Mobile attack vector library

Gain a clear understanding of how attackers exploit weaknesses across application logic, devices, networks, cloud services, and user behavior. This glossary defines key mobile attack vectors to help teams recognize threats and strengthen their security posture.

App Store/Play store review tampering

Attackers use fake reviews or ratings to manipulate user trust and encourage downloads of malicious apps.

Application logic vulnerabilities

Application logic vulnerabilities occur when design and coding decisions allow the normal logic of the application to be manipulated by attackers.

Attacks targeting wearables and smart devices

Cybercriminals exploit vulnerabilities in wearable tech and IoT devices to access sensitive data or disrupt operations.

Biometric authentication attacks

Biometric authentication attacks exploit or bypass biometric systems like fingerprint, iris, or facial recognition.

Broken authentication

Broken authentication occurs when attackers can compromise the identity of users, often through weak or flawed authentication mechanisms.

Business email compromise attacks

Business Email Compromise (BEC) attacks involve attackers sending fraudulent emails that impersonate trusted entities, such as executives, vendors, or colleagues, to deceive users into transferring funds, sharing sensitive information, or performing unauthorized actions.

Cloud jacking attacks

Cloud jacking refers to attacks where attackers gain unauthorized access to cloud accounts, allowing them to control or manipulate cloud resources.

Cloud-based attacks

Cloud-based attacks exploit misconfigurations or vulnerabilities in the cloud storage or services used by mobile apps.

Cross-site scripting (XSS)

Cross-site scripting (XSS) is a type of injection attack where malicious scripts are injected into web pages or apps.

Cryptocurrency scams

Cryptocurrency scams exploit the growing interest in digital currencies by creating fraudulent investment apps or schemes.

Data breaches in cloud providers

Data breaches in cloud providers occur when attackers exploit vulnerabilities in cloud infrastructures or services to gain unauthorized access to sensitive data.

Deepfake videos used to discredit people or organizations

Deepfake videos employ AI technologies to produce highly realistic but entirely fake visual representations of individuals, often making them appear to say or do things they never did.

Deepfakes

Deepfakes leverage artificial intelligence to create realistic but fraudulent representations of individuals.

Denial-of-service (DoS) attacks

Denial-of-service (DoS) attacks overwhelm cloud servers with traffic, making the app unavailable to legitimate users.

DNS spoofing attacks

DNS spoofing, also known as DNS cache poisoning, occurs when attackers manipulate the DNS (Domain Name System) resolution process, redirecting users to malicious websites that appear legitimate.

Eavesdropping on unsecured Bluetooth connections

Bluetooth eavesdropping occurs when attackers exploit weak or absent encryption in Bluetooth communication.

Eavesdropping on unsecured networks

Eavesdropping on unsecured networks occurs when attackers intercept communications between a mobile device and a server, particularly over unencrypted or poorly secured connections such as public Wi-Fi.

Exploit kits targeting mobile devices

Exploit kits are pre-packaged sets of malicious tools designed to identify and exploit device vulnerabilities.

Fake login pages/mobile apps

Attackers create counterfeit login pages or apps to steal user credentials.

Improper access control

Improper access control occurs when an application fails to enforce permissions correctly, allowing users to access data or perform actions that should be restricted.

Increased automation in attacks

Attackers leverage AI and automation tools such as botnets or automated phishing to scale and execute attacks more efficiently, often overwhelming traditional defenses.

Injection flaws

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query.

Insecure APIs

Insecure APIs (Application Programming Interfaces) occur when mobile apps communicate with cloud services or other external systems using poorly secured APIs.

Insecure app installation

Insecure app installation occurs when users download and install mobile applications from untrusted sources, such as unofficial app stores or third-party websites.

Insecure communication channels

Insecure communication channels refer to situations where sensitive data is transmitted between a mobile app and backend servers over unsecured or poorly secured networks.

Insecure data storage on device

Insecure data storage occurs when mobile applications store sensitive information such as user credentials, personal data, or financial information without adequate encryption or protection.

Insecure deserialization

Insecure deserialization occurs when untrusted data is used to reconstruct objects or data structures (deserialization), without sufficient validation or protection.

Insecure direct object references (IDOR)

Insecure direct object references (IDOR) occur when an application provides direct access to objects based on user-supplied input, without properly validating whether the user is authorized to access that resource.

Insecure in-app advertising

Malicious ads within apps steal data, redirect users to phishing sites, or use advanced tactics like AI-driven targeting to deceive users.

Insecure mobile payment systems

Insecure mobile payment systems can expose sensitive data, such as credit card details, transaction history, or personal information.

Insecure server-side code execution

Insecure server-side code execution refers to vulnerabilities in the backend code running on cloud servers that can be exploited by attackers to execute arbitrary code or gain unauthorized access.

Insecure Wi-Fi networks

Insecure Wi-Fi networks, particularly open or public networks, do not use encryption to secure data transmitted over the connection.

Insider threats

Insider threats come from malicious actors within an organization who have authorized access to cloud resources.

Insufficient identity and access management (IAM)

Insufficient identity and access management (IAM) occurs when cloud resources, including those used by mobile applications, are not properly secured with strong access control policies.

Insufficient logging and monitoring

Insufficient logging and monitoring is a critical security vulnerability that arises when applications or backend systems fail to capture and monitor key events effectively.

Internet of things (IoT) integration attacks

These attacks exploit vulnerabilities and insecure channels or APIs in IoT devices that interact with mobile apps.

Lack of encryption for data at rest and in transit

Encryption is critical for protecting data both at rest (stored data) and in transit (data being transferred over networks).

Location tracking attacks

This attack involves using apps or malware to collect precise location data from users without their knowledge.

Malicious app permissions

Malicious app permissions occur when mobile applications request more permissions than necessary to function, potentially granting attackers access to sensitive data or critical device functionality.

Man-in-the-middle (MitM) attacks

Man-in-the-middle (MitM) attacks occur when an attacker intercepts and potentially alters communication between a mobile device and a server without either party being aware.

Man-in-the-middle (MitM) attacks via malicious public Wi-Fi

MitM attacks occur when an attacker positions themselves between a user and the internet, intercepting or altering data sent over unsecured or misconfigured connections.

Misconfigured cloud storage buckets

Misconfigured cloud storage buckets refer to storage instances, such as Amazon S3 or Google Cloud Storage, that are incorrectly set up to allow public access or insufficient access controls.

Mobile app backdoors

Mobile app backdoors are hidden functionalities in apps that provide attackers with persistent, unauthorized access.

Mobile malware

Mobile malware refers to malicious software specifically designed to target mobile devices.

Mobile malware downloaded from third-party app stores

This attack occurs when malicious apps are disguised as legitimate ones and downloaded from untrusted sources.

Mobile ransomware

Mobile ransomware infects devices through malicious apps, email attachments, or links.

Outdated OS and applications

Running outdated operating systems (OS) or applications leaves devices vulnerable to known exploits, increasing the risk of malware infections, data breaches, and remote attacks.

Physical loss or device theft

The physical loss or theft of a mobile device poses a significant security risk, especially if the device is not adequately secured.

Pretexting attacks

Attackers use fabricated stories to manipulate users into revealing sensitive information or taking unauthorized actions.

Prompt injection attacks

A prompt injection attack (PIA) happens when attackers hide malicious instructions inside normal-looking user input.

QR code phishing attacks

Attackers use malicious QR codes to redirect users to phishing sites or install malware.

Rooting and jailbreaking

Rooting (Android) and jailbreaking (iOS) refer to the process of removing manufacturer-imposed restrictions on a mobile device, granting users full control over the operating system.

Security misconfiguration

Security misconfiguration refers to improperly configured security settings in an application, server, or cloud environment.

Session hijacking

Session hijacking occurs when attackers steal or manipulate a user's session ID or authentication token, allowing them to take over the user's session without needing their credentials.

Shared responsibility model issues

The shared responsibility model in cloud computing defines the division of security responsibilities between cloud providers and customers.

SMS/text-based phishing attacks

SMS-based phishing (or "smishing") attacks exploit the trust users place in their mobile devices.

Social engineering attacks

Social engineering attacks, such as phishing, rely on psychological manipulation to trick users into revealing sensitive information or performing unsafe actions.

Social engineering on messaging apps

This attack tricks users into sharing information or clicking malicious links on messaging platforms.

Social media phishing attacks

Social media phishing attacks use fake social media messages or posts to deceive users into exposing sensitive information or clicking malicious links.

Socially engineered SIM swapping

SIM swapping relies on social engineering tactics to trick telecom providers into porting a victim's number to an attacker-controlled SIM card.

Subscription traps

Subscription traps are a form of fraud where users unknowingly enroll in recurring payments through misleading offers or hidden terms.

Supply chain attacks

Supply chain attacks target vulnerabilities in software development tools, third-party libraries used in mobile apps, or other components in the software supply chain, such as build pipelines or update mechanisms.

Supply chain attacks targeting app development tools

This attack compromises tools used by developers to inject vulnerabilities into multiple apps.

Tailgating/shoulder surfing attacks

These attacks involve observing users as they enter sensitive information (such as passwords or PINs) on mobile devices, or gaining physical access to secure areas where mobile devices are used, often during login or payment processes.

Unpatched network devices

Unpatched network devices, such as routers, firewalls, and switches, can be targeted by attackers when these devices contain known vulnerabilities that haven’t been addressed with security patches or firmware updates.

Unvalidated inputs

Unvalidated inputs occur when an application fails to properly validate or sanitize the data entered by users.

Use of hardcoded credentials

Hardcoding credentials, such as usernames, passwords, API keys, or cryptographic keys, directly into the source code of a mobile app is a major security risk.

Vishing attacks

Voice phishing (or "vishing") involves fraudulent phone calls to deceive users into revealing sensitive information.

Watering hole attacks

Watering hole attacks target specific groups by compromising websites or mobile apps that their intended victims frequently visit.

Weak encryption protocols

Weak encryption protocols refer to outdated or vulnerable encryption methods that no longer provide adequate protection for data in transit or at rest.

Weak screen lock

Weak screen lock refers to the use of easily guessable or insecure screen lock mechanisms.

Zero-click attacks

Zero-click attacks target flaws in mobile apps or operating systems that allow attackers to gain control without any user action, such as opening a link or downloading a file.

Zero-day vulnerabilities

A zero-day vulnerability refers to a security flaw in software that is unknown to the vendor and for which no patch or mitigation is available at the time of exploitation.
