Try reloading the player or open this episode directly on YouTube.
In this episode, Joel DeStefano from Guardsquare discusses mobile app security, emphasizing its unique challenges compared to backend and cloud systems.
Now Playing
Ship It Conversations: Guardsquare’s Joel DeStefano on Mobile App Security, Runtime Protection, App Hardening, and Why Scanning Isn’t Enough
Ship It Weekly
0:0035:58
Chapters
Jump to a section in this episode.
Speed & share
Transcript
Mobile app security is one of those areas where
cloud and backend people can get a little too
comfortable because in the backend, you control
a lot. You control the runtime, you control the
servers, you control the network, you control
the policies. You can wrap the thing in IAM,
logging, monitoring, deployment controls, runtime
controls, and a whole pile of infrastructure
that at least gives you a fighting chance. Mobile
is different. With mobile, you ship the app and
now it is out there. It is on someone else's
device, in someone else's environment, maybe
rooted, maybe jailbroken, maybe running next
to malware, maybe sitting in the hands of someone
trying to reverse engineer it, hook values, bypass
checks. Scrape data, or figure out how your business
logic talks to your backend. And that changes
the trust model because scanning the app before
release matters, but it does not answer the bigger
question. What happens after the app leaves your
build pipeline? That is really what this conversation
is about. Not just mobile scanning, not just
App Store approval, not just we don't store secrets
in the app, so we're fine. More like, what does
mobile app security actually mean? When the thing
you shipped is now a public artifact that attackers
can pull apart, instrument, modify, and abuse.
I'm Brian Teller from Teller's Tech, and this
is Ship It Weekly. Welcome back to Ship It Weekly,
where I filter the noise and focus on what actually
matters when you are the one running infrastructure
and owning reliability. Most weeks, it's a quick
news recap. In between those, I do conversation
episodes with people who are building platforms,
running infrastructure, securing applications,
and thinking through where this industry is actually
headed. Today is one of those conversations.
I'm joined by Joel DeStefano from Guardsquare,
where he is a product manager. We're talking
about mobile app security, what it means beyond
basic scanning, why mobile has a different trust
model than backend or cloud systems, and how
teams can improve posture without turning CI/CD
into a nightmare. And I like this conversation
because mobile security can be easy for infrastructure
For this Conversations episode, the part that stuck with me is how easy it is for backend and cloud people to bring the wrong mental model to mobile security.
In backend systems, we are used to control.
We control the runtime. We control the infrastructure. We control IAM. We control the network path. We control the deployment process. We control observability, logging, and a lot of the runtime environment around the application.
Mobile changes that.
You ship the app and now it is out there.
It is running on someone else’s device, in someone else’s environment, with software you do not control, under conditions you may never see directly. Maybe the device is rooted. Maybe it is jailbroken. Maybe there is malware nearby. Maybe someone is decompiling the app, running instrumentation, hooking values, bypassing checks, or trying to understand enough of the workflow to abuse the backend.
That is the trust shift Joel DeStefano kept coming back to in this conversation.
Mobile app security is not just “did we scan the app before release?”
Scanning matters. Dependency checks matter. TLS configuration matters. Not shipping secrets in the app matters. All of that is table stakes.
But it is point-in-time assurance.
It tells you something before release.
It does not tell you what happens after the app leaves the pipeline.
That is where I think a lot of teams get too comfortable. They assume the App Store review process is handling more than it is. They assume the OS is protecting the application logic. They assume that because the backend stores the sensitive data, the mobile app itself is not an interesting target.
That last one is probably the most dangerous assumption.
The sensitive thing is not always a secret string sitting in the app.
Sometimes the sensitive thing is the workflow.
How does the app authenticate? How does it talk to the backend? What does the backend trust? What values does the app send? What checks happen locally? What behavior changes when a condition flips from false to true?
If an attacker can learn the business logic, they may not need a database dump from the app. They may only need enough understanding to abuse the system around it.
That is especially true for apps tied to money, login, account recovery, medical workflows, retail transactions, subscriptions, loyalty points, streaming access, or anything else that represents real business value.
So the better question is not just, “Do we have secrets in the app?”
The better question is, “What can someone learn from this app, and how could they use that against us?”
That is a much more useful way to think about mobile security.
I also liked how Joel framed the layered approach.
Testing matters.
Hardening matters.
Runtime protection matters.
Monitoring matters.
Those are not interchangeable pieces. They solve different parts of the problem.
Testing and scanning help catch issues before release. Hardening and obfuscation make reverse engineering harder. Runtime checks help detect suspicious environments, debuggers, hooking frameworks, rooted devices, overlays, accessibility abuse, and other signs that something about the app execution is not right. Monitoring helps teams understand what is actually happening after the app is in the wild.
That monitoring piece is important because the threat landscape does not freeze when you ship.
Attackers change tools. Tactics change. Activity spikes in different regions. A new framework gets popular. A workflow starts being abused in a way nobody expected.
If you are not watching, you are guessing.
That does not mean every app needs the same level of protection. A tiny internal utility is not the same as a banking app, a healthcare app, or a payment flow. But a lot more apps are business-critical than people admit.
Mobile apps are not just “apps” anymore.
They are storefronts. Payment platforms. Account portals. Medical device managers. Subscription systems. Streaming platforms. Banking experiences. Identity and recovery paths.
If that is where users spend time and money, attackers will spend time there too.
The CI/CD part of this conversation is also worth paying attention to.
Security that destroys the release process usually does not last.
That is true in cloud. It is true in platform engineering. It is true in mobile too.
If the security tooling slows everything down, breaks builds constantly, creates stability issues, or forces teams into a painful release process, engineering teams will eventually route around it. Maybe not officially. Maybe not loudly. But they will find a way to keep shipping.
So the goal has to be security that lives inside the real delivery process.
High-severity findings should block. Critical issues should stop the release. But lower-severity issues may become tracked risk. Runtime protections still need QA. Performance constraints still matter. Stability matters. App size can matter. A few milliseconds might be acceptable. A crash is not.
That is the tradeoff.
Not “security versus shipping.”
More like, “how do we make security part of shipping without pretending delivery constraints do not exist?”
That is a healthier conversation for DevOps, SRE, platform, AppSec, and mobile teams to have together.
I also thought the AI angle was interesting because it fits the broader theme we keep seeing across security.
AI may make attackers faster.
It may help them understand app logic faster. It may help them reason about code faster. It may help them reverse engineer faster. It may compress the time between “I have this app” and “I understand where to poke.”
But Joel’s point was that the fundamentals do not disappear.
If you already have the right model, AI increases pressure.
If you do not have the right model, AI makes the gap more painful.
That seems broadly true across security right now. AI is not replacing the need for good fundamentals. It is raising the cost of not having them.
For mobile, those fundamentals look like understanding the trust model, protecting the app, making reverse engineering harder, adding runtime checks, validating that the app connecting to your backend is genuine, and monitoring what is happening in the field.
The biggest mistake is assuming someone else has solved the problem for you.
The App Store will not save you.
The OS will not save your business logic.
A scanner will not protect runtime behavior.
And “we do not store sensitive data in the app” does not mean the app has nothing valuable to reveal.
That is probably my main takeaway from this episode.
Mobile app security is not magic, but it is different.
It is a different trust boundary. It is a different runtime model. It is a different visibility problem. And it needs to be treated as part of the system, not as a separate thing that gets checked at the end.
Because once the app is shipped, the question is not just whether you built it safely.
The question is whether you can still trust what is connecting back.
📝 Notes
Show Notes
This is a guest conversation episode of Ship It Weekly, separate from the weekly news recaps.
In this Ship It: Conversations episode, I talk with Joel DeStefano from Guardsquare about mobile app security, why it is different from backend and cloud security, and why scanning alone is not enough once an app is shipped into the real world.
We talk about the shift in trust model that happens with mobile apps. In backend and cloud systems, teams usually have more control over the runtime, infrastructure, policies, and monitoring. With mobile, the app becomes a public artifact running on someone else’s device, in an environment you do not fully control.
The bigger theme here is that mobile security is not just “scan it before release.” Scanning matters, but teams also need to think about app hardening, obfuscation, runtime protection, monitoring, and whether the app connecting back to their APIs is genuine and uncompromised.
Highlights
• Why mobile changes the trust model compared to backend and cloud systems
• What DevOps, SRE, and platform teams should understand about mobile app risk
• Why scanning is useful, but not enough by itself
• The danger of assuming app store approval means an app is secure
• Why “we do not store sensitive data in the app” can be a misleading security argument
• How attackers can reverse engineer apps, inspect workflows, and learn how the app talks to backend APIs
• What code hardening and obfuscation actually help protect against
• Why runtime checks matter for rooted devices, compromised environments, debuggers, hooking frameworks, overlays, and accessibility abuse
• The difference between Android and iOS security assumptions
• Why the OS is not responsible for protecting your app’s business logic
• How mobile security should fit into CI/CD without destroying release velocity
• What should block a release versus what should become tracked risk
• Why testing, hardening, runtime protection, and monitoring should work together as one strategy
• How AI may speed up attackers without fundamentally changing the need for strong security fundamentals
• Joel’s advice for improving mobile security posture: start with the app’s critical workflows, backend interactions, and real business risk
For this Conversations episode, the part that stuck with me is how easy it is for backend and cloud people to bring the wrong mental model to mobile security.
In backend systems, we are used to control.
We control the runtime. We control the infrastructure. We control IAM. We control the network path. We control the deployment process. We control observability, logging, and a lot of the runtime environment around the application.
Mobile changes that.
You ship the app and now it is out there.
It is running on someone else’s device, in someone else’s environment, with software you do not control, under conditions you may never see directly. Maybe the device is rooted. Maybe it is jailbroken. Maybe there is malware nearby. Maybe someone is decompiling the app, running instrumentation, hooking values, bypassing checks, or trying to understand enough of the workflow to abuse the backend.
That is the trust shift Joel DeStefano kept coming back to in this conversation.
Mobile app security is not just “did we scan the app before release?”
Scanning matters. Dependency checks matter. TLS configuration matters. Not shipping secrets in the app matters. All of that is table stakes.
But it is point-in-time assurance.
It tells you something before release.
It does not tell you what happens after the app leaves the pipeline.
That is where I think a lot of teams get too comfortable. They assume the App Store review process is handling more than it is. They assume the OS is protecting the application logic. They assume that because the backend stores the sensitive data, the mobile app itself is not an interesting target.
That last one is probably the most dangerous assumption.
The sensitive thing is not always a secret string sitting in the app.
Sometimes the sensitive thing is the workflow.
How does the app authenticate? How does it talk to the backend? What does the backend trust? What values does the app send? What checks happen locally? What behavior changes when a condition flips from false to true?
If an attacker can learn the business logic, they may not need a database dump from the app. They may only need enough understanding to abuse the system around it.
That is especially true for apps tied to money, login, account recovery, medical workflows, retail transactions, subscriptions, loyalty points, streaming access, or anything else that represents real business value.
So the better question is not just, “Do we have secrets in the app?”
The better question is, “What can someone learn from this app, and how could they use that against us?”
That is a much more useful way to think about mobile security.
I also liked how Joel framed the layered approach.
Testing matters.
Hardening matters.
Runtime protection matters.
Monitoring matters.
Those are not interchangeable pieces. They solve different parts of the problem.
Testing and scanning help catch issues before release. Hardening and obfuscation make reverse engineering harder. Runtime checks help detect suspicious environments, debuggers, hooking frameworks, rooted devices, overlays, accessibility abuse, and other signs that something about the app execution is not right. Monitoring helps teams understand what is actually happening after the app is in the wild.
That monitoring piece is important because the threat landscape does not freeze when you ship.
Attackers change tools. Tactics change. Activity spikes in different regions. A new framework gets popular. A workflow starts being abused in a way nobody expected.
If you are not watching, you are guessing.
That does not mean every app needs the same level of protection. A tiny internal utility is not the same as a banking app, a healthcare app, or a payment flow. But a lot more apps are business-critical than people admit.
Mobile apps are not just “apps” anymore.
They are storefronts. Payment platforms. Account portals. Medical device managers. Subscription systems. Streaming platforms. Banking experiences. Identity and recovery paths.
If that is where users spend time and money, attackers will spend time there too.
The CI/CD part of this conversation is also worth paying attention to.
Security that destroys the release process usually does not last.
That is true in cloud. It is true in platform engineering. It is true in mobile too.
If the security tooling slows everything down, breaks builds constantly, creates stability issues, or forces teams into a painful release process, engineering teams will eventually route around it. Maybe not officially. Maybe not loudly. But they will find a way to keep shipping.
So the goal has to be security that lives inside the real delivery process.
High-severity findings should block. Critical issues should stop the release. But lower-severity issues may become tracked risk. Runtime protections still need QA. Performance constraints still matter. Stability matters. App size can matter. A few milliseconds might be acceptable. A crash is not.
That is the tradeoff.
Not “security versus shipping.”
More like, “how do we make security part of shipping without pretending delivery constraints do not exist?”
That is a healthier conversation for DevOps, SRE, platform, AppSec, and mobile teams to have together.
I also thought the AI angle was interesting because it fits the broader theme we keep seeing across security.
AI may make attackers faster.
It may help them understand app logic faster. It may help them reason about code faster. It may help them reverse engineer faster. It may compress the time between “I have this app” and “I understand where to poke.”
But Joel’s point was that the fundamentals do not disappear.
If you already have the right model, AI increases pressure.
If you do not have the right model, AI makes the gap more painful.
That seems broadly true across security right now. AI is not replacing the need for good fundamentals. It is raising the cost of not having them.
For mobile, those fundamentals look like understanding the trust model, protecting the app, making reverse engineering harder, adding runtime checks, validating that the app connecting to your backend is genuine, and monitoring what is happening in the field.
The biggest mistake is assuming someone else has solved the problem for you.
The App Store will not save you.
The OS will not save your business logic.
A scanner will not protect runtime behavior.
And “we do not store sensitive data in the app” does not mean the app has nothing valuable to reveal.
That is probably my main takeaway from this episode.
Mobile app security is not magic, but it is different.
It is a different trust boundary. It is a different runtime model. It is a different visibility problem. And it needs to be treated as part of the system, not as a separate thing that gets checked at the end.
Because once the app is shipped, the question is not just whether you built it safely.
The question is whether you can still trust what is connecting back.