An analysis by Arxan into the top 100 paid apps for both iOS and Android shows that there are hacked versions in the market: 92% of the top iOS apps and 100% of the top Android apps have been hacked. For Apple, the threat is to jailbroken devices and from unofficial app markets such as Cydia. For Android that threat is mainly, but not entirely, from unofficial sources.
The hackers' methodology is to obtain official versions of the apps, reverse-engineer and modify the code, and redistribute the modified app, usually through third-party app markets. The reverse engineering is aided by automated tools. Even iOS apps, whose binaries are encrypted for distribution through the App Store, can be dumped from memory in decrypted form while they are running with tools such as Clutch. Disassemblers and debuggers such as IDA Pro can then be applied, and decompilers can even recover something close to the original source code, especially, the report notes, for Android apps written in Java.
While all Android users are at risk, among iOS users it is primarily those with jailbroken devices who are exposed to the hacked apps. Android users can simply set a flag in the device settings to allow apps from sources other than Google Play (which does at least provide some screening of what it hosts). iOS users have to go through the process of jailbreaking a device that is designed to accept apps only from the Apple App Store: App Store apps are encrypted and digitally signed, and an unmodified device will only run code that carries Apple's signature. However, increasing numbers of iOS users are jailbreaking their devices (that is, gaining root access to the operating system and disabling its code-signing enforcement) to allow unofficial apps to run.
The Arxan report, however, is primarily aimed at app developers rather than users. “We envision a thriving app economy with freedom and confidence to innovate and distribute new apps. However, this potential is being threatened by hackers, and most enterprises, security teams, and app developers are not prepared for these attacks,” said Jukka Alanen, vice president at Arxan and the lead author of the new study.
The study points out that hacking leads to loss of revenue, intellectual property and brand reputation for the developers; and could exclude them from a dynamic and rapidly growing market. This market is currently worth around $16 billion, and is expected to grow to more than $60 billion by 2016. Arxan makes a number of recommendations for the developers, including increased security awareness during development, hardening the code against reverse-engineering, and making it tamper-proof and self-defending.
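To make the last of those recommendations concrete, here is an added example, not code from the Arxan report or from any app it studied, of the most basic self-defending measure: a runtime integrity check that digests a region of the app's own code and reports tampering when the bytes no longer match the digest that was recorded at build time. This is exactly the kind of check that a cracker's one-byte patch (flipping a conditional jump so a licence check always passes) would trip. The hash function, the constructed byte sequence standing in for a licence check, and the names `region_intact` and `demo_detects_patch` are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* FNV-1a, 64-bit. Chosen because it is small enough to inline at several
 * call sites; any digest would do, the protection lies in the comparison,
 * not in the hash. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;            /* FNV offset basis */
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;                     /* FNV prime */
    }
    return h;
}

/* Returns 1 while the region still matches its expected digest, 0 once it
 * has been patched. In a shipped binary `expected` is a constant written
 * into the image after linking (the text section cannot contain its own
 * final digest before then), and `region`/`len` come from linker symbols
 * that bracket the code section. */
int region_intact(const uint8_t *region, size_t len, uint64_t expected)
{
    return fnv1a64(region, len) == expected;
}

/* A constructed stand-in for a few instructions of a licence check, in
 * x86-64 encoding; not taken from any real app. */
static const uint8_t protected_code[] = {
    0x83, 0xf8, 0x01,             /* cmp eax, 1        */
    0x75, 0x05,                   /* jne short +5      */
    0xb8, 0x01, 0x00, 0x00, 0x00, /* mov eax, 1        */
    0xc3                          /* ret               */
};

/* Simulates the classic cracker's patch: turning jne (0x75) into je (0x74)
 * so the check succeeds for every input. Returns 1 when the integrity
 * check catches the patch and still accepts the untouched code, 0 otherwise. */
int demo_detects_patch(void)
{
    /* Digest recorded at "build time" over the pristine bytes. */
    uint64_t baseline = fnv1a64(protected_code, sizeof protected_code);

    /* Attacker's modified copy of the same code. */
    uint8_t patched[sizeof protected_code];
    memcpy(patched, protected_code, sizeof patched);
    patched[3] = 0x74;                             /* jne -> je */

    int before = region_intact(protected_code, sizeof protected_code, baseline);
    int after  = region_intact(patched, sizeof patched, baseline);
    return before == 1 && after == 0;
}

int main(void)
{
    printf("patch detected: %s\n", demo_detects_patch() ? "yes" : "no");
    return 0;
}
```

Two caveats a practitioner would add. First, the check is itself code: an attacker who finds it can NOP out the comparison or patch in the digest of the modified section, which is why commercial protections scatter many such checks through the binary, obfuscate them, and have them verify each other rather than relying on one. Second, on iOS the decrypted image produced by a tool like Clutch is what ends up being hashed, so a runtime check of this kind still has value after App Store encryption has been stripped; on Android the closest equivalent is verifying at runtime that the APK is still signed by the developer's own certificate, since a repackaged app must be re-signed with the attacker's key.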