8/21/2012
05:49 PM

Most Paid Apple iOS, Google Android Apps Have Been Hacked

New study finds that less than 5 percent of popular mobile apps use professional-grade defenses

Bad actors are hacking and repackaging the most popular paid and free apps for Apple iOS and Google Android devices, a new study finds.

Ninety-two percent of the top 100 paid Apple iOS apps and 100 percent of top 100 paid Android apps have been hacked, says Arxan Technologies in its new report, "State of Security in the App Economy: Mobile Apps Under Attack." The report is based on the study of 230 top apps, both paid and free, for Apple's iOS and Google's Android devices.

Not surprisingly, free apps are also at the mercy of these attackers, with 40 percent of free iOS apps having been hacked, and 80 percent of free Android apps in the same boat.

"We wanted to provide a new, fact-based perspective on the hacking threats that app owners/providers face after releasing their app," says Jukka Alanen, vice president of Arxan. So the report looks at the issues from the developer's perspective rather than the end user's, he says.

How are cybercriminals abusing these mobile apps? By disabling or bypassing security features, unlocking or changing features, selling pirated versions, stealing source code, and spreading malware-infected versions of them, the report says. Gaming, business, productivity, financial services, social networking, entertainment, communication, and healthcare apps are all being targeted.

"So, while piracy is common, there's a wide variety of hacking attack types that we found. All of these attacks can cause significant damage to the application vendor/owner," Alanen says.

Arxan studied hacked versions of mobile apps found on third-party sites outside of Apple App Store and Google Play, such as Cydia, third-party mobile app distribution sites, hacker/cracker sites, and others. "We did not review whether the original applications in Apple App Store or Google Play were already compromised in some way, but know anecdotally that some of the malware found in official app markets has been based on repackaged versions of other pre-existing applications redistributed with malware," Alanen says.

The attackers typically reverse-engineer the app's code and then retool it for their own purposes. "This process is made easy with widely available free or low-cost hacking tools," the Arxan report says.

App developers are expected to soon take a hit financially, as well, in the wake of this activity, the report says. Mobile app revenues are expected to hit more than $60 billion by 2016, and the volume of mobile payments to hit $1 trillion, according to data from KPMG, ABI Research, and TechNavio.

And yet fewer than 5 percent of popular mobile apps use what Arxan calls "professional-grade" defenses, such as multiple layers of protection, for tamper-resistance.

The study found that some hacked versions of these popular apps had been downloaded more than 500,000 times from these unofficial third-party sites, so users aren't just getting their apps from authorized Apple and Google app stores.

Even so, it's not just those unofficial third-party sites that are dangerous. "It is very important to understand that users do not need to download apps from third-party sites for app owners to suffer from hacking attacks. Intellectual Property (IP) and decompiled source code can be stolen without the hacker republishing the app on third-party sites," according to Arxan's report. "Furthermore, hackers can republish hacked apps on official app stores (e.g., under a different app name). Finally, merely the known existence of a hacked and tampered version can damage the app owner's brand and customers' trust, even if few users download the hacked version."

Arxan won't name names of the hacked apps, however. "Arxan's intention is not to call out any specific app maker or developer for potential security flaws. Rather, we're trying to educate all of the key stakeholders in the broader App Economy about the potential dangers that are out there, as well as some best practices to begin to address this issue," Alanen says.

The full report from Arxan is available for download here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
