December 12, 2014 By Patrick Kehoe 3 min read

Recently, more and more hacking activities have been associated with mobile applications, and the trend is expected to continue. When considering exploits such as WireLurker, Masque and other recent attacks, both iOS and Android apps are falling prey to hacks and being exploited for malicious gain. Given this, the findings and recommendations from the “State of Mobile App Security” report from Arxan, an IBM Application Security partner, are important for your security team to understand and incorporate into your daily mobile application security activities.

So how protected are your mobile applications?

Mobile Apps as Hacking Targets

The findings from the report clearly illustrate that unprotected mobile applications are vulnerable to reverse-engineering, repackaging and republishing, and are even susceptible to becoming malicious weapons. Most applications are actually not well protected. For example, the analysis revealed that the following had been hacked:

  • 97 percent of top paid Android applications;
  • 87 percent of top paid iOS applications;
  • 80 percent of the most popular free Android applications;
  • 75 percent of the most popular free iOS applications.

The research also revealed that hacks are occurring on applications across industry verticals. In the financial services sector, hacking and/or malware have been the predominant methods of credit card breaches that occurred between 2005 and 2014, according to Privacy Rights Clearinghouse. Most applications have been successfully hacked. Specific findings related to financial services applications — in addition to retail and health care applications — are summarized in the following infographic:

Mobile Application Survey Methodology

The 360 applications analyzed in this study were identified in the iOS App Store and Google Play store, and a number of techniques and sources were used to identify hacked versions of the applications. The techniques used to find hacked versions included, but were not limited to, the following:

  • Searching “unofficial” application stores;
  • Examining application distribution sites;
  • Reviewing top torrent sites (peer-to-peer distribution, where the downloaded data originates from other users rather than a central server);
  • Examining file download sites.

The numbers are staggering and frightening — can this really be the case?

When you consider the following points, you realize how we’ve gotten to the state we’re in:

  • Securing mobile apps hasn’t been a significant focus for many organizations. Instead, most organizations have focused on network- and device-level protection.
  • Those who are focused on application layer security are not typically protecting their binary code, which is the code downloaded from an app store. A mobile application whose binary code is not protected is at risk and can potentially jeopardize other security measures, as well.
  • Once an application is hacked, there is no shortage of outlets for distribution. In fact, there are hundreds of app stores and websites around the world, many of which are legitimate but have limited security controls. Unfortunately, many others are focused solely on distributing torrents and hacked apps.

How to Protect Mobile Applications

To combat the unique threats that mobile applications are susceptible to, organizations must adopt preemptive and reactive measures, such as the following:

  • Applications with high-risk profiles running on mobile platforms should be made tamper-resistant and be capable of detecting and defending themselves against threats at run time. Learn more about how to maintain the confidentiality of code and establish run-time application self-protection in this video.
  • The software that is used to enable mobile wallets and payment applications (such as host card emulation software for Android platforms) should leverage cryptographic key protection and application hardening.
  • As part of the mobile application development life cycle, your organization should conduct penetration tests that assess your level of vulnerability to reverse-engineering and tampering that can result from unprotected binary code.
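One concrete form of the run-time self-protection the first recommendation calls for is a repackaging check: the app verifies at startup that the installed APK still carries the release signing certificate it was built with. The following Android example is added here and is not from the report or from Arxan or IBM; the class name, the pinned fingerprint (a placeholder) and the decision to fail closed are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

/** Run-time self-check: report tampering if the APK was re-signed by someone else. */
public final class IntegrityCheck {

    // SHA-256 fingerprint of the release signing certificate, pinned at build time.
    // PLACEHOLDER value: replace with the fingerprint of your own release certificate
    // (obtainable with `keytool -printcert -jarfile app-release.apk`).
    private static final String EXPECTED_CERT_SHA256 =
            "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";

    private IntegrityCheck() {}

    /**
     * Returns true only when the installed package carries exactly one signing
     * certificate and its SHA-256 fingerprint matches the pinned value.
     * A repackaged build cannot reuse the original private key, so its
     * certificate fingerprint will differ and this returns false.
     */
    public static boolean isSignedByExpectedCertificate(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length != 1) {
                return false;          // unsigned or unexpectedly multi-signed
            }
            byte[] actual = MessageDigest.getInstance("SHA-256")
                    .digest(sigs[0].toByteArray());
            // MessageDigest.isEqual compares in constant time.
            return MessageDigest.isEqual(actual, hexToBytes(EXPECTED_CERT_SHA256));
        } catch (Exception e) {
            return false;              // fail closed on any lookup error
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Call this early (for example from the Application subclass) and treat a false result as a tamper event; because the check lives in the same binary it protects, it only holds up when combined with the code hardening the post recommends and, where possible, a server-side verification of the same fingerprint.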

Hopefully, the proliferation of recent mobile attacks and findings from our research are eye-opening for developers and security practitioners. However, I suspect that a dramatic shift in focus toward application protection, including making applications self-protecting at run time, won’t occur anytime soon and that the state of app security won’t change much in the near term. However, I hope I’m proven wrong.
