This article was updated on 11.21.14

Got apps? Chances are, one of them is a malware-laden clone. According to the “State of Mobile Apps Security” report from Arxan Technologies, mobile applications are anything but safe. Popular apps for both iOS and Android devices have been hacked, replicated and then listed for download on app stores — and the problem is expected to worsen as app downloads increase and HTML5 use rises.

‘Free’ Market?

The market for free apps is huge. According to Security Week, the number of free apps downloaded is exploding. In 2014, 127 billion no-cost mobile apps were downloaded, and in just three years, that number is expected to reach 253 billion. Paid apps are also predicted to see an increase — from 11 billion this year to 14 billion in 2017 — with the majority of both app types coming from the Google Play store.

When it comes to app security, however, the numbers tell a different story. Of the top 100 free apps on Apple iTunes and the Google Play store, 75 percent of iOS apps and 80 percent of Android apps have been hacked. And paid app hacks are even worse. Out of the most popular 100, 87 percent of all Apple-based apps have been hacked and repackaged, while a whopping 97 percent of for-pay Android apps have been compromised.

Risky Business in Mobile Apps Security

However, iOS- and Android-native apps can’t last forever, right? Some see the rise of platform-neutral HTML5 coding as the best way to combat these threats and deliver a unified user experience that is exempt from common security concerns. But according to a recent IT World article, even HTML5 may not be enough. While research firm Gartner predicts that more than 50 percent of all apps will use HTML5 by 2016, a team from Syracuse University has discovered a flaw in the code’s middleware. This flaw puts it at risk for injection attacks that stem from JavaScript calls made in a mobile device’s native language. For example, this flaw could be used to access speakers or cameras. Because mobile users are more likely to grant broad permissions (location, contact lists, etc.) to “trusted” apps on their device, it won’t take much for code to be injected and run to compromise a smartphone or tablet.

Boundary Building

Is there any hope for mobile apps? Arxan thinks so, arguing for enhanced protection of payment apps and mobile wallets with app hardening and secure cryptography. To slow the spread of repackaged apps, the company hopes to convince developers they should build in tamper-resistant features and run-time threat detection to catch the kind of code injections noted above. Jonathan Carter, technical director at Arxan, describes the war on hacked apps as a “dynamic battlefield” because with every new app, there’s a cybercriminal waiting to clone, sell or corrupt it.

When it comes to mobile apps security, both free and for-pay apps are at risk. Even new HTML5 code isn’t off the hook since code injection is a real possibility at the middleware layer. For businesses already adjusting to the transition from a desktop-based workforce to one that relies on personal mobile devices, these findings are daunting. Ultimately, app safety is a two-pronged approach. Developers must put run-time application self-protection ahead of all other defense, and users must be diligent: Never give an app permission it doesn’t absolutely need.

More from

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…