Your App Is Under Attack Before Lunch on Launch Day

Digital.ai's *2026 App Security Threat Report* reveals that AI — particularly agentic AI — has dramatically accelerated and broadened app-based cyberattacks, with the proportion of monitored apps under attack rising from 55% in 2022 to 87% in 2026. AI has lowered the technical barriers for attackers, closing the historic security gap between iOS and Android, enabling sophisticated attacks within hours of an app's release, and driving steep rises in attack rates across previously complex-to-exploit sectors like automotive and medical devices. The report concludes that defenders can no longer treat any app or sector as a lower-priority target, and must adopt their own agentic AI defences to counter the increasingly sophisticated and fast-moving threat landscape.

Digital.ai's 2026 App Security Threat Report makes for uncomfortable reading if you still think your mobile app is a soft target that nobody's bothered with yet. Spoiler: they have.

The headline number is stark. The proportion of client-facing apps under active attack has jumped from 55% in 2022 to 87% today. That is not a gradual drift. It is a structural shift, and AI is the reason for it.

The old model of attack economics relied on skilled adversaries willing to invest significant time in reverse engineering, exploit development, and dynamic analysis. That barrier is gone. AI-assisted tooling has democratised all three, handing capabilities that once required genuine expertise to anyone with enough motivation and an internet connection.

One data point that should focus minds: a Digital.ai customer recorded a platform integrity attack on their app one hour and fifty-six minutes after it appeared in the store. Less than two hours. The window between publication and first hostile contact is no longer measured in days. Shipping an app is now, functionally, a security exposure event the moment it goes live.

The iOS versus Android picture is equally instructive. In 2023, iOS apps faced roughly half the attack rate of their Android counterparts. By 2026 that gap has narrowed to almost nothing, with iOS now absorbing 97% of the Android attack rate. The reason is straightforward: AI tools operate comfortably across both ecosystems, so the platform-specific knowledge that once gave iOS some practical protection no longer provides much cover.

Look at the vertical breakdown and the AI story gets even clearer. Attack rates across automotive, medical device, and financial services apps have converged sharply between 2025 and 2026. That convergence is not coincidental.

Automotive apps used to be protected partly by their own complexity. Telematics protocols, proprietary binary formats, OEM authentication flows. Unpicking all that required a fairly specific skill set, which naturally kept the attacker pool small. AI tooling makes that expertise broadly accessible now, so that historical complexity no longer functions as a meaningful barrier.

Medical device apps tell an even sharper story. They recorded an eight-percentage-point rise in attack rates, the steepest of any vertical tracked. The report's interpretation is blunt: these are precisely the sectors where the effort required to extract value was highest, meaning AI assistance produces the largest marginal gain for attackers who previously found the return on effort too low to bother.

The geographic insulation argument also needs putting to rest. Some organisations have implicitly relied on being far from known threat clusters. Digital.ai's position is that this reliance should be made explicit, examined honestly, and then abandoned. Distance is not a defence when the tooling is global and automated.

Digital.ai CEO Derek Holt puts it plainly: the same AI used to build an app in the morning is being used to attack it in the afternoon. The question for every AppSec team is whether the application is built to defend itself from the moment it hits the store, or whether the security team is sitting around waiting to notice it has become an entry point. With 87% of monitored apps under active attack, waiting is simply not a viable posture.

The conclusion the report pushes towards is that defenders need to adopt agentic AI defensively to counter what attackers are already doing offensively. This is not a novel observation in principle, but the data here gives it weight. Bad actors move faster than industry because they have no compliance requirements, no change management process, and nothing to lose from breaking things. The result is an attack frequency that has risen sharply and shows no sign of slowing.

The onus is now firmly on the defensive side to close the gap.