This article was updated on 11.21.14

Got apps? Chances are, one of them is a malware-laden clone. According to the “State of Mobile Apps Security” report from Arxan Technologies, mobile applications are anything but safe. Popular apps for both iOS and Android devices have been hacked, replicated and then listed for download on app stores — and the problem is expected to worsen as app downloads increase and HTML5 use rises.

‘Free’ Market?

The market for free apps is huge. According to Security Week, the number of free apps downloaded is exploding. In 2014, 127 billion no-cost mobile apps were downloaded, and in just three years, that number is expected to reach 253 billion. Paid apps are also predicted to see an increase — from 11 billion this year to 14 billion in 2017 — with the majority of both app types coming from the Google Play store.

When it comes to app security, however, the numbers tell a different story. Of the top 100 free apps on Apple iTunes and the Google Play store, 75 percent of iOS apps and 80 percent of Android apps have been hacked. And paid app hacks are even worse. Out of the most popular 100, 87 percent of all Apple-based apps have been hacked and repackaged, while a whopping 97 percent of for-pay Android apps have been compromised.

Risky Business in Mobile Apps Security

However, iOS- and Android-native apps can’t last forever, right? Some see the rise of platform-neutral HTML5 coding as the best way to combat these threats and deliver a unified user experience that is exempt from common security concerns. But according to a recent IT World article, even HTML5 may not be enough. While research firm Gartner predicts that more than 50 percent of all apps will use HTML5 by 2016, a team from Syracuse University has discovered a flaw in the code’s middleware. This flaw puts it at risk for injection attacks that stem from JavaScript calls made in a mobile device’s native language. For example, this flaw could be used to access speakers or cameras. Because mobile users are more likely to grant broad permissions (location, contact lists, etc.) to “trusted” apps on their device, it won’t take much for code to be injected and run to compromise a smartphone or tablet.

Boundary Building

Is there any hope for mobile apps? Arxan thinks so, arguing for enhanced protection of payment apps and mobile wallets with app hardening and secure cryptography. To slow the spread of repackaged apps, the company hopes to convince developers they should build in tamper-resistant features and run-time threat detection to catch the kind of code injections noted above. Jonathan Carter, technical director at Arxan, describes the war on hacked apps as a “dynamic battlefield” because with every new app, there’s a cybercriminal waiting to clone, sell or corrupt it.

When it comes to mobile apps security, both free and for-pay apps are at risk. Even new HTML5 code isn’t off the hook since code injection is a real possibility at the middleware layer. For businesses already adjusting to the transition from a desktop-based workforce to one that relies on personal mobile devices, these findings are daunting. Ultimately, app safety is a two-pronged approach. Developers must put run-time application self-protection ahead of all other defense, and users must be diligent: Never give an app permission it doesn’t absolutely need.

More from

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging.We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically.For this reason, 75% of organizations seek to…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…