A company by the name of Arxan has been looking into the rapid growth of the mobile app market and has found that the mobile app market is in serious danger. In a recent study that was published on August 20th they found that over 90% of the top 100 mobile applications had been hacked. The study went a little deeper and found that 92% of the top 100 paid apps for Apple have been hacked and that 100% of the top 100 paid apps for Android have been hacked. This has also trickled over into free apps as well, with a staggering number of them hacked for various reasons. The hacked apps were not limited to certain classifications either; they appeared across the spectrum of applications.
What is happening is that mobile apps are not hardened against this type of attack vector. Because the installer files can be saved with the proper tools, attackers have the entire app code. With fairly common and inexpensive tools they can take the app and “reprogram it” to suit their purposes, ranging from a simple removal of DRM to installing more complicated malware. The attacks have become sophisticated enough that many times a simple scan is not enough. The traditional search for vulnerabilities is no longer enough as well. As the source code can be decompiled easily, the attacker does not need to look for an attack vector that pre-exists in the code; they can simply create one on their own.
Unfortunately the mobile world shares another pattern with the PC world: apathy when it comes to spending the money to cover security. The mobile world, like the cloud world that it is tethered to, is a cash cow. Developers, mobile carriers and phone makers can make significant money from the sales of their wares. Apple routinely brags about the number of apps downloaded from its walled garden, so we know the figures are staggering. Apple does have something in place to help though. They have the walled garden, which is supposed to protect the end user against hacked apps or malware. Now we all know that the walled garden is not perfect, that things can slip by, and that they can even be installed after the fact by poisoning the in-app purchase model. However, it is much better than nothing for many users. On the other hand, the number of jailbroken iOS devices is a significant portion of the number of iOS devices on the street. This means that people are often downloading apps that have not received the same level of scrutiny (or arbitrary rejection) that Apple would put them through. This does not mean that jailbreaking automatically means you will get a hacked app or malware. The people that run Cydia and Rock are very diligent about checking the apps, and there are warnings about using repositories that provide pirated apps.
In keeping with Android’s more open nature, getting third party apps is much simpler. All you have to do is click a check box to allow the installation of apps from outside the Play store. You can also grab several “installer” apps that will allow you to install an apk file directly without the need to download anything from the internet. This makes getting pirated apps easier, but also introduces a greater risk.
Although Blackberry and Windows Phone were not listed in the Arxan study, they are not immune. We have seen methods for side loading applications on both using some fairly common tools as well. We expect to see Windows Phone 8 “broken” shortly after the official launch, with multiple developers showing methods to side load apps onto both Windows Phone and Windows RT.
The Arxan study has some advice for mobile app developers and, to a lesser extent, carriers and phone makers. First they warn that the app industry is growing at a staggering rate. They anticipate that app revenue will hit $60 Billion soon and will grow even more in the near future. This makes it an amazing target for hackers as well as an area where there is great potential for loss. This loss is not just in app revenue, but to the reputation of the development company and loss of brand confidence. As an example, think of what would happen if a banking app was compromised at the installer level. Would you trust that bank again if your account was cleaned out due to someone hacking the original app and reseeding it? This might sound outlandish, but consider that only 5-10% of apps contain protections against reverse engineering and it becomes much more alarming.
To put it bluntly, the mobile market HAS to break out the checkbook and start spending money to protect their apps. They need to invest in tools that protect apps from being decompiled, as well as protection that checks for any tampering with the original code (self-defending apps). They need to take the time to see which portions of their apps are most vulnerable and could be used against the end user, and protect each part of the app appropriately. Although there is no such thing as a secure app, code base, OS, browser, etc., companies can make it more difficult to perform simple exploits on their apps as well as make it more complicated to decompile the apps for study. This can make it more costly to the potential hacker and slow the spread of mobile malware. Nothing will ever stop it, but maybe if developers, phone makers and carriers changed their policies and practices now, a serious dent could be put into it.
You can read the Arxan study here