Eye On A.I. – Episode #319: Subho Halder – Why Traditional App Security Fails in the Age of AI

Release Date: February 1, 2026
Host: Craig S. Smith
Guest: Subho Halder, Co-founder & CEO of Appknox

Episode Overview

In this eye-opening discussion, host Craig S. Smith sits down with Subho Halder, who leads security company Appknox, to explore why traditional app security frameworks are inadequate in an era of AI-driven apps, rapidly evolving software, and accelerating release cycles. Halder discusses the new threat landscape—ranging from malicious “wrapper” apps to data farming and evolving vulnerabilities brought about by AI agents—and calls for a decisive shift from securing static code to monitoring dynamic system behaviors. The episode illuminates not only the technical challenges but also the broader societal impact of trust, transparency, regulation, and the evolving roles of human and AI “defenders.”

Key Topics & Insights

1. The New Reality of App Security

Mobile Apps, Trust, and Changing Release Cycles [00:00–04:40]:
- Apps today carry vast amounts of personal info—payment, identity, behavioral data. Release cycles have compressed from months to days.
- Notable Quote:
  “We are moving from securing software as an object to securing software as a living system.” – Subho Halder [05:16]
Legacy Security Models Are Obsolete [02:45–05:55]:
- Old models assumed fixed binaries and predictable logic. AI-powered and rapidly evolving apps break these assumptions.

2. Types of AI-Era Threats and How They Work

Malicious Actors & Fake Apps [06:17–13:10]:
- Malicious AI or “fakes” often mimic trusted brands (ChatGPT, WhatsApp) to steal data or earn ad revenue. Even regulated app stores aren’t immune.
- AI is also a double-edged sword: facilitates both the identification of malicious apps and scale of attacks.
- Notable Quote:
  “At scale…security at scale is where AI kind of wins the race…Unfortunately for humans, at scale you still need time.” – Subho Halder [09:38]
Categories of Fake/Malicious Apps:
- Adware: Benign wrappers to generate revenue through ads.
- Data Farming: Apps gather personal data and sell to brokers, competitors, marketers, even financial institutions.
- Active Malicious/Attack Apps: Function as malware or viruses intending direct harm (e.g., unauthorized payments).
Failure Points in App Store Reviews [11:03–13:57]:
- Fake apps often pass store reviews by appearing benign—using “plausible” justification for permissions and functions.

3. Data Harvesting & The Data Economy

Monetization and Abuse of User Data [15:27–17:12]:
- Personal data is commoditized—sold on the dark web, to brokers, or for targeting ads and financial products.
- Notable Quote:
  “There are three kinds of fake applications…adware, data farming…and those intended to do damage and harm to the user.” – Subho Halder [15:41]

4. The Dual Role of AI in Security

Security for AI & AI for Security [17:12–22:16]:
- Security for AI: Ensuring AI agents in apps don’t overreach, access, or leak unintended data.
- AI for Security: Leveraging AI for defensive practices like automated pen-testing, threat detection.
- The Barrier Shift:
  Attackers don’t need deep expertise—AI can now be “prompt engineered” to find weaknesses for them.
- Notable Quote:
  “Script kiddies…are no more script kiddies…now they are more like a prompt engineer or a security prompt engineer.” – Subho Halder [20:09]

5. Building and Measuring Trust

Transparency is Key [22:16–26:21]:
- Black-box nature of AI erodes user trust. Transparency about data handling is vital.
- Societal shift from implicit trust to explicit—users increasingly want proof rather than promises.
- Notable Quote:
  “Transparency is the key to building trust. If I transparently tell the users, this is how I process your data, this is how the AI processes your data…that’s the initial first step.” – Subho Halder [23:46]
Controls and Consent [26:21–28:53]:
- Users should be given clear choices about what data to share; companies must justify their data requests.
Regulatory and Cultural Factors [31:10–35:41]:
- “Trust is kind of a mix between the law, the government and the company.”
  US companies are more trusted not just for technical or business reasons, but for potential accountability and oversight.

6. Security Flaws in Retail Apps (Case Study)

Findings from Appknox’s Security Report [35:41–39:16]:
- Retail apps, even from major brands, often lack basic secure communications, are vulnerable to man-in-the-middle attacks, and may store sensitive keys insecurely.
- Focus remains on performance/scaling during sales, while basic security is sidelined.
- Notable Quote:
  “Retail applications…are not at the top notch. Secured application. If you compare it with banking application, banking applications has far more security protections.” – Subho Halder [38:49]

7. Appknox: Solutions and Approach

Company Focus & Products [39:16–42:04]:
- Security scanning for mobile apps (their specialty)
- Store monitoring to detect and remove fakes (“Store Knox”)
- AI-driven automated penetration testing (AI “reasoning cycles” for vulnerability discovery)
- Focus is B2B: supporting companies, not end-users.

8. Developer Burnout in the Age of AI

AI Changes the Nature of Developer Work [42:04–48:05]:
- AI speeds up code generation but increases review and comprehension burdens. Developers must now audit and understand code produced by AI—which is often more complex and less transparent than human-produced code.
- Memorable Story:
  Reviewing AI-generated pull requests is more time-intensive, as humans must now “review the reviewer,” sometimes with another AI, leading to “developer fatigue.”
- Notable Quote:
  “Developer fatigue has shifted from writing the piece of code to actually reviewing it and putting it before the production. It hasn’t solved anything. It’s just shifting the problem…” – Subho Halder [46:10]

9. Penetration Testing: Human vs AI

What Is Pen Testing—And The New Frontier [48:05–52:03]:
- Traditional pen-testing relies on human reasoning.
- AI is beginning to automate aspects of pen-testing, leveraging its reasoning cycle.
- Today’s AI pen-testing is at 1% of human capability, but rapid improvements are forecasted.
- Notable Quote:
  “From 1 to 100%, it won’t take time…in the next two to three years we will have AI agents which are actually doing much better than what human pen testers are.” – Subho Halder [51:46]

10. The Path Forward: Humans, AI, and Security

What’s Next for Appknox and Cybersecurity [52:03–55:23]:
- Vision: “Brain of a penetration tester”—AI models that reason about binaries, not just API endpoints.
- AI will commoditize baseline security tasks, freeing humans to tackle higher-order problems like zero-day exploits.
- Trust, process, and transparency—not just tech—will define security and business success in an AI world.
- Notable Quote:
  "AI is not going to come and eat your job up. It's like you have to level up to the next higher level, higher order problem." – Subho Halder [53:10]

Notable Quotes & Memorable Moments

| Timestamp | Speaker | Quote | |-----------|-------------------|------------------------------------------------------------------------------------------| | 05:16 | Subho Halder | “We are moving from securing software as an object to securing software as a living system.” | | 09:38 | Subho Halder | “At scale…security at scale is where AI kind of wins the race…Unfortunately for humans, at scale you still need time.” | | 15:41 | Subho Halder | “There are three kinds of fake applications…adware, data farming…and those intended to do damage and harm to the user.” | | 20:09 | Subho Halder | “Script kiddies…are no more script kiddies…now they are more like a prompt engineer or a security prompt engineer.” | | 23:46 | Subho Halder | “Transparency is the key to building trust. If I transparently tell the users, this is how I process your data, this is how the AI processes your data…that’s the initial first step.” | | 38:49 | Subho Halder | “Retail applications…are not at the top notch. Secured application. If you compare it with banking application, banking applications has far more security protections.” | | 46:10 | Subho Halder | “Developer fatigue has shifted from writing the piece of code to actually reviewing it and putting it before the production. It hasn’t solved anything. It’s just shifting the problem…” | | 51:46 | Subho Halder | “From 1 to 100%, it won’t take time…in the next two to three years we will have AI agents which are actually doing much better than what human pen testers are.” | | 53:10 | Subho Halder | "AI is not going to come and eat your job up. It's like you have to level up to the next higher level, higher order problem." |

Key Timestamps

00:00–04:40: How mobile apps have evolved; security lagging behind.
06:17–13:10: Understanding malicious apps and threats in app stores.
15:27–17:12: Data harvesting business models explained.
17:12–22:16: The dual role of AI: for security and as a threat vector.
22:16–31:10: The challenge of building/measuring user trust; regulatory context.
35:41–39:16: Findings from Appknox’s retail app security report.
39:16–42:04: Appknox’s offerings and approach.
42:04–48:05: Developer burnout and the unintended consequences of rapid AI code generation.
48:05–52:03: The future of penetration testing—humans vs AI.
52:03–55:23: Looking ahead—human roles, zero-days, and Appknox’s innovation roadmap.

Summary Takeaways

Security paradigms must radically adapt for a dynamic AI era where apps are living systems, not static products.
Traditional review and compliance practices are insufficient. Even major app stores are vulnerable to sophisticated, data-harvesting fakes.
AI is revolutionizing both sides: attackers have new low-barrier tools, but defenders can also use AI for scalable threat detection and automated pen-testing.
Trust and transparency are now essential. Regulatory frameworks, company processes, and honest user communication make up the new trust equation.
Developer roles are shifting: AI accelerates some stages but causes burnout in reviewing and understanding opaque, auto-generated code.
Pen-testing and security will be increasingly automated, but humans must focus on higher-order threats and continual learning.

Eye On A.I. – Episode #319: Subho Halder – Why Traditional App Security Fails in the Age of AI

Release Date: February 1, 2026
Host: Craig S. Smith
Guest: Subho Halder, Co-founder & CEO of Appknox

Episode Overview

Key Topics & Insights

1. The New Reality of App Security

Mobile Apps, Trust, and Changing Release Cycles [00:00–04:40]:
- Apps today carry vast amounts of personal info—payment, identity, behavioral data. Release cycles have compressed from months to days.
- Notable Quote:
  “We are moving from securing software as an object to securing software as a living system.” – Subho Halder [05:16]
Legacy Security Models Are Obsolete [02:45–05:55]:
- Old models assumed fixed binaries and predictable logic. AI-powered and rapidly evolving apps break these assumptions.

2. Types of AI-Era Threats and How They Work

Malicious Actors & Fake Apps [06:17–13:10]:
- Malicious AI or “fakes” often mimic trusted brands (ChatGPT, WhatsApp) to steal data or earn ad revenue. Even regulated app stores aren’t immune.
- AI is also a double-edged sword: facilitates both the identification of malicious apps and scale of attacks.
- Notable Quote:
  “At scale…security at scale is where AI kind of wins the race…Unfortunately for humans, at scale you still need time.” – Subho Halder [09:38]
Categories of Fake/Malicious Apps:
- Adware: Benign wrappers to generate revenue through ads.
- Data Farming: Apps gather personal data and sell to brokers, competitors, marketers, even financial institutions.
- Active Malicious/Attack Apps: Function as malware or viruses intending direct harm (e.g., unauthorized payments).
Failure Points in App Store Reviews [11:03–13:57]:
- Fake apps often pass store reviews by appearing benign—using “plausible” justification for permissions and functions.

3. Data Harvesting & The Data Economy

Monetization and Abuse of User Data [15:27–17:12]:
- Personal data is commoditized—sold on the dark web, to brokers, or for targeting ads and financial products.
- Notable Quote:
  “There are three kinds of fake applications…adware, data farming…and those intended to do damage and harm to the user.” – Subho Halder [15:41]

4. The Dual Role of AI in Security

Security for AI & AI for Security [17:12–22:16]:
- Security for AI: Ensuring AI agents in apps don’t overreach, access, or leak unintended data.
- AI for Security: Leveraging AI for defensive practices like automated pen-testing, threat detection.
- The Barrier Shift:
  Attackers don’t need deep expertise—AI can now be “prompt engineered” to find weaknesses for them.
- Notable Quote:
  “Script kiddies…are no more script kiddies…now they are more like a prompt engineer or a security prompt engineer.” – Subho Halder [20:09]

5. Building and Measuring Trust

Transparency is Key [22:16–26:21]:
- Black-box nature of AI erodes user trust. Transparency about data handling is vital.
- Societal shift from implicit trust to explicit—users increasingly want proof rather than promises.
- Notable Quote:
  “Transparency is the key to building trust. If I transparently tell the users, this is how I process your data, this is how the AI processes your data…that’s the initial first step.” – Subho Halder [23:46]
Controls and Consent [26:21–28:53]:
- Users should be given clear choices about what data to share; companies must justify their data requests.
Regulatory and Cultural Factors [31:10–35:41]:
- “Trust is kind of a mix between the law, the government and the company.”
  US companies are more trusted not just for technical or business reasons, but for potential accountability and oversight.

6. Security Flaws in Retail Apps (Case Study)

Findings from Appknox’s Security Report [35:41–39:16]:
- Retail apps, even from major brands, often lack basic secure communications, are vulnerable to man-in-the-middle attacks, and may store sensitive keys insecurely.
- Focus remains on performance/scaling during sales, while basic security is sidelined.
- Notable Quote:
  “Retail applications…are not at the top notch. Secured application. If you compare it with banking application, banking applications has far more security protections.” – Subho Halder [38:49]

7. Appknox: Solutions and Approach

Company Focus & Products [39:16–42:04]:
- Security scanning for mobile apps (their specialty)
- Store monitoring to detect and remove fakes (“Store Knox”)
- AI-driven automated penetration testing (AI “reasoning cycles” for vulnerability discovery)
- Focus is B2B: supporting companies, not end-users.

8. Developer Burnout in the Age of AI

AI Changes the Nature of Developer Work [42:04–48:05]:
- AI speeds up code generation but increases review and comprehension burdens. Developers must now audit and understand code produced by AI—which is often more complex and less transparent than human-produced code.
- Memorable Story:
  Reviewing AI-generated pull requests is more time-intensive, as humans must now “review the reviewer,” sometimes with another AI, leading to “developer fatigue.”
- Notable Quote:
  “Developer fatigue has shifted from writing the piece of code to actually reviewing it and putting it before the production. It hasn’t solved anything. It’s just shifting the problem…” – Subho Halder [46:10]

9. Penetration Testing: Human vs AI

What Is Pen Testing—And The New Frontier [48:05–52:03]:
- Traditional pen-testing relies on human reasoning.
- AI is beginning to automate aspects of pen-testing, leveraging its reasoning cycle.
- Today’s AI pen-testing is at 1% of human capability, but rapid improvements are forecasted.
- Notable Quote:
  “From 1 to 100%, it won’t take time…in the next two to three years we will have AI agents which are actually doing much better than what human pen testers are.” – Subho Halder [51:46]

10. The Path Forward: Humans, AI, and Security

What’s Next for Appknox and Cybersecurity [52:03–55:23]:
- Vision: “Brain of a penetration tester”—AI models that reason about binaries, not just API endpoints.
- AI will commoditize baseline security tasks, freeing humans to tackle higher-order problems like zero-day exploits.
- Trust, process, and transparency—not just tech—will define security and business success in an AI world.
- Notable Quote:
  "AI is not going to come and eat your job up. It's like you have to level up to the next higher level, higher order problem." – Subho Halder [53:10]

Notable Quotes & Memorable Moments

Key Timestamps

00:00–04:40: How mobile apps have evolved; security lagging behind.
06:17–13:10: Understanding malicious apps and threats in app stores.
15:27–17:12: Data harvesting business models explained.
17:12–22:16: The dual role of AI: for security and as a threat vector.
22:16–31:10: The challenge of building/measuring user trust; regulatory context.
35:41–39:16: Findings from Appknox’s retail app security report.
39:16–42:04: Appknox’s offerings and approach.
42:04–48:05: Developer burnout and the unintended consequences of rapid AI code generation.
48:05–52:03: The future of penetration testing—humans vs AI.
52:03–55:23: Looking ahead—human roles, zero-days, and Appknox’s innovation roadmap.

Summary Takeaways

Security paradigms must radically adapt for a dynamic AI era where apps are living systems, not static products.
Traditional review and compliance practices are insufficient. Even major app stores are vulnerable to sophisticated, data-harvesting fakes.
AI is revolutionizing both sides: attackers have new low-barrier tools, but defenders can also use AI for scalable threat detection and automated pen-testing.
Trust and transparency are now essential. Regulatory frameworks, company processes, and honest user communication make up the new trust equation.
Developer roles are shifting: AI accelerates some stages but causes burnout in reviewing and understanding opaque, auto-generated code.
Pen-testing and security will be increasingly automated, but humans must focus on higher-order threats and continual learning.

wavePod

#319 Subho Halder: Why Traditional App Security Fails in the Age of AI

Summary

Eye On A.I. – Episode #319: Subho Halder – Why Traditional App Security Fails in the Age of AI

Episode Overview

Key Topics & Insights

1. The New Reality of App Security

2. Types of AI-Era Threats and How They Work

3. Data Harvesting & The Data Economy

4. The Dual Role of AI in Security

5. Building and Measuring Trust

6. Security Flaws in Retail Apps (Case Study)

7. Appknox: Solutions and Approach

8. Developer Burnout in the Age of AI

9. Penetration Testing: Human vs AI

10. The Path Forward: Humans, AI, and Security

Notable Quotes & Memorable Moments

Key Timestamps

Summary Takeaways

Summary

Eye On A.I. – Episode #319: Subho Halder – Why Traditional App Security Fails in the Age of AI

Episode Overview

Key Topics & Insights

1. The New Reality of App Security

2. Types of AI-Era Threats and How They Work

3. Data Harvesting & The Data Economy

4. The Dual Role of AI in Security

5. Building and Measuring Trust

6. Security Flaws in Retail Apps (Case Study)

7. Appknox: Solutions and Approach

8. Developer Burnout in the Age of AI

9. Penetration Testing: Human vs AI

10. The Path Forward: Humans, AI, and Security

Notable Quotes & Memorable Moments

Key Timestamps

Summary Takeaways