Recent research finds that a majority of organizations are aware of the risk that apps are being attacked in ways that manipulate user requests, expose business logic, or extract secrets. Attacks include reverse engineering and tampering, as well as exposure and exploitation of back-end business infrastructure.
A global survey of 1,360 mobile app developers and security leaders, conducted by independent research firm TrendCandy, and released in January 2026 by Guardsquare, found that 72% of organizations experienced at least one mobile app security incident in the past year. Guardsquare is one of multiple technology suppliers that specialize in app protection.
The TrendCandy research found that app security incidents are no longer isolated technical events. Sixty-five percent of respondents reported customer churn or app uninstalls as a direct result of mobile app security issues.
Despite this recognition, the researchers found that nearly half of app developers feel that security measures built into mobile operating systems (e.g. iOS and Android) provide sufficient protection, and that app developers are resistant to, or simply uninformed about, vulnerabilities not addressed by the OS.
Current trends involving app security
Akamai Technologies regularly publishes research about threat trends in its State of the Internet (SOTI) Reports. According to Akamai research, data breaches due to API security incidents “will surpass all other attack vectors to become the dominant source of application-layer data breaches.”
Over the course of 2025, Akamai found two patterns: that bots continue to innovate and will be as persistent as DDoS has been; and that cybercriminals continue to follow the critical data to monetize their attacks. Akamai also sees APIs as the primary focus with GenAI/LLMs emerging as the new target area.
Statistics confirm these trends. For example, AI bot traffic has been rising by 300% year over year from July 2024; we have seen 94% growth in quarterly application-layer (Layer 7) DDoS attacks; and 47% of AppSec teams maintain full API inventories but fail to identify APIs that handle sensitive data.
The TrendCandy researchers found that 96% of mobile developers now use AI when building apps or SDKs. While these tools accelerate development, 81% said AI-generated code has introduced new vulnerabilities. More than half of developers said they are unsure how to secure AI-generated code effectively.
Security countermeasures and best practices, which can differentiate between human and automated access via the Web or through apps, exist and continue to evolve to meet the trends.
The need for governance
Akamai observes that API and GenAI capabilities are exploding and organizations need to make certain that they are secure. They also need to detect and segment ransomware attacks so they do not have a material impact on business.
The company urges organizations to update their cyber risk portfolios to ensure that they can handle the latest trends, such as the new surge in scraping, the need for brand protection, and new record-setting DDoS attacks. But the real work is making sure they can mitigate two key threats: edge attacks and business disruption.
If they don’t already, service and media providers should also add an oversight function that places parameters around ‘permitted’ usage and users, so out-of-norm access attempts that could cause damage to users, data or infrastructure resources can be escalated and addressed. While such an oversight function could reside in IT, it should be granted the authority to work across the organization to make sure that any oversight adds value for the users and the business.
Start out simple
January’s National Privacy Week underscores the need for basic protections that begin with end users, including managing privacy settings and controlling personal data. Akamai adds that breaches can be reduced by using multi-factor authentication and being watchful for phishing attacks.
Further reading
New research shows mobile app security incidents are now widespread. Press release. January 20, 2026. TrendCandy, released by Guardsquare.
The Year in Review 2025: AI, APIs, and a whole lot of audacity. Article. December 11, 2025. By Kimberly Gomez. Akamai Technologies.
National Privacy Week: New data suggests how concerned Americans are, and who makes privacy a priority. Article. January 26, 2026. By Steven Hawley. Piracy Monitor.









