Research reveals widespread mobile app hacking

All of the top 100 paid Android apps and 56% of the top 100 paid Apple iOS apps have been hacked, research has revealed.

Compared with the 2012 research, the proportion of compromised free Android apps has decreased from 80% to 73%, but increased in free iOS apps from 40% to 53%.

The research by security firm Arxan Technologies also revealed widespread app hacking among high-risk apps such as mobile financial apps.

In its second annual State of Security in the App Economy report, Arxan found “cracked” mobile financial apps to be widespread.

Focusing on these apps for the first time, Arxan found that 53% of the Android financial apps it reviewed had been “cracked”, while 23% of the iOS financial apps were hacked variants.

The report said the findings highlight the potential for massive revenue loss, unauthorised access to data, intellectual property (IP) theft, fraud, altered user experience and brand erosion.

As the growth in mobile tech innovation continues, payment use accelerates and transaction volumes increase, mobile app security remains a critical issue, the report said.

“The widespread use of “cracked” apps represents a real and present danger given the explosion of smartphone and tablet use in the workplace and home,” said Arxan CTO Kevin Morgan.

“Not only is IP theft costing software stakeholders millions of dollars every year, but unprotected apps are vulnerable to tampering, either through installed malware or through decompiling and reverse engineering – enabling hackers to analyse code and target core security or business logic that is protecting or enabling access to sensitive corporate data,” he said.   

Morgan said pirated versions of popular software are available on numerous unofficial app stores such as Cydia, app distribution sites, hacker/cracker sites, and file download and torrent sites.

Researchers found that some of the hacked versions have been downloaded more than half a million times, indicating the scale of the problem.

“The challenge for greater mobile application security remains significant,” said Morgan.

He believes core recommendations for improving mobile application security need to be integrated early in the application development lifecycle and made a key component of any mobile-first strategy.

In light of the 2013 analysis, Arxan makes the following recommendations:

• All Android applications that process sensitive information assets must be hardened against binary-level integrity or reverse-engineering attacks before deployment.
• Mobile applications with a high-risk profile (Android, iOS or other mobile platform) must be capable of defending themselves against static or dynamic analysis at runtime and be made tamper-resistant.
• Organisations should complement traditional web security tools and programs with binary code protection for code hosted in a mobile environment.

Arxan notes that recommendations outlined in the 2012 report still need to be widely adopted by application owners, and are outlined below:

• Continue to foster mobile app protection as a strategic initiative.
• Prioritise protections for mobile apps that deal with transactions, payments, sensitive data or have high-value IP.
• Do not assume that web app security strategies are adequate to address the new requirements for mobile app protections.
• Focus on protecting the integrity of mobile apps against tampering/reverse-engineering attacks regardless of platform.
• Reduce technical risk by deploying apps with protections that are built directly into the application binary that will defeat both static and runtime attacks.