
Mobile security's dirty cupboard: The app layer nobody's watching

Mobile app security has become the most fragmented part of enterprise IT. Learn why device controls alone aren't enough to protect your mobile fleet.


Michael leads strategy at Jamf, where he focuses on mobile security challenges facing enterprises. With deep expertise in the mobile application layer, Michael helps organizations understand the evolving risks that traditional device-centric security approaches often miss.


By Michael Covington, VP of Strategy at Jamf

Mobile devices power everything from retail payments to clinical workflows and frontline logistics. Most organisations have gradually positioned mobile technology as mission-critical and cannot risk these devices suffering a security breach that puts them out of action or allows unauthorised access to the sensitive data they can reach.

Surprisingly, many enterprises have come to believe they have mobile security under control, trusting a combination of device posture management, OS updates and regulatory compliance to keep them safe.

But this confidence overlooks a more complex reality. Beneath the surface, the mobile application layer has quietly become the most fragmented and least governed part of the IT stack. Organisations often field large and essential fleets of mobile devices without even realising they lack visibility into which apps are in use and how they interact with sensitive data.

The illusion of control

I often find that mobile application security programmes have been adapted from older desktop processes. The desktop side of things is typically quite predictable, with teams benefiting from stable permission models and the ability to test any changes in a controlled way before introducing them into the live environment.

By contrast, mobile apps can be much more scattershot, with updates routed through multiple app stores for distribution. Ad-hoc patching is more common, making update timing harder for teams to predict. And mobile software update mechanisms are still largely controlled by end users, making the overall mobile app lifecycle more challenging to manage across a large fleet.

Basing mobile security on familiar territory like device compliance, OS patching, and endpoint controls creates a comforting sense of assurance, but it often falls short of the actual state of the mobile fleet's security.

In fact, our research has found that more than half of mobile devices used at work run on operating systems containing known vulnerabilities – with patches readily available but not applied – showing how many organisations are struggling to maintain even this baseline.

The issue is not that these controls are unnecessary, but that they are incomplete. Mobile security is no longer just about protecting devices but understanding the applications and workflows that sit on top of them.

The hidden chaos of app version sprawl

If the device layer gives organisations a sense of control, the application layer quickly undermines it.

Even when device-level controls are in place and enforced effectively, the application layer can be extremely chaotic. I commonly find that enterprise environments have a dozen different versions of the same applications running simultaneously across different devices as a result of manual patching efforts breaking down.

This is in part due to the decentralised nature of mobile app distribution. Apps will come from several different stores or may even be sideloaded. The same app may also ship as different versions across operating systems and devices, each with its own update cadence and schedule.

The result is complexity that is difficult to manage. Security teams cannot easily determine which versions contain vulnerabilities, who is affected, or the business impact.

Redefining app risk

Tackling this issue requires a change in perspective. Traditionally, mobile security has focused on detecting malware and blocking external threats, but this is no longer where most organisations see risk. The greater concern lies in how applications behave and how data moves between them.

Risk today is primarily driven by outdated apps introducing issues like over-permissioned access, insecure data storage and unapproved data sharing. Apps may function as intended but still expose sensitive information through outdated permissions, weak encryption or unintended integrations.

This risk often comes from normal usage, not malicious code. An employee using the wrong app to communicate, store or transfer data can create the same exposure as a traditional breach or even introduce compliance gaps that expose the business to regulatory fines.

Adding to the challenge is the fact that these issues rarely trigger alerts. Data continues to flow, just not in ways the organisation expects, making it persistent and difficult to detect.

Start with visibility and context

Addressing app risk begins with understanding. Many organisations are still making security decisions based on incomplete information and lack insight into how apps are being used and their impact on business workflows.

So, the first step is to establish visibility across the application layer. This requires a granular view that includes knowing which apps are installed where, which versions are running, and how they behave. It also means getting sight of key risk indicators such as outdated versions, excessive permissions and potential data leakage points.

Crucially, this must be paired with context. Knowing what is happening is only half the story; organisations also need to understand why it is happening and what it means for the business. This will help shape policies and prioritise actions based on business impact.
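As an added illustration of the inventory view this section calls for (example code written for this edit, not Jamf's software or the author's own), the script below takes a constructed fleet inventory and surfaces the three indicators named above: version sprawl, installs behind the approved version, and permissions beyond an app's baseline. Every device name, bundle identifier, version string and the LATEST and BASELINE tables are hypothetical.

```python
from collections import defaultdict

# Constructed sample inventory for a hypothetical fleet: one row per installed app,
# with the version in place and the permissions the app has been granted. Not real data.
INVENTORY = [
    {"device": "ipad-retail-01", "app": "com.example.pos", "version": "4.2.0", "permissions": {"camera", "bluetooth"}},
    {"device": "ipad-retail-02", "app": "com.example.pos", "version": "4.3.1", "permissions": {"camera", "bluetooth"}},
    {"device": "ipad-retail-03", "app": "com.example.pos", "version": "4.1.5", "permissions": {"camera", "bluetooth", "contacts"}},
    {"device": "iphone-field-07", "app": "com.example.chat", "version": "1.9.2", "permissions": {"microphone", "camera"}},
    {"device": "iphone-field-08", "app": "com.example.chat", "version": "2.0.0", "permissions": {"microphone", "camera", "location"}},
    {"device": "iphone-field-09", "app": "com.example.chat", "version": "2.0.0", "permissions": {"microphone", "camera"}},
    {"device": "iphone-clinic-12", "app": "com.example.ehr", "version": "7.0.0", "permissions": {"camera"}},
]

# Hypothetical "approved current version" per app, as the app owner would publish it.
LATEST = {"com.example.pos": "4.3.1", "com.example.chat": "2.0.0", "com.example.ehr": "7.0.0"}

# Hypothetical permission baseline: the permissions each app needs to do its job.
BASELINE = {
    "com.example.pos": {"camera", "bluetooth"},
    "com.example.chat": {"microphone", "camera"},
    "com.example.ehr": {"camera"},
}


def parse_version(text):
    """Turn a dotted version string into a tuple of ints; non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def older_than(installed, current):
    """True if `installed` is behind `current`; pads so "1.0" and "1.0.0" compare equal."""
    a, b = parse_version(installed), parse_version(current)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def version_sprawl(inventory):
    """Apps with more than one version in the field, with install counts per version."""
    versions = defaultdict(lambda: defaultdict(int))
    for item in inventory:
        versions[item["app"]][item["version"]] += 1
    return {app: dict(counts) for app, counts in versions.items() if len(counts) > 1}


def outdated_installs(inventory, latest):
    """Installs running a version older than the approved current version."""
    findings = []
    for item in inventory:
        current = latest.get(item["app"])
        if current and older_than(item["version"], current):
            findings.append((item["device"], item["app"], item["version"], current))
    return findings


def excessive_permissions(inventory, baseline):
    """Installs granted permissions beyond the app's documented baseline."""
    findings = []
    for item in inventory:
        extra = item["permissions"] - baseline.get(item["app"], set())
        if extra:
            findings.append((item["device"], item["app"], sorted(extra)))
    return findings


def app_risk_report(inventory=INVENTORY, latest=LATEST, baseline=BASELINE):
    """Combine the three views into one report keyed by risk indicator."""
    return {
        "version_sprawl": version_sprawl(inventory),
        "outdated": outdated_installs(inventory, latest),
        "over_permissioned": excessive_permissions(inventory, baseline),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(app_risk_report(), indent=2, default=str))
```

Run as-is it reports that the point-of-sale app is spread across three versions, that three installs are behind the approved version, and that two installs hold permissions their baseline does not justify. In practice the INVENTORY rows would come from the MDM or app-management export rather than being typed in, and the BASELINE is the piece that supplies the "context" the section asks for: without it, a granted permission is just a fact, not a finding.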

Control data flows, not just devices

Once organisations have visibility, the next priority is control. A common mistake is to assume that controlling mobile risk is a case of locking down devices. But as we've seen, it's also essential to manage how data moves between applications.

In many environments, the greatest exposure comes from routine actions. Employees may copy sensitive data into personal apps, share it through unmonitored channels, or store it outside approved systems.

Addressing this requires specific controls to govern these interactions. This includes restricting how data moves between managed and unmanaged apps, limiting actions such as copying and pasting or taking screenshots, and ensuring sensitive information remains within approved environments.

The challenge is doing this without disrupting the user experience. Effective controls must be granular and context-aware, protecting the business without slowing work.

Embrace dynamic risk management, not static compliance

For many organisations, mobile security is still governed by periodic checks and static compliance frameworks. This approach is reinforced by a tendency to base activity around meeting basic regulatory requirements, rather than understanding the company's risk posture.

But risk changes too quickly for this in a mobile environment, where apps and operating systems update constantly. A version that passed a safety check one week could introduce new exposure the next.

Any mobile security programme still relying on periodic audits will quickly create a gap between how risk is measured and how it evolves.

To close this gap, organisations need a more dynamic approach. This means continuously monitoring application behaviour, identifying changes in risk as they occur, and responding in real time.

Shifting from periodic assessment to continuous oversight helps align security posture with the pace of mobile, reducing exposure without slowing the business.
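To show what "identifying changes in risk as they occur" looks like in practice, here is an added example (not Jamf's code or the author's) that compares the latest inventory snapshot with the previous one and emits an event for each change that matters: a rollback to an older version, an app arriving from outside the approved sources, or a newly granted permission that the app's baseline does not cover. The two snapshots, the baseline and the list of approved sources are all constructed for the example.

```python
# Two constructed inventory snapshots for a hypothetical fleet, keyed by (device, app).
# Each entry records the installed version, granted permissions and where the app came from.
PREVIOUS = {
    ("ipad-retail-01", "com.example.pos"): {"version": "4.3.1", "permissions": {"camera", "bluetooth"}, "source": "managed"},
    ("ipad-retail-03", "com.example.pos"): {"version": "4.3.1", "permissions": {"camera", "bluetooth"}, "source": "managed"},
    ("iphone-field-08", "com.example.chat"): {"version": "1.9.2", "permissions": {"microphone", "camera"}, "source": "app_store"},
}
CURRENT = {
    ("ipad-retail-01", "com.example.pos"): {"version": "4.2.0", "permissions": {"camera", "bluetooth"}, "source": "managed"},  # rolled back
    ("ipad-retail-03", "com.example.pos"): {"version": "4.3.1", "permissions": {"camera", "bluetooth"}, "source": "managed"},  # unchanged
    ("ipad-retail-03", "com.example.notes"): {"version": "1.0", "permissions": {"photos"}, "source": "sideload"},  # new, not from a store
    ("iphone-field-08", "com.example.chat"): {"version": "2.0.0", "permissions": {"microphone", "camera", "location"}, "source": "app_store"},
}

# Hypothetical permission baseline and the distribution channels the organisation approves.
BASELINE = {"com.example.pos": {"camera", "bluetooth"}, "com.example.chat": {"microphone", "camera"}}
APPROVED_SOURCES = {"managed", "app_store"}


def _vtuple(version, width=4):
    """Dotted version -> fixed-width int tuple so "4.2.0" < "4.3.1" and "1.0" == "1.0.0"."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def _event(key, kind, severity, detail):
    device, app = key
    return {"device": device, "app": app, "kind": kind, "severity": severity, "detail": detail}


def risk_changes(previous=PREVIOUS, current=CURRENT, baseline=BASELINE, approved_sources=APPROVED_SOURCES):
    """Diff two snapshots and return the risk-relevant events, in (device, app) order."""
    events = []
    for key in sorted(set(previous) | set(current)):
        app = key[1]
        before, after = previous.get(key), current.get(key)
        allowed = baseline.get(app, set())

        if before is None:
            # New install: severity depends on whether it came through an approved channel.
            severity = "info" if after["source"] in approved_sources else "high"
            events.append(_event(key, "new_install", severity, after["source"]))
            unreviewed = after["permissions"] - allowed
            if unreviewed:
                events.append(_event(key, "new_permissions", "high", sorted(unreviewed)))
            continue

        if after is None:
            events.append(_event(key, "removed", "info", before["version"]))
            continue

        if after["version"] != before["version"]:
            # A rollback re-exposes whatever the newer version fixed, so it rates higher.
            downgrade = _vtuple(after["version"]) < _vtuple(before["version"])
            events.append(_event(key, "downgrade" if downgrade else "upgrade",
                                 "high" if downgrade else "info",
                                 f'{before["version"]} -> {after["version"]}'))

        # Only permissions that are both newly granted and outside the baseline are reported.
        added = (after["permissions"] - before["permissions"]) - allowed
        if added:
            events.append(_event(key, "new_permissions", "high", sorted(added)))
    return events


if __name__ == "__main__":
    for event in risk_changes():
        print(event)
```

Each run compares only the two most recent snapshots, so the check stays cheap enough to schedule at the cadence the fleet actually changes rather than once a quarter. The severity labels are a starting point; the "context" step from the previous section is where an organisation would map them onto business impact.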

Ultimately, the mobile application layer is one of the most relied-upon parts of the IT stack, yet it is still the least understood. Addressing this does not require a complete rethink of mobile strategy, but a shift in focus beyond basic device security.


Thank you Michael. Connect with Michael on LinkedIn and read more about Jamf.