Latest news
92% of the top 100 mobile apps have been hacked
Posted on 20 August 2012.
Ninety-two percent of the Top 100 paid Apple iOS apps and 100 percent of Top 100 paid Android apps have been hacked, according to a new report by Arxan Technologies.
They revealed the widespread prevalence of “cracked” mobile apps and the financial impact befalling the multi-billion dollar App Economy due to compromised brands, lost revenues, IP theft, and piracy.
The proliferation of mobile devices has created an app-centric global marketplace, ushering in the App Economy that is driving new business models and revenue streams across all industries. Arxan set out to analyze the extent of malicious mobile app hacking by researching hacked versions of top Apple iOS and Android apps from third-party sites outside of the Apple App Store and Google Play marketplaces.
The sample of 230 top apps included the top 100 paid Apple iOS and top 100 paid Android apps as well as 15 highly popular free apps for iOS and the same 15 free apps for Android.
Key findings reveal:
More than 90% of top 100 paid mobile apps have been hacked: 92% of top paid iOS apps and 100% of top paid Android apps were found to have been hacked.
Free apps are not immune from hackers: 40% of popular free iOS apps and 80 percent of the same Android apps were found to have been hacked.
Hacking is pervasive across all categories of mobile apps: Hacked versions of mobile apps were found across all key industries such as games, business, productivity, financial services, social networking, entertainment, communication, and healthcare.
Mobile apps are subject to many diverse types of hacks and tampering attacks, such as disabled or circumvented security, unlocked or modified features, free pirated copies, ad-removed versions, source code/IP theft, and illegal malware-infested versions.
The Anatomy of an App Hack entails three steps: Define the exploit and attack targets; reverse-engineer the code; and tamper with the code; this process is made easy with widely available free or low-cost hacking tools.
Financial risks from hacking are increasing rapidly: Mobile app hacking is becoming a major economic issue with consumer and enterprise mobile app revenues growing to more than $60 billion by 2016 and mobile payments volume exceeding $1 trillion (based on data from KPMG, ABI Research, and TechNavio).
“We envision a thriving App Economy with freedom and confidence to innovate and distribute new apps. However, this potential is being threatened by hackers, and most enterprises, security teams, and app developers are not prepared for these attacks,” said Jukka Alanen, VP at Arxan.
“The integrity of mobile apps can be easily compromised through new tampering/reverse-engineering attack vectors. The traditional approaches to application security such as secure software development practices and vulnerability scanning cannot address the new hacking patterns that we identified. The findings call for new approaches for mobile app owners to build protections directly inside their apps to withstand these new attacks,” he added.
“As consumer devices such as iPhones and iPads proliferate in the enterprise and among consumers, the number of organizations interested in custom development of mobile applications is steadily on the rise. We've already seen mobile apps take off in the financial sector, with online banking, check cashing, and online trading apps. Security, although a prime driver for custom development, is one of the hardest aspects to get right,” wrote Chenxi Wang, Ph.D., vice president and principal analyst at Forrester Research, Inc., in the June 2011 research report, Building Secure iPhone and iPad Apps.
They revealed the widespread prevalence of “cracked” mobile apps and the financial impact befalling the multi-billion dollar App Economy due to compromised brands, lost revenues, IP theft, and piracy.
The proliferation of mobile devices has created an app-centric global marketplace, ushering in the App Economy that is driving new business models and revenue streams across all industries. Arxan set out to analyze the extent of malicious mobile app hacking by researching hacked versions of top Apple iOS and Android apps from third-party sites outside of the Apple App Store and Google Play marketplaces.
The sample of 230 top apps included the top 100 paid Apple iOS and top 100 paid Android apps as well as 15 highly popular free apps for iOS and the same 15 free apps for Android.
Key findings reveal:
More than 90% of top 100 paid mobile apps have been hacked: 92% of top paid iOS apps and 100% of top paid Android apps were found to have been hacked.
Free apps are not immune from hackers: 40% of popular free iOS apps and 80 percent of the same Android apps were found to have been hacked.
Hacking is pervasive across all categories of mobile apps: Hacked versions of mobile apps were found across all key industries such as games, business, productivity, financial services, social networking, entertainment, communication, and healthcare.
Mobile apps are subject to many diverse types of hacks and tampering attacks, such as disabled or circumvented security, unlocked or modified features, free pirated copies, ad-removed versions, source code/IP theft, and illegal malware-infested versions.
The Anatomy of an App Hack entails three steps: Define the exploit and attack targets; reverse-engineer the code; and tamper with the code; this process is made easy with widely available free or low-cost hacking tools.
Financial risks from hacking are increasing rapidly: Mobile app hacking is becoming a major economic issue with consumer and enterprise mobile app revenues growing to more than $60 billion by 2016 and mobile payments volume exceeding $1 trillion (based on data from KPMG, ABI Research, and TechNavio).
“We envision a thriving App Economy with freedom and confidence to innovate and distribute new apps. However, this potential is being threatened by hackers, and most enterprises, security teams, and app developers are not prepared for these attacks,” said Jukka Alanen, VP at Arxan.
“The integrity of mobile apps can be easily compromised through new tampering/reverse-engineering attack vectors. The traditional approaches to application security such as secure software development practices and vulnerability scanning cannot address the new hacking patterns that we identified. The findings call for new approaches for mobile app owners to build protections directly inside their apps to withstand these new attacks,” he added.
“As consumer devices such as iPhones and iPads proliferate in the enterprise and among consumers, the number of organizations interested in custom development of mobile applications is steadily on the rise. We've already seen mobile apps take off in the financial sector, with online banking, check cashing, and online trading apps. Security, although a prime driver for custom development, is one of the hardest aspects to get right,” wrote Chenxi Wang, Ph.D., vice president and principal analyst at Forrester Research, Inc., in the June 2011 research report, Building Secure iPhone and iPad Apps.
Spotlight
Experts highlight top data breach vulnerabilities
Posted on 22 May 2013. | Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
