Third-Party SDKs: The Supply Chain Risk Hiding Inside Your Mobile App

When the OWASP Foundation published the updated Mobile Top 10 for 2024, the most significant change was the elevation of supply chain risk to the number two position. Not authentication. Not data storage. Supply chain specifically, the security of third-party SDKs and libraries embedded...

SAMA vs NESA: A Dual-Compliance Playbook for GCC Financial Institutions

Key takeaways: GCC banks now answer to SAMA, NCA, TDRA, SIA, CBUAE and the UAE Cybersecurity Council — six authorities, overlapping but incompatible control catalogues. Mobile is where the gaps surface fastest. SAMA Cyber Security Framework v1.0 (May 2017) is the working standard for Saudi banks, insurance companies and finance companies, with a 6-level maturity model. The...

Mobile App Security in CI/CD: A Practical Integration Guide for Android and iOS Teams

Key takeaways: Mobile shift-left is structurally different from web shift-left: ephemeral builds, signing identities, store review cycles, two codebases (Android + iOS), three test layers (static + dynamic + device). Four pipeline patterns work in 2026: GitHub Actions, GitLab CI, Bitbucket Pipelines + Fastlane, Azure DevOps. This article covers integration patterns for each. Don’t hard-block on day one. The...

India Fintech’s Mobile Security Problem: What RBI, CERT-In, and DPDP Actually Require

Key takeaways: Indian fintech mobile teams sit under a three-layer regulatory stack: prudential (RBI Master Direction on IT Governance, effective 1 April 2024), technical (CERT-In Directions, April 2022, 6-hour reporting), and privacy (DPDP Rules 2025, substantive provisions live 13 May 2027). The RBI Master Direction (RBI/2023-24/107) requires VAPT every 6 months on critical systems and annually on...

Inside a Mobile Banking App Breach: A Forensic Walkthrough of What Goes Wrong

Key takeaways: Modern mobile banking compromises are chained, not single-exploit events: lure → dropper → accessibility-service abuse → overlay attack → credential theft → device takeover → fraudulent transaction. The Android banking trojan ecosystem in 2024–2026 is dominated by Anatsa, Crocodilus, TrickMo, Hook, Octo, Godfather and their forks. ThreatFabric documented Crocodilus expanding from Spain/Turkey to 8 countries including India, Brazil,...

Why Most Mobile Pentests Miss 60% of Real Vulnerabilities (And How Continuous Testing Closes the Gap)

Key takeaways: The average mobile app receives a release roughly every 2–5 weeks. Annual or semi-annual pentests sample at best 4–8% of the actual production attack surface across a year. Modern mobile threats — SDK supply-chain compromises, post-release Play Store substitutions, runtime API changes — emerge between pentest engagements, not during them. The 60% figure...

OWASP MASVS 2.1 vs OWASP Mobile Top 10 2024: What Changed and Why It Matters

Key takeaways: MASVS v2.1.0 was released on 18 January 2024, adding the new MASVS-PRIVACY control group (4 controls) and CycloneDX SBOM support. OWASP Mobile Top 10 2024 is the first major revision since 2016. Four categories are brand-new; the priority order has shifted dramatically. Improper Credential Usage (M1) is now the top risk; Inadequate Supply Chain Security (M2) is the second. Verification...

The MSSP Playbook: How Managed Security Providers Build a Profitable Mobile App Security Practice

Key takeaways: The global Managed Security Services market hits USD 43.03 billion in 2026 and grows at 12.33% CAGR to USD 76.96 billion by 2031, with Asia-Pacific the fastest-growing region at 12.95% CAGR. Mobile application security testing (MAST) is the next high-margin recurring service line for MSSPs serving GCC and India clients driven by NESA, SAMA, RBI and DPDP...

NESA Mobile App Security Compliance: The 2026 Evidence Guide for UAE Organisations

Key takeaways: NESA still exists as the framework, but the authority has been renamed the UAE Signals Intelligence Agency (SIA), with day-to-day oversight by TDRA. The standard you are audited against is the UAE Information Assurance Regulation v1.1 and its underlying Information Assurance Standards (188 controls across 4 priority tiers). Mobile applications are now treated as part of the...