Recently, more and more hacking activities have been associated with mobile applications, and the trend is expected to continue. When considering exploits such as WireLurker, Masque and other recent attacks, both iOS and Android apps are falling prey to hacks and being exploited for malicious gain. Given this, the findings and recommendations from the “State of Mobile App Security” report from Arxan, an IBM Application Security partner, are important for your security team to understand and incorporate into your daily mobile application security activities.

So how protected are your mobile applications?

Mobile Apps as Hacking Targets

The findings from the report clearly illustrate that unprotected mobile applications are vulnerable to reverse-engineering, repackaging and republishing, and are even susceptible to being turned into malicious weapons. Most applications are, in fact, not well protected. For example, the analysis found hacked versions of the following:

  • 97 percent of top paid Android applications;
  • 87 percent of top paid iOS applications;
  • 80 percent of the most popular free Android applications;
  • 75 percent of the most popular free iOS applications.

The research also revealed that hacks are occurring on applications across industry verticals. In the financial services sector, hacking and/or malware have been the predominant methods of credit card breaches that occurred between 2005 and 2014, according to Privacy Rights Clearinghouse. Most applications have been successfully hacked. Specific findings related to financial services applications — in addition to retail and health care applications — are summarized in the following infographic:

Mobile Application Survey Methodology

The 360 applications analyzed in this study were identified in the iOS App Store and Google Play store, and a number of techniques and sources were used to identify hacked versions of the applications. The techniques used to find hacked versions included, but were not limited to, the following:

  • Searching “unofficial” application stores;
  • Examining application distribution sites;
  • Reviewing top torrent sites, which let users download files directly from other users over the Internet;
  • Examining file download sites.

The numbers are staggering and frightening — can this really be the case?

When you consider the following points, you realize how we’ve gotten to the state we’re in:

  • Securing mobile apps hasn’t been a significant focus for many organizations. Instead, most organizations have focused on network- and device-level protection.
  • Those who are focused on application layer security are not typically protecting their binary code, which is the code downloaded from an app store. A mobile application whose binary code is not protected is at risk and can potentially jeopardize other security measures, as well.
  • Once an application is hacked, there is no shortage of outlets for distribution. In fact, there are hundreds of app stores and websites around the world, many of which are legitimate but have limited security controls. Unfortunately, many others are focused solely on distributing torrents and hacked apps.

How to Protect Mobile Applications

To combat the unique threats that mobile applications are susceptible to, organizations must adopt preemptive and reactive measures, such as the following:

  • Applications with high-risk profiles running on mobile platforms should be made tamper-resistant and be capable of detecting and defending themselves against threats at run time, which means maintaining the confidentiality of the code and establishing run-time application self-protection.
  • The software that is used to enable mobile wallets and payment applications (such as host card emulation software for Android platforms) should leverage cryptographic key protection and application hardening.
  • As part of the mobile application development life cycle, your organization should conduct penetration tests that assess your level of vulnerability to reverse-engineering and tampering that can result from unprotected binary code.

Hopefully, the proliferation of recent mobile attacks and the findings from our research are eye-opening for developers and security practitioners. However, I suspect that a dramatic shift in focus toward application protection, including making applications self-protecting at run time, won’t occur anytime soon, and that the state of app security won’t change much in the near term. That said, I hope I’m proven wrong.
