Arxan has published its second annual report on the mobile app security space, concluding that cyber criminals and hackers are now switching their attentions to compromising the integrity of paid-for apps, as well as paying special attention to Apple's iOS (iPhone and iPad) platform.
The problem, says Kevin Morgan, CTO of the app integrity specialist, is so great that three of the main US banks have developed specific takedown programmes to deal with the issue of hacked and similar rogue versions of their legitimate apps.
Morgan told SCMagazineUK.com that there are two distinct types of hacked apps: those that are modified versions of the legitimate version and designed to harvest the user's credentials; and a second stream that are complete rewrites of the original app - and are designed with a much wider approach to fraud in mind.
"Here, hackers are decompiling the code in order to remove any security elements," he said, adding that it is - unfortunately - very easy to decompile the program code using the powerful desktop utilities available to developers.
Arxan's report – which is titled 'The State of Security in the App Economy' – reveals that 100 percent of the top 100 paid-for Android apps have been hacked, whilst 56 percent of iOS apps in this category have also been compromised.
Interestingly, on the free app front, whilst the volume of hacked top 100 Android apps fell to 73 percent in 2013 (down from 80 percent in 2012), the volume of hacked iOS apps rose from 40 percent last year to 53 percent this year, indicating a distinct shift by cyber criminals towards the Apple ecosystem.
Arxan's CTO says the solution to the rising problem of compromised versions of legitimate apps is for developers to take a more secure approach to their code development processes.
“This isn't a panacea to the problem, but it does raise the bar. It also adds to the development costs,” he said, adding that it does not always come down to stemming a financial loss, but also – as the US banks have discovered – involves protecting the company's brand reputation.
Morgan's report suggests that the process of cracking a mobile app remains the same three-step process it has been for some time, namely analysing the code, identifying the software target and then launching an attack on the app.
The report goes on to recommend that all Android applications that process sensitive information assets must be hardened against binary-level integrity or reverse-engineering attacks before they are deployed in organisations.
In addition, Arxan says that mobile applications with a high-risk profile (i.e. Android, iOS and other mobile platforms) must be capable of defending themselves against static or dynamic analysis at runtime and be made tamper-resistant.
Finally, the report recommends that organisations should complement traditional web security tools and programs with binary code protection for code hosted in a mobile environment.
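The binary-level integrity and tamper-resistance the report calls for is, at its simplest, the app checking that its own code bytes still hash to the value they had when it was built. The following is an added illustration written for this article, not code from Arxan or from the report: the "protected region" is a constructed 16-byte stand-in for a function body, and the expected hash is derived from the pristine copy for the demo, whereas a shipped build would compute it after linking and embed it as a constant.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* FNV-1a 64-bit over an arbitrary byte range; any fast hash will do for
   integrity checking, the point is that a single patched byte changes it. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constructed stand-in for a protected code region. In a real build this
   would be the bytes between two linker symbols bracketing the function
   (for example the one that gates a premium feature or a login flow). */
static const uint8_t kProtected[16] = {
    0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x83, 0xf8,
    0x01, 0x75, 0x04, 0xb8, 0x01, 0x00, 0x00, 0x00
};

/* Demo only: the reference hash comes from the pristine bytes. A shipped
   build embeds the post-link value so the check does not trust the binary
   it is validating. */
uint64_t expected_hash(void) {
    return fnv1a64(kProtected, sizeof kProtected);
}

/* The runtime check itself: returns 1 if the region is unmodified. Real
   products place several such checks that also guard each other, since a
   single one is as easy to patch out as the feature it protects. */
int integrity_ok(const uint8_t *region, size_t n, uint64_t expected) {
    return fnv1a64(region, n) == expected;
}

/* Simulates the "remove the security element" patch the article describes:
   one byte of a conditional jump is flipped in a copy of the region.
   Returns 1 if the integrity check catches it. */
int tamper_detected_after_patch(void) {
    uint8_t copy[sizeof kProtected];
    memcpy(copy, kProtected, sizeof copy);
    copy[9] ^= 0x01;  /* 0x75 (jne) becomes 0x74 (je): inverts the check */
    return !integrity_ok(copy, sizeof copy, expected_hash());
}
```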