Apply the strictest policy set your enterprise users operate under. Install and run the app. Check: does the app function under app wrapping? Does it respect data-sharing restrictions between managed and unmanaged apps? Does the app block screenshots when MDM policy requires it? Does it handle remote wipe of app data without data loss side effects?

What failure looks like: The app crashes under app wrapping because it uses a framework that conflicts with the MDM wrapper. A managed app that allows users to copy data to unmanaged apps (email, cloud storage) when the MDM policy prohibits it. A remote wipe command that corrupts local cache files rather than deleting them cleanly.

The fix: Test against every MDM platform your enterprise clients run. Build explicit support for Managed App Configuration keys if the app serves enterprise B2B use cases. Data sharing restrictions require explicit support in the app's file handling code - they do not apply automatically.

Penetration test scope and cost

A professional penetration test is distinct from an internal audit. An auditor checks that controls are configured correctly. A penetration tester actively tries to break the app, using the same techniques an attacker would use.

Scope for a standard enterprise mobile penetration test covers the eight categories above plus backend API testing, authentication bypass attempts, session hijacking tests, and reverse engineering of the app binary. A full-scope test for a mid-complexity enterprise app takes three to five days of tester time.

Cost ranges: a targeted mobile-only test (app binary and API, no backend infrastructure) runs $15,000-$25,000. A full-scope test including backend infrastructure, network, and cloud configuration runs $30,000-$50,000. Retesting after remediation typically adds $5,000-$8,000.

When to run it: before the first major public launch, before adding a payment flow or authentication change, before any compliance certification (SOC 2, HIPAA, PCI DSS), and on an annual cycle for apps handling financial or health data. A single pre-launch test is not a security program.

How to choose a tester: look for a firm with OSCP-certified testers, mobile-specific methodology (OWASP MASVS is the standard), and a track record in your industry. Ask for a sample report before engaging - the report quality tells you as much about the firm as any certification does.

When you find something two weeks before launch

Two weeks out is not ideal. It is also not a reason to delay.

Triage by exploitability first. A hardcoded API key is exploitable immediately - anyone with the app binary has the key. A missing certificate pin is exploitable only on a compromised network. A debug symbol in the binary is an information risk, not a direct exploit path. Rank the findings by how quickly an attacker could cause damage, not by how bad they look on paper.

For findings that are exploitable immediately, fix before launch. For a hardcoded API key, the fix is less than a day of engineering work: rotate the key, remove it from the binary, gate it behind a server-side call. For an unencrypted local database, encrypting an existing SQLite database on first upgrade takes one to two days.

For findings that require architecture changes - a session management redesign, a full certificate pinning implementation - assess whether a mitigating control buys time. Temporarily restricting the exposed functionality while the full fix ships in the next release is a defensible decision if the risk is documented and the timeline is specific.

Document every finding, its risk classification, its remediation status, and the person accountable for the fix. If a finding ships unresolved, the documentation needs to show it was a deliberate risk acceptance decision with a named owner and a fix date, not an oversight.


Want to go deeper? The full version — with related tools, case studies, and decision frameworks — lives at mobile.wednesday.is/writing/mobile-app-security-audit-playbook-cto-2026.