Mobile apps expose sensitive data and create privacy risks
New research from NowSecure tested 50,000 mobile apps in August and finds over 77 percent contain common forms of PII.
It’s well known that the vast majority of mobile apps are built using third-party components like SDKs. The study finds that 98 percent of iOS apps have incomplete privacy manifests due to omissions relating to third-party components, violating Apple transparency requirements and creating major blind spots.
In addition 35 percent of iOS apps fail to declare collected data that NowSecure observed during testing. While 10 percent of Android apps don’t even declare a data safety section in the Google Play app store listing.
Since August 2025, 75 percent of iOS apps and 70 percent of Android apps tested (25,000) have both sensitive data and tracking domains, meaning they collect, store, or transmit, and/or share sensitive data with third parties.
Of 183,000 mobile apps scanned in 2025, 18.3 percent (33,396 apps) use artificial intelligence and 3,541 send data to AI endpoints which introduces privacy and security risks including sensitive data leakage and loss of IP.
To address these issues NowSecure is launching NowSecure Privacy to enable organizations to analyze, detect, and eliminate privacy leaks across both first-party and third-party mobile apps before they become breaches and public incidents.
“When it comes to enterprise privacy risk, mobile applications are some of the worst offenders, yet the risks persist unaddressed,” says Ed Amoroso, CEO of Tag Cyber, a cybersecurity research and advisory firm. “NowSecure Privacy is a major step forward in mobile application risk management. It provides enterprises with the visibility and control to maintain both code integrity and data privacy while bolstering user trust and safety.”
NowSecure Privacy delivers continuous static, dynamic, and human-augmented testing uncovers hidden data leaks, unsafe SDKs, excessive permissions, improper AI usage, incorrect MFA implementation and unauthorized data sharing across all app versions and releases. Detailed findings identify what data is leaking or inadvertently shared, its source (first-party code, SDK, or API), and where it is sent, including ad networks, analytics providers, and data brokers.
“Mobile application risk is data-centric and privacy is all about properly managing and securing data. Strong mobile security requires equally strong privacy controls,” says Alan Snyder, CEO of NowSecure. “Our solution gives enterprises full visibility into what data their apps collect, share, and transmit -- allowing them to prevent violations before they become a reputation or regulatory incident.”
You can find out more on the NowSecure site where the full research is also available.
Image credit: Sasinparaksa/Dreamstime.com