Learn About Hidden Mobile Security and Privacy Risk Sources with the NowSecure Mobile Application Risk Checker (MARC)
Last month, NowSecure launched NowSecure Privacy, the first automated solution for finding and fixing the systemic blind spots that degrade mobile application privacy. And today, we released NowSecure Mobile Application Risk Checker (MARC), the first and only free public risk checker for mobile applications.
The free, educational MARC tool builds mobile security awareness by helping IT and security teams understand where mobile application security and privacy risks come from. MARC contains topline test data for thousands of mobile apps that illustrates how capabilities unique to mobile applications can expose sensitive data, creating security and privacy risk.
Leading the Mobile Security Community
NowSecure actively supports the security community through leadership contributions to the open-source tools Frida and Radare, and to the OWASP Mobile Application Security Verification Standard (MASVS). Building on that foundation, we created the MARC service to shed light on where risks truly originate in mobile apps.
Recent headlines and a wave of new data privacy regulations highlight a critical truth: mobile application risk is business risk. We developed MARC to provide IT and business leaders with an instant snapshot of how mobile risk contributes to an organization’s overall security and privacy risk posture.
"As a free tool, MARC empowers the world to uncover hidden mobile app risks, advancing our mission to secure the apps people rely on every day." – David Weinstein, NowSecure Chief Technology Officer
How MARC Helps IT and Security Build Awareness
MARC offers IT Risk, Security and Privacy leaders:
- A neutral, third-party baseline to accelerate understanding of mobile application behaviors and potential risks.
- An immediate gut check to determine whether an internal or third-party app warrants deeper security and privacy testing.
- A way to assess applications outside of direct control, including personal apps, partner apps and other third-party apps used by employees.
- A catalyst for action, helping teams develop a mobile application risk management strategy and program to address concerns.
Five Key Areas of Mobile Application Risk
MARC provides a clear view of observed app properties and detailed findings across five key application risk areas:
- Permissions: Poorly managed or overreaching permissions can grant unnecessary access to sensitive data and device features, increasing the risk of abuse or compromise.
- Sensitive Data Collection & Sharing: Inadequate data handling practices can expose enterprises, customers and partners to data breaches and compliance violations.
- Privacy Declarations: Many apps provide incomplete or inaccurate disclosures in Apple and Google app stores, leaving users unaware of what sensitive data is collected, processed or shared.
- Network Connections: Uncontrolled connections to external servers may transmit sensitive business data to unauthorized third parties, resulting in data exposure, non-compliance and reputational harm.
- AI: AI-powered features may process sensitive data in unintended ways, increasing the likelihood of proprietary information leaks and legal liability.
The Hidden Risks Within Mobile Apps
A particularly significant concern — and one that motivated the development of both NowSecure Privacy and MARC — is the widespread use of third-party components in mobile app development. These components often contain hidden data flows that can unintentionally expose organizations to data theft, data leakage, loss and privacy violations.
Compounding the challenge, compiled application code is easily accessible from app stores, giving threat actors opportunities to analyze and exploit vulnerabilities.
Recent MARC observations highlight just how common these hidden security and privacy risks are across modern mobile apps:
- 27% of MARC-tested apps contained AI artifacts, signaling an increased risk of data leaks to AI endpoints, training models or third-party AI services.
- Nearly 49% established network connections — often from third-party SDKs or APIs — that may transmit sensitive information.
- 85% exposed Personally Identifiable Information (PII), underscoring how frequently mobile apps handle sensitive data.
These patterns are not isolated incidents. They appear in popular business applications, which may inadvertently leak data, misrepresent behavior and create unseen risks. As agentic AI becomes deeply embedded across the mobile ecosystem, these mobile security and privacy risks are likely to grow.
Interpreting MARC Observations Responsibly
Disclaimer: MARC’s findings do not inherently categorize an application as high or low risk. The determination of risk should be made by the user, considering the application’s criticality, the information it collects, stores and shares, and the developer’s obligations. Furthermore, only publicly available information and resources were used to generate these results, and no customer data was employed in this testing.
Summing Up: Mobile App Risk Is Business Risk
The security and privacy posture of mobile apps directly impacts a company’s business risk. By examining MARC information, leaders can better understand how mobile app behaviors influence four key dimensions of enterprise risk.
Security Risk
Poor development practices leave weaknesses in mobile apps that attackers can use to find and exploit vulnerabilities:
- 75% include debug symbols
- 68% expose hardcoded URLs
- 60% use weak encryption
Because third-party SDKs often make up 60-80% of app code, they can introduce unknown dependencies, unpatched flaws and hidden security risks that attackers can exploit.
Privacy Risk
While users rarely read privacy policies, regulators scrutinize them relentlessly. Many mobile apps mishandle or misrepresent data collection practices, introducing significant privacy risks:
- 77% contain embedded PII such as location, contacts or unique identifiers
- 35% of iOS apps fail to declare collected data
- 98% include incomplete third-party SDK disclosures
- 18.3% of apps use AI, with 3,541 transmitting data to AI endpoints, potentially exposing proprietary models and sensitive information
Safety & Fraud Risk
Misused permissions, such as SMS, contacts, camera and location access, can enable identity theft, phishing or account takeover.
- Nearly 49% of MARC-tested apps connect to third-party trackers
- 85% contain Personally Identifiable Information (PII), increasing the risk of fraud and abuse.
For instance, an app requesting continuous background location, microphone and external storage access could enable real-time tracking, audio capture and file extraction. Combined, these permissions create privacy, security, safety and compliance risk if personal data or movements are misused or exposed.
Compliance & Regulatory Risk
When apps behave differently from what their stated policies disclose, for example claiming “we don’t collect contacts” while actually doing so, organizations face serious compliance and regulatory risk: fines, regulatory action and audit failures.
- 42% of iOS apps lack required Privacy Manifests
- 97% are missing manifests for third-party SDKs
In regulated sectors (healthcare, finance and children’s apps), non-compliance with GDPR, CCPA or HIPAA can trigger multi-million dollar penalties before reputational damage even begins.
Recommended Actions: How to Leverage MARC Observations
To strengthen mobile security awareness and improve understanding of mobile application risk, organizations should:
- Investigate third-party and internal apps with MARC.
- Compare observed permissions, data flows and network endpoints against expected behaviors, flagging anomalies for deeper review.
- Collaborate across AppSec, DevSecOps, privacy, compliance and risk management teams to assess business impact.
- Prioritize actions based on business impact, especially for apps handling regulated data, critical functions, or large user bases.
- Monitor continuously, conducting regular reviews after updates or new releases.
- Strengthen protections with NowSecure Platform for continuous mobile application security testing and risk management.
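One concrete way to carry out the comparison step above (observed permissions, network endpoints and bundled SDKs versus what the app’s owners expect), written here as an added example and not as NowSecure’s or MARC’s own code. It takes a constructed observation record, diffs it against a constructed expected baseline, and flags anything outside that baseline, including the background-location plus microphone plus external-storage combination described under Safety & Fraud Risk. The permission names are standard Android ones; the hosts, SDK names and sample values are assumptions for illustration only.

```python
"""Added example (not NowSecure or MARC code): diff an app's observed behavior
against the behavior its owners expect, and flag anomalies for deeper review.

The observation record, the baseline, the hostnames and the SDK names below
are constructed sample data for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Permission combinations worth flagging on their own, even if each permission
# is individually expected. The first is the combination the article describes
# (background location + microphone + external storage); the second is the SMS
# access that lets an app read one-time passcodes.
HIGH_IMPACT_COMBOS = {
    "tracking+capture": {
        "android.permission.ACCESS_BACKGROUND_LOCATION",
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
    "sms-interception": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
}


@dataclass
class Observation:
    """What testing or a manifest review showed the app actually does."""
    permissions: set[str]
    endpoints: set[str]   # URLs or bare hosts the app embeds or contacts
    sdks: set[str]        # third-party SDKs found in the package


@dataclass
class Baseline:
    """What the app's owners documented and expect."""
    permissions: set[str]
    endpoint_hosts: set[str]   # allowed hosts; subdomains of each are allowed too
    sdks: set[str]             # disclosed third-party SDK inventory


def host_allowed(host: str, allowed: set[str]) -> bool:
    """True if host is an allowed host or a subdomain of one (suffix-safe)."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def diff_against_baseline(obs: Observation, base: Baseline) -> list[tuple[str, str, str]]:
    """Return (category, item, reason) findings; an empty list means no anomalies."""
    findings: list[tuple[str, str, str]] = []

    # Permissions requested beyond the expected set, then dangerous combinations.
    for perm in sorted(obs.permissions - base.permissions):
        findings.append(("permission", perm, "not in expected permission set"))
    for name, combo in HIGH_IMPACT_COMBOS.items():
        if combo <= obs.permissions:
            findings.append(("permission-combo", name, "high-impact combination present"))

    # Endpoints: cleartext transport and hosts outside the expected domains.
    for endpoint in sorted(obs.endpoints):
        parsed = urlparse(endpoint if "://" in endpoint else "https://" + endpoint)
        host = (parsed.hostname or "").lower()
        if parsed.scheme == "http":
            findings.append(("endpoint", endpoint, "cleartext HTTP"))
        if not host_allowed(host, base.endpoint_hosts):
            findings.append(("endpoint", endpoint, "host not in expected set"))

    # SDKs present in the package but absent from the disclosed inventory.
    for sdk in sorted(obs.sdks - base.sdks):
        findings.append(("sdk", sdk, "third-party SDK not in disclosed inventory"))

    return findings


# Constructed sample: the app requests three permissions beyond what its owners
# expect, talks to an undisclosed analytics host over cleartext HTTP, and
# bundles an SDK that is not in the disclosed inventory.
SAMPLE_OBSERVATION = Observation(
    permissions={
        "android.permission.INTERNET",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION",
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
    endpoints={
        "https://api.example.com/v1/login",
        "https://cdn.example.com/assets",
        "http://collect.example-analytics.net/events",
    },
    sdks={"okhttp", "example-analytics"},
)
SAMPLE_BASELINE = Baseline(
    permissions={"android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION"},
    endpoint_hosts={"example.com"},
    sdks={"okhttp"},
)

if __name__ == "__main__":
    for category, item, reason in diff_against_baseline(SAMPLE_OBSERVATION, SAMPLE_BASELINE):
        print(f"{category:16} {reason:40} {item}")
```

The baseline is deliberately an allowlist: anything not documented is a finding, which is the posture a privacy or compliance reviewer needs, since undisclosed behavior is the problem whether or not it turns out to be benign. The `host_allowed` check matches on whole labels, so `example.com.evil.net` is not accepted as a subdomain of `example.com`. On each new release, rerun the diff with the updated observation and review only the new findings.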
Spending just a few minutes with MARC insights offers visibility into mobile app behaviors and risk sources, and that visibility will prove to be a valuable investment. In boardrooms, during audits and across public perception, mobile app risk is now business risk. Forward-thinking organizations must recognize, map and manage this risk with the same urgency applied to web and cloud application security.