Recently, more and more hacking activities have been associated with mobile applications, and the trend is expected to continue. When considering exploits such as WireLurker, Masque and other recent attacks, both iOS and Android apps are falling prey to hacks and being exploited for malicious gain. Given this, the findings and recommendations from the “State of Mobile App Security” report from Arxan, an IBM Application Security partner, are important for your security team to understand and incorporate into your daily mobile application security activities.

So how protected are your mobile applications?

Mobile Apps as Hacking Targets

The findings from the report clearly illustrate that unprotected mobile applications are vulnerable to reverse-engineering, repackaging and republishing, and are even susceptible to becoming malicious weapons. Most applications are actually not well protected. For example, the analysis revealed that the following had been hacked:

  • 97 percent of top paid Android applications;
  • 87 percent of top paid iOS applications;
  • 80 percent of the most popular free Android applications;
  • 75 percent of the most popular free iOS applications.

The research also revealed that hacks are occurring on applications across industry verticals. In the financial services sector, hacking and/or malware have been the predominant methods of credit card breaches that occurred between 2005 and 2014, according to Privacy Rights Clearinghouse. Most applications have been successfully hacked. Specific findings related to financial services applications — in addition to retail and health care applications — are summarized in the following infographic:

Mobile Application Survey Methodology

The 360 applications analyzed in this study were identified in the iOS App Store and Google Play store, and a number of techniques and sources were used to identify hacked versions of the applications. The techniques used to find hacked versions included, but were not limited to, the following:

  • Searching “unofficial” application stores;
  • Examining application distribution sites;
  • Reviewing top torrent sites (peer-to-peer file sharing, where the downloaded data originates from other users rather than a central server);
  • Examining file download sites.

The numbers are staggering and frightening — can this really be the case?

When you consider the following points, you realize how we’ve gotten to the state we’re in:

  • Securing mobile apps hasn’t been a significant focus for many organizations. Instead, most organizations have focused on network- and device-level protection.
  • Those who are focused on application layer security are not typically protecting their binary code, which is the code downloaded from an app store. A mobile application whose binary code is not protected is at risk and can potentially jeopardize other security measures, as well.
  • Once an application is hacked, there is no shortage of outlets for distribution. In fact, there are hundreds of app stores and websites around the world, many of which are legitimate but have limited security controls. Unfortunately, many others are focused solely on distributing torrents and hacked apps.

How to Protect Mobile Applications

To combat the unique threats that mobile applications are susceptible to, organizations must adopt preemptive and reactive measures, such as the following:

  • Applications with high-risk profiles running on mobile platforms should be made tamper-resistant and be capable of detecting and defending themselves against threats at run time. Learn more about how to maintain the confidentiality of code and establish run-time application self-protection in this video.
  • The software that is used to enable mobile wallets and payment applications (such as host card emulation software for Android platforms) should leverage cryptographic key protection and application hardening.
  • As part of the mobile application development life cycle, your organization should conduct penetration tests that assess your level of vulnerability to reverse-engineering and tampering that can result from unprotected binary code.
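One concrete form of the runtime self-protection recommended above is a repackaging check: the app compares the certificate that actually signed its APK against the release certificate pinned at build time, so a modified and re-signed copy can detect that it is not the original. The following Android class is an added illustration, not code from the report or from Arxan; the class name, the placeholder certificate hash and the fail-closed policy are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import java.security.MessageDigest;
import java.util.Arrays;

/** Runtime repackaging check for an Android app (illustration only, not the report's code). */
public final class TamperCheck {
    // Hypothetical pinned SHA-256 of the release signing certificate; replace with the real value.
    private static final byte[] EXPECTED_CERT_SHA256 = hexToBytes(
        "0000000000000000000000000000000000000000000000000000000000000000");

    /** Returns true when no signer of the running APK matches the pinned certificate.
     *  A repackaged app cannot be signed with the original developer key, so its
     *  certificate hash will differ from the one compiled into the release build. */
    public static boolean isRepackaged(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] sigs;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNING_CERTIFICATES);
                sigs = pi.signingInfo.getApkContentsSigners();
            } else {
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNATURES);
                sigs = pi.signatures;
            }
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature s : sigs) {
                // digest() resets the MessageDigest, so it can be reused per signer
                if (Arrays.equals(md.digest(s.toByteArray()), EXPECTED_CERT_SHA256)) return false;
            }
            return true;  // no signer matched the pinned certificate
        } catch (Exception e) {
            return true;  // fail closed: treat lookup errors as tampering
        }
    }

    /** A debugger attached to a release build is a common sign of runtime analysis. */
    public static boolean isDebuggerAttached() {
        return Debug.isDebuggerConnected();
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```

The pinned hash and the comparison live in the same unprotected binary the report warns about, so an attacker who can repackage the app can also patch the check out; this is why the check only raises the bar and must be combined with the binary hardening and key protection listed above.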

Hopefully, the proliferation of recent mobile attacks and the findings from our research are eye-opening for developers and security practitioners. However, I suspect that a dramatic shift in focus toward application protection, including making applications self-protecting at run time, won’t occur anytime soon and that the state of app security won’t change much in the near term. Still, I hope I’m proven wrong.
