Averaged across iOS and Android, 96% of the top 100 paid mobile apps have been hacked, a study has revealed.
The study looked at 230 top apps from third-party sites outside of the Apple App Store and Google Play marketplaces, including the top 100 paid apps on Android and iOS.
Among the paid apps, the study found 92% of the iOS apps had been hacked, compared with 100% on the Google Android platform.
However, only 40% of the popular free iOS apps had been hacked, rising to 80% for free apps on the Android platform.
The study found that business, financial services and productivity apps were among those most affected, with hacking activities ranging from disabling security to unlocking and modifying app features.
Hackers also resorted to code and IP theft, and distributing illegal malware-infested versions of apps.
Developers need to harden their code against reverse engineering and make their apps tamper-proof and self-defending, said Arxan, the application security company that conducted the study.
"A thriving app economy is under threat from hackers, and most enterprises, security teams and app developers are not prepared," said Jukka Alanen, vice-president at Arxan and the lead author of the new study.
"The integrity of mobile apps can be easily compromised through new tampering/reverse engineering attack vectors," he said.
According to Alanen, the traditional approaches to application security, such as secure software development practices and vulnerability scanning, cannot address the new hacking patterns identified by the study.
"The findings call for new approaches for mobile app owners to build protections directly inside their apps to withstand these new attacks," he said.
The report recommends that app owners:
- Make mobile app protection a strategic priority, reflecting its new criticality to address hacking attacks and the growing value at stake;
- Be especially diligent about protecting mobile apps that deal with transactions, payments, sensitive data, or have high-value IP (e.g. financial services, commerce, digital media, gaming, healthcare, government, corporate apps);
- Do not assume that web app security strategies are adequate to address the new requirements for mobile app protection;
- Focus app security initiatives on protecting the integrity of mobile apps against tampering/reverse-engineering attacks, in addition to traditional approaches to avoiding vulnerabilities;
- Build protection directly into the app – harden the code against reverse-engineering, and make the app tamper-proof and self-defending – to counter how hackers attack an app.
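The last two recommendations, building integrity protection directly into the app so that tampering is detected at runtime, are easier to picture with a concrete check. The following is an added illustration, not code from the article or from Arxan: it models an app package as a constructed dictionary of file names and bytes (`classes.dex`, `lib/libnative.so`, `assets/config.json` are assumed sample names), records a per-file SHA-256 manifest at build time, embeds one digest over that manifest, and at startup verifies both. The two-level design means an attacker who edits a file and "fixes" its manifest entry still trips the manifest digest.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample "app bundle": file name -> contents. In a real app these
# would be the compiled code, native libraries and assets read from disk.
SAMPLE_BUNDLE: Dict[str, bytes] = {
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    "lib/libnative.so": b"\x7fELF" + b"\x01" * 128,
    "assets/config.json": b'{"premium_features": false, "license_check": true}',
}


def build_manifest(bundle: Dict[str, bytes]) -> Dict[str, str]:
    """Build-time step: record the SHA-256 hex digest of every file in the bundle."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in bundle.items()}


def manifest_digest(manifest: Dict[str, str]) -> str:
    """One digest over the whole manifest; this value is what the app embeds.

    On a real device it should live inside the code-signed binary so that the
    platform's signature check protects it as well.
    """
    h = hashlib.sha256()
    for name in sorted(manifest):
        h.update(name.encode() + b"\x00" + manifest[name].encode() + b"\n")
    return h.hexdigest()


def verify_bundle(bundle: Dict[str, bytes], manifest: Dict[str, str],
                  expected_digest: str) -> List[str]:
    """Runtime self-check. Returns a list of findings; an empty list means intact."""
    problems: List[str] = []
    # Level 1: the manifest itself must match the digest embedded at build time.
    if not hmac.compare_digest(manifest_digest(manifest), expected_digest):
        problems.append("manifest digest mismatch")
    # Level 2: every file must match its recorded hash; extra or missing files count too.
    for name in sorted(set(bundle) | set(manifest)):
        if name not in manifest:
            problems.append(f"unexpected file: {name}")
        elif name not in bundle:
            problems.append(f"missing file: {name}")
        elif not hmac.compare_digest(hashlib.sha256(bundle[name]).hexdigest(), manifest[name]):
            problems.append(f"modified file: {name}")
    return problems


def feature_unlock_tamper(bundle: Dict[str, bytes]) -> Dict[str, bytes]:
    """Constructed tampering scenario: a config flag flipped to unlock paid features."""
    tampered = dict(bundle)
    tampered["assets/config.json"] = tampered["assets/config.json"].replace(
        b'"premium_features": false', b'"premium_features": true')
    return tampered


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Run the check against the intact bundle and two tampered variants."""
    manifest = build_manifest(SAMPLE_BUNDLE)          # produced at build time
    embedded_digest = manifest_digest(manifest)       # compiled into the app
    intact = verify_bundle(SAMPLE_BUNDLE, manifest, embedded_digest)
    # Variant A: file edited, manifest left alone -> per-file check fires.
    edited = feature_unlock_tamper(SAMPLE_BUNDLE)
    file_only = verify_bundle(edited, manifest, embedded_digest)
    # Variant B: file edited and its manifest entry "repaired" -> digest check fires.
    patched_manifest = build_manifest(edited)
    both = verify_bundle(edited, patched_manifest, embedded_digest)
    return intact, file_only, both


if __name__ == "__main__":
    for label, result in zip(("intact", "file edited", "file+manifest edited"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The check is deliberately small so the layering is visible. In a shipped app it would be one of several overlapping checks placed in different code paths, because a single verification routine is itself a target for the reverse-engineering the article describes; that is the practical meaning of "self-defending" in the report's last recommendation.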