More and more attacks are being aimed at mobile applications, and the trend is expected to continue. Judging by WireLurker, Masque and other recent attacks, both iOS and Android apps are being reverse-engineered, repackaged and exploited for profit. Given this, the findings and recommendations from the "State of Mobile App Security" report from Arxan, an IBM Application Security partner, are worth understanding and folding into your team's day-to-day mobile application security work.
So how protected are your mobile applications?
Mobile Apps as Hacking Targets
The findings from the report show that unprotected mobile applications are routinely reverse-engineered, repackaged and republished, and can even be turned into malware. Most applications are not well protected at all. Here, an application counts as "hacked" when a modified version of it was found in circulation (see the methodology below). By that measure, hacked versions were found for:
- 97 percent of top paid Android applications;
- 87 percent of top paid iOS applications;
- 80 percent of the most popular free Android applications;
- 75 percent of the most popular free iOS applications.
The research also showed that hacked apps occur across industry verticals. In financial services, hacking and/or malware were the predominant causes of credit card breaches between 2005 and 2014, according to Privacy Rights Clearinghouse, and most of the financial apps examined had been hacked. Specific findings for financial services applications, along with retail and health care applications, are summarized in the following infographic:
Mobile Application Survey Methodology
The 360 applications analyzed in this study were identified in the iOS App Store and Google Play store, and several techniques and sources were then used to look for hacked versions of each. The techniques used to find hacked versions included, but were not limited to, the following:
- Searching “unofficial” application stores;
- Examining application distribution sites;
- Reviewing the top torrent sites (peer-to-peer distribution, where the files come from other users rather than a central server);
- Examining file download sites.
The numbers are staggering. Can this really be the case?
The following points go a long way toward explaining how we got here:
- Securing mobile apps has not been a significant focus for many organizations. Instead, most have concentrated on network- and device-level protection.
- Those who do focus on application-layer security typically do not protect their binary code, which is the compiled package an app store actually distributes and therefore exactly what an attacker holds. An application whose binary is unprotected is at risk itself and can undermine other security measures, such as the authentication and encryption logic embedded in it, as well.
- Once an application is hacked, there is no shortage of outlets for distribution. In fact, there are hundreds of app stores and websites around the world, many of which are legitimate but have limited security controls. Unfortunately, many others are focused solely on distributing torrents and hacked apps.
How to Protect Mobile Applications
To combat the unique threats that mobile applications are susceptible to, organizations must adopt preemptive and reactive measures, such as the following:
- Applications with high-risk profiles running on mobile platforms should be made tamper-resistant and should be able to detect and defend themselves against threats at run time. Learn more about how to maintain the confidentiality of code and establish run-time application self-protection in this video.
- The software used to enable mobile wallets and payment applications (such as host card emulation software on Android) should use cryptographic key protection and application hardening, since the keys and the code that handles them ship inside the binary the attacker can inspect.
- As part of the mobile application development life cycle, your organization should conduct penetration tests that measure how easily the shipped binary can be reverse-engineered and tampered with, which is the exposure that unprotected binary code creates.
Hopefully, the proliferation of recent mobile attacks and the findings from our research are eye-opening for developers and security practitioners. However, I suspect that a dramatic shift in focus toward application protection, including making applications self-protecting at run time, won't occur anytime soon and that the state of app security won't change much in the near term. That said, I hope I'm proven wrong.