November 18, 2014 By Douglas Bonderud 2 min read

This article was updated on 11.21.14

Got apps? Chances are, one of them is a malware-laden clone. According to the “State of Mobile Apps Security” report from Arxan Technologies, mobile applications are anything but safe. Popular apps for both iOS and Android devices have been hacked, replicated and then listed for download on app stores — and the problem is expected to worsen as app downloads increase and HTML5 use rises.

‘Free’ Market?

The market for free apps is huge. According to Security Week, the number of free apps downloaded is exploding. In 2014, 127 billion no-cost mobile apps were downloaded, and in just three years, that number is expected to reach 253 billion. Paid apps are also predicted to see an increase — from 11 billion this year to 14 billion in 2017 — with the majority of both app types coming from the Google Play store.

When it comes to app security, however, the numbers tell a different story. Of the top 100 free apps on Apple iTunes and the Google Play store, 75 percent of iOS apps and 80 percent of Android apps have been hacked. And paid app hacks are even worse. Out of the most popular 100, 87 percent of all Apple-based apps have been hacked and repackaged, while a whopping 97 percent of for-pay Android apps have been compromised.

Risky Business in Mobile Apps Security

However, iOS- and Android-native apps can’t last forever, right? Some see the rise of platform-neutral HTML5 coding as the best way to combat these threats and deliver a unified user experience that is exempt from common security concerns. But according to a recent IT World article, even HTML5 may not be enough. While research firm Gartner predicts that more than 50 percent of all apps will use HTML5 by 2016, a team from Syracuse University has discovered a flaw in the code’s middleware. This flaw puts it at risk for injection attacks that stem from JavaScript calls made in a mobile device’s native language. For example, this flaw could be used to access speakers or cameras. Because mobile users are more likely to grant broad permissions (location, contact lists, etc.) to “trusted” apps on their device, it won’t take much for code to be injected and run to compromise a smartphone or tablet.

Boundary Building

Is there any hope for mobile apps? Arxan thinks so, arguing for enhanced protection of payment apps and mobile wallets with app hardening and secure cryptography. To slow the spread of repackaged apps, the company hopes to convince developers they should build in tamper-resistant features and run-time threat detection to catch the kind of code injections noted above. Jonathan Carter, technical director at Arxan, describes the war on hacked apps as a “dynamic battlefield” because with every new app, there’s a cybercriminal waiting to clone, sell or corrupt it.

When it comes to mobile apps security, both free and for-pay apps are at risk. Even new HTML5 code isn’t off the hook since code injection is a real possibility at the middleware layer. For businesses already adjusting to the transition from a desktop-based workforce to one that relies on personal mobile devices, these findings are daunting. Ultimately, app safety is a two-pronged approach. Developers must put run-time application self-protection ahead of all other defense, and users must be diligent: Never give an app permission it doesn’t absolutely need.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today