Threat actors are increasingly targeting mobile apps, adding to the security risks for enterprises and their customers.
To help address this burgeoning issue, enterprise software delivery platform vendor Digital.ai on Tuesday is expanding its Application Security suite with the addition of Quick Protect Agent, which gives developers a quick, no-code way to protect their enterprise apps from tampering.
While flagship apps such as client-facing mobile banking receive a lot of attention from security teams, secondary and tertiary apps, such as trading apps or employee-only apps that aren’t in public app stores, may not, noted Digital.ai CEO Derek Holt. Security teams just don’t have the resources to apply the same rigor to them. The Quick Protect Agent is designed to fill that gap.
In the 2025 version of Digital.ai’s Annual Application Security Threat Report, Holt said, “We saw that over 80% of the apps in the respective app stores are under attack, and we saw about a 20% increase year over year in the number of attacks.” When investigators dug deeper, they found that the industry has done a “pretty good job” of putting more guards and protections in place in some industry verticals and with primary apps.
“However, the threat actors are now going after secondary and tertiary apps and are starting to expand into industry verticals that maybe were previously not as much of a focus area,” he said.
That discovery led to the development of the Quick Protect Agent, with a simple interface that allows developers to drag and drop their binaries into a GUI and select the level of security required and any or all of the offered protections, including all four OWASP MASVS (Mobile Application Security Verification Standard) Resilience categories. Once the protections are approved, the tool provides a command line interface version of the configuration to include in automated pipelines for future builds.
The full Application Security Suite gives security teams the ability to fine-tune security for flagship apps, balancing security protections and performance, but, Holt said, those teams frequently don’t have the resources to give all apps the same attention. Quick Protect Agent asks a series of questions about general areas of concern and the required balance between performance and security, and then generates the security profile for the app.
In both cases, he said, detailed logs record every decision.
“This is an interesting new set of capabilities and largely aligns with what we are seeing in the devops space,” said Jason Andersen, principal analyst at Moor Insights & Strategy. “Overall, Digital.ai’s assertion that we are witnessing a significant increase in hacking activity is accurate. Companies like JFrog, who cover different aspects of the toolchain, are also seeing similar increases and it’s largely being chalked up to increased use of automation and AI technology by hackers. So, the need is certainly there, especially in mobile applications which tend to be much more frequently updated than typical enterprise web apps. That’s a crucial distinction for a set of applications that are frankly higher visibility due to customer and partner contact.”
Andersen noted that the use of agents in the development workflow accomplishes two things. First, it helps developers not well acquainted with application security to protect their apps. “I’d expect this to lead to better coverage and more frequent application of security processes,” he said.
In addition, he pointed out, the solution makes a lot of sense as the use and complexity of agents increases.
“New agent capabilities and standards, such as those seen in tools like GitHub Copilot, are pointing to a new future in the devops toolchain,” he said. “Consider agents like these engaging in some degree of cross-agent teaming, resulting in a more real-time and autonomous application security process.”
However, said David Shipley, CEO of Beauceron Security, “Obscure code helps, but it doesn’t close vulnerabilities: it makes them harder to find by, for example, old-fashioned trial and error.” This kind of intervention, he said, “is like having the forward collision alert come on to stop an accident” — it’s a good thing, but it would be better if we understood the reason so that we fixed the underlying cause, not just the symptom.