Ninety-two percent of the Top 100 paid Apple iOS apps and 100% of Top 100 paid Android apps have been hacked, according to a new research report “State of Security in the App Economy: Mobile Apps Under Attack.” The report, which reveals the widespread prevalence of “cracked” mobile apps and the financial impact befalling the multi-billion dollar app economy due to compromised brands, lost revenues, intellectual property theft and piracy, was released by Arxan Technologies.
Arxan identified and reviewed hacked versions of top Apple iOS and Android apps from third-party sites outside of official Apple and Google app stores. The review of paid apps was based on the Top 100 iPhone paid app list from Apple App Store and the Top 100 Android paid app list from Google Play.
The review of free apps was based on 15 highly popular free apps for Apple iOS and the same 15 free apps for Android. The sample included 230 apps.
In an unregulated BYOD environment, how users can reach these hacked versions from third-party sites depends on their device. On Android devices, a single setting controls whether the device accepts apps from any source or app market, not just Google Play. On Apple iOS devices it is more difficult, but still possible: installing apps from outside the Apple App Store requires users to first jailbreak (root) their device, which can be done with simple automated tools; the user can then install third-party app store apps directly on the device or download apps from any website.
Accessing apps from third-party sites has become increasingly common; for instance, it was found that some of the hacked versions have been downloaded over half a million times from unofficial sites.
It is very important to understand that users do not need to download apps from third-party sites to suffer from hacking attacks. Intellectual property and decompiled source code can be stolen without the hacker republishing the app on third-party sites. Furthermore, hackers can republish hacked apps on official app stores (e.g., under a different app name). Finally, merely the known existence of a hacked and tampered version can damage the app owner’s brand and customers’ trust, even if few users download the hacked version.
Key findings of the report reveal:
• 40% of popular free iOS apps and 80% of the same Android apps were found to have been hacked.
• Hacked versions of mobile apps were found across all key industries, such as games, business, productivity, financial services, social networking, entertainment, communication and healthcare.
• Mobile apps are subject to many diverse types of hacks and tampering attacks, such as disabled or circumvented security, unlocked or modified features, free pirated copies, ad-removed versions, source code/IP theft and illegal malware-infested versions.
• Mobile app hacking is becoming a major economic issue, with consumer and enterprise mobile app revenues growing to more than $60 billion by 2016 and mobile payments volume exceeding $1 trillion (based on data from KPMG, ABI Research, and TechNavio).
“We envision a thriving app economy with freedom and confidence to innovate and distribute new apps. However, this potential is being threatened by hackers, and most enterprises, security teams and app developers are not prepared for these attacks,” said Jukka Alanen, vice president at Arxan and the lead author of the new study. “The integrity of mobile apps can be easily compromised through new tampering and reverse-engineering attack vectors. The traditional approaches to application security, such as secure software development practices and vulnerability scanning, cannot address the new hacking patterns that we identified. The findings call for new approaches for mobile app owners to build protections directly inside their apps to withstand these new attacks.”
The report also offers a look into the tactics employed by hackers, enabling application developers and security teams to better understand the methods that threaten the emerging app economy. The report suggests organizations leverage mobile app protection so they can freely innovate and distribute high-value and sensitive mobile apps with confidence.
Specific recommendations include:
• Make mobile app protection a strategic priority, reflecting its new criticality to address hacking attacks and the growing value at stake.
• Be especially diligent about protecting mobile apps that deal with transactions, payments, sensitive data, or that have high-value IP (e.g., financial services, commerce, digital media, gaming, healthcare, government, corporate apps).
• Do not assume that web app security strategies are adequate to address the new requirements for mobile app protection.
• Focus app security initiatives on protecting the integrity of mobile apps against tampering and reverse-engineering attacks, in addition to traditional approaches to avoiding vulnerabilities.
• Build protections directly into the app — harden the code against reverse-engineering and make the app tamper-proof and self-defending — to counter how hackers attack an app.