November 18, 2014 By Douglas Bonderud 2 min read

This article was updated on 11.21.14

Got apps? Chances are, one of them is a malware-laden clone. According to the “State of Mobile Apps Security” report from Arxan Technologies, mobile applications are anything but safe. Popular apps for both iOS and Android devices have been hacked, replicated and then listed for download on app stores — and the problem is expected to worsen as app downloads increase and HTML5 use rises.

‘Free’ Market?

The market for free apps is huge. According to Security Week, the number of free apps downloaded is exploding. In 2014, 127 billion no-cost mobile apps were downloaded, and in just three years, that number is expected to reach 253 billion. Paid apps are also predicted to see an increase — from 11 billion this year to 14 billion in 2017 — with the majority of both app types coming from the Google Play store.

When it comes to app security, however, the numbers tell a different story. Of the top 100 free apps on Apple iTunes and the Google Play store, 75 percent of iOS apps and 80 percent of Android apps have been hacked. And paid app hacks are even worse. Out of the most popular 100, 87 percent of all Apple-based apps have been hacked and repackaged, while a whopping 97 percent of for-pay Android apps have been compromised.

Risky Business in Mobile Apps Security

However, iOS- and Android-native apps can’t last forever, right? Some see the rise of platform-neutral HTML5 coding as the best way to combat these threats and deliver a unified user experience that is exempt from common security concerns. But according to a recent IT World article, even HTML5 may not be enough. While research firm Gartner predicts that more than 50 percent of all apps will use HTML5 by 2016, a team from Syracuse University has discovered a flaw in the code’s middleware. This flaw puts it at risk for injection attacks that stem from JavaScript calls made in a mobile device’s native language. For example, this flaw could be used to access speakers or cameras. Because mobile users are more likely to grant broad permissions (location, contact lists, etc.) to “trusted” apps on their device, it won’t take much for code to be injected and run to compromise a smartphone or tablet.

Boundary Building

Is there any hope for mobile apps? Arxan thinks so, arguing for enhanced protection of payment apps and mobile wallets with app hardening and secure cryptography. To slow the spread of repackaged apps, the company hopes to convince developers they should build in tamper-resistant features and run-time threat detection to catch the kind of code injections noted above. Jonathan Carter, technical director at Arxan, describes the war on hacked apps as a “dynamic battlefield” because with every new app, there’s a cybercriminal waiting to clone, sell or corrupt it.

When it comes to mobile apps security, both free and for-pay apps are at risk. Even new HTML5 code isn’t off the hook since code injection is a real possibility at the middleware layer. For businesses already adjusting to the transition from a desktop-based workforce to one that relies on personal mobile devices, these findings are daunting. Ultimately, app safety is a two-pronged approach. Developers must put run-time application self-protection ahead of all other defense, and users must be diligent: Never give an app permission it doesn’t absolutely need.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today