Approov has published an analysis arguing that AI is eroding the value of mobile app obfuscation as a security defence, changing how businesses should protect mobile APIs.
The analysis focuses on AI systems that can reverse engineer mobile applications, identify embedded secrets and reproduce app behaviour quickly enough to reduce the cost of attack. Approov argues this undermines a long-standing assumption in mobile security: that the effort required to strip obfuscation and understand API call patterns would deter most attackers.
Ted Miracco, Chief Executive Officer of Approov, said the immediate issue extends beyond threats to major financial institutions. "Most of the coverage has focused on what Mythos might do to financial infrastructure. There's a more immediate implication that every company with a mobile app needs to understand right now. Mythos changes the economics of mobile API attacks. Permanently."
Mobile app security has often relied on secrets embedded in applications, including API keys, tokens, hardcoded credentials and signing logic. In Approov's view, AI models with the de-obfuscation capabilities described in the analysis can extract and replicate those elements at scale, making it easier to build tools that imitate legitimate mobile traffic.
Threat shift
According to the analysis, this creates a broader problem for organisations that rely on behavioural analytics or anomaly detection on the backend to identify fraudulent requests. Approov argues AI can study legitimate traffic patterns and generate synthetic requests that resemble normal user behaviour closely enough to evade those controls.
The analysis points to factors such as request timing, session cadence, geographic distribution and device fingerprints. If attackers can model those signals accurately, Approov argues, traditional backend monitoring becomes less effective as a last line of defence.
Approov links this argument to a broader shift in cybersecurity, saying AI-powered attack methods are changing the balance between attackers and defenders. Its position is that mobile security strategies built around making reverse engineering difficult are becoming less relevant as automation improves.
The company advocates what it calls a zero-secrets architecture. Under that approach, the app does not contain long-lived credentials that can be extracted and reused, and authentication is obtained at runtime rather than embedded during development.
Runtime checks
Approov said that model still requires a way to verify that API calls are coming from a genuine, unmodified app on a trustworthy device. It argues that runtime attestation provides that check by requiring software to obtain a short-lived cryptographic token before an API request is accepted.
The approach is designed to prevent the theft of long-lived credentials and reduce the risk of replay attacks through a challenge-response process. The analysis also argues that an attestation system operating at runtime is harder for synthetic clients to spoof, even if they can mimic network and behavioural patterns.
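As an added illustration of the runtime-attestation model described above (a constructed example, not Approov's protocol or code), the following Python sketch shows a backend verifying a short-lived, challenge-bound token before accepting an API request. The shared signing key, the claim names and the nonce-tracking sets are assumptions; the point is that the signature, expiry, integrity-flag and single-use checks together make an extracted or recorded token useless on its own.

```python
import base64, hashlib, hmac, json, secrets

def mint_token(key: bytes, nonce: str, app_ok: bool, device_ok: bool, now: int, ttl: int) -> str:
    """Attestation-service side (assumed): sign claims for one challenge, valid for `ttl` seconds.
    In a real deployment app_ok/device_ok would come from integrity checks, not parameters."""
    claims = {"nonce": nonce, "exp": now + ttl, "app_ok": app_ok, "device_ok": device_ok}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

class AttestationVerifier:
    """API-backend side (assumed): issues challenges and verifies tokens bound to them."""
    def __init__(self, key: bytes):
        self.key = key                 # shared with the attestation service, never with the app
        self.issued_nonces: set[str] = set()  # challenges handed out, not yet consumed
        self.used_nonces: set[str] = set()    # consumed challenges, kept to reject replays

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, token: str, now: int) -> str:
        """Return 'ok' or the reason for rejection; checks are ordered cheapest-first."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):   # forged or re-signed with another key
            return "bad_signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if now > claims["exp"]:                      # short lifetime limits reuse window
            return "expired"
        if not (claims["app_ok"] and claims["device_ok"]):
            return "untrusted_client"                # modified app or untrustworthy device
        nonce = claims["nonce"]
        if nonce in self.used_nonces:                # same token presented twice
            return "replay"
        if nonce not in self.issued_nonces:          # token not tied to a challenge we issued
            return "unknown_challenge"
        self.issued_nonces.discard(nonce)
        self.used_nonces.add(nonce)
        return "ok"
```

The backend never trusts anything the app ships with; it trusts only a fresh, signed answer to a challenge it generated itself.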
Approov said the approach is already in use across iOS, Android (both Google Mobile Services and non-GMS environments) and HarmonyOS NEXT. It added that the technology is deployed in sectors including financial services, media, automotive and healthcare.
The analysis places the issue in the context of rising concern about highly capable AI systems being used to identify and exploit software vulnerabilities. For businesses with mobile apps and APIs, Approov argues, the point at which AI changes the economics of attack has already arrived.
Its core contention is that obfuscation no longer offers a meaningful barrier on its own and that behavioural detection no longer provides a dependable fallback. In that framing, companies need to replace, rather than refine, older mobile API security models.
Approov also pointed to its own work in runtime attestation, saying the method is available now rather than being a longer-term concept. "The same AI capability that deobfuscates your app can also study your legitimate traffic patterns and generate synthetic requests that are statistically indistinguishable from real user behavior. Request timing, session cadence, geographic distribution, device fingerprints. AI can model all of it and produce traffic that passes every behavioral test you have deployed. The defender's last line of detection is being outmaneuvered by the same technology that broke the first line," Miracco said.
Approov's analysis concludes that businesses with consumer-facing mobile apps should review whether they still depend on app-based secrets or obfuscation as core protections, arguing that those methods are losing effectiveness against AI-assisted attacks.