NowSecure Labs

Mobile security research, in the open.

Interactive write-ups and data explorations from NowSecure's mobile research team. Every post is built on evidence pulled from NowSecure MARI (Mobile App Risk Intelligence) — our continuous analysis engine that scans thousands of mobile apps every day — not on vendor claims.

NowSecure Labs is a public sandbox where our researchers publish interactive investigations into mobile apps, sharing the data, the methods, and the findings in the open. Each post is grounded in observed behavior: hardcoded URLs and pinned certificates pulled from real app binaries, and live network traffic captured while those apps run.

The evidence comes from NowSecure MARI, which continuously scans thousands of mobile apps per day. When we report that an SDK is "active," we mean we watched the app actually contact the SDK's endpoint during dynamic analysis, corroborated by other signals, not merely that a matching string appeared in the binary. A URL string alone shows the code is present; an observed connection shows it runs.

The Two-Second Ad Auction You Never See

An independent researcher worked out how to decrypt AppLovin's mobile ad-auction traffic — the encrypted handshake that decides which ad you see in the two seconds an app is loading. NowSecure measured how far the SDK reaches: 2,732 apps across 1,404 publishers in our May 2026 snapshot, including apps with billions of downloads.

  • 2,732 apps
  • 1,404 publishers
  • May 2026 snapshot
AppLovin · mediation cipher · ad-tech · App Tracking Transparency

California's Data Brokers, Inside Your Phone

California requires every data broker operating in the state to register each year and attest to what it collects and who it sells to. We cross-referenced that 566-broker registry against a 94,023-app NowSecure MARI sample: 70 registered brokers turned up on phones, 24 running as live SDKs (observed contacting their endpoints during analysis) and the rest present only as URL strings baked into app binaries.

  • 70 of 566 brokers
  • 94,023 apps
  • 24 live SDKs
CPPA · data broker registry · NowSecure MARI · LiveRamp · Experian

Vercel Breach — Mobile Blast Radius

The Context AI → Vercel breach exposed API keys, source code, and database contents tied to hundreds of customer organizations. Most coverage stopped at web infrastructure; NowSecure MARI looked at the mobile side: binaries already installed on real phones that hardcode or call *.vercel.app endpoints. That doesn't mean those apps were compromised; it maps a potential supply-chain blast radius that, unlike a web deployment, can't be closed with a single git push, because the affected code ships inside app binaries that users must update.

  • *.vercel.app in app binaries
  • Potential blast radius
Vercel · supply chain · Context AI · npm compromise
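The "live SDK" versus "URL string in the binary" distinction that the Vercel, data-broker and "active SDK" passages above all rely on, as an added example that is not NowSecure MARI code: a static pass pulls hostname-shaped strings out of a binary, a dynamic pass supplies the hosts the app was actually seen contacting, and an app counts as "live" only on observed contact. The pattern *.vercel.app is from the page; every binary, hostname and observation set below is constructed for the example, and the label-boundary matching (so "notvercel.app" does not count) is the check a practitioner would want before publishing such counts.

```python
"""Classify an app's relationship to an endpoint pattern (e.g. "*.vercel.app")
by combining a static signal (hostnames found as strings in the binary) with
a dynamic one (hosts the app was actually seen contacting during analysis).

Added illustration only; not NowSecure MARI code. All binaries, hostnames and
observations below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hostname-looking tokens: dotted labels ending in an alphabetic TLD, bounded so
# "https://api.example.com/v1" yields "api.example.com" and not "https".
HOST_RE = re.compile(
    rb"(?<![a-z0-9.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})(?![a-z0-9.-])",
    re.IGNORECASE,
)


def extract_hosts(binary: bytes) -> set[str]:
    """Static signal: every hostname-shaped string in the binary. Package names
    such as "com.example.app" also match, which is one reason a string hit on
    its own is weak evidence."""
    return {m.group(1).decode("ascii").lower() for m in HOST_RE.finditer(binary)}


def host_matches(host: str, pattern: str) -> bool:
    """Match on DNS label boundaries. "*.vercel.app" covers any subdomain but
    neither the apex "vercel.app" nor look-alikes such as "notvercel.app"."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


@dataclass(frozen=True)
class AppEvidence:
    app_id: str
    binary: bytes
    observed_hosts: frozenset[str]  # DNS / TLS SNI hosts seen during dynamic analysis


@dataclass(frozen=True)
class Finding:
    app_id: str
    status: str  # "live", "static-only" or "none"
    static_hosts: frozenset[str]
    observed_hosts: frozenset[str]


def classify(app: AppEvidence, pattern: str) -> Finding:
    """"live" requires an observed connection; a string in the binary alone is
    "static-only"; an observed connection with no string (endpoint fetched from
    remote config at runtime) is still "live"."""
    static = frozenset(h for h in extract_hosts(app.binary) if host_matches(h, pattern))
    observed = frozenset(h for h in app.observed_hosts if host_matches(h, pattern))
    if observed:
        status = "live"
    elif static:
        status = "static-only"
    else:
        status = "none"
    return Finding(app.app_id, status, static, observed)


def summarize(apps: list[AppEvidence], pattern: str) -> dict[str, int]:
    """Counts of the form "N apps: X live, Y static-only" for one pattern."""
    counts = {"live": 0, "static-only": 0, "none": 0}
    for app in apps:
        counts[classify(app, pattern).status] += 1
    return counts


# Constructed sample binaries: a few bytes of header junk plus NUL-terminated strings.
BINARY_WITH_STRING = (
    b"\x7fELF\x01\x01\x01\x00\x00\x00"
    b"https://api.demo-app.vercel.app/v1/config\x00"
    b"com.example.demoapp\x00"
)
BINARY_WITHOUT_STRING = (
    b"\x7fELF\x01\x01\x01\x00\x00\x00"
    b"https://notvercel.app/track\x00"  # look-alike host; must not count
    b"com.example.otherapp\x00"
)

# Constructed apps and observation sets (hypothetical identifiers and hosts).
SAMPLE_APPS = [
    AppEvidence("com.example.demoapp", BINARY_WITH_STRING,
                frozenset({"api.demo-app.vercel.app", "cdn.example.net"})),
    AppEvidence("com.example.demoapp.lite", BINARY_WITH_STRING,
                frozenset({"cdn.example.net"})),            # string present, never contacted
    AppEvidence("com.example.otherapp", BINARY_WITHOUT_STRING,
                frozenset({"cfg.other-demo.vercel.app"})),  # endpoint came from remote config
    AppEvidence("com.example.clean", BINARY_WITHOUT_STRING, frozenset()),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        f = classify(app, "*.vercel.app")
        print(f"{f.app_id:28} {f.status:12} static={sorted(f.static_hosts)} observed={sorted(f.observed_hosts)}")
    print(summarize(SAMPLE_APPS, "*.vercel.app"))
```

On the sample data the four apps come out as live, static-only, live and none. The third app is the case worth noticing: nothing in its binary mentions the pattern, yet it was observed connecting, so a string-only scan would have missed it, while the second app shows the opposite error that a string-only scan would make.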