How to secure the Mobile-Cloud threat landscape: Seven takeaways from the Security Masterclass
Subho Halder and Akash Mahajan, Founder & CEO of Kloudle, sat down for a candid conversation on the often-ignored shared threat landscape and how to secure it. Here are the key takeaways.
The Hidden Connection: Why Mobile and Cloud Security Can't Be Separated
Insights from two cybersecurity CEOs on breaking down silos and defending the connected attack surface between mobile and cloud.
"For an attacker, it really doesn't matter which team handles what. For them, they see that it is just one attack surface."
This stark reality, shared by Subho Halder, CEO & CISO of AppKnox, cuts through the organizational complexity that often leaves enterprises vulnerable.
In a recent conversation between Subho Halder and Akash Mahajan, CEO of Kloudle, two veterans with over two decades of combined experience in cybersecurity revealed why the traditional approach of treating mobile and cloud security as separate domains is fundamentally flawed. The two companies (AppKnox helps developers secure mobile applications from code to cloud, and Kloudle helps developers find and fix cloud security issues) sit at the intersection of this critical challenge.
Here's what enterprise security leaders need to understand about this interconnected threat landscape.
The Mobile-First Reality That Changed Everything
The explosion of mobile applications didn't just create a new interface—it fundamentally rewired how businesses operate and where attackers focus their efforts. Akash explains the connection: "Mobile became crazy popular, and cloud became popular because mobile became popular. When more and more people had smartphones, more data was generated, and at some point you have to solve problems that virtual private servers cannot solve."
This shift created what Subho calls the "secondary interface" problem. Companies like Uber, Swiggy, and countless fintech apps became mobile-first, with little to no web presence that users actually engage with.
The result? Your mobile app isn't just another channel—it's often the primary way customers interact with your most sensitive business logic and data.
The security implication is profound: Mobile apps became the front door to cloud infrastructure holding massive amounts of customer data and business-critical APIs.
Why "Secure by Default" Isn't Working
The conversation uncovered a fundamental flaw in how security is approached across the mobile-cloud stack: insecure defaults that place an unreasonable burden on developers.
Subho illustrates the problem with a simple comparison:
"Your Chrome browser immediately shows you a red web page saying the SSL certificate is not valid. Does the developer need to work on that? No, it's taken care of by the browser. Unfortunately, for a mobile application, it is the responsibility of the developer to code that piece out."
Things aren't much better on the cloud side. "When you create a bucket, I still remember five years ago, it was by default a public bucket," Subho notes. "We're expecting our DevOps engineer to know more security. We're expecting this Java engineer who just knows how to write an app to know how to handle SSL certificates. We're asking a lot more from them."
This creates what Akash calls "the fundamental crack in enterprise security": developers working in silos, each responsible for security knowledge outside their core expertise, while attackers view the entire system as one connected surface.
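As an added illustration of the "public bucket by default" point (this is not code from the masterclass or from either company), here is a small offline checker over constructed bucket policy, ACL and Public Access Block documents in the S3 style, with the weak setting and the corrected one side by side. The `PAB_KEYS` shortcut and the sample bucket, role and account values are assumptions for the example.

```python
# Constructed example: evaluate an S3-style bucket policy, ACL and Public Access
# Block (PAB) document offline with plain dicts; no cloud API calls are made.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is one entry of a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy):
    """Sids of unconditional Allow statements that grant access to everyone."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional public grants need human review, not auto-flagging
        found.append(stmt.get("Sid", f"Statement[{i}]"))
    return found

def public_acl_grants(acl):
    """(group, permission) pairs where the ACL grants to AllUsers or AuthenticatedUsers."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]

def is_public(policy, acl, pab):
    """Simplification (assumed): with all four PAB settings on, neither policy nor ACL exposes data."""
    if all(pab.get(k) for k in PAB_KEYS):
        return False
    return bool(public_policy_statements(policy) or public_acl_grants(acl))

# Constructed sample in the "public by default" shape the page warns about.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AllowAppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_ACL = {"Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]}
OPEN_PAB = dict.fromkeys(PAB_KEYS, False)   # weak setting: nothing blocked
LOCKED_PAB = dict.fromkeys(PAB_KEYS, True)  # corrected: all public access blocked
```

Running `is_public(SAMPLE_POLICY, SAMPLE_ACL, OPEN_PAB)` flags the bucket, while the same policy and ACL behind `LOCKED_PAB` do not; that difference is the default the DevOps engineer is being asked to know about.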
A Real-World Attack Chain That Should Keep You Awake
Subho shared a case study that perfectly illustrates how mobile and cloud security failures combine in devastating ways:
A fintech company had everything "right" on paper—biometric login, encrypted storage, obfuscated code. But they used a third-party push notification SDK with a known vulnerability. Through this SDK, attackers could trigger Java class reflections and call functions without even logging into the app.
"If you give me a phone with the app installed, I don't even need to open the app. I can have a separate companion app that triggers API calls through those functions, giving me data from the app logs," Subho explained.
The attack chain: insecure third-party SDK → unauthorized function calls → API abuse → data exfiltration from cloud logs. Three separate security domains, one successful attack.
The Five Non-Negotiables for Connected Security
Drawing from their combined experience, both CEOs outlined five critical areas that enterprises must address:
1. API Security First: Strong authentication, proper token lifecycle management, and least privilege access. "It's from the mobile side that the developer needs to code most of this out," Subho emphasizes. Unlike web apps, where browsers handle much of this, mobile developers must implement these protections manually.
2. Runtime Protection: Monitor app behavior on real devices to detect tampering. With AI making fake app creation easier, runtime monitoring becomes essential for identifying when legitimate apps are being spoofed or manipulated.
3. Third-Party SDK Vetting: As the fintech example shows, your security is only as strong as your weakest dependency. This requires ongoing monitoring, not just initial assessment.
4. Data Protection in Transit and at Rest: This spans both mobile storage and cloud infrastructure, requiring coordination between teams that often don't communicate.
5. DevSecOps Integration: "Please use CI/CD for security as well," Subho urges. "You need to automate security checks during build before you deploy."
The AI Acceleration Factor
Both leaders see AI fundamentally changing the threat landscape, but not in the way most people expect. While everyone talks about AI-powered attacks, the real shift is in speed and scale.
"The term script kiddie has gone away, and now probably I might say 'prompt kiddies,'" Subho observes. Attackers can now generate sophisticated fake apps and attack tools without deep technical knowledge, while security teams struggle with AI hallucinations and false positives.
The response? Both companies are integrating AI into their defensive tools—Appknox for analyzing mobile binaries at scale and detecting fake applications, Kloudle for simulating potential misconfigurations across cloud providers before they're exploited.
Breaking Down the Silos
The conversation revealed a critical insight often missed in security discussions: technical solutions alone won't solve the mobile-cloud security challenge. The problem is organizational.
"Mobile app developers need to think about how they store tokens properly, while backend developers need to understand that CORS doesn't mean anything for mobile applications," Subho explains. "We need to take a holistic approach to both identifying and fixing these issues."
This means security teams must facilitate communication between mobile developers, cloud engineers, and backend teams. Each group needs to understand how their security decisions impact the others.
The Path Forward
The most actionable insight from this conversation isn't about buying more tools—it's about changing perspective. Instead of asking "Is our mobile app secure?" and "Is our cloud secure?" separately, enterprises need to ask "How secure is our connected system?"
This requires threat modeling that spans the entire user journey, from mobile app installation through API calls to data storage and processing in the cloud. It means implementing security controls that work across domains and teams that collaborate rather than operate in isolation.
As Akash puts it: "One cannot exist without the other. Cloud would not have been adopted so much if developers weren't building mobile apps and thinking about scale for mobile apps."
The attackers already understand this connection. The question is: when will your security program catch up?
Watch the full recording of ‘How to secure the Mobile-Cloud threat landscape’.
P.S. If you live and breathe mobile app security, you might find these resources helpful:
Learn more about the intersection of AI and app sec - download our white paper: ‘Navigating Application Security in the age of Generative AI’
Time to re-think your approach to mobile app security - get your copy of our latest book: ‘Securing Mobile Applications in the era of AI and transformation’
Check out our latest infographics about the security vulnerabilities of the Perplexity AI Android app and the Deepseek AI Android app