“State of Security in the App Economy” research

By Jukka Alanen, Vice President, Arxan Technologies, Inc.

Mobile apps under attack

On Monday, August 20th, 2012, we announced an “industry-first” security study that examined how widespread the attacks and risks are that application owners face when they release mobile apps. Several prior studies have looked at the prevalence of malware on end-user mobile devices and in apps. None, however, has looked at the prevalence of app hacking from the application owner’s perspective, i.e., how common it is for mobile apps to be hacked or cracked after their release. We sought to provide a new, fact-based perspective on the hacking threats that app owners and providers face after releasing their app.

This State of Security in the App Economy: “Mobile Apps under Attack” research revealed that over 90% of top mobile apps have been hacked, cracked, and breached, and are available as illegitimate versions on third-party sites.

Our research highlights six types of hacking attacks:
– Disabled or circumvented security (e.g., cracked iOS encryption, license management, etc.)
– Unlocked or modified features (e.g., giving the user access to restricted functionality)
– Free pirated copies (piracy)
– Ad-removed versions
– Source code/IP theft (via reverse-engineering and disassembly/decompilation to expose IP or source code)
– Illegal malware-infested versions (the hacker cracks the app, injects malware, repackages the app, and distributes it, often while making the app free to entice users)

These hacking attacks on mobile apps can cause significant damage to the application vendor or owner:
– Brand and reputation compromise (from publicly known hacked versions, tampering attacks, and repackaged copies with malware exploits)
– Revenue losses (from piracy, lost paid apps, in-app purchases or ad revenues, lost users, or lost intellectual property)
– User experience compromise (from hacked versions with problems, or a degraded experience in multi-user applications such as games)
– Exposure to liabilities (from tampering, fraud, theft, or exposure of sensitive information, purchases, transactions, etc.)

The research presents a grave security situation for mobile app owners:
– No application is safe: we found hacked versions across all industries and categories (e.g., games, business, productivity, financial services, social networking, entertainment, communication, and health). In addition, we found that free apps are not immune to hacking: 40% of the popular free Apple iOS apps we studied were hacked, and 80% of the same apps on Android.
– The hacking attacks are based on reverse-engineering and tampering techniques (what we call the “Anatomy of an App Hack”) that traditional application security methods, such as SDLC/secure software development practices and application vulnerability analyses, do not address. Moreover, the hacking process with tampering/reverse-engineering is made easy by widely available free or low-cost automated hacking tools.

What do the findings mean…?

…for preventing mobile malware?
For instance, 86% of Android malware consists of repackaged versions of legitimate applications (source: NC State University study, published in IEEE Security & Privacy, 2012). Before releasing their app, application owners need to protect the integrity of their app code against malware insertion by making the code tamper-proof and self-defending. If app owners follow this approach, a lot of mobile malware can be prevented in the first place, reducing the amount of mobile malware in the world and protecting both the reputation of the app owner and the safety of their users.

…for application developers?
As an estimate, fewer than 5% of major app developers have deployed adequate professional-grade measures inside their apps to protect the integrity of the app code against hacking attacks. App developers need to build protections directly into the app using steps that counter how hackers attack an app:
1. Assess risks and attack targets in the app,
2. Harden the code against reverse-engineering, and
3. Make the app tamper-proof and self-defending.
By doing so, app developers can leverage mobile app protection as an enabler that gives them full freedom and confidence to innovate and distribute high-value and sensitive mobile apps. For instance, app developers can then put sensitive or high-value code on mobile devices without needing to make architectural trade-offs that hinder the user experience.

…for CISOs and enterprise IT security departments?
Security departments need to make mobile app protection a strategic priority, reflecting its new criticality in addressing hacking attacks and the growing value at stake. They should set security policies to govern mobile app protection (e.g., which apps need to be protected and how); this is important to consider across external B2C/B2B apps as well as internal B2E apps. We recommend being especially diligent about protecting mobile apps that deal with transactions, payments, or sensitive data, or that contain high-value IP (e.g., financial services, commerce, digital media, gaming, healthcare, government, and corporate apps). Importantly, CISOs and their teams cannot assume that web app security strategies address the new requirements for mobile app protection, because the threats are very different. They should focus new app security initiatives on protecting the integrity of mobile apps against tampering and reverse-engineering attacks, in addition to traditional approaches to avoiding vulnerabilities.

…for mobile end-users?
Overall, our research focuses on what application owners and providers need to do to keep their applications secure from hackers and other attackers, rather than on what individual end-users should do. However, the origin of many end-user risks, such as malware hidden in an application, is that a legitimate application was compromised (and, e.g., repackaged with malware). Therefore, end-users should push application developers to make their applications protected against these attacks, i.e., to prevent the insertion of malware or application tampering in the first place. But given that many application developers are failing to protect their applications, end-users obviously need to take appropriate security measures on their own, such as exercising due care when downloading and installing apps, avoiding suspicious sites, using strong passwords, etc.

…for you?
Contact us at info@arxan.com to discuss your unique situation with us. We can help you assess the risks and threats that your mobile apps face and help you protect your apps from hacking attacks.
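As an added illustration of the developer steps above (a self-defending check aimed at the repackaging pattern behind the Android malware statistic), here is a minimal Android signing-certificate self-check in Java. This is example code written for this page, not Arxan's product or anything from the study; the class name, the fail-closed policy and the placeholder certificate fingerprint are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

public final class IntegrityCheck {
    // Hypothetical placeholder: replace with the SHA-256 of your own release
    // signing certificate, recorded at build time (e.g. from keytool output).
    private static final String EXPECTED_CERT_SHA256 = "PLACEHOLDER_SHA256_OF_RELEASE_CERT";

    /** True only if the running APK carries exactly the expected release certificate. */
    @SuppressWarnings("deprecation")
    public static boolean isSignedByReleaseKey(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            // A repackaged app cannot be signed with the original key, so an
            // unexpected signer count or fingerprint indicates tampering.
            if (sigs == null || sigs.length != 1) {
                return false;
            }
            String actual = sha256Hex(sigs[0].toByteArray());
            return EXPECTED_CERT_SHA256.equalsIgnoreCase(actual);
        } catch (Exception e) {
            return false; // fail closed: treat any error as an integrity failure
        }
    }

    static String sha256Hex(byte[] data) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest(data)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

The check is ordinary code and can itself be located and patched out, which is why step 2 (hardening against reverse-engineering) and step 3 (tamper resistance) are complementary rather than alternatives.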