Arxan Technologies released its second annual report on the mobile app security landscape, and the findings are sure to open plenty of eyes.
According to Arxan, 100 percent of the top 100 paid Android apps and 56 percent of the top 100 paid iOS apps had been hacked, in the sense of being tampered with and republished, by 2013. The report also notes a marked increase in attacks aimed at free iOS apps.
“What we’ve identified in this report is software that in some way, shape, or form has been tampered with and republished,” says Kevin Morgan, Arxan’s Chief Technology Officer and Vice President of Engineering. “We have to distinguish between the security state of the system software and the security state of the application software that’s added in aftermarket traction. What we’re focused on here is the latter, as what folks can do is take an application that’s distributed, say by a major bank, access that application, open it up under a variety of tools that are available on the market to disassemble it and take it all the way back to high-level source form. From there, they can look for where the critical places are inside the software to make modifications, like the anti-fraud controls in a banking application or the software that manages the credentials flow in a software application. They target those areas for code modifications or code additions, then recompile that application and redistribute it under false pretenses.
“iOS is particularly interesting because apps are signed by Apple, and only signed apps will run in an iOS device unless a device is jailbroken. For better or worse, people jailbreak their device to run unsigned software, so people take this original application, get it running in memory to where it’s all decrypted, dump that, and then do their tampering, repackage it, and distribute it for jailbroken phones in an unsigned state. That’s what’s happening in the iOS world to get around the whole iOS encryption process.”
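The dump-and-repackage flow Morgan describes leaves a footprint in the binary itself. An App Store build carries an LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command with cryptid set to 1, telling the loader that the __TEXT segment is encrypted; tools that dump the decrypted image from memory rewrite cryptid to 0 (or drop the command) so the plain-text copy will load on a jailbroken device. The script below, an added example that is not part of Arxan's report or its products, parses a thin or fat (universal) Mach-O and reports that field per architecture slice. The sample binaries it builds are constructed in-line with only an LC_UUID and the encryption command, not real app binaries; point it at an executable pulled from an .ipa to check a real one.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE   # byte-swapped variants
FAT_MAGIC = 0xCAFEBABE
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21      # 32-bit: cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C   # 64-bit: same fields plus 4 bytes of padding
CPU_TYPE_ARM64 = 0x0100000C


def _parse_thin(data):
    """Return (cputype, cpusubtype, cryptid) for one thin Mach-O image.

    cryptid is None when no LC_ENCRYPTION_INFO command is present at all."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        bo = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        bo = ">"                      # header stored big-endian; re-read it that way
        magic = struct.unpack_from(">I", data, 0)[0]
    else:
        raise ValueError("not a Mach-O image (magic 0x%08x)" % magic)
    cputype, cpusubtype, _filetype, ncmds, sizeofcmds = struct.unpack_from(bo + "iiIII", data, 4)
    off = 32 if magic == MH_MAGIC_64 else 28   # mach_header_64 has an extra reserved field
    end = off + sizeofcmds
    cryptid = None
    for _ in range(ncmds):
        if off + 8 > end or off + 8 > len(data):
            raise ValueError("load commands overrun the header")
        cmd, cmdsize = struct.unpack_from(bo + "II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from(bo + "III", data, off + 8)
            break
        off += cmdsize
    return cputype, cpusubtype, cryptid


def inspect(data):
    """Describe every architecture slice of a thin or fat Mach-O file."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):             # fat_arch entries are always big-endian
            _ct, _cst, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
            slices.append(data[offset:offset + size])
    else:
        slices = [data]
    report = []
    for s in slices:
        cputype, cpusubtype, cryptid = _parse_thin(s)
        if cryptid is None:
            state = "no encryption info"   # never App Store encrypted, or command stripped
        elif cryptid == 0:
            state = "decrypted"            # what a memory dump leaves behind
        else:
            state = "encrypted"            # intact App Store binary
        report.append({"cputype": cputype, "cpusubtype": cpusubtype,
                       "cryptid": cryptid, "state": state})
    return report


def build_macho64(cryptid, with_encryption_cmd=True):
    """Constructed minimal arm64 Mach-O: LC_UUID plus, optionally, LC_ENCRYPTION_INFO_64.

    A real binary also carries LC_SEGMENT_64 and many other commands; they are
    omitted here because only the encryption command matters for this check."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    if with_encryption_cmd:
        cmds += struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    ncmds = 2 if with_encryption_cmd else 1
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, ncmds, len(cmds), 0, 0)
    return header + cmds


def build_fat(slices):
    """Constructed fat (universal) wrapper around already-built thin images."""
    offset = 8 + 20 * len(slices)
    archs, bodies = b"", b""
    for s in slices:
        cputype, cpusubtype = struct.unpack_from("<ii", s, 4)
        archs += struct.pack(">iiIII", cputype, cpusubtype, offset, len(s), 0)
        bodies += s
        offset += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + bodies


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # usage: python macho_cryptid.py <executable>
        with open(sys.argv[1], "rb") as f:
            for entry in inspect(f.read()):
                print(entry)
    else:                                 # demo on the constructed samples
        for entry in inspect(build_fat([build_macho64(1), build_macho64(0)])):
            print(entry)
```

Two caveats. A cryptid of 0 on a binary that claims to be an App Store build is a strong signal of the dump-and-repackage path, but a legitimate developer or enterprise build never had the command set in the first place, so the check only means something when you know the provenance of the file. And an attacker who has already decrypted and patched the binary can patch this check out of the app just as easily as the anti-fraud logic Morgan mentions, which is exactly the tamper-resistance problem the report is about.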
As for using your smartphone this holiday season to make purchases, Morgan says it’s buyer beware.
“I think you need to be extremely careful as a consumer of the integrity and legitimacy of the application you’re loading,” he adds. “If you’re going to any sort of non-standard app storefront and loading your app, I think you’re under extreme risk. But if you’re going to the iTunes store, I think you’re very much in the safety zone because Apple is doing vetting, so if you see a Bank of America app on iTunes, it’s going to be the legitimate Bank of America app, and not a tampered version.
“Google Play is a little more suspect in this regard. It’s pretty much the wild west over there.”