
State of Security App Economy

Date post: 08-Aug-2018
Upload: bionics-health-and-technology-ltda
  • 8/22/2019 State of Security App Economy

    1/15

    Protecting the App Econ

    State of Security in the App Economy: Mobile Apps Under Attack

    Volume 1 -

    Research Re

    right 2012 Arxan Technologies, Inc.


    Executive Summary

    The proliferation of mobile devices has created an app-centric global marketplace, ushering in the App Economy that is driving innovation, new business models, and revenue streams across all industries. Its importance to organizations and consumers calls for a rigorous understanding of risks and threats to its continued vitality and growth.

    In its State of Security in the App Economy: Mobile Apps under Attack research, Arxan Technologies sought to develop a new, fact-based perspective on the prevalence and nature of malicious mobile app hacking threats. This research is the first of its kind across the global security industry and provides a new perspective on how pervasively mobile apps are being attacked by hackers. The data reveals the widespread mobile hacking of top Apple iOS and Android apps and shows how the App Economy is under attack by hackers, with tens of billions of dollars at risk for mobile app owners from tampering, piracy, IP theft, and malware/exploit injection attacks.

    Key findings

    1. More than 90% of top paid mobile apps have been hacked: 92% of Top 100 paid apps for Apple iOS and 100% of Top 100 paid apps for Android were found to have been hacked.

    2. Free apps are not immune from hackers: 40% of popular free Apple iOS apps and 80% of the same free Android apps were found to have been hacked.

    3. Hacking is pervasive across all categories of mobile apps: Hacked versions were found across all key industries such as games, business, productivity, financial services, social networking, entertainment, communication, and health.

    4. Mobile apps are subject to many diverse types of hacks and tampering attacks such as disabled or circumvented security, unlocked or modified features, free pirated copies, ad-removed versions, source code/IP theft, and illegal malware-infested versions.

    5. Financial risks from hacking are increasing rapidly: Mobile app hacking is becoming a major economic issue with consumer and enterprise mobile app revenues growing to over $60 billion and mobile payments volume exceeding $1 trillion by 2016.

    6. Anatomy of an App Hack involves three steps: 1. Define the exploit and attack targets, 2. Reverse-engineer the code, and 3. Tamper with the code; this process is made easy with widely available free or low-cost hacking tools.

    7. Traditional approaches to app security (e.g., secure software development practices, app vulnerability scanning) do not protect against these new attack vectors, leaving app owners unprepared against hackers.

    8. Most app owners have not yet taken adequate measures to protect their apps against these attacks: as an estimate, less than 5% of popular apps contain professional-grade protections to defend against hacking attacks.

    Recommendations

    1. Make mobile app protection a strategic priority, reflecting its new criticality to address hacking attacks and the growing value at stake.

    2. Be especially diligent about protecting mobile apps that deal with transactions, payments, sensitive data, or that have high-value IP (e.g., financial services, commerce, digital media, gaming, healthcare, government, corporate apps).

    3. Do not assume that web app security strategies address the new requirements for mobile app protection due to very different threats.

    4. Focus app security initiatives on protecting the integrity of mobile apps against tampering/reverse-engineering attacks, in addition to traditional approaches to avoiding vulnerabilities.

    5. Build protections directly into the app using steps that counter how hackers attack an app: 1. Assess risks and attack targets in the app, 2. Harden the code against reverse-engineering, and 3. Make the app tamper-proof and self-defending.

    6. Leverage mobile app protection as an enabler to allow full freedom and confidence to innovate and distribute high-value and sensitive mobile apps.


    Methodology

    Arxan Technologies identified and reviewed hacked versions of top Apple iOS and Android apps from third-party sites outside of official Apple and Google app stores. The review of paid apps was based on the Top 100 iPhone Paid App list from Apple App Store and the Top 100 Android Paid App list from Google Play. The review of free apps was based on 15 highly popular free apps for Apple iOS and the same 15 free apps for Android. In total, our sample included 230 apps. This data from Apple and Google was accessed in May 2012. Hacked versions of these Apple iOS and Android apps were located in May-June 2012 by using both standard search engines (such as Google Search) and searching third-party sites such as unofficial app stores (e.g., Cydia), app distribution sites, hacker/cracker sites, and file download and torrent sites.

    The way in which mobile users can access these hacked versions from third-party sites depends on their device.

    • On Android devices, a simple button in the device settings controls whether the device accepts apps from any source/app market (not just Google Play).

    • On Apple iOS devices, downloading apps from outside Apple App Store requires users to first jailbreak or root their device. This can be done with simple automated tools, after which the user can install third-party app store apps directly on the device or download apps from any website.

    Accessing apps from third-party sites has become increasingly common; for instance, we found that some of the hacked versions have been downloaded over half a million times from unofficial sites.

    It is very important to understand that users do not need to download apps from third-party sites for app owners to suffer from hacking attacks. Intellectual Property (IP) and decompiled source code can be stolen without the hacker republishing the app on third-party sites. Furthermore, hackers can republish hacked apps on official app stores (e.g., under a different app name). Finally, merely the known existence of a hacked and tampered version can damage the app owner's brand and customers' trust, even if few users download the hacked version.


    Key Findings

    Finding 1: More than 90% of top paid mobile apps have been hacked: 92% of Top 100 paid apps for Apple iOS and 100% of Top 100 paid apps for Android were found to have been hacked.

    The research shows widespread hacking of top paid Apple iOS and Android apps (see Exhibit 1). Nearly all of the 200 apps in our sample were available on third-party sites as hacked/cracked versions (often as free pirated or tampered copies).

    Exhibit 1: Top 100 Paid Apps (n=100 per O/S). Apple iOS: 92% hacked, 8% not hacked. Android: 100% hacked, 0% not hacked. Based on identifying and reviewing hacked versions of top iOS and Android apps from third-party sites outside of official app stores.

    Finding 2: Free apps are not immune from hackers: 40% of popular free Apple iOS apps and 80% of the same free Android apps were found to have been hacked.

    Similar to top paid apps, popular free apps were found to be widely available as hacked/cracked versions on third-party sites (typically as modified versions). Android apps were twice as commonly hacked as Apple iOS apps (see Exhibit 2).

    Exhibit 2: Popular Free Apps (n=15 per O/S). Apple iOS: 40% hacked, 60% not hacked. Android: 80% hacked, 20% not hacked. Based on identifying and reviewing hacked versions of top iOS and Android apps from third-party sites outside of official app stores.

    Finding 3: Hacking is pervasive across all categories of mobile apps: Hacked versions were found across all key industries such as games, business, productivity, financial services, social networking, entertainment, communication, and health.

    No category was immune to mobile hacking attacks. In our sample, we found hacked versions of applications in all of the following categories: games (sports, action, arcade, brain/puzzle, racing, cards/casino), business, productivity, finance, social networking, tools, utilities, photo & video, music, entertainment, health & fitness, education, navigation, reference, travel & local, communication, weather. This highlights the pervasive nature of the hacking attacks, where no app is safe.

    Finding 4: Mobile apps are subject to many diverse types of hacks and tampering attacks such as disabled or circumvented security, unlocked or modified features, free pirated copies, ad-removed versions, source code/IP theft, and illegal malware-infested versions.

    We found a variety of different hacks, all of which can be broadly categorized in the six types of attacks shown in Exhibit 3.


    Exhibit 3: Types of Hacking Attacks faced by Mobile Apps: free pirated copies; ad-removed versions; unlocked or modified features; disabled or circumvented security; source code/IP theft; malware injection in the app.

    A few specific patterns can be highlighted:

    • Overall, security mechanisms (such as licensing, policies, encryption, certificate signing) were found to be commonly disabled or circumvented.

    • For paid apps, free pirated copies were found to be extremely common. Nearly all of the paid apps were available on third-party sites as free downloads.

    • For apps with ad-based business models (often in free apps), we found many of those apps available as ad-stripped versions.

    • Apps with restricted features were found to be commonly available as unrestricted versions. This is especially typical of games with cheat hacks (but exists also in other types of apps). In hacked versions of these apps, users can often get unlimited resources (money, weapons, cars, etc.), access levels that would otherwise require hours of play, or manipulate high scores. In some cases, these features or levels were designed to be available as in-app purchases, and the hacked versions may allow the user to bypass and circumvent these purchase requirements.

    • Some apps were found to have hacked versions that (at least supposedly) contain improvements such as added features and capabilities (e.g., HD, video uploads, additional device or operating system version support). Obviously, the quality and stability of these hacker-modified versions is uncertain.

    • A particular danger with hacked versions that look appealing to potential users (due to being free, ad-stripped, or improved) is that they contain hidden exploits such as malware. Hackers can crack popular apps, inject malware, and redistribute without original app owners or users being aware of what has happened.

    • Finally, app owners should also be very concerned about source code and IP theft (through decompilation and disassembly). Many of the cracked apps can enable others to take and leverage proprietary code and IP for other uses (e.g., competing apps).

    Finding 5: Financial risks from hacking are increasing rapidly: Mobile app hacking is becoming a major economic issue with consumer and enterprise mobile app revenues growing to over $60 billion and mobile payments volume exceeding $1 trillion by 2016.

    Hacking can cause severe business consequences to app owners such as:

    • Brand and reputation compromise (from publicly known hacked versions, tampering attacks, and repackaged copies with malware exploits)

    • Revenue losses (from lost paid apps, in-app purchases or ad revenues, lost users, or lost intellectual property)

    • User experience compromise (from hacked versions with problems or affected experience, e.g., social/multi-player games with cheating issues)

    • Exposure to liabilities (from tampering, theft, or exposure of sensitive information, purchases, transactions, etc.)

    Even though many mobile apps have low price-points (such as a few dollars or even less), the economic impact can be significant due to high volumes and large numbers of users. As an example, for one popular game, we found that a free pirated version has been downloaded over half a million times just from one of the many sites where free pirated versions of that game are available. This suggests that many app owners are already today losing significant revenues.

    The economic impact from hacking attacks will worsen multiple times over with the rapid growth of the mobile App Economy (see Exhibit 4). According to industry analysts, consumer and enterprise-related mobile apps had approximately $16 billion in global revenue in 2011. This is expected to grow to over $60 billion by 2016, fueled especially by consumer-focused mobile app revenues. Mobile payments volume is expected to reach over $1 trillion by 2016.

    All in all, mobile app hacking presents an increasingly severe financial threat.

    Exhibit 4: Mobile App Economy (Source: ABI Research, TechNavio, KPMG). Mobile app revenues: $8.5bn (2011) to $46bn (2016). Enterprise mobile apps: $7bn (2011) to $11.5bn (2014). Mobile payments volume: $124bn (2011) to $945bn (2015).

    Finding 6: Anatomy of an App Hack involves three steps: 1. Define the exploit and attack targets, 2. Reverse-engineer the code, and 3. Tamper with the code; this process is made easy with widely available free or low-cost hacking tools.

    The general pattern (Anatomy of an App Hack) for mobile app hacking follows a three-step process, as shown at a high level in Exhibit 5.

    STEP 1: The attacker defines what to compromise or modify in the app, such as certain security features or program functionality, or decides to pirate the app.

    STEP 2: The attacker uses automated tools, possibly with some manual work, to reverse-engineer the application and understand its structure. This step can involve static (at-rest) and/or dynamic (real-time, during app execution) analysis of the code. There are many widely available, free or low-cost, and powerful decompilation tools and disassembly & debugging tools (such as IDA Pro) that enable efficient reverse-engineering and in many cases can enable a hacker to translate binary app code back into its source code. Android Java apps in particular can be easily and trivially decompiled back to source code. Native Android and iOS apps are relatively easy to reverse-engineer as well. Encrypted apps can be cracked easily by hackers by getting (dumping) the code from the device memory (where it is running in a decrypted form during app execution); this can be done with automated hacking tools (e.g., Clutch for iOS).

    STEP 3: Once the hacker understands the inner workings of the app, they can tamper with the code: modify targeted parts of the app, disable security, unlock functionality, inject malware/exploits, and repackage the app and distribute it.

    Exhibit 5: Anatomy of App Hack. 1. Define the exploit and attack targets: compromise security (authentication, jailbreak detection, license management, DRM, encryption, anti-virus); modify or steal functionality (application logic, algorithms, IP). 2. Reverse-engineer the code: understand the code with automated tools and manual work; dynamic analysis (e.g., debugging, tracing, memory analysis); static analysis (e.g., disassembly, decompilation). 3. Tamper with the code: modify targeted parts of the code; create and distribute a tampered version; steal IP for illegal use.

    There are a few specific app cracking highlights for Apple iOS and Android.

    Apple iOS: iOS apps downloaded from the Apple App Store are encrypted and signed, and can only be run on devices that can correctly decrypt their bytes and verify their signatures. To pirate such an app, hackers typically create an unencrypted (unprotected) version of the app and republish it on third-party sites. People who want to run these pirated apps must have their devices jailbroken, since jailbreaking disables the other half of the protection, which is the signature verification check imposed by the iOS kernel. To create a decrypted version of a protected app, hackers typically start by jailbreaking the phone and installing automated cracking tools (e.g., Clutch). They download the original app from Apple App Store and run the tool to produce a decrypted version of the app. These tools internally use a debugger to load and decrypt the app from memory and dump it to a raw file. Then, the hacker can repackage and republish the app on third-party sites.

    Android: For Android, apps released through Google Play are not encrypted (though this is changing with new operating system versions) and can be self-signed. Anyone who can get hold of a copy of the app can unpack the app, make modifications (e.g., bypass any licensing checks implemented in the code), resign the app (with their own keys), and republish it elsewhere (or even via Google Play). People who want to run pirated apps do not need to root their devices, as the Android OS itself does not pose a restriction on which app store or source to use. To crack an Android app, hackers can download the app on another machine (e.g., Mac) and run a tool (e.g., apktool) to unpackage the app and disassemble its Dalvik bytecode. They analyze the disassembled code or use tools (e.g., dex2jar and a Java decompiler) to decompile Dalvik bytecode to Java source code and analyze the source code. They can make changes to disable license checks (or other modifications) and repackage the app and resign it. Google Play provides "Google Play Licensing" as an option to app developers. This is implemented through Google's License Verification Library. It has multiple single points of failure (e.g., the license API call) and has widely been cracked. Other Android app markets such as Amazon's and Verizon's are also known to be easily defeatable.

    Finding 7: Traditional approaches to app security (e.g., secure software development practices, app vulnerability scanning) do not protect against these new attack vectors, leaving app owners unprepared against hackers.

    There is an established set of practices, processes, and tools that app owners are used to in order to develop and release secure applications. Unfortunately, these traditional approaches do not protect against the afore-described mobile app hacking patterns and tampering/reverse-engineering based attacks. Software practices such as Security Development Lifecycle (SDL) help app owners to develop safe and clean code. App vulnerability testing and scanning tools help app owners identify vulnerabilities. These approaches and tools continue to be relevant and important to avoid leaving flaws and holes in the apps (such as problems with buffer overflows, SQL injection, cross-site scripting, poor use of APIs, etc.). However, these approaches do not provide real-time integrity protection and security against tampering/reverse-engineering based attacks. Vulnerability-free code can still be easily reverse-engineered and tampered with, resulting in the hacker compromising the integrity of the app.

    Finding 8: Most app owners have not yet taken adequate measures to protect their apps against these attacks: as an estimate, less than 5% of popular apps contain professional-grade protections to defend against hacking attacks.

    Based on our hacking results analysis and discussions with app owners, very few app owners (estimated less than 5%) have deployed adequate professional-grade measures to protect their apps against hacking attacks. Some app publishers have used simple code obfuscation or encryption methods, both of which are inadequate. Free and low-cost code obfuscators are easily and trivially defeated by hackers and automated tools due to their simplicity. Encryption can easily be circumvented via run-time memory analysis and dumping of unencrypted code, and it may also result in excessive performance and file size problems. App owners are clearly far behind hackers in their understanding and sophistication around how easily apps can be compromised.


    Recommendations

    Recommendation 1: Make mobile app protection a strategic priority, reflecting its new criticality to address hacking attacks and the growing value at stake.

    Mobile apps provide large-scale opportunities for innovation, productivity, and value creation. However, they are, without a doubt, the new target for hacking attacks that threaten to compromise the app owner's brand, revenue/business model, and IP, and potentially expose the owner to liabilities. In the new perimeter-less world where mobile apps are running in the wild on open devices that cannot be fully controlled and locked down, app owners need to make mobile app security a strategic security priority.

    Recommendation 2: Be especially diligent about protecting mobile apps that deal with transactions, payments, sensitive data, or that have high-value IP (e.g., financial services, commerce, digital media, gaming, healthcare, government, corporate apps).

    In a world of millions of apps, not all apps can have equal priority for a high degree of protection against hacking. App owners should prioritize their protection efforts based on the sensitivity and value of the app. Key characteristics of sensitive, high-value apps include dealing with transactions, payments, or sensitive data, generating significant revenue, or containing valuable proprietary IP. Many apps in financial services, commerce, digital media/entertainment, gaming, healthcare, government, and corporate app categories have these characteristics and therefore their integrity should be protected very diligently.

    Recommendation 3: Do not assume that web app security strategies address the new requirements for mobile app protection due to very different threats.

    Security strategies need to be based on a deliberate analysis of the threat landscape and potential attack vectors. With web sites and web apps, the attack surface can be fairly narrow and focused mainly on input attacks (e.g., SQL injection, cross-site scripting) and network access/traffic attacks. Mobile applications have a very different and much broader attack surface. Mobile apps are running out in the open and hackers typically have access to the actual binary application code. Hackers can attack the app code, reverse-engineer it, and tamper with it without the app owner having any visibility or control. Therefore, mobile app owners need to address this new threat landscape and attack vectors with new security strategies that are relevant for mobile apps.

    Recommendation 4: Focus app security initiatives on protecting the integrity of mobile apps against tampering/reverse-engineering attacks, in addition to traditional approaches to avoiding vulnerabilities.

    Traditional methods for secure software development and vulnerability testing are still necessary but insufficient against tampering/reverse-engineering based attacks, as they cannot assure the integrity of the app after it has been released.

    App owners need to adopt a new step in their app development, management, and security lifecycle to ensure their apps are protected and can maintain their integrity in the wild against hacking attacks (see Exhibit 6). Before releasing the app, app owners need to take new measures to protect their apps against tampering/reverse-engineering based threat vectors.

    Exhibit 6

    Recommendation 5: Build protections directly into the app using steps that counter how hackers attack an app: 1. Assess risks and attack targets in the app, 2. Harden the code against reverse-engineering, and 3. Make the app tamper-proof and self-defending.

    App owners need to build protective mechanisms directly into their apps such that these protections go wherever the app goes and the app is always self-protected and maintains its integrity against hacking attacks, regardless of the device or its environment. Effective app protection is grounded in understanding how attackers can hack the app (Anatomy of Mobile App Hack) and countering that with protection steps as shown in Exhibit 7.

    STEP 1: Understand the risks and attack targets in the app. This requires thinking through what the sensitive, high-value code in the app is, where it is located, and how attackers may compromise it.


    STEP 2: Harden the app code against reverse-engineering such that the afore-described static and dynamic analysis techniques and tools cannot understand and expose the code.

    STEP 3: Make the app tamper-proof and self-defending. If a hacker is trying to tamper with the app, the app needs to detect these attacks, defend itself, and react in an appropriate way to thwart the attack. Also, the app should be able to self-heal itself back to the original code if a hacker is trying to modify the code.

    Exhibit 7: Attack Steps versus Protection Steps. 1. Define the exploit and attack targets, countered by 1. Assess risks and attack targets in the app. 2. Reverse-engineer the code, countered by 2. Harden the code against reverse-engineering. 3. Tamper with the code, countered by 3. Make the app tamper-proof and self-defending.

    Professional-grade protection involves a few key characteristics:

    • A multi-layered network of protections inside the app that can perform the tamper-resistant and self-defending operations. A single layer of protection is insufficient and several layers are needed for sufficient defense-in-depth.

    • The protections should secure the integrity of the app against a variety of static and dynamic (run-time) hacking attacks.

    • The protections should have some diversity such that the same cracking techniques/tools cannot be used repeatedly.

    • The protections should not be visible to attackers and should appear as normal code (without signatures, wrappers, processes, etc.).

    • Building these protections into the app should not require any source code modifications, to avoid disrupting the app development process and to ensure scalability and easy renewability of protection designs. The security protections should be added to compiled code or binary code before releasing the app.
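The Android repackaging pattern described under Finding 6 (unpack, modify, resign with the attacker's own key, republish) and the tamper-detection and layering points of Recommendation 5 can be made concrete with a small runtime self-check. The Java class below is an added example written for this page; it is not code from the Arxan report or from any Arxan product, and it uses only public Android SDK APIs. The class name, the two expected-digest constants (placeholders the app owner fills in from their own release build) and the choice of Google Play's installer package name are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;

import java.io.InputStream;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/**
 * Added example, not from the Arxan report: three independent runtime checks
 * that notice the repackaging pattern described in the text (APK unpacked,
 * modified, resigned with a different key, redistributed). Each check returns
 * a plain boolean and the reaction is left to the caller, so there is no
 * single "if (licensed)" branch for a cracker to patch out.
 */
public final class RepackagingCheck {

    // Hex SHA-256 of the DER-encoded release signing certificate.
    // PLACEHOLDER: take the SHA256 fingerprint printed by
    //   keytool -list -v -keystore release.jks -alias release
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Hex SHA-256 of classes.dex in the released APK.
    // PLACEHOLDER: this value cannot live inside classes.dex itself (embedding
    // it changes the digest), so a real build keeps it in a resource, an asset
    // or a native library, or patches it into the binary after compilation.
    private static final String EXPECTED_DEX_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Installer package of the store the owner publishes through (assumed: Google Play).
    private static final String TRUSTED_INSTALLER = "com.android.vending";

    private RepackagingCheck() {}

    /** Layer 1: is the running APK signed by exactly one key, the release key? */
    public static boolean signedByReleaseKey(Context ctx) {
        try {
            Signature[] signers = currentSigners(ctx);
            if (signers == null || signers.length != 1) return false;
            return EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(signers[0].toByteArray()));
        } catch (Exception e) {
            return false; // failing to read our own signature is itself suspicious: fail closed
        }
    }

    private static Signature[] currentSigners(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return null;
            return info.signingInfo.getApkContentsSigners();
        }
        return pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES).signatures;
    }

    /** Layer 2: does classes.dex on disk still match the bytes the build produced? */
    public static boolean dexUnmodified(Context ctx) {
        String apkPath = ctx.getApplicationInfo().sourceDir; // path of the installed APK
        try (ZipFile apk = new ZipFile(apkPath)) {
            ZipEntry dex = apk.getEntry("classes.dex");
            if (dex == null) return false;
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            try (InputStream in = apk.getInputStream(dex)) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) md.update(buf, 0, n);
            }
            return EXPECTED_DEX_SHA256.equalsIgnoreCase(toHex(md.digest()));
        } catch (Exception e) {
            return false;
        }
    }

    /** Layer 3: was the app installed by the store we publish through? (weak signal) */
    public static boolean installedFromTrustedStore(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return TRUSTED_INSTALLER.equals(installer); // null (sideloaded) fails the check
    }

    /**
     * Runs every layer and names the ones that failed. Call it from several
     * sensitive code paths (purchase flow, level unlock, data sync) rather than
     * once at startup, and vary the reaction per call site.
     */
    public static List<String> failedChecks(Context ctx) {
        List<String> failed = new ArrayList<>();
        if (!signedByReleaseKey(ctx)) failed.add("signing-certificate");
        if (!dexUnmodified(ctx)) failed.add("classes.dex-digest");
        if (!installedFromTrustedStore(ctx)) failed.add("installer");
        return failed;
    }

    private static String sha256Hex(byte[] data) throws Exception {
        return toHex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The three layers fail for different reasons: a resigned APK fails the certificate check even if no code was touched, a patched APK whose attacker kept the original v1 signature block around fails the dex digest, and a sideloaded copy fails the installer check (which is the weakest layer, since sideloading is legitimate and the installer name is set by whoever installs the package, so treat it as a signal rather than a verdict). `getInstallerPackageName` and `GET_SIGNATURES` are deprecated on newer API levels but still present. The caveat is the one the report makes: these checks are compiled into the same APK the cracker is editing, so any single one can be located and removed; the value comes from spreading several diverse checks across the code and reacting in different ways at different sites, which is the baseline that binary-level protection applied after the build is meant to reinforce.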


    Recommendation 6: Leverage mobile app protection as an enabler to allow full freedom and confidence to innovate and distribute high-value and sensitive mobile apps.

    Security is too often a blocker for innovation. It does not have to be. Mobile platforms can enable a thriving App Economy, and security concerns should not hold it back. App owners need to have freedom to innovate apps without compromising security or business model, and they need to have confidence to deploy sensitive or high-value apps on untrusted devices. For instance, security concerns should not cause app owners to make architectural decisions (e.g., avoiding native apps) that limit the functionality of the app or its user experience. By being proactive about mobile app protection and viewing it as an enabler, app owners can move forward with the full potential of mobile devices.

