To promote the responsible and effective management of complexity in the mobile ecosystem, relevant issues need to be better identified, and better solutions should be developed. Factors which have an impact on mobile vulnerability and that sparked discussion at the roundtable include, but are not limited to, the following.
Support lifecycles
Devices or systems with short support lifecycles become insecure, as they no longer receive critical updates, leaving large user bases exposed. Short support lifecycles are also detrimental to environmental objectives as they incentivise hardware churn. Legislation, including the EU Cyber Resilience Act, requires effective security updates through mechanisms such as product operational lifecycles and mandates requiring manufacturers to provide guidance on end-of-life policies.
Criminal ecosystems
Organised cybercriminal networks provide tooling, infrastructure and services that lower barriers to conducting and scaling mobile exploitation. This is particularly acute with cyber scamming, for which large criminal operations have been established in West Africa and South East Asia.
Mobile app supply-chain dependencies
Mobile application developers rarely map and understand their supply chain dependencies, for example, how the open source tools that developers integrate and automatically update are secured or assured. According to a 2025 report from Zimperium, over 60% of Android apps use free open source tools. Several participants at the roundtable estimated similar levels of dependency and highlighted that this creates exposure to vulnerabilities with no guarantee of security patching.
Market incentives
Similarly to other technology areas, security for mobile is often viewed as a secondary consideration compared with profitability or speed to market (the time between an idea being generated and its reaching the market). For example, AI integration in consumer applications often requires aggregating and analysing personal data, sometimes in data centres outside the users’ jurisdictions. One roundtable participant highlighted this example to illustrate how market incentives can jeopardise security principles.
Technological improvement
Advances raised throughout the roundtable demonstrate how effective improvements in technology can benefit mobile security. According to one participant, memory safety vulnerabilities as a share of total exploited vulnerabilities have fallen by over 65% in the past five years, following efforts to mandate memory-safe programming languages. Another participant highlighted the introduction (by iOS in 2014 and Android in 2015) of MAC (media access control) address randomisation, a privacy-enhancing measure that hinders tracking of a device while it scans for wireless access points.
User cost sensitivity
Where mobile data costs are high, users are discouraged from applying updates or are incentivised to connect to free Wi-Fi that has the potential to be insecure. Similarly, reliance on second-hand devices – especially from untrustworthy vendors – increases the risk that malware is pre-downloaded. These constraints are more common in developing or lower-income countries.
AI deployment
AI is a factor in defending and attacking the mobile ecosystem. Extensive research is being conducted on the AI offence–defence balance in conflict, wider society and geopolitics. For mobile security, offensive use-cases include enhancing phishing activities or propagating malware, while on the defensive side, developers can accelerate vulnerability detection and response. The net effect is uncertain, and more direct conversation – especially relating to mobile security – would be beneficial.
Conclusion
The preceding contribution underscores the need for policymakers, industry and civil society to take mobile security more seriously. The roundtable confirmed that risks are real and present: social engineering, malicious applications and physical device theft are widespread and impose high costs on consumers and the economy. The increasing centrality of mobile devices to, among other areas, commerce, communication and public services, will continue to exacerbate the risk.
Tensions between competition, consumer rights and cybersecurity exist but they risk being overstated. The tendency to legislate on these issues in silos, combined with the lack of a joined-up approach in implementation, has resulted in disjointed regulatory incentives. Nonetheless, change occurs slowly, and markets do not shift overnight. What may be seen as an unacceptable trade-off or friction today may be viewed as a speed bump tomorrow. Instead of fixating on the opposition between these factors, further analysis would benefit from deconstructing the binary choice between them and identifying mutually beneficial outcomes.
The complexity of mobile ecosystems also emerged as a central concern throughout the roundtable. Devices, operating systems, networks, applications and other systems form a layered structure, in which responsibility is often displaced or unclear. The assumption that large firms in key market segments will take accountability for the risk of complexity is misplaced and can obscure the extent of vulnerability. Identifying, addressing and mainstreaming factors that impact mobile security is therefore pressing – from support lifecycles and open source dependencies to market incentives and AI deployment. Without a systematic approach, initiatives will remain siloed and underacknowledged.
At the same time, there are grounds for optimism. Technological improvements, such as adopting memory-safe languages and more secure communication protocols, reflect commendable technical efforts to improve mobile security. Cooperation between stakeholders is also notable. Examples such as stakeholder collaboration on countermeasures to filter SMS messages – thereby preventing fraudulent use of stolen devices – illustrate a willingness and capacity to improve across the ecosystem through targeted efforts.
The roundtable demonstrated that mobile device cybersecurity merits the same attention as any pervasive consumer technology. In fact, the growing role of mobile devices in the critical functions of individuals and organisations demands more focus than is currently paid. This paper is a call for greater acknowledgement among policymakers of mobile cybersecurity and an invitation to conduct further systematic research.
Recommendations
From the roundtable discussion, the following recommendations were provisionally identified. They are included here to illustrate the active marketplace of ideas and avenues for further investigation, rather than serving as firm and finalised recommendations.
- Sufficiently resource the enforcement of existing regulatory frameworks and better track the impact of interventions.
- Advise competition and consumer rights regulators to account for the impact on individual and national security when making judgements on the mobile ecosystem.
- Explore further measures to support and promote app stores’ efforts to improve security, such as minimum standards, a public–private advisory body and security assurance labelling for important applications, including online banking.
- Explore additional measures to ensure digital markets can improve security within fair competition frameworks.
- Assess the possibility of requiring vendors to sell or release relevant material that would allow third parties to continue providing critical security updates to users on a subscription model, when products are reaching end of life.
- Provide data for critical security updates free of charge.
- Conduct systematic research on mobile security, as called for by academic literature reviews.
