When two cybersecurity CEOs meet: Looking back at a decade in mobile app security
Subho Halder (Appknox) and Jason Haddix (Arcanum Security) discuss how the mobile app security landscape has changed, how AI will influence the field, and the journey of Appknox over the last decade.

Two security pros. One interesting conversation.
Appknox CEO Subho Halder and Jason Haddix, CEO of Arcanum Security, have known each other for over a decade. They first met during Black Hat training, and now both run companies dedicated to protecting enterprises and users from cyber threats.
So when they sat down for a conversation on the latest episode of ‘Executive Offence’, it was not just a trip down memory lane - it was a commentary on how the mobile app security landscape has changed, the perils of ‘build fast, secure later’, and what it actually takes to stay ahead of evolving security threats.
Here are the 10 key highlights from their candid conversation.
1. Appknox: How it started, and how it has evolved
Subho founded Appknox in 2014 after identifying a gap in the market while teaching at Black Hat security conferences. The company started with a focus on analyzing app binaries rather than source code, allowing them to assess security without needing access to the original code.
Initially concentrating on static analysis techniques for Android (leveraging projects like Androguard) and later cracking the more complex iOS analysis, Appknox gradually expanded into dynamic analysis, API security assessments, and store monitoring.
"Our focus from the start was analyzing binaries rather than source code — that way, we could assess apps without needing source access." - Subho Halder
2. Going beyond simple "grepping" for security issues
Early mobile app security tools relied on basic string searching (or "grepping") to identify potential vulnerabilities. However, as code obfuscation became more common, Appknox evolved to use more sophisticated techniques like taint analysis and data flow analysis.
Rather than just searching for specific strings, Appknox developed methods to track how sensitive data moves through an application, identifying sources and sinks similar to how web application security handles cross-site scripting detection. This approach allowed for more robust vulnerability identification that wasn't easily defeated by code obfuscation.
"We moved to taint analysis and data flow analysis — tracking sources and sinks, similar to how web app security handles XSS detection." - Subho Halder
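To make the sources-and-sinks idea concrete, here is an added example that is not Appknox's code or anything from the original conversation: a minimal taint-tracking pass over a constructed straight-line program. The API names (getDeviceId, Log.d, sha256, and so on) are stand-ins chosen for illustration, and the statement format is a toy intermediate representation rather than real Dalvik or ARM. It also shows the point made above about obfuscation: renaming every local variable leaves the reported flows unchanged, because the analysis follows data rather than identifiers, whereas a grep for sink calls reports every call and cannot say what reached it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical API names standing in for framework calls (constructed for this example).
SOURCES = {"getDeviceId", "getStringExtra"}          # where sensitive or untrusted data enters
SINKS = {"Log.d", "sendHttp", "writeExternalFile"}    # where it must not arrive unsanitized
SANITIZERS = {"sha256"}                               # calls that break the taint chain


@dataclass(frozen=True)
class Stmt:
    """One straight-line statement: target = call(args); target is None for a bare call."""
    target: Optional[str]
    call: str
    args: Tuple[str, ...]   # variable names, or quoted literals such as "'id='"


def find_tainted_flows(program: List[Stmt]) -> List[Tuple[List[str], str]]:
    """Return (sources, sink) pairs for every sink call that receives tainted data."""
    taint: Dict[str, Set[str]] = {}   # variable -> source APIs its value derives from
    findings: List[Tuple[List[str], str]] = []
    for stmt in program:
        # Taint entering this statement is the union of taint on its arguments;
        # literals are never in the map, so they contribute nothing.
        incoming: Set[str] = set()
        for arg in stmt.args:
            incoming |= taint.get(arg, set())
        if stmt.call in SINKS and incoming:
            findings.append((sorted(incoming), stmt.call))
        # Decide what taint the call's result carries.
        if stmt.call in SOURCES:
            outgoing = {stmt.call}
        elif stmt.call in SANITIZERS:
            outgoing = set()
        else:
            outgoing = incoming           # ordinary calls propagate their inputs' taint
        if stmt.target is not None:
            taint[stmt.target] = outgoing
    return findings


def grep_sink_calls(program: List[Stmt]) -> List[str]:
    """The string-matching baseline: every sink that appears, with no idea what flows into it."""
    return sorted({stmt.call for stmt in program if stmt.call in SINKS})


def rename_locals(program: List[Stmt]) -> List[Stmt]:
    """Simulate identifier obfuscation: rename locals to v0, v1, ...; framework API names stay."""
    mapping: Dict[str, str] = {}
    renamed = []
    for stmt in program:
        args = tuple(mapping.get(a, a) for a in stmt.args)
        target = stmt.target
        if target is not None:
            mapping.setdefault(target, f"v{len(mapping)}")
            target = mapping[target]
        renamed.append(Stmt(target, stmt.call, args))
    return renamed


# Constructed sample "decompiled" program for the example.
SAMPLE_PROGRAM = [
    Stmt("imei", "getDeviceId", ()),
    Stmt("msg", "concat", ("'id='", "imei")),
    Stmt(None, "Log.d", ("'MyApp'", "msg")),         # device id reaches the log sink
    Stmt("digest", "sha256", ("imei",)),
    Stmt(None, "sendHttp", ("digest",)),             # hashed first: no finding
    Stmt("user", "getStringExtra", ("'user'",)),
    Stmt("path", "concat", ("'/sdcard/'", "user")),
    Stmt(None, "writeExternalFile", ("path",)),      # intent data reaches external storage
]

if __name__ == "__main__":
    print("grep baseline:", grep_sink_calls(SAMPLE_PROGRAM))
    print("taint flows:  ", find_tainted_flows(SAMPLE_PROGRAM))
    print("after rename: ", find_tainted_flows(rename_locals(SAMPLE_PROGRAM)))
```

The pass is deliberately flow-insensitive to branches (the toy program has none); a real engine over Dalvik bytecode has to handle control flow, method calls across classes, and aliasing through fields and collections, which is where most of the engineering effort goes.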
3. How did tools like Frida change mobile security testing?
Frida revolutionized mobile security testing by dramatically lowering the technical barrier to entry. Before Frida, debugging mobile apps required expertise with low-level tools like JDB (for Android) or LLDB (for iOS).
Frida injected a JavaScript runtime into applications, making it much easier to hook functions, bypass security protections like certificate pinning or jailbreak detection, and modify app behavior at runtime. This democratization of dynamic analysis capabilities accelerated mobile security research and made sophisticated testing more accessible.
"Frida made it accessible — it injects a JavaScript runtime into apps, allowing anyone to hook functions, bypass protections, and modify app behavior at runtime easily." - Subho Halder
4. How have mobile app vulnerabilities evolved over time?
In the early days of mobile apps, many security issues stemmed from insecure defaults. Android apps would automatically back up sensitive data unless developers explicitly disabled this feature, while iOS apps left stored data easily accessible unless developers adopted the data protection APIs.
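The Android backup default is a good illustration of "insecure unless explicitly disabled". The following is an added example, not code from Appknox or the conversation: a small manifest check that reports whether `android:allowBackup` is declared and what that means, given that the attribute's documented default is true when it is absent. The manifests are constructed for the example and belong to no real app.

```python
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifests for the example (not from any real application).
MANIFEST_DEFAULT = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:label="Demo">
    <activity android:name=".MainActivity" />
  </application>
</manifest>"""

MANIFEST_EXPLICIT_TRUE = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:label="Demo" android:allowBackup="true" />
</manifest>"""

MANIFEST_HARDENED = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:label="Demo" android:allowBackup="false" />
</manifest>"""


def declared_allow_backup(manifest_xml: str) -> Optional[bool]:
    """Return the declared android:allowBackup value, or None when the attribute is absent."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    raw = app.get("{%s}allowBackup" % ANDROID_NS)   # namespaced attribute lookup
    if raw is None:
        return None
    return raw.strip().lower() == "true"


def audit_backup(manifest_xml: str) -> dict:
    """Classify the backup setting, treating 'not declared' as the platform default (true)."""
    declared = declared_allow_backup(manifest_xml)
    enabled = True if declared is None else declared
    if declared is None:
        reason = "android:allowBackup is not declared; the platform default (true) applies"
    elif declared:
        reason = "android:allowBackup is explicitly true"
    else:
        reason = "android:allowBackup is explicitly false"
    return {"declared": declared, "backup_enabled": enabled, "reason": reason}


if __name__ == "__main__":
    for name, xml in [("default", MANIFEST_DEFAULT),
                      ("explicit true", MANIFEST_EXPLICIT_TRUE),
                      ("hardened", MANIFEST_HARDENED)]:
        print(name, "->", audit_backup(xml))
```

The check is deliberately narrow: it only answers "is backup left at its default?". An app that keeps backup on but scopes it with `android:fullBackupContent` (or `android:dataExtractionRules` on Android 12 and later) needs a reviewer to read those rules before deciding whether sensitive data is actually excluded.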
Over time, platform defaults improved significantly. Features like App Transport Security (ATS) on iOS and stricter permissions models on Android made apps safer by default. Today, critical vulnerabilities have largely shifted to backend APIs that mobile apps communicate with, including issues like Insecure Direct Object References (IDORs) and business logic flaws.
5. What frameworks would you recommend for security in new mobile app development?
For developers starting new mobile applications today, Subho recommends different frameworks depending on specific needs:
Flutter offers excellent security defaults for simpler applications that don't require deep hardware interaction. It's particularly well-suited for frontend-heavy applications.
For apps that need more direct access to hardware features like Bluetooth, NFC, or other OS-level capabilities, native development with Kotlin (for Android) provides better security options while maintaining deeper system access.
"Flutter is fantastic for frontend-heavy apps. Kotlin is better if you're interacting with the mobile OS deeply." - Subho Halder
6. In 2025, how should someone get started learning mobile security testing?
For newcomers to mobile security testing, Subho strongly recommends starting with the OWASP Mobile Application Security Verification Standard (MASVS). This comprehensive resource covers best practices, recommended tools, sample applications for practice, and detailed testing guides.
The MASVS provides a structured framework for understanding mobile security concepts and practical testing approaches. Appknox directs all their new security engineers to this resource as a first step.
"Start with the OWASP Mobile Application Security Verification Standard (MASVS). It's a fantastic resource — covering best practices, tools, sample apps, and detailed testing guides." - Subho Halder
7. What makes Appknox stand out compared to other mobile security vendors?
Appknox enables customers to test their apps on real cloud-hosted devices rather than relying solely on automated crawlers, which gives more comprehensive coverage than crawler-only testing or testing on emulators.
Appknox offers Enhanced Software Bill of Materials (ESBOM) capabilities that identify app components, libraries, vulnerabilities, and upgrade paths without requiring source code access.
And Appknox’s latest product, Storeknox, uses AI to detect and facilitate takedowns of fake or cloned apps across various app stores, addressing the growing security concern of enterprise brand abuse.
"Customers get full control of real cloud-hosted devices through the Appknox dashboard — not just automated crawlers." - Subho Halder
8. What are some of the most memorable vulnerabilities Appknox has discovered?
Over a decade of detecting security vulnerabilities, two particularly interesting cases stand out:
In one banking application, Appknox discovered a logic flaw that allowed a user to transfer $10 USD and receive $800 USD in return due to improper account type validation during currency conversion.
In a major ride-sharing application, Appknox found a hardcoded encryption key stored directly within the APK, which would have allowed users to manipulate wallet balances - a serious security oversight.
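The banking flaw above, and the shift toward backend IDORs and business logic flaws noted in section 4, share one root cause: the server trusts something the client supplied that should have come from its own records. The following added example is a hypothetical reconstruction of that flaw class and not the actual bug Appknox found (the page does not describe its internals); the accounts, rates, handler names and the use of account currency in place of "account type" are all constructed for illustration. Each handler appears in a vulnerable form beside its hardened form so the difference is the check itself.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class AuthorizationError(Exception):
    pass


@dataclass
class Account:
    account_id: str
    owner: str
    currency: str      # the account's real currency, held server-side
    balance: float


# Constructed conversion rates, made up for this example.
RATES = {("USD", "EUR"): 0.90, ("GBP", "EUR"): 1.15, ("EUR", "EUR"): 1.00}


def fresh_accounts() -> Dict[str, Account]:
    """Constructed sample accounts; a new copy per call so handlers may mutate balances."""
    return {
        "acc-1001": Account("acc-1001", "alice", "USD", 500.0),
        "acc-2002": Account("acc-2002", "alice", "EUR", 0.0),
        "acc-3003": Account("acc-3003", "bob", "GBP", 250.0),
    }


# ---- Vulnerable handlers: the client controls object references and account attributes ----

def get_account_vulnerable(accounts: Dict[str, Account], session_user: str, account_id: str) -> Account:
    # IDOR: the id from the request is used directly; ownership is never compared to the session.
    return accounts[account_id]


def transfer_vulnerable(accounts: Dict[str, Account], session_user: str, src_id: str,
                        dst_id: str, amount: float, claimed_src_currency: str) -> float:
    src, dst = accounts[src_id], accounts[dst_id]
    # Business-logic flaw: the rate is chosen from the client's claim about the source
    # account's currency rather than the stored record, so claiming a stronger currency
    # inflates the amount credited.
    credited = round(amount * RATES[(claimed_src_currency, dst.currency)], 2)
    src.balance -= amount
    dst.balance += credited
    return credited


# ---- Hardened handlers: every attribute that drives the decision comes from server state ----

def get_account_hardened(accounts: Dict[str, Account], session_user: str, account_id: str) -> Account:
    acct = accounts.get(account_id)
    # Ownership check; a foreign id and a missing id produce the same response.
    if acct is None or acct.owner != session_user:
        raise AuthorizationError("account not found")
    return acct


def transfer_hardened(accounts: Dict[str, Account], session_user: str, src_id: str,
                      dst_id: str, amount: float, claimed_src_currency: Optional[str] = None) -> float:
    if amount <= 0:
        raise ValueError("amount must be positive")
    src = get_account_hardened(accounts, session_user, src_id)   # caller must own the source
    dst = accounts.get(dst_id)
    if dst is None:
        raise ValueError("destination account not found")
    if src.balance < amount:
        raise ValueError("insufficient funds")
    # The client's claim, if sent at all, is ignored: the rate comes from the stored currency.
    rate = RATES[(src.currency, dst.currency)]
    credited = round(amount * rate, 2)
    src.balance -= amount
    dst.balance += credited
    return credited


if __name__ == "__main__":
    print("vulnerable credit:", transfer_vulnerable(fresh_accounts(), "alice", "acc-1001", "acc-2002", 100.0, "GBP"))
    print("hardened credit:  ", transfer_hardened(fresh_accounts(), "alice", "acc-1001", "acc-2002", 100.0, "GBP"))
```

The hardened transfer reuses the ownership lookup for the source account, which is the general rule: any request parameter that names an object must be resolved through the caller's authorization context, and any parameter that describes an object's properties must be discarded in favour of what the server already knows.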
9. How did COVID-19 impact the mobile security landscape?
Contrary to initial concerns about economic slowdown, COVID-19 actually accelerated demand for application security services. As businesses rapidly moved to digital platforms and remote operations, the need for secure mobile applications surged.
This digital transformation created new opportunities for security-focused companies like Appknox, which experienced significant growth during this period as organizations prioritized securing their expanding mobile application footprints.
"COVID-19 was actually a boon for security - with everyone going digital, application security demand surged." - Subho Halder
10. How will AI impact the future of mobile apps and security?
Running large AI models directly on mobile devices remains challenging due to hardware limitations. However, as specialized hardware like Google's Tensor chips and Snapdragon's AI enhancements improve, we'll see more on-device AI capabilities.
This shift will raise new privacy concerns that local models might help address, but will also introduce novel attack surfaces like GPU-based vulnerabilities. The industry may repeat some early security mistakes with over-permissive access and poor defaults. But if past experience is anything to go by, the learning cycle in the genAI era will likely be faster.
Appknox is preparing for this future by enhancing their software bill of materials capabilities to detect embedded machine learning models within applications.
"As chips like Google's Tensor and Snapdragon AI enhancements improve, we'll see more on-device AI. Privacy will become a bigger concern."
In Conclusion
Mobile app security has evolved significantly over the past decade.
From simple static analysis techniques to sophisticated AI-powered testing platforms, the field continues to advance rapidly. And as mobile applications become increasingly central to business operations and daily life, app security must keep pace with rapidly evolving technologies and threats.
And now, with the emergence of on-device AI capabilities, mobile app security is entering a new chapter that simultaneously brings a windfall of opportunities and unprecedented challenges.
Developers and security professionals need to keep up with these trends and adopt novel testing approaches to build mobile apps that are secured against AI-powered threats.
Tune in to the full episode of ‘Executive Offence’ featuring Subho Halder here: