India’s explosive shift to an app-first economy has fundamentally redrawn the cybersecurity battlefield. As UPI processes billions of transactions and super-apps become digital lifelines for hundreds of millions, the mobile application has quietly become the most consequential — and most vulnerable — frontier in enterprise security.

Head Global Delivery & Solution Engineering, Protectt.ai
In this conversation, Nitin Talwar, a seasoned voice in mobile security strategy, unpacks how adversaries have evolved from targeting network perimeters to infiltrating the app runtime itself. From AI-powered fraud campaigns and RAT-enabled MFA bypasses to the inadequacy of legacy models in real-time payment environments, Talwar offers a clear-eyed diagnosis of today’s threat landscape — and a compelling vision for what genuinely resilient mobile security must look like in 2026 and beyond.
CISO Forum: How is the mobile app layer emerging as the primary attack surface in India’s app-first economy?
Nitin Talwar: India’s digital transformation has transitioned from web-centric to mobile-based, making mobile apps the primary target for adversaries. For instance, with UPI’s massive user base, mobile devices are now digital vaults. Thus, attackers have shifted focus from network perimeters to the app’s runtime environment.
Fragmentation across Android versions and the proliferation of “super-apps” create expansive vulnerabilities. We are witnessing sophisticated malware targeting API endpoints and exploiting local storage. In this app-first economy, the mobile application is no longer just a gateway; it is the perimeter itself, demanding a fundamental shift toward mobile app security.
CISO Forum: What new forms of fraud are you seeing inside apps that traditional cybersecurity tools fail to detect?
Nitin Talwar: Traditional tools struggle against “invisible” threats like sophisticated screen overlays. Modern fraudsters use Remote Access Trojans (RATs) to bypass multi-factor authentication by mirroring screens in real time. We also see attacks in which malicious or repackaged apps intercept sensitive data at runtime before it is securely transmitted.
Furthermore, synthetic identity fraud (augmented by generative AI) is increasingly challenging traditional KYC systems by creating accounts that appear legitimate. These threats operate within the “trusted” app environment, rendering perimeter defenses insufficient. Detecting these requires deep visibility into the app’s execution state and real-time monitoring of system-level interactions that traditional tools do not often observe.
CISO Forum: How is AI changing the scale, speed, and sophistication of fraud in mobile ecosystems?
Nitin Talwar: AI has industrialized fraud, moving it from manual operations to hyper-automated, high-velocity campaigns. Generative AI now crafts highly personalized smishing and vishing attacks that can bypass human skepticism at scale. In mobile ecosystems, AI is increasingly used to accelerate vulnerability discovery, reverse-engineer app logic, and optimize exploit strategies.
We are also seeing AI-driven bots that mimic human-like swiping and typing behaviors to evade behavioral detection systems. This evolution enables fraudsters to execute account takeovers and fraudulent transactions at machine-scale speeds, forcing a transition from reactive security measures to AI-driven, real-time predictive defense mechanisms.
CISO Forum: Why are legacy security models inadequate for securing UPI and real-time digital payment journeys?
Nitin Talwar: Legacy security models were designed for session-based, delayed-settlement environments, not the sub-second finality of UPI. Traditional firewalls and IP-based filtering cannot verify the integrity of the device or the user’s intent in real time. In UPI ecosystems, the threat moves faster than the “detect-and-respond” cycle of legacy systems.
These older models lack granular device-binding intelligence and cannot detect if an app is running in a compromised environment, such as an emulator or a rooted device. To secure real-time payments, security must be decentralized and embedded within the transaction flow to enable instant risk scoring.
CISO Forum: What role does behavioral intelligence play in detecting fraud before a transaction is executed?
Nitin Talwar: Behavioral intelligence is the layer of “passive biometrics” that analyzes how a user interacts with their device. By monitoring typing cadence, swipe patterns, and navigation behavior, we can establish a unique “digital DNA.”
If a fraudster attempts a transaction, even with valid credentials, their interaction patterns, such as inconsistent navigation or non-human-like input, can trigger anomalies. This allows enterprises to intercept fraud at the “intent” stage, before any capital leaves the account. In 2026, this is critical for distinguishing between legitimate users under duress and automated or scripted interactions, providing a seamless yet rigorous security layer.
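As an added example (not code from the interview or from Protectt.ai), the following combines the device-posture checks from the previous answer with the behavioral anomalies described in this one into a risk score computed before the transaction executes; the signal names, weights, thresholds and expected navigation flow are all assumptions.

```python
# Added example: pre-transaction risk scoring from device posture and behavior.
# All weights, thresholds and signal names are illustrative assumptions.
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class DevicePosture:
    rooted: bool = False             # su binary or unlocked bootloader detected
    emulator: bool = False           # virtualized device fingerprint
    debugger_attached: bool = False  # live debugger on the app process
    hooking_framework: bool = False  # runtime instrumentation present
    screen_shared: bool = False      # another app is capturing the display
    bound_device: bool = True        # device identity matches the account binding

@dataclass
class Interaction:
    keystroke_intervals_ms: list     # constructed timings between keypresses
    screens_visited: list            # navigation path in this session

EXPECTED_FLOW = ["home", "pay", "amount", "confirm"]  # hypothetical payment flow

def timing_regularity(intervals):
    """Coefficient of variation of inter-key timings; near zero means machine-like input."""
    if len(intervals) < 4:
        return None
    m = mean(intervals)
    return pstdev(intervals) / m if m > 0 else 0.0

def risk_score(posture, interaction):
    """Return (score, reasons) for one payment request."""
    score, reasons = 0, []
    checks = [
        (posture.rooted, 30, "rooted_device"),
        (posture.emulator, 40, "emulator"),
        (posture.debugger_attached, 40, "debugger"),
        (posture.hooking_framework, 50, "hooking_framework"),
        (posture.screen_shared, 60, "screen_sharing"),  # RAT-style mirroring
        (not posture.bound_device, 50, "unbound_device"),
    ]
    for flagged, weight, reason in checks:
        if flagged:
            score += weight
            reasons.append(reason)
    cv = timing_regularity(interaction.keystroke_intervals_ms)
    if cv is not None and cv < 0.10:
        score += 40
        reasons.append("scripted_input")
    # Skipping screens a person must tap through suggests automation.
    if [s for s in interaction.screens_visited if s in EXPECTED_FLOW] != EXPECTED_FLOW:
        score += 25
        reasons.append("abnormal_navigation")
    return score, reasons

def decision(score):
    """Map the score to an action taken before any funds move."""
    return "block" if score >= 80 else "step_up" if score >= 40 else "allow"
```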
CISO Forum: How can enterprises embed security directly into apps without compromising user experience?
Nitin Talwar: Enterprises must move away from “bolted-on” security toward a “built-in” philosophy. By integrating Runtime Application Self-Protection (RASP) during the CI/CD pipeline, security becomes an intrinsic part of the app architecture. This allows the application to detect and respond to threats such as debugging, hooking, or screen-sharing attempts autonomously, without requiring user intervention or adding latency.
Furthermore, using “invisible MFA”, such as device fingerprinting and behavioral signals, reduces reliance on traditional OTP-based flows. Silent Mobile Verification (SMV) is also gaining traction. The goal is to create a “zero-friction, zero-trust” environment where security decisions are informed by a combination of on-device signals and backend intelligence, ensuring both performance and resilience.
CISO Forum: What will the next generation of mobile app security look like in an AI-driven, real-time threat landscape?
Nitin Talwar: The next generation of security will be characterized by adaptive, self-defending applications that leverage on-device and cloud intelligence to respond to emerging threats in real time. We are moving toward a Zero-Trust framework, where trust is never assumed and is continuously verified through multi-modal signals.
Security will become increasingly context-aware, adjusting its intensity based on user behavior, device posture, and environmental risk. We will also see greater adoption of AI-driven threat detection and automated response mechanisms that anticipate and mitigate attacks earlier in the lifecycle. Ultimately, mobile security will evolve from a static barrier to a dynamic, intelligent system that protects the entire digital ecosystem.
