This article was updated on 11.21.14

Got apps? Chances are, one of them is a malware-laden clone. According to the “State of Mobile Apps Security” report from Arxan Technologies, mobile applications are anything but safe. Popular apps for both iOS and Android devices have been hacked, replicated and then listed for download on app stores — and the problem is expected to worsen as app downloads increase and HTML5 use rises.

‘Free’ Market?

The market for free apps is huge. According to Security Week, the number of free apps downloaded is exploding. In 2014, 127 billion no-cost mobile apps were downloaded, and in just three years, that number is expected to reach 253 billion. Paid apps are also predicted to see an increase — from 11 billion this year to 14 billion in 2017 — with the majority of both app types coming from the Google Play store.

When it comes to app security, however, the numbers tell a different story. Of the top 100 free apps on Apple iTunes and the Google Play store, 75 percent of iOS apps and 80 percent of Android apps have been hacked. And paid app hacks are even worse. Out of the most popular 100, 87 percent of all Apple-based apps have been hacked and repackaged, while a whopping 97 percent of for-pay Android apps have been compromised.

Risky Business in Mobile Apps Security

However, iOS- and Android-native apps can’t last forever, right? Some see the rise of platform-neutral HTML5 coding as the best way to combat these threats and deliver a unified user experience that is exempt from common security concerns. But according to a recent IT World article, even HTML5 may not be enough. While research firm Gartner predicts that more than 50 percent of all apps will use HTML5 by 2016, a team from Syracuse University has discovered a flaw in the code’s middleware. This flaw puts it at risk for injection attacks that stem from JavaScript calls made in a mobile device’s native language. For example, this flaw could be used to access speakers or cameras. Because mobile users are more likely to grant broad permissions (location, contact lists, etc.) to “trusted” apps on their device, it won’t take much for code to be injected and run to compromise a smartphone or tablet.

Boundary Building

Is there any hope for mobile apps? Arxan thinks so, arguing for enhanced protection of payment apps and mobile wallets with app hardening and secure cryptography. To slow the spread of repackaged apps, the company hopes to convince developers they should build in tamper-resistant features and run-time threat detection to catch the kind of code injections noted above. Jonathan Carter, technical director at Arxan, describes the war on hacked apps as a “dynamic battlefield” because with every new app, there’s a cybercriminal waiting to clone, sell or corrupt it.

When it comes to mobile apps security, both free and for-pay apps are at risk. Even new HTML5 code isn’t off the hook since code injection is a real possibility at the middleware layer. For businesses already adjusting to the transition from a desktop-based workforce to one that relies on personal mobile devices, these findings are daunting. Ultimately, app safety is a two-pronged approach. Developers must put run-time application self-protection ahead of all other defense, and users must be diligent: Never give an app permission it doesn’t absolutely need.